In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar, had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.
Senior Counsel Shyam Divan continued to take the court through the relevant provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act). He started off with s.57 and pointed out that the section not only contemplates the giving of the Aadhaar number by an individual but the proviso also requires it to be authenticated. Next, he moved to s.59 and argued that the text of the section only validates the actions of the central government and therefore the actions of private entities including private enrollment agencies are not protected.
Justice Sikri stated that during the pre-statute regime also, the appointment of the enrollment agency was made by the Unique Identification Authority of India (UIDAI). However, Mr. Divan responded that there was neither a statutory framework nor privity of contract prior to the Act. He also indicated that even if the enrollment agency was appointed by the Registrar, the latter was still not the central government and therefore the protection of s.59 does not extend to private enrollment agencies.
Justice Sikri, however, stated that as the central government appointed the UIDAI, all the actions performed by it should be protected by s.59. Mr. Divan responded that what may be protected is the central government’s action of entering into a memorandum of understanding (MoU) with the UIDAI but not the actions of the Registrar.
Justice Chandrachud pointed out that the Registrar would not have been appointed in the absence of the MoU and therefore his actions are also protected. Mr. Divan, however, stated that there was no legislative or contractual framework for the appointment of the Registrar and his actions cannot be attributed to the central government. He also stated that enrollment agencies are not covered under the MoU and therefore the enrollments prior to the Act are not saved by s.59.
Mr. Divan further argued that even if the provision was assumed to have retrospective effect, it would still not be able to cure breaches of fundamental rights that have already occurred, as the violation is complete.
Justice Chandrachud asked whether Aadhaar was used by private entities before the Act and pointed out that such action would not be validated by s.59. Mr. Divan replied that he would gather the specific factual details on it. Justice Chandrachud further mentioned that s.59 attempts to provide a basis in law, as was said to be required in Puttaswamy vs. Union of India, through a legal fiction. He asked Mr. Divan to consider how to deal with data breaches prior to the Act.
Mr. Divan also pointed out that there is a requirement of informed consent that is to be satisfied and mentioned that there can be no retrospective validation by stating that there was always consent. He concluded the discussion on the provision by submitting that even if the provision is upheld, it should be accorded the narrowest reasonable construction.
He then submitted the main heads of challenges to the Act:
- Surveillance: The architecture of Aadhaar enables pervasive surveillance.
- Violation of privacy: Prior to the Act, there was no law authorizing the violation of the right to privacy. Even after the enactment of the Act, violation of informational privacy continues when private entities are allowed to collect information. Mandatory authentication for availing subsidies, depriving individuals of the choice to submit alternate modes of identification, also results in violation of informational privacy. Mr. Divan also submitted that there is a violation of individual autonomy and dignity when individuals are compelled to part with demographic or biometric information. He stated that in a digital society, individuals have the right to control dissemination of their personal information and highlighted that information in silos, when aggregated, can enable the government to create an entire profile of the individual, resulting in the violation of their right to privacy.
- Limited government authority: The Constitution is not about the power of the state but about the limits to that power. The Aadhaar programme, if allowed, would result in a totalitarian state wherein all basic activities of the citizens will be known to the state. Here, Mr. Divan reiterated that the state has the power to cause civil death by disabling an individual’s Aadhaar. He also said that implementation of the Aadhaar programme would result in a pervasive state where citizens are forced to be transparent to the state instead of the state being transparent to the citizens.
- Money Bill: Mr. Divan reiterated that the Act was not a money bill and stated that Mr. Sibal and Mr. Datar will address this in detail.
- Violation of Ar.14 and Ar.21: Procedure under the Act violates Ar.14 and Ar.21 as there is no informed consent. The individuals are not informed about the commercial value of the data or that it could be used in criminal proceedings pursuant to a court order. Furthermore, there is no opt-out option. Also, most of the process is performed by private entities with no government oversight. Moreover, the data collected and stored lacks integrity, as it is self-certified. Here, Mr. Divan indicated how the verification processes of the banks are now being replaced merely with the Aadhaar, a process that lacks adequate oversight. He also stated that UIDAI has no control over the use or misuse of the data; at the most it can blacklist the agencies.
- Unreliability of biometrics: Biometrics are probabilistic. Mr. Divan stated that if biometrics do not match, then an individual ceases to exist.
Mr. Divan, next, moved to the Act to establish its unconstitutionality, section by section. He submitted that when s.2(c) on “authentication” and s.2(d) on “authentication record” are read with s.32, they facilitate real time surveillance which is unconstitutional. He also submitted that the notion of a central database is unconstitutional as it enables an authoritarian or police state. He stated that it will also compromise national sovereignty, if the database is operated by foreign agents.
Justice Chandrachud asked who maintains the Central Identities Data Repository (CIDR) and if the source code is with the UIDAI. Mr. Divan responded that there are agreements with foreign entities as they developed the technology and as far as the source code is concerned, it is proprietary technology which belongs neither to the UIDAI nor to the Indian government.
