Advocate Chaitanya S. G. said he is tired of making rounds to the court. For 11 years now, Chaitanya has been working with retired Colonel Mathew Thomas to nullify the UIDAI’s contracts with foreign companies allowing access to Aadhaar data. Their plea, recently submitted to the Karnataka High Court, talked about the contracts’ potential threat to national security – only to receive a lukewarm response.
“Our major concern is: Did the citizens of India give express right to the government in the year 2010 to hand over their data to US. foreign companies? For sure, I did not give any consent,” said Chaitanya.
Aadhaar data consists of citizens’ bank accounts, ration cards, addresses, mobile numbers etc. Considering this massive chunk of data, Thomas even submitted the plea during the Puttaswamy case in 2013. However, the Supreme Court either did not notice “the facts in this petition” or it was not brought to the apex court’s notice. Now, five years after the conclusion of that case, the High Court has advised Thomas to approach the Supreme Court again.
What is Thomas’s plea against the contracts?
The UIDAI in 2010 entered contracts with three companies (collectively called “Biometric Solution Providers” or BSPs) for setting up biometric matching services. These companies included L1 Identity Solution Operating Co. Pvt. Ltd and Accenture, both of which were contractors to US Defence, Homeland Security departments and to US intelligence agencies, as per the petition.
L1 Identity Solutions was originally registered in Delaware, US. It was later sold to a French Defence company and then sold to a group of private equity investors. It is presently named IDEMIA.
The third contract was with a collaboration between Satyam Computer Services Ltd., an Indian company, and Morpho Safran, a French Defence Contractor.
“These are all defence contractors. What does a defence contractor have to do with your collecting password information? I’ve been screaming at top of [my] voice also. But nobody listens. Unless the media is with the cause, it [the plea] will never get legs in the court,” said Chaitanya.
The UIDAI department not only gave these companies access to citizens’ Aadhaar data but also authorized them “to use, store, transfer, process, and link” data to any individual, said the plea. Accordingly, Thomas stated that the contracts violate the fundamental rights of Indian citizens and pose a serious threat to national security.
“Citizens have been made to think that the government in its own capacity is collecting those databases. In reality, private agencies are operating in the guise of government bodies and are siphoning away valuable information which could very well lead to a major security threat to our nation,” said the petition submitted to the High Court.
Thomas seeks to void contracts: Although Chaitanya mentioned that the plea will likely be revised before submission to the Supreme Court, it largely appeals to:
- Strike down all three contracts with foreign private companies and declare them as void in law.
- Issue a mandamus to the government not to use the existing UIDAI database for any purpose whatsoever.
- Direct the UIDAI to ensure that the data is not used for tracking of citizens and in the alternative to destroy the entire database.
- Ensure that data available and / or stored by the contractors is destroyed and the same is audited by Indian auditors. An independent auditor must ensure that all data is not accessible to anyone for any purpose.
- Direct the government to make suitable changes in the Aadhaar Act to achieve the objectives of the said Act.
- Appoint a commission to decide on measures to prevent misuse of the data which is already in the possession of the foreign entities.
What are the plea’s grounds for nullifying the contracts?
Largely, the petition makes its case on the following grounds:
- Ownership of personal data of Indian citizens
- Processing of Aadhaar data by foreign companies poses a threat to the sovereignty of India
- Aadhaar data fails to be accurate
- Aadhaar is not a unique ID
Citizens own their personal data: The draft National e-Commerce Policy, 2019 states that an individual owns the right to their data which can be used only with his/her express consent. Even anonymised data of a group of individuals is the collective property of the group. As such, the plea states that the data generated in India belongs to Indians and calls it a “national asset.”
Access to data can be a threat to national security: Despite government assurances, Thomas pointed out how a clause in the contracts allows foreign private firms to not only collect more data but also “use it in any way they wish.” Moreover, Clause 3.2.3 of the contract shows that the government “has no control over the output from the system when data of those enrolling is entered into it.” The plea alleges this is a “serious threat to national security.”
No assurance of Aadhaar data: In Clause 4.1.1 of Annexure ‘E’, the government “provides no assurance” of demographic data accuracy and advises against its use for de-duplication. By its own admission, the government states that the data cannot be used for biometric identification of the larger population.
Aadhaar is not a unique ID: The UIDAI in an affidavit admitted before the Delhi High Court that dead bodies cannot be identified using biometrics. Instead, the system can only identify a person if her / his Aadhaar number is known. According to the plea, this is the clearest admission that Aadhaar cannot result in unique identities.
“If dead bodies cannot be uniquely identified, living bodies too cannot be uniquely identified,” it said.
Aadhaar far from a social security code: Originally touted as an Indian version of the Social Security Code, Aadhaar was later revamped as a means to efficiently avail government subsidies. However, now that Aadhaar is used for various government transactions, the plea calls it “an amorphous and leaky agglomeration of databases.”
“[The data] connect names, faces, and prints to their demographic (caste, education, religion, etc.) and financial data (banking details, online purchases, wallet transfer, etc.),” said the plea.
All in all, the plea accused the contracts of being “illegal” because they violate rights of Indian citizens under Article 51 and contravene the sovereign duties of the government to protect its people from foreign assault and intrusion.
How does the government respond to these claims?
