Principles endorsed by 15 global organisations, including the United Nations Development Programme, World Bank group and Asian Development Bank for the ‘maximization of benefits’ for identification systems like Aadhaar, have emphasised the need for establishing strong legal and regulatory frameworks, upholding user rights and establishing mechanisms for independent oversight to ensure their proper use.
Aadhaar may fall short of the benchmarks envisioned in some of these principles, especially when it comes to ‘building trust by protecting privacy and user rights.’
One principle emphasises the need for safeguarding data privacy, security, and user rights through a comprehensive legal and regulatory framework, one that promotes trust in the system. Whether the safeguards contained in the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the regulations notified under it can be considered robust and comprehensive enough to promote trust in the system is an open question.
It certainly does not envisage the creation of an independent regulatory body armed with appropriate powers to ensure that citizens’ rights are protected.
(Graphic by T. Ramachandran)
The government thinks that the Aadhaar Act does take care of data privacy and information protection requirements, going by its response to a question raised in the Rajya Sabha in December, 2016.
Mr. Sanjay Raut had raised the question as to whether the government planned to “initiate broad-ranging privacy and data protection laws that can address systematic concerns relating to breach of privacy of citizens while implementing the Aadhaar Act.” To which Minister of State for Electronics and Information Technology P.P. Chaudhary replied that all important, legally validated and well certified principles of data privacy and protection of information have been incorporated in the Act. He then went on to cite specific provisions of the Act in this context — that no core biometric information will be shared or used for any purpose other than Aadhaar generation and authentication. And that, at the time of enrolment, citizens are informed about how the information collected will be used and with whom it will be shared. Their consent will be obtained for using the identity information during authentication. They will also know about the nature of information that may be shared upon authentication.
These provisions of the Act which the Minister chose to highlight do not seem to meet the kind of requirements set forth in the proposed global principles in relation to protecting privacy and user rights. There are two key points here. Point One: “The use of identification systems should be independently monitored (for efficiency, transparency, exclusion, misuse, etc.) to ensure that all stakeholders appropriately use identification systems to fulfil their intended purposes, monitor and respond to potential data breaches, and receive individual complaints or concerns regarding the processing of personal data.” Point Two: Disputes regarding identification and the use of personal data that are not satisfactorily resolved by the providers (for example, refusal to register a person or to correct data, or an unfavourable determination of a person’s legal status) should be subject to rapid and low-cost review by independent administrative and judicial authorities with authority to provide suitable redress.
The Government has been on the defensive in recent days on Aadhaar, even as it has been bringing more and more benefits and services under its ambit. The recent incident of ‘misuse of biometrics’ reported in the media was an ‘isolated case’ of an errant employee of ‘a bank’s Business Correspondent’s company’ misusing the system, it said in an official release issued on March 5. It was detected by UIDAI’s internal security system and action has been taken under the Aadhaar Act. Another release issued on March 7 asserted that no one would be deprived of benefits due to the lack of Aaadhar. Benefits would continue to be given based on an alternate means of identification.
