The right to privacy and its impact on the Aadhaar project by Varun Mathew
By Varun Mathew
The impact of the Aadhaar scheme on an individual’s informational privacy can be determined on the basis of the control it affords to that individual.
Descriptions of the unanimous judgement of the Supreme Court in Justice K.S. Puttaswamy v. Union of India as historic and landmark, are not exaggerated. This verdict is a judgement for the ages; a constitutional affirmation of a basic human right which will form the basis on which many other essential civil rights, currently unrealized in India, are fought for in the future. It is particularly significant in that it was delivered at a time when the Central and State governments in India are seeking to police the private lives of citizens, by regulating personal choices such as food consumption, sexual preferences etc.
Further, the establishment of the right to privacy as a fundamental right is expected to have a profound impact on the future of the Aadhaar scheme. This article analyses some of the issues with the Aadhaar scheme in light of the Puttaswamy decision, specifically with regard to informational privacy.
It is likely that the current structure of the Aadhaar scheme was developed with the view that privacy was not a fundamental right. This is supported by assertions made by the State itself, with special reference to the arguments put forth by the Attorney General on multiple occasions, beginning with the petitions against the Aadhaar scheme in 2015. One of the arguments advanced against this proposition by the senior counsel Shyam Divan, in S.G. Vombatkere v. Union of India (which also involved a constitutional challenge to the Aadhaar scheme), was that “the right to life includes maintaining personal autonomy through informational self-determination. Accordingly, “an individual must be allowed to limit what he or she wants to put out because otherwise her personal autonomy could get compromised”. This reasoning finds acceptance in the Puttaswamy judgement, which makes it clear that the fundamental right to privacy includes ‘informational privacy’. In the words of Justice Chandrachud, the right to privacy includes informational control, which “empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person”. Justice Nariman elaborates on this, stating that the unauthorised usage of personal information would infringe the right to privacy, and that informational privacy “recognises that an individual may have control over the dissemination of material that is personal to him”.
Thus, informational privacy is founded on the control that an individual may exercise over her personal information.
Control, in this context, refers to the ability to independently and freely determine the extent of access and usage of one’s personal information by someone else. Such control is necessarily continuous in nature, and does not extinguished upon the disclosure of that information to a third party.
This was established by the Supreme Court in the Canara Bank case (and affirmed in Puttaswamy), wherein it was held that the right to privacy was not lost when confidential information was parted with. Without such control over her personal information, an individual’s right to privacy stands infringed.
Accordingly, the impact of the Aadhaar scheme on an individual’s informational privacy can be determined on the basis of the control it affords to that individual. Subject to reasonable restrictions, such control should, at the very least, include: (i) the right to decide when to surrender or disclose such information; (ii) the right to have such information erased or forgotten; and (iii) informed consent in relation to the usage of such data. The Aadhaar scheme is evaluated in the context of these elements, below:
First, and perhaps most significantly, an Aadhaar holder has little autonomy in deciding when to disclose her personal information. This is because the possession of and authentication with an Aadhaar number is mandatory for a person wishing to access basic and essential services. Thus the provision of biometric and identity information, both at the time of enrolment and subsequent authentication, is not voluntary, but instead the result of coercion.
This lack of control over personal information is further perpetuated by the mandatory linkage of the Aadhaar number to, inter alia, personal account numbers, bank accounts, medical records, phone numbers, tax returns, welfare programmes. As Justice Chandrachud notes, such information may be inconsequential when considered in their individual silos; in aggregation, however, they reveal core aspects of a person’s personality.
Further, an Aadhaar holder has little control over the usage of personal information once it is delivered into the Aadhaar infrastructure pipeline. Consider the infographic below:
The Aadhaar Act (per S.8(3)) requires the entity requesting authentication of Aadhaar (“Authentication User Agency” or “AUA”) to provide a full disclosure to the Aadhaar holder of: (i) the nature of the information that is sought from the central identities data repository (“CIDR”), and (ii) the use to which such information shall be put. Prior to authentication, the consent of the Aadhaar holder should necessarily be obtained, and all information received thereafter should be used solely for the purpose disclosed (S.8(2)).
