
Friday, January 04, 2019

Pick your poison: Money bill privilege or government shutdown?

by Pratik Datta and Radhika Pandey.

On January 2, 2019, the government introduced a bill in the Lok Sabha to amend the Aadhaar Act, 2016. Once again, the opposition is up in arms. Once again, there are apprehensions that this amendment bill will be certified as a money bill to avoid the opposition parties in the Rajya Sabha. In a parallel development, Jairam Ramesh filed a review petition against the Puttaswamy decision last week. The majority of the judges in that case had upheld the enactment of the Aadhaar Act, 2016, as a money bill. They refused to let judicial review be used as an institutional check to prevent abuse of money bills by the Lok Sabha. The lone dissent was by Justice Chandrachud, who referred to such abuse as a "fraud on the constitution". Ramesh's review petition now seeks to reopen this issue.

In this backdrop, this post revisits the basics to better appreciate the rationale for the Lower House's money bill privilege. In doing so, we highlight two extreme constitutional designs to overcome a common problem - how to decide on the funding for government agencies?

The problem

All government agencies need funds to function. These funds need to be appropriated from the state's finances every year. In liberal democracies, this funding decision cannot be left to unelected executives. Instead, the citizens through their elected representatives should have a say in this - should funds be released to the government? If so, how much? Consequently, the legal mechanism for such annual appropriation requires the citizens' elected representatives in the legislature to pass an appropriation bill into a law. In India, money bills perform this critical function (see Article 110(1)(d)).

In a bicameral legislature, an ordinary bill becomes a law usually after it is approved by the Lower House, the Upper House and the President. If the bill fails to receive approval from any one of them, it does not become a law. In that event, the prior law continues. Life moves on. Not so for an appropriation bill (or money bill in India). Failure to enact such a law would result in a funding crunch, potentially causing a government shutdown.

Solutions

There are broadly two different ways of resolving this problem.

The simpler solution is to leave it to negotiation among politicians in the Lower House, the Upper House and the President. This option is costly because of coordination and hold-up costs. And until the negotiated solution is reached, the government remains shut down, wasting huge public resources.

An alternative solution is to reduce the number of approvals needed to enact an appropriation bill into a law. The Lower House, being directly elected, could be empowered to enact an appropriation bill into law without any approval from the Upper House and the President. However, there is a flip side to this arrangement. The Lower House could abuse this privilege by camouflaging ordinary bills as appropriation bills to avoid opposition from Upper House and the President. Consequently, this arrangement may resolve the government shutdown problem at the cost of diluting the sanctity of the bicameral legislature itself.

Interestingly, the efficacy of these two different solutions is currently being tested in one of the world's oldest democracies, the USA, and the world's largest democracy, India.

USA

The American federal government has been partially shut down since December 22, 2018. This is the third shutdown of the US federal government in 2018 and the 21st in American history. However, it is the first shutdown of any significant length since 2013, when the government was shut down for 16 days. Such government shutdowns arise out of failure to enact appropriation laws.

Under the American constitution, only the House of Representatives (Lower House) can introduce an appropriation bill; the Senate (Upper House) cannot. An appropriation bill passed by both the Lower House and the Upper House must also be approved by the President to become an appropriation law. A direct consequence of this constitutional design is that either the Upper House or the President can block an appropriation bill, starving the federal government of funds. Further, the Antideficiency Act prohibits American executive branch agents from authorising expenditures or obligations in excess of the amount appropriated by Congress. Consequently, failure to pass an appropriation law results in a government shutdown in the USA.

The ongoing shutdown started when President Trump refused to approve the appropriation bill for the budget for the current fiscal year, which began on October 1, 2018. The President refused to approve the bill because it did not provide the funds he sought for building the wall on the US-Mexico border. There are now two options to break this deadlock. Either the proponents of the budget negotiate with the President to get his approval on the appropriation bill, or the bill is enacted without the President's approval, which requires a super-majority (i.e. two-thirds) in each House to approve it.

Both these routes require hard bargaining and trade-offs by Congressmen across party lines. The reason America accepted this cumbersome constitutional design is possibly best captured in Alexander Hamilton's following observation: "[t]he injury that may possibly be done by defeating a few good laws will be amply compensated by the advantage of preventing a few bad ones".

India

India seems to have adopted the exact opposite position. Our constitution, as interpreted by the Supreme Court, favours having a few good laws at the cost of suffering a few bad ones. After the Puttaswamy judgment, the Indian Lower House could potentially enact any bill, appropriation bill or not, into law using the money bill route. In the process, it can completely bypass any opposition from the Upper House or the President. Even judicial review is not permitted. Consequently, there is currently no institutional check on potential abuse of money bills by the Lok Sabha. If left unchecked, such abuse may very well end up being the death knell of our bicameral model of legislature. However, from the perspective of resolving government shutdowns, the Indian system is undoubtedly efficient. India never experiences government shutdowns for failure to enact appropriation laws, as happens in the USA.

