Update at 1:00 pm: IT Minister RS Prasad introduced the Aadhaar and Other Laws (Amendment) Bill, 2019 in the Lok Sabha today. NK Premachandran, MP from Kollam (Kerala), opposed the introduction of the Bill, to which Prasad countered that “Aadhaar does not violate privacy and it is in national interest”. Prasad stated that all the issues Premachadran raised have been “dealt with”. Prasad said that usage of Aadhaar for bank and SIM linking was so far being done through circulars and rules, but now it’ll be done through an act of Parliament. He pointed out that under the amendment bill, a child’s consent for Aadhaar will be taken after he becomes an adult, and that there is also a provision for offline verification.
Premachandran opposed the Bill’s introduction
Premachandran had opposed the introduction of the bill on three grounds: “first, the Aadhaar Amendment Bill violates the SC judgment, second, it allows private entities to hold Aadhaar data, even when the SC specifically directed all agencies to delete Aadhaar data, and third, it violates fundamental rights including the right to livelihood … ”
Amendments against spirit of SC judgment, violates fundamental right to privacy: “The Puttuswamy judgment restricted use of Aadhaar only for schemes involving subsidies and those paid out of the Consolidated Fund of India; the Bill intends to amend three laws, the Aadhaar Act, 2016, Telegraph Act, and PMLA Act. Clause 7 of the amendment which amends Section 4 mandates Aadhaar authentication. This is against the spirit of the SC judgment, it violates right to privacy which is a fundamental right, and violates a historic judgment of the SC which allowed Aadhaar only for subsidies. The bill also allows use of Aadhaar for services availed under PMLA. Further, clause 24 of amendment allows telcos for use of Aadhaar for online and offline authentication, and allows for private authentication and holding Aadhaar data, again in violation of the SC judgment. The amendment inserts a new section 11A, amending PMLA, allowing banks to use Aadhaar. I strongly oppose the introduction of the bill.”
Points out that Personal Data Protection needs to come first: Pointing out that since PM Modi was in the house, he flagged that government is passing other laws around use of data, even as the Personal Data Protection Bill has not yet been introduced in Parliament. “Instead of bringing PDP Bill, you’re amending the Aadhaar amendment,” he said. He said that personal data needs to be protected, and again stated that he opposes the introduction of the bill. Other MPs wanted to raise objections to the introduction of the bill, but the Lok Sabha speaker Om Birla said they should have given notice for it earlier.
The motion to introduce the Bill is then put to vote and is passed#Aadhaar Amendment Bill gets introduced
— Maadhyam (@_maadhyam_) June 24, 2019
Supreme Court upheld Aadhaar & Aadhaar Law. SC suggested that provision regarding use of Aadhaar for issuing SIM card and opening Bank account should be done by law, not by executive order. Therefore this amendment was needed. Use of Aadhaar for these purposes will be voluntary. pic.twitter.com/Ptr1syjeh6
— Ravi Shankar Prasad (@rsprasad) June 24, 2019
Original story at 11:00 am:
Minister for IT and Law and Justice RS Prasad will introduce the Aadhaar amendment bill, to replace the Aadhaar ordinance, today in the Lok Sabha’s ongoing Budget Session. The bill is listed in the Lok Sabha’s agenda for today. Titled the Aadhaar and Other Laws (Amendment) Bill, 2019, it will allow private bodies such as banks and telcos to use Aadhaar as one of the ‘know your customer’ (KYC) methods for authenticating users. This is in contravention to the Supreme Court’s judgment on Aadhaar, which limited Aadhaar-based authentication for services, subsidies and benefits under Section 7 of the Act. The judgment also scrapped Section 57 of the Act, which allowed private firms to use Aadhaar. The bill will amend three laws: the Aadhaar Act 2016, the Indian Telegraph Act, 1885 and the Prevention of Money-Laundering Act, 2002.
The Aadhaar and Other Laws (Amendment) Bill, 2018 was passed by the Lok Sabha on January 4. The bill lapsed in the Rajya Sabha on January 9, the last day of the 16th Lok Sabha. The government, however, passed the Aadhaar ordinance in February.
Here’s an explainer on what the Aadhaar amendment bill will change:
What does this amendment do?
1. Expanding the meaning of the “Aadhaar number“: The Aadhaar number will also include “any alternative virtual identity generated.”
What this means: Earlier, the Aadhaar number only referred to the 12 digit UID number given by the UIDAI upon receipt of demographic and biometric information of an Indian resident. Now, it has been expanded to include the sixteen digit Virtual ID that people can use to mask their Aadhaar number and share information with third parties. The expanded definition effectively brings the Virtual ID also under the Act.
2. Overarching powers for the UIDAI: The proposed amendment gives power to the UIDAI to issue directions to any entity in the Aadhaar ecosystem.
What this means: Earlier Banks had questioned the jurisdiction of the UIDAI to give them orders, saying that, as per the Banking Regulation Act, only the Reserve Bank of India and finance ministry’s department of financial services (DFS) is empowered to issue directives. This amendment gives the UIDAI the power to issue orders to any entity in the Aadhaar ecosystem, which includes enrolment agencies, registrars, requesting entities and offline requesting entities. This therefore can include banks, telcos and other government and private bodies, as “requesting entities”.
3. Interchangeable use of authentication and verification: While the original Aadhaar Act uses the term verification only twice, the amendment bill uses the term 31 times. The original document only talks about biometric authentication which is the “process through which biometrics or demographic information of an individual is verified from Central Identities Data Repository”.
Who will be allowed to use authentication and how?
