Most of the debate on the Aadhaar bill has centred on the right to privacy. All five amendments suggested by the Rajya Sabha, subsequently rejected by the Lok Sabha, had an element of this right within them. But the core deficiency rested not in the lack of protections in the Aadhaar bill but in the absence of a comprehensive privacy statute to develop and enforce them.
We must look at both substantive protections and the procedure available to enforce them. Many people regard privacy as an amorphous concept, which is also why it is hard for them to visualise any harm to it. Recognising this problem, in 2012, the Justice A.P. Shah Committee suggested nine distinct principles canonising the right to privacy. An analysis of the Aadhaar bill shows that it does not even recognise some of these nine principles. For instance, take the principle of access; a person cannot in any instance demand access to their core biometric information under the Aadhaar bill.
But greater difficulty exists in enforcing the laconic safeguards of the bill. Broadly, the three forms of judicial remedy usually enforced are civil, criminal and the writ jurisdiction of high courts and the Supreme Court. The Aadhaar bill makes all these three remedies ineffective for individuals.
The civil remedies under the bill oust the jurisdiction of civil courts in favour of the system set up for penalties under the Information Technology Act. The existing penalties under the IT Act are deficient, as they were never intended to provide comprehensive privacy legislation. Even if they are amended, enforcement under the IT Act has never worked properly and shows no promise of improvement. Under it, the jurisdiction of civil courts is barred in favour of “adjudicating officers”. These officers are usually a serving IT secretary of the state government given additional charge to adjudicate cases under the IT Act. Though persons of high competence, a lack of resources and training handicaps not only their capacity but also the quality of judicial orders necessary to withstand review. Such scrutiny would naturally arise in appeal as provided under the IT Act — but, for the last three years, the Cyber Appellate Tribunal that hears such appeals has not been properly constituted and is not functioning.
The problems with enforcement of criminal remedies are more straightforward: Only the UIDAI can make complaints for the offences contained under the Aadhaar bill. Not only is this a conflict of interest but it also takes away the Aadhaar user’s recourse to a criminal remedy. It may be argued that penal provisions under the IT Act and the IPC can be invoked by individuals. But such an assertion must consider the absence of any notification mechanism. The Aadhaar user is never informed when a crime relating to their data occurs. They will never have the particulars necessary to register a criminal complaint.
This brings us to the final remedy of writs that can be availed of to enforce the fundamental and statutory rights available to a person. It would normally be expected that a person would be able to approach an HC for the enforcement of rights under the Aadhaar bill. Especially if the UIDAI does not provide authentication as it is intended to do, or fails to correct the data records. Most people know the poor quality of data entry in government IDs. Aadhaar requires a safeguard clearly conferring a right than can be enforced through a writ. However, these rights are problematically phrased as “requests” for supplying and correcting information. This dilution is made clear by the absence of the requirement of a hearing, a reasoned order or an appellate process under the bill.
It is not without reason that the Justice Shah report suggested a comprehensive legislation to safeguard privacy and also the office of a central privacy commissioner to develop and apply it. Even when suggesting the establishment of a privacy commissioner, who could impose penalties for violations, it recognised the central role of existing judicial forums by retaining the jurisdiction of civil courts. While many may see privacy as the core issue in the Aadhaar programme, privacy itself transcends it. As our everyday lives become connected, a comprehensive privacy legislation is an essential safeguard.