Conclusion

Is this trade-off worth it? The Indian Supreme Court may soon find itself asking this question. Jairam Ramesh's review petition offers the Supreme Court yet another opportunity to revisit this critical constitutional issue.

 

Pratik Datta and Radhika Pandey are Researchers at the National Institute of Public Finance and Policy.

Sunday, August 20, 2017

The accountability framework of UIDAI: Concerns and solutions

by Vrinda Bhandari and Renuka Sane and Bhargavi Zaveri.

The public discourse on Aadhaar has largely focused on concerns about the privacy issues associated with the collection of personal information, and the constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("the Act"). Regardless of the outcome of the case at the Supreme Court, most residents will likely have to interact with the UIDAI, which is the body empowered to roll out an enrollment and authentication program for beneficiaries of welfare programs.

The UIDAI is an Agent established by the Principal (Parliament), with three powers. The law allows the State to compel an individual seeking a state-sponsored subsidy to undergo the enrollment and authentication processes designed by the UIDAI (although Aadhaar has now been made mandatory for certain non-welfare schemes as well, which goes beyond the conception in the law). The UIDAI is empowered to license and regulate Registrars and enrolling agencies to collect the demographic and biometric information of individuals, and enroll them under the Act. Finally, the UIDAI has quasi-judicial powers, such as the power to suspend the licenses of such enrolling agencies and Registrars.

In this article, we examine the foundations required to make UIDAI work properly: the performance and accountability standards. Under the present law, UIDAI is neither performance oriented nor is there accountability for failure. The problem of accountability at UIDAI is a little explored issue, other than occasional media reporting which expresses angst about data breaches and authentication failures (see here, here, and here). There is considerable knowledge from the global and Indian literature on public administration on how to achieve performance of such an Agent. Drawing on this body of knowledge, we propose that the UIDAI should be held to appropriate accountability standards, so as to create an environment where it will perform well.

Agencification and its associated challenges

Since the 1980s, governments have established specialised organisations which perform certain functions. These Agents have diverse mandates such as regulating a specific sector (SEBI and TRAI); administration of social welfare schemes (the erstwhile Benefits Agency in the UK); and running prisons (such as the HM Prison Service (HMPS) in the UK or the Dienst Justitiële Inrichtingen - National Agency for Correctional Institutions (DJI) in the Netherlands).

The Agent performs its mandate through the exercise of three kinds of powers, namely, quasi-legislative powers, quasi-executive powers, and quasi-judicial powers (FSLRC, 2013). While some agencies have all three kinds of powers at their disposal, others have only some of them. For instance, while SEBI has all three powers, agencies which are tasked with administrative functions such as the UK Benefits Agency or the HMPS have limited quasi-legislative powers and no quasi-judicial powers. Whatever the scope of powers of these agencies, two features cut across all of them: (a) they perform functions that the sovereign would otherwise have performed; and (b) they wield the power of the State in being able to coerce certain private persons in certain ways.

Broadly speaking, agencification has worked well in improving State capacity. However, this has come from establishing an array of mechanisms to deal with a few important concerns:

  1. Weaker links between the people and agencies: When a sovereign delegates functions to agencies, this reduces accountability through elections (Maggetti, 2010). The persons manning such agencies are one more step away from the people, as they are autonomous from the government and are not politically accountable to the people. Power in the hands of unelected officials also creates concerns about democratic legitimacy (Majone 1998). For instance, agencies which have been tasked with the administration of social welfare have been accused of opacity (Pollitt et al, 2004).
  2. Unfettered discretion: When agencies have the power to write subordinate legislation (i.e. regulations), this power is often not accompanied by checks and balances. In liberal democracies, there are elaborate checks and balances placed upon Parliamentary law. These checks and balances can be, and often are, diluted in the context of the "regulatory state". For example, in all the years since SEBI's establishment, only one of its quasi-legislative instruments has been challenged. Compare and contrast this to the constitutional challenge that virtually every significant parliamentary law faces in India. Similarly, in the last 30 years, no order issued by the RBI has been challenged by the person penalised. This leads to the possibility of abuse of power (Cochrane, 2015).

  3. Size and ever-growing footprint in administration of public affairs: Autonomous bodies, especially those entrusted with the administration of social security benefits, end up assuming significant proportions, both in terms of their size and their budget allocations. For instance, in 2000, the Benefits Agency, which was responsible for the administration of social welfare schemes in the UK, employed a staff of 70,642 and accounted for 30% of the overall state budget (Pollitt et al, 2004). Similarly, the Social Security Administration in the United States now has a staff strength of 60,000. In the Indian context, the annual expenditure of the RBI is larger than that of states such as Goa.

