Not part of the proposed Data Protection Act, but a significant amendment recommended by the Srikrishna committee in its report includes changing who can use Aadhaar for online authentications, which has become the base for the architecture of an entire segment of the data industry in India.
The report recommends changing Section 8 of the Aadhaar Act, effectively excluding any private entity from using Aadhaar-based online authentications and restricts only such authentication only to a “public authority performing a public function”.
Currently the Unique Identification Authority of India (UIDAI) allows registered Authentication User Agencies (AUAs) and Authentication Service Agencies, which could be public or private bodies to offer Aadhaar-based online authentication services that are used by other players. As of June end the UIDAI had 299 AUAs, majority of which were private players. These agencies, offering Aadhaar-based authentications have become the focal point of an ecosystem promoting digital authentications using Aadhaar in businesses and startups in the fields of health, banking, finance, etc.
Section 8 of the existing Aadhaar Act that discusses authentication says that the Unique Identification Authority of India, (UIDAI) will perform an authentication of an Aadhaar number “submitted by any requesting entity” in relation to the biometric and demographic information of the Aadhaar number-holder subject to certain condition, and on payment of a fee.
The amendment recommended by the Srikrishna committee in its report wants to define who a requesting entity can be. The amended Aadhaar Act—if the government goes forward with the recommendation—will state that UIDAI will perform an authentication from a requesting entity only if either the authentication is “mandated pursuant to law made by Parliament”; or is needed by a “public authority for performing a public function” that too with a “prior approval” from UIDAI.
The proposed amendment also states that in deciding whom to grant approval as a valid requesting identity, UIDAI will look at the “nature of the interest of the requesting entity”; standards of security it employs; and any other factor which is “relevant in protecting the privacy of an Aadhaar number holder”.
Such an amendment will be close to a death knell for all private entities that have built businesses on using Aadhaar as a quick and cost effective way to validate people’s identities. According to the Right to Information Act a public authority is an authority, body or institution of self- government established or constituted by the Constitution or a law; by a notification issued or order made by the appropriate government including an entity owned, controlled or substantially financed, directly or indirectly by funds provided by state or central government.