With Aadhaar Amendments Passed, Need Data Protection Bill And Surveillance Reform

The hurry to pass the Aadhaar Amendment Bill has to be juxtaposed with the delay in tabling the Data Protection Bill.

An  iPhone is covered with chains in this arranged photograph. (Photographer: Craig Warga/Bloomberg)
An iPhone is covered with chains in this arranged photograph. (Photographer: Craig Warga/Bloomberg)

What explains the Indian government’s rush to push through the Aadhaar Amendment Bill, which allows private parties to collect data, even before a data protection law is in place, and without these significant amendments going before a Parliamentary Standing Committee?

Fintech companies, which relied extensively on Aadhaar for lowering their cost of customer authentication, it must be remembered, had gone before the Supreme Court to make their case for retaining Aadhaar for electronic know-your-customer verification. The Supreme Court, in its verdict, had struck down Section 57 of the Aadhaar Act, which enabled private companies from using Aadhar, saying:

“(c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.”

The Aadhaar Amendment Bill allows for the usage of the Aadhaar number for verification, by private parties, and thereby doesn’t prevent them from collecting the Aadhaar details of an individual.

The bill tactically avoids using the word authentication in the context of private parties, and uses the word ‘verification’ 31 times, as a means of bypassing what appears to be the Supreme Court’s emphasis on avoiding authentication, which typically refers to biometric authentication or the e-KYC process.

It means that a private party can verify and collect the Aadhaar number, a scan or a photocopy of the Aadhaar card, or read a user-generated Aadhaar QR code for a transfer, of an individual even if she doesn’t do biometric authentication. This will enable banks, fintech companies, and mobile phone companies, among others, to seek a user’s Aadhaar details.

However, remember that the Supreme Court had warned against commercial exploitation of even an individual’s demographic information by private entities.

A constitutional challenge to this Amendment of the Aadhaar Act will give the Supreme Court an opportunity to revisit its Aadhaar judgment, because the government, by itself, seems to be bypassing what appeared to be the Supreme Court’s intent in striking down Section 57.

The Supreme Court also needs to look at Aadhaar in the context of what appears to be the Indian government’s overt approach to the nationalisation and privatisation of personal data.

The Indian government is pushing hard on digitisation, data localisation, government access to data, and data sharing. For example, the Economic Survey 2018-2019 has a chapter on data which suggests the creation of a Central Welfare Database of citizens, which will combine four distinct sets of data about people: administrative data, including birth and death records, pensions, tax records, marriage records, etc.), survey data (including Census data, National Sample Survey data, etc.), institutional data (public school data on pupils, public hospital data on patients, etc.) and transactions data (e-National Agriculture Market data, United Payments Interface data etc.). The Economic Survey goes on to suggest that the private sector may be granted access to select databases for commercial use, in line with the “notion of data as a public good”. We’ve also seen similar themes, of data as a public good, play out in the draft e-commerce policy which positioned data as a community asset, and thus data of Indians belonging to the community of Indians, which is the country, and thus, the Government of India.

Why Data Localisation Might Lead To Unchecked Surveillance

We’re seeing the development of other large datasets:

  • The Reserve Bank of India has proposed a public credit registry which will house data on transactions.
  • In the same way, the National Health Policy suggests electronic health records that will be transferable through the National Health Information Network.

On top of these databases, it is expected, will be a consent-based framework allowing for citizens to share their personal data, collected by the state, with private parties. How does Aadhaar fit into this framework of taking personal data, converting it into a public asset, and then enabling its privatisation for economic growth? As a unique identifier, it allows those accessing the database from differentiating one Ram Singh from another across multiple databases. In the State Resident Data Hubs, which contain demographic information about citizens, we already have a situation where the states are, in the words of some of the states, creating ‘360-degree profiles’ of citizens. Enabling private players to use Aadhaar enables the creation of additional datasets, which the state can also potentially get access to.

Secondly, as we have seen historically with Aadhaar, consent is merely a tool to justify that permission has been taken to access data, and it has, for the most bit, been voluntary on paper, but forced upon citizens by instituting denial of service.

This is exactly where a strong data protection law comes in: one that can implement the Supreme Court’s historic verdict of privacy being a fundamental right, give citizens control over their own data by restricting both state and private access to it, and ensure that consent isn’t used as a mechanism to deprive citizens of their data and their privacy. In that context, the hurry to pass the Aadhaar Amendment Bill has to be juxtaposed with the delay in tabling the Data Protection Bill, and even the provisions in the bill that grant exemptions to the government over its access and usage of data. Thus, not only do we need a data protection bill, but also a bill that enables surveillance reform and provides greater accountability mechanisms, especially by Parliament, over our security agencies.

Nikhil Pahwa is the Founder of, and a proponent of digital rights.

The views expressed here are those of the author and do not necessarily represent the views of Bloomberg Quint or its editorial team.