“It is better to be unique than the best. Because,
being the best makes you the number one, but
being unique makes you the only one.”
The decision of the Supreme Court in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India, (“Aadhar judgment”) begins with the words quoted above, which were later revealed to be a WhatsApp forward message. The quoted words also form the underlying basis of the majority judgment which leans heavily in favour of the right to ‘dignity’ of marginalised sections versus the right to privacy. The majority judgment that spans over 567 pages proceeds on the assumption that Aadhar confers a “unique” identity to marginalised sections, and that there was no other mechanism by which pilferage in socio-economic beneficial schemes could be checked.
Background to the challenge
The provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhar Act”) were challenged before the Supreme Court of India on inter alia grounds of Article 21 and Article 14 of the Constitution. The Aadhar Act establishes the UIDAI as a statutory body which is given the task of developing the policy, procedure and system for issuing Aadhaar numbers to individuals and also to perform authentication. As the first step, a number of enrolling agencies are recruited by the UIDAI to collect biometric and demographic information. The collection of demographic and biometric information at the stage of enrolment is based on the individual’s “consent” to store such information on a Central Identities Repository Data (“CIDR”).
Once a person is enrolled and is allotted an Aadhar card, he or she is entitled to benefits and subsidies. At the second step, a particular institution/body from which the subsidy, benefit or service is to be claimed by such an individual, the intended recipient is required to submit his Aadhaar number and is also required to give biometric information to that agency. On receiving this information and for the purpose of its authentication, the said agency, known as Requesting Entity, would send the request to the UIDAI which shall perform the job of authentication of Aadhaar number. On confirming the identity of a person, the individual is entitled to receive subsidy,benefit or service.
The main problems with the Aadhar framework can be broadly summarised as following:
The provisions (Section 2(h) read with Section 10 of the Aadhar Act) for collecting and maintaining data on the CIDR is inherently a violation of privacy and may lead to the possibility of a surveillance state.
CIDR is maintained not by the government but by private entities.
Enrolling agencies are also private entities. Almost 49,000 such enrolling entities had been blacklisted because they were not adhering to the prescribed norms.
The Requesting Entity has the responsibility of making a request for authentication of the Aadhar holder. While undertaking such authentication request, the Requesting Entity can store information about daily transactions of an individual which are then transmitted to the CIDR. All this information can be strung together to profile citizens and chain every Indian citizen/resident to a central data bank.
Most provisions of the Aadhar Act are vague and extremely broad. Important aspects such as collection of biometric data, demographic information, the operation and working of the CIDR, generating and assigning Aadhaar numbers, authentication of Aadhaar numbers, omitting and deactivating Aadhaar numbers, commercial exploitation of information collected by the Government,etc. are all left entirely to the UIDAI without any sufficient defined legislative policy.
Given the aforesaid, the principle challenge to the Aadhar Act by the Petitioners was based inter alia on Article 14 and Article 21, more importantly the right to privacy as held to be a fundamental right by a 9-judge bench of the Supreme Court in K.S. Puttaswamy(“Privacy judgment”).
A large part of the majority judgment contains extracts of the Right to Privacy judgment where the Supreme Court had held that while the right to privacy was a fundamental right, it was not an absolute right. Privacy in itself was considered to have distinct connotations such as spatial control (privacy which concerns the personal space of an individual), decisional autonomy (intimate personal choices) and informational control (the ability of an individual to control his or her personal information). It was further held by the Privacy judgment that an invasion of life or personal liberty must meet certain requirements such as:
the invasion must be backed by law and therefore, the restriction on privacy be backed by legality;
there should be a legitimate state aim for restricting the right to privacy, which should be necessary (the test of manifest arbitrariness and Article 14 are implied);
the restriction should be proportional, i.e. the extent of the interference should be proportionate to the need for such interference; and
there should be procedural guarantees against the abuse of such interference.
