APC calls for strong data protection safeguards following Supreme Court of India's verdict on Aadhar, India's biometric identity programme

Photo by julian correa under CC0 1.0 Universal Public Domain Dedication (https://flic.kr/p/ahL8Hv)

Publication date: October 2018
Author: APC

The Association for Progressive Communications (APC) calls on the government of India to adopt and implement strong data protection safeguards in view of the verdict of the Supreme Court of India on the unique identification project, Aadhar.

On 26 September 2018, the Supreme Court of India, while upholding the constitutionality of Aadhar, India's unique biometric identity programme, made some significant observations which should guide the manner in which one of the largest biometric databases in the world is to be administered and governed. Aadhar contains biometric data of over a billion people, such as photographs, fingerprints and iris scans, which are stored in a centralised database. As such, we view the mandatory requirement of biometric identity cards as a violation of the right to privacy and the rights of individuals to access benefits that they are entitled to, that are paid for from taxes and are a basic necessity for the realisation of their human rights.

Over the past years, many experts have expressed great concern about the design and implementation of Aadhar. Concerns ranged from the lack of consultation with civil society in the design of the programme, easy access to fake cards, fake biometrics used to obtain cards, privacy concerns as a result of data leaks, insecure storage of data, and the access that corporations had to the Aadhar details of individuals. The most problematic concern relates to the aggressive rolling out of biometric identity cards and making them mandatory to access basic services including education, health, banking and mobile service connections in the absence of any data protection mechanisms in place. Biometric data carries with it a percentage of false-negative cases, which defies the notion of these being foolproof. As Aadhar is a mandatory programme, this foundational flaw has far-reaching consequences where some individuals are unable to access services they are entitled to due to the inability of the system to accept their data, while others are able to fraudulently “game” the system by using other people's biometric data. A major problem of biometric data is that it is unique and irreplaceable, unlike passwords and ID numbers which can be replaced; therefore, once a biometric system is compromised, it is compromised forever and follows a person throughout their life.

The Supreme Court, while upholding the constitutionality of Aadhar, has observed that it considers enrolment in the programme to be foolproof and that biometric data cannot be replicated, despite many instances disproving this conclusion. The court has cited the unique identity card empowering marginalised sections of society by giving them identity and referred to its usefulness in ensuring that welfare schemes and benefits are implemented in an effective way. "Much to our disappointment, the majority verdict has failed to recognise the flaws in the manner in which biometric data is stored and the overall weakness in security systems, putting one of the largest databases in the world at constant risk,” said Chat Garcia Ramilo, executive director of APC. “This ultimately compromises the right to privacy of all individuals enrolled in Aadhar and poses serious dangers of such a database being abused by state and non-state actors, including the use of data for mass surveillance,” she added.

However, the judgement has limited the access of corporate entities, including banks, to the details of individuals stored in the Unique Identification Authority of India (UIDAI) database. The portion of Section 57 of the Aadhar Act 2016 that enabled this has been declared to be unconstitutional, and as a result, corporate bodies can no longer demand authentication via Aadhar. "The fact that it is no longer possible for private companies to make the use of Aadhaar mandatory is welcome. But on the whole, the majority judgement in the case fails to sufficiently recognise the particular challenges that are posed by large-scale data processing in the digital age,” said Anja Kovacs, director of the Internet Democracy Project. “The continued requirement for citizens to furnish an Aadhaar number if they want to avail of a slew of government benefits and services, which are necessary for the realisation of basic human rights, continues to put those most vulnerable under greater distress. Persons with disabilities, those living below poverty line, women and sexual minorities and other vulnerable groups are now at the mercy of ongoing exclusion as well as a particular risk of profiling, as they are unable to take their identity management in their own hands," she stressed.

The court has also held that authentication records are not to be kept beyond a period of six months, as against the five-year period allowed in the Act, and has further held that maintaining a metabase relating to transactions is impermissible. 

Section 33(1) of the Act, which authorised a district judge to permit disclosure of an Aadhar number, has been read down, clarifying that an individual whose information is sought to be released shall be afforded an opportunity of hearing and appeal against a decision permitting disclosure. Similarly, another part of the section permitting disclosure on the basis of national security has been struck down, and the state has been asked to reframe the section within the framework prescribed by the Court. "We hope that the state, in reframing this section, will adhere in letter and spirit to the guidelines prescribed in this judgement and adapt a rights-based approach, which includes security of personal data as a facet of national security, by consulting all stakeholders including civil society in the redrafting," said Osama Manzar, executive director of the Digital Empowerment Foundation. The Court has also granted individuals affected by violations the right to file complaints under Section 47 of the Act. 

"We are also glad that education institutions, which have been demanding students, including children, to provide Aadhar details for enrolment for admission and examinations can no longer do so,” said Gayatri Khandadhai, Asia policy advocacy coordinator at APC. “This has caused severe distress to many students across the country and has essentially forced parents to enrol their children in a programme, the privacy concerns of which they could not have possibly fully appreciated." 

In addition, children have now been provided the right to exit the Aadhar programme on attaining the age of majority. 

"The Aadhar project as a whole, and the manner in which it was implemented, is a problematic development for the region, as many states are hurriedly trying to introduce similar systems in their countries,” noted Khandadhai. “We call on states and lawmakers in other jurisdictions to closely study the dissenting opinion provided by Justice Chandrachud, which takes a rights-based approach to technology and holds the entire Act and the programme to be unconstitutional. The dissenting opinion recognises the weakness of biometric data, in terms of the loss of control over it by individuals and the security architecture behind the programme,” she added. 

“Most significantly, it warns of the impact this will have on the rights of individuals beyond the right to privacy, especially in environments where access to technology is uneven. The jurisprudence provided by Justice Chandrachud is one for the ages and we sincerely hope that this will soon guide how courts address technology and rights," Khandadhai emphasised.

"As observed by the Court, we call on the government of India to urgently adopt a robust data protection regime framed with the objective of protecting rights in the form of an enactment, by taking into account the inputs provided by experts, civil society and individuals in the state. It is indeed disconcerting that such large amounts of data were permitted to be collected in such a hurried manner with no legislative safeguards governing data privacy, protection and security," concluded Garcia Ramilo.