As we continue to analyse the Aadhaar judgement, we are faced with a peculiar situation in which both the petitioners and respondents are claiming a qualified victory. In the maelstrom of public opinion, there is one message — the fight is not over yet. There is every reason to anticipate further executive and legislative actions that spill over into challenges in court. These will be through changes in the Aadhaar Act and other laws, as well as through the introduction of a comprehensive privacy and data protection law. On both, this judgment of five judges which splits into three opinions, with a majority authored by Justice A K Sikri supported by Justice Ashok Bhushan and a dissent by Justice D Y Chandrachud, hold important lessons.
Immediate government measures may include breathing life into the mandatory linking of Aadhaar with mobile and bank services as well as permitting its use by private entities — all of which have been struck down by the Supreme Court. While such devices may be achieved by executive action, a firmer foundation in legislation will be necessary as indicated by the judgment. But beyond the absence of a credible underlying law, the reasoning of the majority opinion of Justice Sikri also sets important parameters.
This second-stage scrutiny that utilises the constitutional doctrine of proportionality is most clearly reasoned when the court strikes down the mandatory linking of bank accounts with Aadhaar. It states, “making the requirement of Aadhaar compulsory for all such and other persons in the name of checking money laundering or black money is grossly disproportionate”. Hence, a similar reasoning would extend even to compulsory mobile linking, as and when it is required, even if done by an act of Parliament. Even going by the majority judgment in isolation, there is a requirement to tailor the use of Aadhaar; the pre-judgment position of a universal, mandatory link to every conceivable service has become constitutionally untenable. Similar requirements will be necessary for any legal authorisation for the use of Aadhaar by corporate bodies. They will need to be on the basis of a law that clearly states its purpose, with specific limitations and safeguards — mere executive notifications for universal linkages or mandatory use will just not do.
The other area where a legislative agenda has been set is with regard to a comprehensive privacy law. While the majority judgment does seem to go into the specific issues of the compliance of the Aadhaar project with data protection principles such as data minimisation and purpose limitation, such principles are premised on a powerpoint presentation made by the UIDAI CEO, A B Pandey to the Court. These are factual determinations, which required an independent examination by a regulatory body such as a privacy commission. Further, the majority also makes a mistake by repeatedly commending the pending processes of the Union government to enact a data protection law as recommended by the Justice Srikrishna committee. At moments it almost seems, that despite the caveats of the judgment, the Court is agreeing with the formulation of the Draft Bill of the Srikrishna Committee, which has come in for intense criticism.
Even as a matter of propriety, the draft bill was submitted to the government long after arguments had been completed and the judgment was reserved — it should not have been a matter of consideration for the court. This becomes important as such an opportunity would have permitted the petitioners to challenge the provisions of the draft bill and the recommendations of the committee that many claim are fundamentally misaligned with both individual and public interests. The demand for a comprehensive and a strong privacy law becomes greater with each passing day. Here, Justice Chandrachud while noting the urgent need for an independent statutory body to ensure the protection of personal data that can oversee the UIDAI, issues a stark warning by stating, “the invisible threads of a society networked on biometric data have grave portends for the future. Unless the law mandates an effective data protection framework, the quest for liberty and dignity would be ephemeral as the wind”.
This forces us to ask: What should the approach be when the Aadhaar Act is amended or other laws regulations related to data protection framed? Should the exercise rest on the desire to restore the mandatoriness and power of the project, or should it be about addressing the concerns which lead to a diverse set of petitioners approaching the Supreme Court? One hopes that the government does not approach the issue of reforms to the Aadhaar project from the narrow lens of a recalcitrant private litigant.