Widening the scope of sharing Aadhaar information with government entities, the Unique Identification Authority of India (UIDAI) has proposed amendments — called the Aadhaar (Sharing of Information) (First Amendment) Regulations, 2023 on May 8, 2023 — to the Aadhaar (Sharing of Information) Regulations, 2016. The UIDAI has invited public feedback on the amendments at suggestion.legal@uidai.net.in within 30 days.
The Aadhaar (Sharing of Information) Regulations, 2016, issued in September 2016, lays out the rules and restrictions for sharing Aadhaar information of the individuals by requesting entities and other entities or agencies, which are in possession of Aadhaar data of individuals. The UIDAI has proposed changes to the rules and restrictions that govern entities, including a requesting entity — having Aadhaar information of an individual — when it comes to using, storing, sharing and retaining of such information for varied purposes.
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
What’s a requesting entity? Under the Aadhaar Act, a requesting entity is “an agency or a person that submits Aadhaar number and demographic information or biometric information, of an individual to the Central Identities Data Repository (CIDR) for authentication”. Through the latest notification, the UIDAI aims to expand the scope of select regulations in the original 2016 Regulations.
Why it matters: The proposed amendments enable greater access to Aadhaar data of individuals collected by the entities to the authorities (amendments to Regulation 4 and 6) and also dilute the scope of consent-based data sharing (amendment to Regulation 5) with authorities for reasons not explicitly informed to the Aadhaar holder. It is important to note that the IT Ministry’s recent draft amendments to the Aadhaar Authentication for Good Governance Rules, 2020, allow private entities to conduct Aadhaar authentication of individuals.
Both these proposed amendments mainly mean greater use and access of Aadhaar data for purposes way beyond the objective of providing government benefits, subsidies, or services. Further, the more biometric information is exposed to multiple entities and their databases, the greater the threat to privacy and data security. Not to forget, these developments are taking place in the absence of a data protection law.
What are the proposed amendments?
A. On sharing of information by the Authority, i.e. the UIDAI:
Regulation 3 of the 2016 Regulations: Originally, Regulation 3 of the Aadhaar (Sharing of Information) Regulations, 2016, lists out the cases and the manner in which the Authority (which is UIDAI) can share Aadhaar information (including biometric and demographic information) with requesting entities for authentication purposes.
What’s proposed: The UIDAI has proposed amendments to sub-regulations 2 and 3 under Regulation 3, which are as follows:
- Sub-regulation 2 permits the UIDAI to share “demographic information and photograph” of an individual with a requesting entity for authentication of e-KYC data only if the Aadhaar holder has consented to the authentication process. This has to be done in accordance with the Aadhaar (Authentication) Regulations 2016. In the draft amendments, the UIDAI has replaced ‘Aadhaar (Authentication) Regulations 2016’ with ‘Aadhaar (Authentication and Offline Verification) Regulations, 2021’.
- Sub-regulation 3 enables the UIDAI to share authentication records of the Aadhaar number holder in accordance with regulation 28 of the Aadhaar (Authentication) Regulations, 2016. The UIDAI has substituted Aadhaar (Authentication) Regulations, 2016, with Aadhaar (Authentication and Offline Verification) Regulations, 2021, in the proposed amendments.
- The UIDAI has also proposed to insert a new sub-regulation (5) under Regulation 3 of the 2016 regulations. The new sub-regulation enables the UIDAI to verify supporting documents of an individual submitted at the time of enrolment for or during updating their Aadhaar. The UIDAI is looking to consistently keep track of the accuracy of data shared by the individual. The new sub-regulation reads as follows:
“(5) In order to maintain continued accuracy of data, the Authority may verify the details of the supporting documents, as specified in regulation 10(5) for enrolment data or for verification of update data, as specified in regulation 19A of the Aadhaar (Enrolment and Update) Regulations, 2016, with respective document issuing authorities, in a manner, as may be specified by the Authority from time to time.”
B. On sharing of information by a requesting entity:
Regulation 4 of the 2016 Regulations places restrictions on sharing, storage, and usage of core biometric information collected from an individual during authentication by requesting entities.
