August 24 will mark the first anniversary of the Supreme Court’s emphatic re-affirmation of the status of the right to privacy as a fundamental right under the Constitution. It may be recalled that that decision, a unanimous one of a nine-judge bench, came in the context of the cases challenging the constitutionality of the Aadhaar project.
In the one year since that decision, even as a five-judge bench has heard and reserved for judgment the case against Aadhaar, a committee of experts headed by Justice (Retd) B N Srikrishna has submitted in the last week of July its report and a draft bill on personal data protection. Among other things, the report proposes extensive amendments to the Aadhaar Act, without including those in the draft bill. The draft bill has been criticised by many, with good reason, as containing exceptions and exemptions for the government and law enforcement as opposed to treating the state as a model data controller or fiduciary. Be that as it may, it still gives us a good framework to evaluate and critique the past and present practices of the state — including Aadhaar.
The draft bill so unequivocally disapproves of the UIDAI’s practices that many of the safeguards sound as if the committee, of which the CEO of UIDAI is a member, intended to say sorry to the Indian public on behalf of the government.
The Aadhaar project was set up by an executive notification in January 2009, which did not mention that the UIDAI would have the authority to collect, store or process biometric information — including fingerprints or iris scans. The draft bill defines sensitive personal data to ordinarily include biometric data and provides, under clauses 19 and 20, that the use of such sensitive personal data by the state without consent can only be authorised by a law or explicitly mandated by law. Even for processing sensitive personal data with consent, the draft bill lays down that such consent must be free, clear, explicit, informed, specific and capable of being withdrawn. It is not valid consent when people are made to enrol for Aadhaar on a threat of denial of any service or benefit, for example.
With the recognition of collection and purpose limitation obligations in clauses 5 and 6, Aadhaar’s regime of “mission creep” also receives the committee’s rebuke. From allowing registrars to collect several additional fields and create their own 360-degree resident profiles in the State Resident Data Hubs (SRDH), to opening the Aadhaar platform to be used by anyone for any purpose — from painting competitions to abortion services in clinics — mission creep was the modus operandi for UID ubiquity. The obligation of ensuring data quality on the fiduciary is also at odds with the UIDAI philosophy of exclusively placing the burden of accuracy on the data principal: the UIDAI database was referred to as a “self-correcting” database for that reason.
The obligation of a detailed notice under clause 8 and the rights under chapter VI of the draft bill such as the right to opt-out, the right of erasure or the right to be forgotten and the right of data portability, have never been provided for nor respected in the case of Aadhaar.
Clause 37 lays an emphasis on the data fiduciary engaging other entities to process data on its behalf only through a valid contract. It is worth recalling that the UIDAI engaged and continues to engage registrars and enrolment agencies to collect and process data on its behalf based on MoUs it signed with registrars, which clearly are not valid contracts. Moreover, in placing the burden of accountability on the data fiduciary, the committee has also effectively come down heavily on the long-standing UIDAI practice of pointing fingers at someone else in case of a security or privacy incident.
These are but a small sample of Aadhaar’s features and practices that the committee has effectively found unacceptable. Aadhaar may win or lose its legal battle. However, its chances in the arena of public reason have suffered a rather steep fall.