The Union government has inserted a new clause in the Aadhaar Amendment Act, according to Mint, which will allow the use of Aadhaar data by the states for implementing their schemes. The clause will permit the state government’s to use biometric information for devolution of funds. The Aadhaar Amendment Bill 2019, which is now passed in both houses of Parliament, inserts a new section 5A, it reads: “In section 7 of the principal Act, after the words “the Consolidated Fund of India”, the words “or the Consolidated Fund of State” shall be inserted,” the bill noted. The report said that with the insertion of the consolidated fund of state, the states will also be allowed to use the Aadhaar database for better targeting of schemes.

While speaking on the amendment in Rajya Sabha on July 8, IT Minister RS Prasad had said many state governments had complained and so the insertion has been made. “Therefore, what we have done is, under clause 7, we are giving the benefit to schemes that are paid out of the Consolidated Fund of India. But if we, in the States also, give many subsidies, kindly also bring the Consolidated Fund of State. So, that amendment also has been approved by the Lok Sabha”.

The State Resident Data Hubs

In 2012, UIDAI had directed a group of private companies to develop data hubs in states to ensure efficient Aadhaar-enabled service delivery. In 2014, state resident data hub (SRDH) – a unified Aadhaar enabled database of all the citizens – was introduced in many states by the state department of information technology. This repository is accessed by all departments for delivery of services. It contains citizens’ information including demographic data and photographs. although biometrics aren’t stored at the state level, but only with the CIDR.

However, in 2018, it was reported that the UIDAI had provided almost the copies of the Aadhaar database to the SRDHs, compromising privacy. During that time, data security researcher Srinivas Kodali had also said that SRDHs are surveillance databases and UIDAI actively shared all the data with these hubs. The Aadhaar regulator said it had stopped sharing the details after Supreme Court’s ruling on Aadhaar, however, the SRDHs already had personal and biometric information on the citizens. With this clause, states will get legal permission to use Aadhaar biometric data.

During the Lok Sabha session on July 4th, IT Minister RS Prasad had said that Aadhaar is voluntary. He explained that companies are not allowed to store any Aadhaar data or biometrics, that they’ll be fined Rs 10 crore if they do not follow the rules. He also added that services will not be denied in case of absence of Aadhaar, and identities apart from Voter ID and passport will be notified for use after the bill is passed.

IT Grids case: CIDR data may have been leaked

7.8 crore Aadhaar records from Andhra Pradesh and Telangana were found on the hard disks of IT Grids Pvt. Ltd, the firm which operates the Telugu Desam Party’s Sevamitra app. The case came into light when the company was raided by the Cyberabad police following a complaint a data analyst T Lokeshwar Reddy. The complaint and FIR noted that the IT Grids’ possession of extensive Aadhaar data likely meant that the data was sourced from either the Central Identities Data Repository (CIDR) or the State Resident Data Hub (SRDH).

Andhra Pradesh police from Guntur allegedly abused and threatened the Reddy and tried to take him away. However, the move was not successful as Telangana police offered him with protection. This led to a rift between Andhra Pradesh and Telangana governments over the jurisdiction of the case. Meanwhile, TDP alleged that Telangana Rashtra Samithi (TRS) had stolen the data as the hard disk and other materials were seized without any prior notice to the IT Grids owner. On the other hand, Andhra Pradesh chief minister, Nara Chandrababu Naidu had warned the Telangana government saying that if the state files one case then he will respond with four cases.

Later in April, it was reported that special investigation team (SIT) probing the IT Grids case had found that the company had Aadhaar records from “other southern states and a few states in north India” apart from data from AP and Telangana. At least 2 crore records from Punjab was also found with the company.

What will the Aadhaar Amendment Bill change?

The Aadhaar and Other Laws (Amendment) Act, 2019 will amend the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and further to amend the Indian Telegraph Act, 1885 and the Prevention of Money-laundering Act, 2002. It will also replace the Ordinance promulgated on March 2nd, which allows for voluntary use of Aadhaar data.

  • Offline verification of Aadhaar number: The bill allows ‘offline verification’ of an individual’s identity with consent.  The demographic information or any other information collected from the individual for offline verification will only be used for the purpose of such verification. During offline verification, the entity will not be allowed to “collect, use, or store an Aadhaar number or biometric information of any individual for any purpose”. It will also have to inform the users about the alternative ways for sharing the information.
  • Allows private bodies such as banks and telcos to use Aadhaar as one of the ‘know your customer’ (KYC) methods for authenticating users.
  • Voluntary use of Aadhaar: “Every Aadhaar number holder to establish his identity, may voluntarily use his Aadhaar number in physical or electronic form by way of authentication or offline verification, or in such other form as may be notified, in such manner as may be specified by regulations,” according to the amendment bill. Thus, users will be allowed to choose other modes for authentication as well. Producing Aadhaar details will not be mandatory.
  • Using Aadhaar data: According to the bill, an entity may be allowed to perform authentication through Aadhaar only if UIDAI finds the organisation to be:
    • compliant with certain standards of privacy and security;
    • permitted by law or;
    •  seeking authentication for a purpose specified by the central government in the interest of the state.
  • Penalty: The bill out a penalty mechanism for failing to comply with the provisions of the Act, such as the appointment of an adjudicating officer, punishment for up to 3 years for violations, and also allows the Aadhaar number holder to file a complaint.
  • Alternative virtual identity: To conceal the actual Aadhaar number of an individual an alternative virtual identity will be created.
  • The amendment provides for the establishment of the UIDAI Fund.
  • Removing Section 57 of Aadhaar Act: The amendment bill strikes down Section 57 of the Aadhaar Act which allowed private entities to collect Aadhaar data of individuals.