The Aadhaar and Other Laws (Amendment Bill), 2018 has been tabled in the lower house of the Parliament for consideration, despite resistance from opposition parties. The bill seeks to amend three acts: the Aadhaar Act 2016, the Indian Telegraph Act, 1885 and the Prevention of Money-Laundering Act, 2002. The bill can be read here.
What does this amendment do?
The proposed amendment allows private bodies such as banks and telcos to use Aadhaar as one of the ‘know your customer’ (KYC) methods for authenticating users. This is in contravention to the Supreme Court’s judgment on Aadhaar which limited the Aadhaar authentication for services, subsidy and benefits under Section 7 of the Act. The judgment also disallowed private companies from using Aadhaar by striking down Section 57 of the Aadhaar Act.
Here are some of the important proposed changes in the current amendment:
1. Expanding the meaning of the “Aadhaar number“: The Aadhaar number will also include “any alternative virtual identity generated.”
What this means: Earlier, the Aadhaar number only referred to the 12 digit UID number given by the UIDAI upon receipt of demographic and biometric information of an Indian resident. Now, it has been expanded to include the sixteen digit Virtual ID that people can use to mask their Aadhaar number and share information with third parties. The expanded definition effectively brings the Virtual ID also under the Act.
2. Overarching powers for the UIDAI: The proposed amendment gives power to the UIDAI to issue directions to any entity in the Aadhaar ecosystem.
What this means: Earlier Banks had questioned the jurisdiction of the UIDAI to give them orders, saying that, as per the Banking Regulation Act, only the Reserve Bank of India and finance ministry’s department of financial services (DFS) is empowered to issue directives. This amendment gives the UIDAI the power to issue orders to any entity in the Aadhaar ecosystem, which includes enrolment agencies, registrars, requesting entities and offline requesting entities. This therefore can include banks, telcos and other government and private bodies, as “requesting entities”.
3. Interchangeable use of authentication and verification: While the original Aadhaar Act uses the term verification only twice, the amendment bill uses the term 31 times. The original document only talks about biometric authentication which is the “process through which biometrics or demographic information of an individual is verified from Central Identities Data Repository”.
Who will be allowed to use authentication and how?
An entity can be allowed to carry out authentication if they are compliant with the privacy and security regulations of the UIDAI. They can also be permitted to authenticate a user under the provisions of Parliamentary law or if the authentication is done in the “interest of the State.”
- The UIDAI will decide whether an entity should be permitted the use of the actual Aadhaar number or virtual identity.
Why this is being done: The Supreme Court had prevented private parties from (biometrically) authenticating users via Aadhaar. By adding/replacing that phrase with verification, the government is thereby expanding the scope of Aadhaar to include verification, which may not be biometric, and may include offline means. This enables the offline verification (explained below).
4. Introduction of offline verification:The proposed bill also includes a new sub-section, under which any private body using an offline Aadhaar-verification shall not force the Aadhaar card holder to authenticate, nor can it collect, use or store an Aadhaar number or biometric information for any purpose. Currently, the QR code is the only proposed form of offline Aadhaar authentication.
- Amendment in the Telegraph Act: As per the amendment, a user can identify herself voluntarily through one of these modes: Aadhaar authentication, offline verification, passport or any other officially valid document. Users cannot be denied services for not having an Aadhaar number.
- Amendment in the Money Laundering Act: A client can voluntarily identify themselves through Aadhaar authentication, offline Aadhaar verification, passport or any other legal document notified by the Central Government. No person can be denied services for the want of Aadhaar.
5. Voluntary but mandatory (Nikhil adds): The nature of Aadhaar prior to the Supreme Court judgment was such that even though it was deemed voluntary, several government departments and banks were making it mandatory. The new amendment uses the word “voluntary” repeatedly, in order to highlight the voluntary-ness of Aadhaar verification, but at the same time, includes a clause which says:
“Notwithstanding anything contained in the foregoing provisions, mandatory authentication of an Aadhaar number holder for the provision of any service shall take place if such authentication is required by a law made by Parliament”
This suggests that there is a possibility of the Government coming up with a law, or amending a law (such as the Telegraph Act or the PML Act) to make Aadhaar mandatory for certain services. Here, the government is essentially using the supremacy of Parliament to override the Supreme Court.
6. Infirmity, old age etc.: The proposed amendment makes a provision in Section 8 of the Aadhaar Act which provides an alternative means of identification if a person fails to authenticate themselves through Aadhaar due to illness, injury or infirmity owing to old age or any other technical reason.
What this means: There are reported cases of exclusion and starvation deaths, as the Aadhaar authentication failed due to fading fingerprints or other technical issues. As a result of this, people were not able to avail benefits under social welfare schemes. The amendment provides exemptions to those dependent on these schemes.
7. How it governs children:
- A child Aadhaar card holder, within a period of six months of attaining 18 years of age, can make an application for cancellation of his Aadhaar number. Earlier a young adult did not have the provision of opting out.
- A child shall not be denied any subsidy, benefit or service if his Aadhaar authentication fails.
Problem: The time frame to be able to opt out is arbitrary, and the Supreme Court had put no such limitation in its judgment. The amendment also does not talk about the opt out option for other adults who were enrolled before Aadhaar Act came into force, which the Supreme Court had ordered.
8. Conditions for disclosure of information stored in CIDR: Earlier, a district court judgment could ask for disclosure of information from the Aadhaar Central Identities Data Repository (CIDR). This amendment allows only a judge not inferior to that of the High Court of India to request information. While the earlier provision allowed the disclosure only after UIDAI had made a case in the matter, now the amendment also empowers the Aadhaar number holder along with the authority to get themselves heard.
Penalties for non-compliance
The proposed amendment has paved the way for a new chapter that deals with “penalty for failure to comply with provisions” of the Act.
- The entity which does not comply the provisions of the Act, shall be liable to a penalty which may extend to Rs 1 crore. In a continuing case of contravention, there will be an additional penalty of Rs 10 lakh every day.
Appointment of an Adjudicating officer: The UIDAI will appoint an adjudicating officer to carry out such penalties. Their rank will not be below the Joint Secretary of the Government of India.
Option of appealing against the Officer’s order: A person or entity may file an appeal before Telecom Disputes Settlement and Appellate Tribunal, if aggrieved by an order of the Adjudicating Officer. The appeal can be filed within 45 days from the day of the order.
- “No civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter” in which the Adjudication Officer or the Appellate Tribunal is empowered to determine.
Penalties: The term of imprisonment for unauthorised access to CIDR goes up from three years to ten years.
- Penalty for unauthorised use by requesting entity or an offline verification seeking entity may extend to three years or with a fine of up to Rs 10,000. For a company, the fine may extend to Rs 1 lakh or both.
- General punishment for an offence which has not specifically notified under the Aadhaar Act, has been extended from one year to three years.
- The amendment allows the Aadhaar number holder to file a complaint. Earlier, the complaint could only be filed by UIDAI or its officers.
Concern: The penalties were mentioned in the Aadhaar Act as well. But the Act failed to create an oversight mechanism that could prevent Aadhaar data leaks from different departments. The amendment fails to propose any mechanism that reports or to plug the leaks.
- The bill also fails to differentiate between a whistle-blower and an offender, which can have an implication on the press freedom as seen in the Rachna Khaira case.
Deletion of authentication records: The court, in its order, specified that the authentication records must not be saved beyond a period of six months but the bill fails to address this.
Need for data protection bill: The Personal Data Protection Bill, with adequate consultation, should be the priority of the government, to adequately address issues related to data security and informational privacy.