An aadhaar to privacy by Apar Gupta
Most of the debate on the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 has centered on the right to privacy. All five amendments suggested by the Rajya Sabha to the Aadhaar Act, subsequently rejected by the Lok Sabha, had an element of this right within them. Though credible, the amendments failed to notice the core deficiency of the law rested not in the lack of protections within the Aadhaar Act, but in the absence of a comprehensive privacy statute to develop and enforce them.
To gauge the level to which privacy is safeguarded we must look at both the substantive protection and the procedure available to enforce them. Many people regard privacy as an amorphous concept, which is also why it is hard for them to visualize any harm to it. Recognizing this problem in 2012 the Justice A.P. Shah Committee conducted comparative research of existing law, international treaties and foreign legislations and suggested nine distinct principles canonizing the right to privacy. An analysis of the Aadhaar Act shows that it does not even recognize some of these nine principles, remaining substantively inadequate. For instance, take the principle of access; a person cannot in any instance demand access to their core biometric information under the Aadhaar Act. Since no public consultation was conducted on the draft law and the explanatory memorandum is silent we can only guess why this deficiency exists.
Greater difficulty exists to enforce the laconic safeguards of the Aadhaar Act. Broadly, the three forms of judicial remedies usually enforced are civil, criminal and the writ jurisdiction of the High Courts and the Supreme Court of India. Any litigant can attest to their sloth and indeterminacy. But while they may require a lot of time and persistence, they also deliver justice. The Aadhaar Act makes all these three remedies ineffective for individuals.
The civil remedies under the law oust the jurisdiction of the civil courts in favor of the system set up for penalties under the Information Technology Act. The existing penalties under the IT Act are deficient, as they were never intended to provide comprehensive privacy legislation. Even if they are amended the enforcement under the IT Act has never worked properly and shows no promise of improvement. Under it the jurisdiction of civil courts is barred in favor of, “adjudicating officers”. These officers are usually a serving IT Secretary of the State Government given an additional charge to adjudicate cases under the IT Act. Though persons of high competence, they are not usually trained in law, lack a permanent seat and clerical staff for the court they hold. This lack of resources and training handicaps not only their capacity but also the quality of judicial orders necessary to withstand review. Such scrutiny would naturally arise in appeal as provided under the IT Act — but for the last 3 years the Cyber Appellate Tribunal that hears such appeals has not been properly constituted and is not functioning.
Problems with enforcement of the criminal remedies are more straightforward. Only the Unique Identification Authority that administers the Aadhaar programme can make complaints for the offences contained under the Aadhaar Act. Not only is this a conflict of interest, but it also takes away the injured party/Aadhaar user’s recourse to a criminal remedy. It may be argued by some that penal provisions under the IT Act and the Indian Penal Code do exist and can be invoked by individuals. But such an assertion must consider the absence of any notification mechanism. The Aadhaar user is never informed when a crime occurs of their data. They will never have the particulars necessary to register a criminal complaint.
This brings us to the final remedy of writs that can be availed to enforce the fundamental and statutory rights available to a person. It would normally be expected that any person would be able to approach a High Court for the enforcement of rights under the Aadhaar Act. Especially when the Unique Identification Authority does not provide authentication as it is intended to do or fails to correct the data records. Most people know the poor quality of data entry in their government IDs. They would agree that a mandatory scheme such as Aadhaar requires a safeguard clearly conferring a right than can be enforced through a writ. However these rights are problematically phrased as “requests” for supplying and correcting information of an Aadhaar user (on the basis of which all authentication happens). This dilution is made clear by the absence of the requirement of a hearing, a reasoned order or an appellate process under the Aadhaar Act.
It is not without reason the Justice A.P. Shah report on privacy suggested a comprehensive legislation to safeguard privacy and also the office of a central privacy commissioner to develop and apply it. Even when suggesting the establishment of a privacy commissioner, who could impose penalties for violations, it recognized the central role of existing judicial forums by retaining the jurisdiction of the civil courts. While many may see privacy as the core issue in the Aadhaar programme, privacy itself transcends it. As our everyday lives become connected, a comprehensive privacy legislation is an essential safeguard. This is not a product of paranoia against digital surveillance but a basic ask for the legal protection of a human right.
Crossposted with permission from the author.
Apar Gupta is a litigator based in New Delhi, India. He holds a masters degree from Columbia Law School and has authored a Commentary on the Information Technology Act, 2000 (published by LexisNexis). His Twitter handle here.