The plea acknowledges the government statement that the data is ‘safe and protected.’ MediaNama also sent the following queries to three officials in the UIDAI department:
- Is it true that Aadhaar data of Indian citizens is accessible to the foreign companies in contract with UIDAI?
- What are all the specific data points accessible to the companies?
- Has the government taken any preventative measures to ensure that citizens’ data is not misused by the companies? What are these measures?
- Since the contract was formed as far back as 2010, have there been any changes in the terms of contract?
However, the government is yet to answer the questions. We will update this article if and when responses are received.
Should we be worried about ‘national security’?
Obviously, the idea that some foreign companies have access to one’s Aadhaar data is quite daunting. For Siddharth Sonkar, author of What Privacy Means (2022), such access can raise concerns like border security.
“One of the biggest concerns with companies’ access to such data, in the context of national security, is if, for instance, there are specific defense persons that have shared information relating to their phone numbers. It’s possible to trace the location of such personnel using that phone number,” he said.
Still, this depends on whether such data actually exists and whether the companies can identify specific army personnel. Another factor to consider is how granular the companies’ access to this information is.
There’s always a risk of contractual breach: While most contracts include terms banning use of information beyond the purpose of the contract, there’s always a risk of contractual breach. Sonkar pointed out that even if companies don’t breach contractual terms, in some countries the governments have powers under surveillance laws to access information, originally accessed by the company.
“So in those situations it becomes problematic. But again, the extent to which it can actually result in any tangible harm would depend on the extent you are able to tie this information with a strategic person,” he said.
Govt’s past instances of violating citizens’ privacy rights
In 2021, the Karnataka High Court barred the Indian government and the National Informatics Centre (NIC) from sharing user data stored in the Aarogya Setu app with other government departments and agencies without individuals’ informed consent. The court called it a violation of the Supreme Court judgement that recognised privacy as a fundamental right.
On June 8, 2022, the NIC said that the Protocol has since been discontinued, while replying to an RTI filed by the Internet Freedom Foundation. However, the Protocol’s data collection practices have already faced flak for failing on ‘principles of legality, necessity and proportionality.’ Moreover, the response did not clarify how data collected until 2022 is being accessed, managed or deleted, “leaving privacy concerns largely unanswered.”
What’s the way forward?
Sonkar said that rather than worrying about companies’ access to data, the focus should be on how to ensure that companies do not misuse such data. He argued that it is often necessary to involve foreign players to “bridge the gap [in] the country’s economic, defence or infrastructure inefficiencies.” Moreover, some companies are also subject to laws from their own country, which often require them to overridingly comply with their own domestic laws over that of, say, India.
“In that situation, if you don’t comply with the law, you could have penal consequences for not complying with them. In India we have this laws like that,” he said.
Walking away from Aadhaar is also not an option considering many people are now reliant on the same for availing subsidies and benefits.
“I think the solution is instead to try and identify situations where it becomes an issue for foreign companies to have information, such as in countries where vendors exist and they are subject to laws which require sharing of information with the government. And we know that there is a potential risk that this government may misuse the information that is shared, such as in the context of quality defence possible,” said Sonkar.
Government should follow court guidelines: Shashank Mohan, Program Manager at the Centre for Communication Governance (CCG), told MediaNama that the Supreme Court in the Aadhaar judgment had clarified that “private entities shouldn’t have access to Aadhaar data.” The Supreme Court also said that before accessing biometric data even by the government, judicial authorisation must be a requirement.
“Such guidelines must be followed by the government,” he said.
These instances of government side-stepping make a strong case for creating laws relating to Aadhaar data. The latest such government document was the Digital Personal Data Protection (DPDP) Bill, 2022. MediaNama has created a comprehensive guide looking at various aspects of the Bill. Sadly, the Bill makes no mention of Aadhaar or any such sensitive data. In fact, the DPDP Bill appears to have removed safeguards for sensitive personal data.
What does the DPDP Bill say about sharing data with foreign companies? Well, nothing. In the 2021 version of the Bill, the Joint Parliamentary Committee (JPC) suggested that “mirrored copies of sensitive and critical personal data” in foreign hands must be mandatorily brought to India within a specific time period. It advised that the Bill provide data localisation provisions once a Data Protection Authority (DPA) is established. It also suggested that the central government work on a separate data localisation policy.
However, the DPDP Bill says nothing about data localisation. Companies can directly transfer data to the countries approved by the government. Worse still, it doesn’t even talk about personal data in the hands of foreign companies or list which countries can receive Indians’ data.
Chaitanya estimated that the plea will be submitted in the coming weeks. Despite the general indifference to the issue, he remains hopeful.
“If people have that awareness, people have enormous strength. Even now, if we wake up, it’s not too late. Let’s assume that data is safe with the Indian government for a moment. But first let us go ahead and nullify this agreement. It should be declared as null and void,” he said.
Doing so will make it seem as though each and every individual has entered into contract. Considering that no consent was ever sought or given, this will mean that the provisions of the contract cannot be enforced.
Note: The headline was updated on November 22, 2022 at 4:55 PM to correct a grammatical error. The lead sentence was updated at 6:40 PM to correct the spelling of Advocate Chaitanya S.G. and the designation of Shashank Mohan.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.