What’s proposed: The UIDAI has proposed changes to sub-regulations 1, 2, and 3 of Regulation 4, which are as follows:
- Sub-regulation (1) of regulation 4 prohibits requesting entities from storing “core biometric information” of individuals for “buffered authentication” as specified in the Aadhaar (Authentication) Regulations, 2016, and from sharing with anyone for “any reason whatsoever”. Here, the UIDAI has substituted Aadhaar (Authentication) Regulations, 2016, with Aadhaar (Authentication and Offline Verification) Regulations, 2021 in the proposed amendments.
- Sub-regulation (2), under clause (a) restricts a requesting entity from using the “identity information” of the Aadhaar holder for purposes other than that specified during authentication. It also restricts from sharing and disclosure of such information without the individual’s consent, under clause (b).
The UIDAI, under clause (b) has removed the word “consent” and added that an individual’s information shall not be disclosed for purposes other than those mentioned in writing at the time of authentication in “clear and precise” language. This amendment does away with the mandatory clause of obtaining a person’s consent for disclosing their personal information.
- Sub-regulation 3 permits the requesting entity to share details of authentication records with the Aadhaar holder and also the UIDAI for audit purposes as per Regulation 18 of the Aadhaar (Authentication) Regulations, 2016. Now, as per the amendments, the details would be shared with the individual as per Regulation 18 of the Aadhaar (Authentication and Offline Verification) Regulations, 2021, and with the UIDAI under Regulation 21 of the Aadhaar (Authentication and Offline Verification) Regulations, 2021.
C. On responsibilities of entities other than requesting entities:
Regulation 5 of the 2016 Regulations: This regulation, under three sub-regulations, lists out the responsibilities of agencies and entities other than the requesting entity with respect to the Aadhaar number. In addition to specifying the consent-based and voluntary use of Aadhaar, the regulation restricts such entities from sharing or use of an individual’s Aadhaar information for purposes other than those specified while obtaining the consent.
What’s proposed: Sub-regulation (3) of regulation 5 prohibits entities other than the requesting entities from sharing someone’s Aadhaar number without the consent of the holder. As per UIDAI’s draft amendments, there’s an addition to regulation 5(3), which states that entities or agencies shall not disclose the Aadhaar number for purposes other than those informed to the person “in writing” during the offline verification. The word “consent” from the original sub-regulation is removed in the amendment.
D. On sharing, publishing, and circulation of Aadhaar number:
Regulation 6 of the 2016 Regulations: This regulation imposes restrictions on sharing, circulating, and publishing Aadhaar numbers by any entity or agency. It restricts entities, including requesting entities, from making any database that has Aadhaar information public, from asking individuals to transmit Aadhaar data via internet unless it’s for correction of errors and is encrypted, and from retaining Aadhaar information for longer than necessary for the required purpose.
What’s proposed:
- Sub-regulation 6(3) restricts any entity, including a requesting entity from making public any “database or record” containing an individual’s Aadhaar number unless the number has been “redacted or blacked out through appropriate means” in print as well as electronic format. The UIDAI has proposed to substitute sub-regulation (3) allowing the entities, including a requesting entity to make such database with Aadhaar number public on two grounds. One, the entities have to obtain “consent of the concerned Aadhaar number holder, for the specified purpose”. Two, the Aadhaar numbers have to be redacted or blacked out, both in print and electronic format.
- Adding a new sub-regulation (6): The UIDAI has proposed to add a sub-regulation to regulation (6), which states that the “Aadhaar number, photograph and demographic information” of the holder, may be shared with various ministries or departments of the Central and State government for determining eligibility for government schemes under Section 7 of the Aadhaar Act and for authentication purposes under Section 4(4) (b) and Section 4(7) of the Act. It adds that the information can be accessed or shared only if the consent of the individual is obtained for “specified purposes”, which must be informed to the individual in clear language understandable to them.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
- IT Ministry’s Proposed Amendments Allow Private Entities To Use Aadhaar Authentication To Provide Services
- Section 57: Why Aadhaar Can’t Be Used As Authentication By Private Companies
- Government Allows Aadhaar E-KYC For Telecoms Despite Supreme Court Judgement Striking Down Section 57 Of Aadhaar Act 2016
- India’s ID Authority Cites New ‘Security Mechanism’ When Asked About Aadhaar-Based Payment Frauds