He also raised the concern that private enrollment agencies cannot be entrusted with the task of ensuring informed consent. He also reiterated that the definition of “resident” is problematic as it neither requires proof nor has a verification mechanism in place. He pointed out that the security of the country is compromised when the Aadhaar is issued without a rigorous verification process. Furthermore, he submitted that s.7 is unconstitutional, as it compels an individual to give up her constitutional rights to enjoy certain subsidies and benefits to which she is entitled.
Next, he moved to Chapter IV of the Act and stated that the right to individual freedom also entails the right to be alone. He then moved to s.33, which allows the information to be used for police investigation. He submitted that this would amount to self-incrimination and also highlighted that there is no opportunity for hearing, which is contrary to natural justice.
Mr. Divan then submitted to the bench a compilation of the various circumstances in which a society considers the collection of biometric information reasonable. He took the court to s.15 of the Census Act, 1948 to demonstrate the nature of protection accorded to census data. The section prevented any court from summoning the information gathered except for an offence under the Census Act. Next, he moved to s.7 of the Identification of Prisoners Act, 1920, which even in the pre-constitutional era accorded protection to bodily information by requiring the destruction of personal data if the prisoner is released without charge. Next, he moved to s.32A of the Registration Act, 1908. He pointed out that the section prescribed the collection of information (photograph and fingerprint) for a very narrow purpose and that it is collected only once and is maintained with one registry. He cited this as an example of a law satisfying the legitimate purpose and proportionality requirements. Finally, he took the court to s.6 of the Bombay Habitual Offenders Act, 1959, which allowed palm impressions of the offenders to be taken. However, s.9 of this Act provides that the registration of a habitual offender would come to an end after five years.
Mr. Divan stated that all these acts are narrowly tailored unlike the Aadhaar Act.
Next, he elaborated his argument on surveillance. He began by explaining how the architecture of the Act enables surveillance. He reiterated that the state can aggregate data collected over a period of time to acquire the profile of an individual, a community, or a segment of society. However, the Constitution does not permit a surveillance state.
Mr. Divan then discussed in detail the technical aspect of the programme. He stated that every electronic device linked to CIDR is assigned a unique number. This will help in recognizing the device from which the transmission of information emanates. A unique electronic path attaches to each transmission, enabling the identification of the links through which the transmission takes place. Based on this, Mr. Divan submitted that every transaction can be tracked and the broad nature of the transaction can also be identified. He also submitted that the technology enables tracking of the location of the device in real time. He further stated that s.57 of the Act will further deepen the extent and the scope of this surveillance over time.
Mr. Divan submitted affidavits of technical experts to demonstrate how the programme would enable surveillance by the state. Mr. D’Souza in his affidavit mentioned that he had demonstrated to the UIDAI officials the ease with which fingerprints can be replicated and duplicated. He also highlighted that fingerprint machines are not manufactured indigenously and therefore the machine code and source code are unknown to the UIDAI. This could result in having a backdoor feature that could be used for data mining without UIDAI’s knowledge, which could pose a serious threat to national security.
Justice Chandrachud asked to what extent the court can look into technical evidence. He also asked if this would result in second guessing the decision of the executive government.
Mr. Divan stated that the affidavits confirm that the technology enables a complete mapping of the electronic path in real time, thereby allowing the tracking of the location. He pointed out that such a system is not in place anywhere else.
Justice Chandrachud stated that the government is subject to Ar.14 and therefore the manner in which it uses the information is also subjected to the Constitution. He questioned if we are comfortable with Google Maps and other private entities tracking us. Mr. Divan responded that when such surveillance is performed by the state it would make the state a police state, which is not permitted by the Constitution. He further stated that the Constitution couldn’t even be amended to permit it, as it would deprive individuals of their liberty to live in a democratic state. He also mentioned that Google, although powerful, is not as powerful as the state.
Justice Chandrachud asked what the problem is with the collection of data if its use is limited to its purpose. He said that we are living in times of terrorism and money laundering and therefore we need to balance it with our concerns of privacy. He stated that surveillance is about how the data is used and not about the collection of data.
Mr. Sibal responded that the problem lies in handing over such extensive information to the state. He said that the state may use such information without the individual’s knowledge. Mr. Divan agreed with this statement and stated that the whole point is to prevent surveillance by the state. He said that it would be extremely perilous to ignore the affidavits of the technical experts. He mentioned that tracking by Google is a separate issue but what is of concern here is whether the state can perform such pervasive surveillance.
Mr. Divan then took the court to Justice Subba Rao’s dissenting opinion in Kharak Singh v. The State of UP & Ors., which was endorsed as the correct position in Puttaswamy vs. Union of India. He read the part that discusses how surveillance constricts the right to life and liberty. Next, he highlighted the District Collector v. Canara Bank judgment wherein it was stated that “we are not living in a police raj”. He said this is exactly the point in the present case. Next, he moved to Justice Sotomayor’s opinion in US v. Jones wherein it was held that physical violations are no longer required to infringe privacy. Next, he moved to the judgment of the European Court of Human Rights in Zakharov v. Russia.
The hearing will continue on 30th January, 2018.