An entity can be allowed to carry out authentication if they are compliant with the privacy and security regulations of the UIDAI. They can also be permitted to authenticate a user under the provisions of Parliamentary law or if the authentication is done in the “interest of the State.”
- The UIDAI will decide whether an entity should be permitted the use of the actual Aadhaar number or virtual identity.
Why this is being done: The Supreme Court had prevented private parties from (biometrically) authenticating users via Aadhaar. By adding/replacing that phrase with verification, the government is thereby expanding the scope of Aadhaar to include verification, which may not be biometric, and may include offline means. This enables the offline verification (explained below).
4. Introduction of offline verification:The proposed bill also includes a new sub-section, under which any private body using an offline Aadhaar-verification shall not force the Aadhaar card holder to authenticate, nor can it collect, use or store an Aadhaar number or biometric information for any purpose. Currently, the QR code is the only proposed form of offline Aadhaar authentication.
- Amendment in the Telegraph Act: As per the amendment, a user can identify herself voluntarily through one of these modes: Aadhaar authentication, offline verification, passport or any other officially valid document. Users cannot be denied services for not having an Aadhaar number.
- Amendment in the Money Laundering Act: A client can voluntarily identify themselves through Aadhaar authentication, offline Aadhaar verification, passport or any other legal document notified by the Central Government. No person can be denied services for the want of Aadhaar.
5. Voluntary but mandatory: The nature of Aadhaar prior to the Supreme Court judgment was such that even though it was deemed voluntary, several government departments and banks were making it mandatory. The new amendment uses the word “voluntary” repeatedly, in order to highlight the voluntary-ness of Aadhaar verification, but at the same time, includes a clause which says:
“Notwithstanding anything contained in the foregoing provisions, mandatory authentication of an Aadhaar number holder for the provision of any service shall take place if such authentication is required by a law made by Parliament”
This suggests that there is a possibility of the Government coming up with a law, or amending a law (such as the Telegraph Act or the PML Act) to make Aadhaar mandatory for certain services. Here, the government is essentially using the supremacy of Parliament to override the Supreme Court.
6. Infirmity, old age etc.: The proposed amendment makes a provision in Section 8 of the Aadhaar Act which provides an alternative means of identification if a person fails to authenticate themselves through Aadhaar due to illness, injury or infirmity owing to old age or any other technical reason.
What this means: There are reported cases of exclusion and starvation deaths, as the Aadhaar authentication failed due to fading fingerprints or other technical issues. As a result of this, people were not able to avail benefits under social welfare schemes. The amendment provides exemptions to those dependent on these schemes.
7. How it governs children:
- A child Aadhaar card holder, within a period of six months of attaining 18 years of age, can make an application for cancellation of his Aadhaar number. Earlier a young adult did not have the provision of opting out.
- A child shall not be denied any subsidy, benefit or service if his Aadhaar authentication fails.
Problem: The time frame to be able to opt out is arbitrary, and the Supreme Court had put no such limitation in its judgment. The amendment also does not talk about the opt out option for other adults who were enrolled before Aadhaar Act came into force, which the Supreme Court had ordered.
8. Conditions for disclosure of information stored in CIDR: Earlier, a district court judgment could ask for disclosure of information from the Aadhaar Central Identities Data Repository (CIDR). This amendment allows only a judge not inferior to that of the High Court of India to request information. While the earlier provision allowed the disclosure only after UIDAI had made a case in the matter, now the amendment also empowers the Aadhaar number holder along with the authority to get themselves heard.
Penalties for non-compliance
The proposed amendment has paved the way for a new chapter that deals with “penalty for failure to comply with provisions” of the Act.
- The entity which does not comply the provisions of the Act, shall be liable to a penalty which may extend to Rs 1 crore. In a continuing case of contravention, there will be an additional penalty of Rs 10 lakh every day.
Appointment of an Adjudicating officer: The UIDAI will appoint an adjudicating officer to carry out such penalties. Their rank will not be below the Joint Secretary of the Government of India.
Option of appealing against the Officer’s order: A person or entity may file an appeal before Telecom Disputes Settlement and Appellate Tribunal, if aggrieved by an order of the Adjudicating Officer. The appeal can be filed within 45 days from the day of the order.
- “No civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter” in which the Adjudication Officer or the Appellate Tribunal is empowered to determine.
Penalties: The term of imprisonment for unauthorised access to CIDR goes up from three years to ten years.
- Penalty for unauthorised use by requesting entity or an offline verification seeking entity may extend to three years or with a fine of up to Rs 10,000. For a company, the fine may extend to Rs 1 lakh or both.
- General punishment for an offence which has not specifically notified under the Aadhaar Act, has been extended from one year to three years.
- The amendment allows the Aadhaar number holder to file a complaint. Earlier, the complaint could only be filed by UIDAI or its officers.
Concern: The penalties were mentioned in the Aadhaar Act as well. But the Act failed to create an oversight mechanism that could prevent Aadhaar data leaks from different departments. The amendment fails to propose any mechanism that reports or to plug the leaks.
- The bill also fails to differentiate between a whistle-blower and an offender, which can have an implication on the press freedom as seen in the Rachna Khaira case.
Deletion of authentication records: The court, in its order, specified that the authentication records must not be saved beyond a period of six months but the bill fails to address this.
Need for data protection bill: The Personal Data Protection Bill, with adequate consultation, should be the priority of the government, to adequately address issues related to data security and informational privacy.
This article was updated at 1: 00 pm with developments in the Lok Sabha. Originally published at 10:50 am.