Kashish Khattar is a 4th year student at Amity Law School, Delhi. This article is a discussion about the various amendments proposed to the Aadhar Act related to the FinTech space.
Introduction
The Lok Sabha passed the Aadhar Amendment Bill (“Bill”) in the first week of January 2019. This article is an analysis of the same with respect to the landmark Puttaswamy judgement regarding the Right to Privacy as a fundamental right to life under Art. 21 of the Indian Constitution. The five-judge bench partly struck down Section 57 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 (“Aadhar Act”). The section which was mainly an enabling provision which stated that nothing would come in between a body corporate or anybody who is trying to authenticate their identity.
This section was being used by private entities to authenticate the identity of the users which in turn lead an easy e-KYC process. This process was used to get new customers on board, as the process was speedy and easy to do.
The bill proposes amendments in the Aadhar Act, 2016; Telegraph Act, 1885; and PMLA, 2002. The bill can be seen as a way of quietly moving past the privacy judgement by making some subtle changes in the Aadhar Act.
What are the important amendments related to Fintech?
Let us look and analyse these subtle changes which pave the way for the private entities to again use the Aadhar infrastructure. However, using the Aadhar data now comes with a few conditions in place which are provided by this bill. The bill completely omits Section 57 from the Aadhar Act.
The beginning of an Aadhar ecosystem
Section 2 adds a really important definition to the Aadhar Act, which is undoubtedly the Aadhar ecosystem. It is defined as enrolling agencies, registrars, requesting entities, offline verification-seeking entities and any other entity or group of entities which will be specified as per regulations. By reading the definition carefully, we can see that the ecosystem doesn’t mention anything that will prohibit private players from entering this space. These participants are expected to be governed by the UIDAI or Unique Identification Authority of India. UIDAI is the umbrella organisation of the Aadhar Act, 2016. UIDAI is supposed to come up with various regulations with respect to these amendments. This will help out the private players to again get into the Aadhar ecosystem.
Further, Aadhar number is now defined as an individual number issued to an individual or a virtual identity generated. Offline verification is also added as a new concept which basically means that Aadhar data can be verified through offline modes which will be prescribed by regulations.
A creative solution with regards to the Privacy judgement
Looking at this particular paragraph 367 from the Privacy judgement – “The respondents may be right in their explanation that it is only an enabling provision which entitles Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as proof of his/her identity, there may not be a problem.”
These remarks can be clearly felt in the amended Section 4 of the Aadhar Act. Section 4 of the bill makes it clear that the Aadhar holder can now use their Aadhar number to authenticate their own selves. The voluntary basis of giving Aadhar has been reinforced by amending the relevant provisions in the Telegraph Act and the PMLA Act. These amendments in the aforesaid Act basically give Aadhar an equal standing with a passport and any other documents issued by the central government. Further, they give the power to entities like banks, other financial institutions to verify their identities through offline verification of Aadhar. The user is given a choice to use any mode of identity and he will not be denied of any services offered if he doesn’t wish to use his Aadhar number.
The bill gives a legal basis to the offline verification of the users, a process where users can use the Aadhar smart QR codes provided by the Aadhar authorities. The Aadhar number is now said to be in any form as prescribed by the regulations which will be notified at a later date. This kind of a code does not in any way try to gather information from the so-called Aadhar infrastructure and can be said to be in harmony with the privacy judgement. Further, this can be regarded as a creative way of going around the SC judgement.
The amendment in section 4 also talks about the entities being given permission to use Aadhar for verification. If the authorities are satisfied that the entities are (i) compliant with the standard of security and privacy as may be prescribed by regulations; (ii) permitted to offer authentication services by any other law; and (iii) seeking authentication for Government in consonance with the Aadhar authorities, and being in the interest of the state as may be prescribed. In my opinion, the amendment in Section 4 mainly allows the private players to again use the Aadhar ecosystem for verification of the identity of its users. Further, they would just have to be compliant with the standards put out by the authority and the government.
Aadhar’s new way of data protection
Section 29 (3) states that no information which is available with a requesting entity or offline verification-seeking entity can be used for any other purpose, other than the ones which were informed about in writing to the individual at the time of submitting any information for authentication or any offline verification or disclosure for any other purpose, other than purposes informed in writing to the individual at the time of submitting any information for authentication or offline verification.
Section 29 (4) which previously talked about the core biometric information only, is now being changed and states that the demographic information or photographs which are collected or created under the Aadhaar Act can only be published, displayed or posted publicly for purposes that have been specified by regulations.
The change in the language of the above section shows that the government has gotten serious about the protection of the sensitive data that the Aadhar ecosystem has control over. Adding a separate chapter revolving around civil penalties also seems like a good step towards better regulation and protection. Further, this seems like a good step towards securing the database of the Aadhar ecosystem as the major leaks were coming from third parties.
Why need these changes at all?
Aadhar e-KYC is a process which the UIDAI came up with to accelerate the tedious process of KYC. The Aadhar e-KYC was a faster way of doing things, whereby the user can give permission to the private player to access his details from Central Identities Data Repository (“CIDR”) – which is regulated by the UIDAI. The authentication could be done through OTPs on registered mobile numbers or verifying biometric information of the user.
Attached is an image below about the various questions that were left unanswered because of the interpretation of the privacy judgement that could be done by the private players. In my opinion, Aadhar e-KYC can now be used again to get away from the bulky and tedious documentation process by this paperless method.
Conclusion
With the Data Protection Law on the horizon, the much anticipated Aadhar Amendment Bill comes with the subtle changes which let the private players actually use the infrastructure set up by the government for easy access of various benefits to the masses. The private sector has a big role to cater to the various benefits offered by the ease that has been made possible through the Aadhar Act. The Supreme Court has supported the use of Aadhar for various benefit schemes and wouldn’t have intended to stop the private players from spreading the various benefits associated with the Aadhar infrastructure. It is now a matter of time to see that the actions taken by the government through this bill would be able to solve the various problems associated with Aadhar and protect the sensitive data of its citizens.