The starting point
Whenever a judgment is challenged before the Supreme Court as being violative of the Constitution, the court considers the grounds for such challenge on the basis of constitutional principles and then arrives at a decision. These constitutional principles may also involve a harmonious interpretation of conflicting rights. But what is important is to undertake a detailed analysis of each and every right that is alleged to have been violated. The majority judgment does undertake this analysis, but it does so before giving a detailed history of the right to live with dignity as a facet of the right to privacy. What the court is doing here is to reverse the analysis. It does not consider the challenge to various provisions of the Aadhar Act as the first step. It proceeds on the basis that the Aadhar Act is a beneficial legislation, that there was pilferage in the grant of benefits and subsidies, that there is a need to ensure that marginalised sections of the society avail these benefits and are allowed the right to live with dignity.
The consequence of such an analysis is a judgment that runs into 567 pages without undertaking the most important analysis – Was Aadhar the only way to meet the legitimate state aim of ensuring no pilferage in socio-economic welfare schemes? Does it meet the proportionality test? This analysis comes in only in the dissenting judgment where it has been held that the seeding of Aadhar into every database allows anyone with access to this information to re-construct a profile of an individual’s life. The legitimate state aim, i.e. only genuine beneficiaries receive the benefits of social welfare schemes, could be met by other less intrusive measures as well. The requirement of insisting on an Aadhar number for the payment of pensionary benefits involves a breach of the principle of proportionality.
The majority’s analysis of the need for Aadhar glosses over the threats of big data and its misuse. The majority judgment takes note of the provisions of the Aadhar Act and the regulations thereunder to hold that adequate safety measures are in place. It further holds that the only method of ensuring the authenticity of recipients of social welfare schemes is to create a database based on biometric information which is “unique” for each individual. While doing so, the court ignores the various reports of leakages in the Aadhar database, ground level difficulties faced by marginalised sections of the society because they did not own an Aadhar number, reports which show that fake Aadhar cards are available, and that 49,000 enrolling agencies which had been blacklisted because they were not adhering to the prescribed norms. In the words of the majority judgment:
“It may, however, be mentioned that of late certain reports have appeared in newspapers to the effect that some people could hack the website of CIDR, though it is emphatically denied by the UIDAI. Since there are only newspapers reports to this effect which appeared after the conclusion of hearing in these cases and, therefore, parties could not be heard on this aspect,we leave this aspect of the matter at that with a hope that CIDR would find out the ways and means to curb any such tendency.”
The court’s analysis seems to be based on convenience – almost as if the court is allowing the state to proceed with collection of biometric information,irrespective of the potential harm posed, because the state has miserably failed to install a mechanism which prevents fake PAN card/ ration cards etc. from being issued. Furthermore, the majority judgment relies on the regulations under challenge to conclude that the data on CIDR is secure. It does not convincingly deal with the primary challenge to collection of data in itself, irrespective of security concerns.
Necessity and proportionality
It has been settled law that no abstract test of reasonableness could be laid down. In State of Madras v. V.G. Row, the Supreme Court held that the nature of the right alleged to have been infringed, the underlying purpose of the restrictions imposed, the extent and urgency of the evil sought to be remedied thereby, the disproportion of the imposition, the prevailing conditions at the time, should all enter into the judicial verdict. The Aadhar judgment takes note of this. The Supreme Court also adopts the tests as laid down in Modern Dental College and Ors. v. State of Madhya Pradesh &Ors. to determine the proportionality of a measure which invades privacy, which are:
a measure restricting a right must serve a legitimate goal (legitimate goal stage);
it must be a suitable means of furthering this goal (suitability or rational connection stage);
there must not be any less restrictive but equally effective alternative (necessity stage); and;
the measure must not have a disproportionate impact on the right-holder (balancing stage).
In analysing the aforesaid tests, the majority judgment once again proceeds on the assumption that the data on CIDR is secure and does not consider the impact of the regulations.While the legitimate goal stage and rational connection stage are discussed in detail, the majority judgment does not independently deal with the necessity stage. It simply relies on its findings for the earlier two stages to conclude that Aadhar is necessary because there is no alternative measure with a lesser degree of limitation which could achieve the same purpose.