An accountability framework for agencies of the State

The power to coerce or the power to spend, that is conferred upon the Agent, must be associated with commensurate accountability mechanisms (Stone and Thatcher, 2002). Accountability mechanisms are ex-ante and ex-post. Examples of both are enumerated below:

Ex-ante accountability mechanisms:

  1. Having an adequate strength of independent directors on the board of the agency
  2. Regular internal audits to review the performance of the agency and ensuring that it complies with the law in exercising the discretion vested in it
  3. Setting out the objectives of the agency and the instruments to be used to achieve them, clearly in the law
  4. Setting out performance oriented goals and metrics for measurement of performance, in advance
  5. Defining formal processes for the exercise of the powers vested in the agency
  6. Mechanisms to facilitate transparent decision making, such as public consultations before making delegated legislation, maintaining a website, publishing a clear rationale for each decision of the agency

Ex-post accountability mechanisms:

  1. Laying all quasi-legislative instruments before the Parliament
  2. Reports showing the goals set out at the beginning of the year, the extent to which they are achieved at the end of the year and a statement of reasons for failure
  3. Resource allocation towards different goals and year-end utilisation
  4. Performance and audit by external independent agencies and publishing the reports of such audits

How do other social security administrators account for their performance?

Since the Aadhaar number is so often compared to the social security number issued by the Social Security Administration (SSA) in the United States, we can usefully draw a comparison with the annual performance and financial report published by the US SSA. The report sets out the strategic goals of the SSA that were determined at the beginning of the year. It divides the strategic goal into multiple objectives, specifies measurable performance metrics to ascertain the extent to which the objectives have been met, and the extent to which the goal was achieved. An example of how the performance reporting for the SSA works, is given below.

  1. For FY 2012, a pre-determined strategic goal of the SSA was to deliver "quality disability decisions and services".
  2. This strategic goal was divided into three objectives. One of the objectives was to "Reduce the wait time for hearing decisions and eliminate the hearing backlog". The metrics used to measure the performance of the SSA on this objective were to complete "the budgeted number of hearing requests" and to "reduce waiting time between hearings and decisions". SSA reported its performance on these two metrics as under:

Example of performance reporting by the SSA
Objective: Reduce the wait time for hearing decisions and eliminate the hearing backlog

Performance measure                                           FY 2012 target   FY 2012 actual   Target achieved?
Complete the budgeted number of hearing requests              875,000          820,484          No
Minimize average wait time from hearing request to decision   321 days         362 days         No

The SSA's performance report also shows the funds allocated to each objective and a statement of reasons where the performance metric is not met.

The current accountability framework of the UIDAI

A reading of the objectives and functions assigned to the UIDAI under the Act would suggest that the UIDAI must, at the very least, be held accountable for:

  1. The enrollment and authentication of persons [sections 11 and 23(1)]
  2. The regulation of enrollment agencies and other service providers licensed by it [section 23(2)(i)]
  3. The security and confidentiality of the data shared by persons who have enrolled with the UIDAI [section 23(2)(j) and (k)].

The Act and the accompanying Regulations specify a limited accountability framework, which is not oriented towards performance or service delivery to the citizen. Three accountability measures are present under the Aadhaar Act and Regulations:

  1. An annual CAG audit, and requiring these certified accounts of the UIDAI to be laid before each House of Parliament [Section 26 of the Act];
  2. Requiring an annual report in a prescribed form describing UIDAI's past activities, accounts, and future programmes of work, to be laid before each House of Parliament [Section 27 of the Act]. However, no such manner and form for the publication of the report has been laid down in the Aadhaar Regulations, nor does such a report seem to be available in the public domain; and
  3. Requiring certain processes to be followed by the CEO in transacting business at the UIDAI, under the UIDAI (Transaction of Business at Meetings of the Authority) Regulations, 2016, although these only relate to the number of meetings, quorum, voting procedure etc.

Apart from an annual financial audit, the law lacks any performance accountability mechanisms for the UIDAI. For instance, there is nothing in the law requiring the UIDAI to set performance standards for itself or account for core responsibilities such as number of people enrolled and not enrolled, number of authentication failures or number of data and security breaches. The law is similarly completely silent on ex-post accountability mechanisms. It neither requires a performance audit nor demands a justification for failures on its part.

Weak law will deliver weak performance

The conduct of an agency is largely shaped by the law governing it. For instance, Burman and Zaveri (2016) find that there is a correlation between the laws which mandate transparency of a regulator and the responsiveness of such regulators to citizens' preferences. Similarly, the detailed performance reporting by the SSA is underpinned by a law called the Government Performance and Results Act, 1993, a law that set up a performance-oriented framework of reporting for the US federal agencies to show the progress they make towards achieving their goals.

In the absence of such statutorily mandated accountability standards, measuring the performance of the UIDAI is difficult. Stories of security breaches and authentication failures while availing benefits abound. For instance, