The Aadhaar and Other Laws (Amendment) Act, 2019 came into force on 24th July, 2019. The Act has amended the Aadhaar Act, 2016 as well as the Indian Telegraph Act, 1885 (‘ITA’) and the Prevention of Money Laundering Act, 2002 (‘PMLA’).
The amendment has come in the wake of events over the last year. On September 26, 2018 the Supreme Court of India delivered its verdict on the constitutional validity of Aadhaar in Justice K.S. Puttaswamy v. Union of India, 2019 1 SCC 1 (‘Aadhaar judgment’). The majority upheld the constitutional validity of the Aadhaar Act and concluded that it does not tend to create a surveillance state.
However, certain provisions of the statute were found ultra vires the Constitution in part or in whole. Additionally, the mandatory linking of Aadhaar to bank accounts and mobile connections was struck down, as disproportionate and violative of the right to privacy. The Court emphasised that there could be less intrusive alternatives to achieve the avowed objects of preventing money laundering and the misuse of SIM cards. In light of the changes necessitated by the Court’s judgment, the Central Government promulgated the Aadhaar and Other Laws (Amendment) Ordinance, 2019 in March this year. The Act repealed the same.
The amendment has brought in some salient changes in Aadhaar’s legal position. Perhaps the most significant change is the deletion of Section 57 which abundantly extended the ambit of Aadhaar. Its omission has flowed from the Supreme Court holding the part of the provision permitting body corporates and individuals to seek authentication as unconstitutional.
Read More+ Further, the amendment has underscored the voluntary nature of Aadhaar. The amended Section 4 states that every Aadhaar number holder may voluntarily use their Aadhaar number through authentication or offline verification. Voluntary use by way of authentication has been predicated on the individual giving informed consent. The amended provision also gives the Unique Identity Authority of India (‘UIDAI’) the power to decide whether an entity may be allowed to perform authentication based on its compliance with (i) privacy and security standards, (ii) under Parliamentary law, or for a purpose approved by the Central Government. Mandatory authentication for the provision of any service shall take place if required by a law made by Parliament. Offline verification of an individual’s identity has been permitted by the Act—a process devoid of authentication and biometric information collection. Other changes include giving children the option to cancel their Aadhaar number on turning eighteen, allowing individuals to register complaints in certain cases and imposing civil penalties on entities in the Aadhaar ecosystem that fail to comply with the statute. The amendment has identified banking and telecom services as cases where Aadhaar may be voluntarily used for the verification of individual identity. For banks, a passport or any other officially valid document as notified by the Central Government may also be used. The amendment appears to be in line with the Aadhaar judgment where provisions of the PML Rules, 2005 mandatorily linking Aadhaar to bank accounts were struck down. It may be noted that the term ‘officially valid document’ has not been defined by the amending Act. In this light, RBI’s 2016 KYC Master Direction (as updated in 2019) provides for six documents including Aadhaar number, passport, driving license etc. that individuals may use for the verification of their identity. It is worth noting that the PMLA also applies to reporting entities other than banks, such as financial institutions and intermediaries. Subject to approval by the Central Government, reporting entities other than banks may use Aadhaar authentication for verifying customers’ identity. Similarly, telecom service providers shall be permitted to use Aadhaar authentication for verification The Court had earlier noted that the linking of Aadhaar with mobile connections was neither backed by law nor serving a legitimate aim. The adequacy of the amendment must be tested against certain omissions. The terms ‘voluntary’ and ‘informed consent’ are not defined in the Act. The meaning of informed consent may be understood from the draft Personal Data Protection Bill, 2018 (‘PDPB’) which is not yet law. Thus, what constitutes voluntary is ambiguous under the amendment. Moreover, even with the addition of offline verification services, the impact of the PMLA amendment remains unclear for entities that are not traditional banking companies. For example, FinTech companies such as PayTM require greater clarity on the methods by which KYC may be carried out. If not addressed, these concerns may negatively impact financial inclusion. The proposed amendment is also silent on Aadhaar data already collected under erstwhile mandatory linking schemes. Debates in the Lok Sabha had briefly dwelt on the right to be forgotten and its impact on the proposed amendment, however the Act is silent on the same. It must be emphasized that the interaction of the PDPB and Aadhaar shall form the bedrock of India’s identity-privacy balance. Thus, the absence of a data protection law will feed privacy concerns. The PDPB is yet to be tabled before the Parliament. Further, whilst permitting future use cases sanctioned by law, the Act remains silent on the nature of services. By not providing such a framework, the law perpetuates a textual ambiguity. These developments in Aadhaar are significant for the identity-privacy debate that began with the formation of the UIDAI in 2009. A decade later, it remains to be seen as to how we shall arrive at a privacy compliant digital identity framework. Read Less-
Contributed by: Dr. Shardul S. Shroff, Executive Chairman; Sohini Chatterjee, Research Fellow; K.S. Roshan Menon, Research Scholar
The Bar Council of India does not permit solicitation of work and advertising by legal practitioners and advocates. By accessing the Shardul Amarchand Mangaldas & Co. website (our website), the user acknowledges that:
Click here for important public notice from the Firm.