However, the Aadhaar holder is not privy to the actual technical request that is sent to the CIDR, and hence has no oversight with regard what information is actually requested and received by the AUA. Similarly, the Unique Identification Authority of India (“UIDAI”) is not privy to the actual disclosures made by the AUA to the Aadhaar holder. Thus, it is entirely possible for the AUA to misrepresent its actual purpose to the Aadhaar holder, submit an unauthorised authentication request to the CIDR, and receive personal information in response, with no one being any the wiser. Since, the UIDAI is permitted to respond to an authentication request with any form of identity information (excluding core biometric data), the AUA could gain access to sensitive personal data and maintain this in an unregulated private database. In essence, the Aadhaar holder is expected to trust every actor within the Aadhaar pipeline, which perfectly illustrates the absence of control. In its short life span till date, instances of fraud by intermediaries in the Aadhaar pipeline abound.
This leads to the second essential element of control, which is the ‘right to be forgotten’. Justice Kaul discusses this his judgement in Puttaswamy, making reference to the European Union Regulation of 2016 which specifically grants this right. He bats for a limited recognition of this right, wherein an individual may request the removal of any personal data so long as this does not conflict with overriding State objectives or social interests.
However, the right to have one’s Aadhaar related data erased is not recognised within the Aadhaar framework. Once an individual is enrolled, his identity information and authentication data will remain embedded within the CIDR. While such retention in the CIDR may be justified on several grounds, the retention of information in private databases that are linked to the Aadhaar number or have received authentication responses from the CIDR, is not.
The importance of such erasure, and indeed the overarching requirement of control over personal data, lies in the fact that the disclosure of such information can alter an individual’s behaviour and restrict their personal freedoms. Note that personal data is recombinant, in that separate pieces of personal information can be combined to create new pieces of personal information. Justice Chandrachud discusses Christina Miniodis’ seminal article on this aspect, and how modern big data techniques may be used to create personal information that is unknown even to the target individual, such as the likelihood that that individual will engage in a certain type of behaviour. Additionally, personal data inputs can be used to identify individuals within aggregated or anonymised data sets, thereby leading to greater invasions of privacy. Thus, individuals must have the right to request erasure of all personal information locally stored by private parties.
Informed consent also forms an integral part of informational privacy. An individual disclosing her personal information or authorising an authentication request must be fully aware of the exact purpose for which the disclosed data will be used. This extends to each instance of usage. As discussed in Gautam Bhatia’s illuminating essay on the impact of the Puttaswamy judgement, “consent is not a one-time waiver of your right to control your personal information, but must extend to each and every distinct and specific use of that information, even after you have consented to the State collecting it from you”. This is in line with the holding in the Canara Bank case and the observations made in Puttaswamy by Justice Chandrachud.
However, while the Aadhaar framework requires that consent be taken prior to any usage of personal information, it is almost impossible to ensure or enforce this. This is because an AUA may freely store identity information on its local servers; the Aadhaar Authentication Regulations only prohibit the local storage of core biometric data. The usage of information on a local server for analytical purposes, or even sharing of such information with third parties (particularly in aggregated forms) cannot be detected. Hence private parties can easily side-step the obligation to obtain consent each time they make use of personal data. This is a direct fallout of the Aadhaar Act permitting private parties to mandate the usage of the Aadhaar to validate private transactions, a decision seemingly motivated solely by the commercial potential of Aadhaar data.
Similarly, the inter-linkage of the Aadhaar number with the information in other government databases creates a wealth of information that the State can co-relate across the board and utilise for any purpose it wishes; the restriction on access and usage of personal information by the State is placed only on information contained within the CIDR. Indeed, the Aadhaar framework does not even provide for the notification of an individual when her Aadhaar data is used, let alone the securing of prior and informed consent.
For these reasons, it is evident that the Aadhaar project invalidates the control of an Aadhaar holder over her personal information, and the resulting restrictions on the right to privacy are neither reasonable nor proportionate. Curing this will require systemic changes, both within the Aadhaar scheme and India’s general regulatory framework pertaining to data protection, cyber security and privacy. Even then it is unlikely that all of the criticisms of the Aadhaar project can be addressed, since many of these strike the very heart of its infrastructure (such as the use of biometrics). Hope for redressal now rests on the upcoming Supreme Court hearings on the constitutional validity of the Aadhaar, and with the Shrikrishna Committee established by the Ministry of Electronics and Information Technology to draft a model data protection law for the country.
Varun Mathew is a Delhi based lawyer. He specialises in Information Technology and Cyber Security laws.
Image credit: Benoit Crouzet/Flickr CC BY-NC 2.0
Disclaimer:"The views in the article are of the author and do not represent the views of the Invisible Lawyer"