Aadhaar, the Unique Identification of individuals in India has become one of the largest biometric identification projects in the world, having touched 1.2 billion people. With the passing of Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Act in 2016, use of Aadhaar for various private and public services has increased multifold including e-Know Your Customer for issuing mobile SIMs, linking bank accounts for direct benefit transfer, and more recently for income-tax filing, amongst others. However, at the same time, concerns are being raised regarding violation of privacy, the possibility of identity theft and the possibility of government surveillance of residents.
While the confusion over what constitutes privacy violation reigns supreme, it is important to identify which aspects of privacy are being compromised, if at all, in the case of Aadhaar and its uses. We identify these issues using the classical framework of privacy taxonomy as proposed by Daniel Solove of George Washington University School of Law in his paper published in University of Pennsylvania Law Review in 2006. The taxonomy analyses the privacy issues during information collection, processing, and dissemination stages.
Identification and aggregation: Subsequent to residents enrolling for Aadhaar and submitting identification information including biometrics, this information is used to (i) verify identity and (ii) authenticate for availing prescribed services. Aadhaar Act protects core biometric information of an individual not to be shared, changed or divulged in any manner through clauses 7(4), 29, 30, 34, 35. While Aadhaar number (which is a random number that bears no relationship to the identity of the holder) alone may not divulge much about an individual, when aggregated with other identity information (excluding core biometrics) may reveal some telling patterns about an individual. Clause (8) of the Act mandates responsibility of “requesting entity” to use the identification information mainly for authentication; only for the purpose desired, and be transparent to individuals about the use of the information so requested.
However, the identity information so collected about the individual by the requesting entity when aggregated and combined with other information such as bank account number, hospital ID, student entrance test registration number can reveal lot more about the individual than what a mere Aadhaar number provides. Hence, privacy violation through aggregation in the case of Aadhaar is quite high as more and more services use Aadhaar for identification and authentication. It is mandatory that the Unique Identification Authority of India (UIDAI) develops clear rules as to who gets “requesting entity” status and the enforcement regulation for disclosing the primary Aadhaar number as well as any aggregated information based on Aadhaar number.
It is significant that the Central Board of Direct Taxes (CBDT) has just issued a circular refraining tax officers from revealing personal sensitive information, including Aadhaar number of taxpayers. Similar guidelines and awareness initiatives are required for other government and private entities.
Secondary use: Secondary use is the use of data for purposes unrelated to the purposes for which the data was initially collected without the data subject’s consent. Though sections 8(3), 29 and (40) of the Act discourage secondary use by the requesting entity, propagation of identity information for secondary uses cannot be underestimated. First, most users cannot foresee the privacy violations due to secondary use; second, it is very difficult to monitor and penalise the requested entity of secondary use. Hence, threats of privacy violation due to secondary use are much higher in the case of Aadhaar.
Information security and identity theft: Though security of identity information stored in the Central Identities Data Repository (CIDR) is emphasised in many clauses in Chapter VI of the Act including the responsibility of the UIDAI, the probability of security breach of CIDR though very small may still not be zero! Associated with breach of security is identity theft that seems to have started happening in isolation. Though clauses in Chapter VII state penalties for impersonation and falsification, stricter sector specific regulations are required for protection against identity theft.
Confidentiality: Breach of confidentiality is covered in one sentence in clause 28(2). Breach of confidentiality is breaking a promise to keep a person’s information confidential. Residents repose such trust in UIDAI, the Government and the requesting entities to keep identity information confidential. Any disclosure of identity information and hence a breach of confidentiality is likely to raise serious credibility issues.
You might also want to see this:
In all the above cases, the legal decisions on any case will depend on privacy loss versus social welfare and benefits that accrue due to Aadhaar. While Aadhaar is just one use case, there are many instances of privacy violations that occur as digitisation permeates and our digital persona evolves at an exponential pace. Instead of making all decisions ex-post, the need of the hour is a comprehensive ex-ante privacy regulation that addresses all dimensions of privacy. That will provide credence to the Aadhaar story!
The important aspect of Aadhaar number is that it identifies a person in “flesh and blood” through the associated biometric details unlike any other identification such as PAN or even driver’s licence. Hence the associated benefits of Aadhaar, including de-duplication, efficiency, and transparency, especially to the advantage of the poor who were extorted by intermediaries this far. However, the fear of such identification has kept countries such as the US from passing any National ID card project until now. It is indeed a significant disruption by the UIDAI and the government in deploying the identification project nationwide at such a scale for the first time in the world! Clause (5) of the Act enabling enrollment of disadvantaged and those who do not have permanent dwelling units is commendable as it addresses inclusion and equity.
Hence, it is imperative that the government and the UIDAI take supreme precautions to protect the individual’s identification information as described below in all its various avatars and demonstrate evidence of the social benefits due to Aadhaar. A comprehensive regulation on the use of Aadhaar card, number, and associated information is required for residents to repose their faith on Aadhaar. At the same time, the tidbits in the Information Technology (Amendment) Act 2008 such as clauses 66A & 72 alone are not sufficient for protecting the privacy of individuals. With our national ID project well underway, a comprehensive privacy and data protection regulation is the need of the hour.