On the other hand, Justice Chandrachud’s dissent in the proportionality analysis considers the impact of the regulations and not just the bare reading of the Aadhar Act. The dissent notes that the entities which provide the necessary infrastructure for securing network connectivity to enable authentication (Authorisation Service Agencies or ASAs) may store additional information on their systems to manage fraud. Regulation 26 of the Aadhar (Authentication) Regulations also enables the UIDAI to store and maintain authentication transaction data which could include server-side configurations (IP address and other details). The dissent considers the impact of the regulations in totality and concludes that UIDAI stores authentication transaction data. The information with the CIDR, the requesting entities and the ASAs leads to the creation of a silos. The threat to privacy does not arise from an isolated act of positive identification of biometrics but from the ability of third parties to access this information because most of the Aadhar infrastructure relied on technology that was being provided by private third parties. This foresight is missing from the majority judgment.
Article 14 – manifest arbitrariness
The 9-judge bench in the Privacy judgment held that a facet of legitimate state aim is to consider if a law suffers from manifest arbitrariness. Manifest arbitrariness means that a law should not be unreasonable, unwarranted or be based on irrelevant and extraneous considerations. The majority judgment does not consider if the Aadhar Act meets the requirements of Article 14 insofar that it is not manifestly arbitrary. The majority simpliciter relies on Binoy Viswam v. Union of India, a division bench judgment discussing the provisions of the Aadhar Act in the context of PAN linkage, to conclude that the Aadhar Act meets the requirements of Article 14.
The majority judgment does not, in contradistinction to the dissent, consider that the Aadhar Act left a number of security concerns to be settled by regulations and did not provide robust safeguard measures which should be a pre-condition to collection of data of 1.2 billion individuals in the CIDR. The dissenting opinion notes that the Aadhar Act does not provide for an autonomous body to ensure compliance with any data protection statute. It further notes that the Aadhar Act does not provide for any accountability and does not establish a robust regulatory framework to ensure rule of law under Article 14. The manner in which the majority deals with the absence of a data protection law is to “hope” that the recommendations made by Justice B.N. Srikrishna Committee Report are enacted with necessary modifications to bring out a robust law.
The threat of big data and concluding remarks
The Aadhar Act posed an unconventional and unprecedented scenario before the Supreme Court. Big data was debated before a court of law for the first time. Big data is characterised by three Vs – variety, volume and velocity. Very little is understood about this data but one thing remains unchallenged – it has immense potential if tracked correctly. The 9-judges in the Privacy judgment recognised this referring to Uber and Facebook in the following words:
“…As we move towards becoming a digital economy and increase our reliance on internet based services, we are creating deeper and deeper digital footprints — passively and actively. These digital footprints and extensive data can be analysed computationally to reveal patterns, trends, and associations, especially relating to human behaviour and interactions and hence, is valuable information. This is the age of “big data”. The advancement in technology has created not just new forms of data, but also new methods of analysing the data and has led to the discovery of new uses for data.”
The majority judgment while dealing with the arguments on big data does not deliberate upon whether linking of Aadhar with different platforms could lead to an augmentation of the big data, making it more susceptible to misuse. Tangentially, the judgment highlights the importance of technology and notes that individuals are willingly parting with personal information, but thankfully falls short of validating Aadhar Act on this basis.
As against conventional challenges to constitutionality of a provision, a direct harm could not be illustrated in the present case given the nature of big data. The challenges were therefore based on a certain degree of foresight and potential risks which the majority judgment termed as apprehensions. It escaped the court’s consideration that in 2018 technology may not be advanced enough to be able to process the large volume of data available and filter out irrelevant data resulting in profiling. But there is a possibility that such technological advancements are made in future which will enable third parties or even the state to assess every individual’s tastes, preferences and choices. The information, whether biometric or demographic is readily available in an encrypted form on the internet. It is only a matter of time that such information is found and put to misuse. While the majority judgment does take prohibit sharing of information with private entities, in the absence of a law for data protection in India, we are all at risk.
Big brother is officially watching us.
Anu Shrivastava is an advocate practising in Delhi.