False sense of security: Aadhaar is broken, and the new bill doesn’t fix it

This article was originally published on Catch News.

Late last evening, the Aadhaar Bill was passed by the Lok Sabha without incorporating any amendments suggested by the Rajya Sabha. In the last 14 days, since its introduction in the Lok Sabha, much has been written about this Bill and the Aadhaar scheme. One of the main concerns raised not only now, but in the past as well, has been about the role of private companies in the Aadhaar scheme, and whether there are sufficient safeguards to prevent misuse or unauthorised use of personal information collected by them. In this article, I will break down the involvement of private parties in the enrollment for and use of Aadhaar numbers. Data protection involving private companies could have been ensured at two levels in the Aadhaar scheme —one, through contractual obligations on the private agency involved, and two, through protection built into law that such private agencies as required to observe. I will briefly look at the data flow, flag my concerns and how well they have been addressed.

Enrollment Process

As my colleague at the Centre for Internet and Society, Vidushi Marda has written, data flow for enrolment within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI itself enters into Memorandums of Understanding (MoUs) with different Registrars. These Registrars are usually government departments or large private actors such as LIC. The Registrars in turn enter into agreements or arrangements with various Enrollment Agencies (EAs) who are usually private parties who set Enrollment Centres where data collection happens.

Collection of extra data

The UIDAI has a standard enrollment form which includes information such as name, address, birth date, gender, proof of address and proof of identity. However, it has been reported that some MoUs allow Registrars to collect additional information to what is specified by the UIDAI, at their discretion. This is clearly problematic as it allows private parties like the EAs to collect information not necessary for Aadhaar enrollment. Usually, these choices are binary; therefore, an individual needs to share his information in order to register for an Aadhaar number. This places them in a position of being coerced to share personal information and this cannot be considered informed consent, which is the basis of all data protection law worldwide.

Lack of Contractual Accountability

The manner in which the enrollment process works is that the individual fills out a form manually which after verification against his documents is entered by an operator at the Enrollment Centre in the UIDAI provided Aadhaar Enrollment Client software. These operators are not answerable to the UIDAI, but to a private agency— the Enrollment Agencies. The lack of privity between UIDAI and the EAs, and the loose set of legal relationships between UIDAI and those collecting information leads to clear issues of accountability.

Access to information

Further, the language in the contracts with biometric solutions providers, such as L1 Identity Solutions Operating Company and Accenture Services Pvt. Ltd. (both, incidentally companies reputed to be connected to foreign intelligence agencies), is disturbing as it allows them “access to personal information of the Purchaser and/or a third party or any resident of India, any other person covered within the ambit of any legislation as may be applicable” for a period of seven years.

Provisions in the new Bill

While the new Bill does have some provisions that pay lip-service to these concerns by putting an obligation on the UIDAI to ensure that its obligations are also passed on to the consultants and agencies it engages to perform any powers or function under the Act, two things need to be remembered. First, this legal obligation is on the UIDAI and neither the operators or the EAs are subject to it in the absence of a binding contract. Second, more than 90% of the enrollment has already occurred and introducing these controls now is like locking the stable door after the horses have bolted.

Section 43A Rules

The new Bill makes a reference to the rules framed under Section 43A of the Information Technology Act, and brings biometric information collected within the definition of “sensitive personal data or information” under these rules. This is another attempt to provide some legal protection to the information being collected. However, this also leaves a lot to be desired as the Section 43A Rules are woefully inadequate. Section 43A is a data security provision, and not a data protection provision. They enable the framing of rules for reasonable security practices that private entities ought to follow. The rules itself try to punch above their weight by also including some data protection principles, but they are severely limited by the fact that they are subordinate to the enabling provision which only talks about data security.
The Aadhaar enrollment process has been broken since its inception, and while token efforts have been made to fix it under the new Bill, they do not go a long way in addressing most of the issues.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s