- UID not compulsory when availing any services in India
- An Aadhar card holder’s biometric information within the UID may not be shared with any agency without the holder’s consent
Recently, the Supreme Court passed an ad-interim order in Unique Identification Auth. of India and anr. v. Central Bureau of Investigation1 where it held that the Unique Identification Authority of India was restrained from transferring anyone’s biometric information with an Aadhaar number to any other agency without such person’s consent in writing.
More importantly, the Apex Court also held that the Aadhar number would not be mandatory to be eligible for any service. Any government authority that had made the Aadhar number mandatory was asked to modify its circulars so that the Aadhar number would not be mandatory for the provision of such service.
This SLP was filed against Order of the division bench of R. S. Dalvi and F. M. Reis of the Bombay High Court at Goa in Criminal Writ Petition No.10 of 2014.2 The writ before the Bombay High Court sought to challenge the order of the magistrate of October 22, 2013 in which certain data of persons holding Aadhar cards had been provided to the Central Bureau of Investigation (CBI) upon CBI’s request for data under Section 91 of the Criminal Procedure Code, 1973 (power to seek summons for production of a document from a person in possession of such document). The CBI had approached the magistrate in respect of a rape case of a seven year old child which had taken place in a school washroom and the CBI had been unable to identify the offender. The CBI had however been able to retrieve some fingerprints from the place of the incident which could help them trace the accused. These fingerprints had been sent to the Unique Identification Authority of India (“UIDAI”) and the CBI sought information from the authority to search through its database and help identify if the fingerprints could be traced to anyone in the database. UIDAI refused to provide this information on the grounds that this would violate the privacy of Aadhar card holders. UIDAI relied on the case of District Registrar and Collector v. Canara Bank3 in which the Supreme Court had laid down the parameters of reasonable searches and seizures to ensure that a party’s fundamental right against self-incrimination is not violated under Article 20 (3) of the Constitution of India.4
During arguments, UIDAI also informed the High Court that several petitions were pending before the Supreme Court with respect to data held by the UIDAI including Writ Petition No. 494/2012: Justice K. S.Puttaswamy v. Union of India.5 In the said writ petition, a bench comprising Justice Chauhan and Bobde had held in the ad-interim order of September 23, 2013 that no person should suffer for the lack of an Aadhar card despite the fact that a government authority had issued a circular making it mandatory to submit the Aadhar card to avail of certain facilities. The High Court had also observed that the UIDAI ought to ensure that Aadhar cards are not issued to illegal immigrants. Thereafter, in subsequent orders in this petition the Supreme Court made all states and union territories parties.6This matter still remains part heard before the Supreme Court.
In the case before the Bombay High Court, the CBI had asked for all the data available in the State and thereafter the request was restricted to three specific persons. UIDAI refused to provide this information and then the CBI sent a CD to the UIDAI with fingerprints it had retrieved and asked UIDAI to compare them with the biometric available with it. UIDAI claimed that it did not have the requisite technology to parse through all the biometric information it held to run the comparison process. To this, CBI offered to test UIDAI’s database for its competence and run the comparison. The High Court observed that a statement on the capability of UIDAI’s database would be required. It directed (on the suggestion of the Advocate General) that the Director General of the Central Forensic and Scientific Laboratory could appoint an expert along with any other expert UIDAI itself suggested to ascertain the competence of UIDAI’s database. This report would have to be filed with the High Court within two weeks. The High Court would consider the questions of right to privacy and information subject to the Supreme Court’s order in existing petitions on this issue pending before it. It is from this impugned order that the present SLP was filed.
In its Order of March 24, 2014, the Supreme Court stayed this interim order of the Bombay High Court at Goa for the appointment of experts. In addition, the Apex Court also observed that an Aadhar card was not compulsory for availing any facility from a government authority and any authority making such a card mandatory would have to modify its circulars and notifications to that effect. Most importantly, the SC restrained the UIDAI from sharing any biometric information in its database without the consent of the owner of such data in writing.
The Central Government had claimed that the purpose of the Aadhar card was to “issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services.”7Some governments such as Delhi had made the Aadhar card mandatory to receive the National Food Security card and a petition challenging this was pending before the Delhi High Court.8 In addition the government was starting to make the card mandatory for LPG, ration etc.
Aside from being used as a government recognized identification card, the government was building the Aadhar network to effectuate its Direct Cash Transfer schemes which would allow the government to directly transfer cash without the fear of middle-men or leakage.9 This scheme was attempted through the Aadhar Enabled Payment Scheme (AEPS) by the National Payment Corporation of India which would allow for Aadhar to Aadhar cash transfers and other micro-credit facilities.10 This system uses micro-ATMs and the biometric of a person registered in the Aashar system as a PIN. The direct payment scheme was attempted in places such as Jharkhand but has met with limited success due to access and identification issues.
Other than the operational bottlenecks involved in the schemes stemming from the Aadhar, a more pressing concern is that of violation of an individual’s right to privacy when investigative agencies such as the CBI make demands for biometric data. The UIDAI is not a statutory body and currently there is no legislation governing it. It has been established by way of an Executive Order of the Planning Commission passed on January 28, 2009.11 The National Identification Authority of India Bill, 2010 has not been passed yet. In the absence of the Supreme Court’s order in the present case and any law governing the information available with UIDAI, this information could have been potentially shared with other national agencies (such as the CBI) with impunity. In fact, in the absence of the Supreme Court’s Order, the UIDAI could have shared this information with private agencies as well.
The biometric is not an absolutely accurate standard and there is a likelihood of error.12 Therefore using this information as an investigative tool especially for appropriation through agencies such as the CBI is likely to have an extremely deleterious impact. Besides, this would also be in breach of an individual’s right against self-incrimination under Article 20 (3) of the Constitution (although the standard has been set high under existing jurisprudence on this subject). The purpose of submission of the data with UIDAI is purely with respect to measures under the ambit of Aadhar. No consent has been taken from citizens when providing their biometric information that it may be used in future potential investigations against them. The National Identification Authority of India Bill, 2010 sought to allow the use of Aadhar data for the purposes of national security without the consent of the person whose data is being shared.13 But the constitutional validity of this bill if it becomes a law remains to be tested against the established standards of the law against self-incrimination and the standards of privacy in India.14
Further, while body corporates in India are subject to the data protection law for sensitive personal data under Section 43A of the Information Technology Act, 2000 (read with the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011), the UIDAI as a government body established under the planning commission (and not a body corporate15 in terms of its definition under the Information Technology Act) is not subject to it.
The Supreme Court’s ad-interim order has come as a welcome clarification in the background of uncertainties surrounding data collected by the UIDAI. One wonders though if this scheme where the government has already apparently spent Rs. 3,500 crores16 will be of any relevance after this Order.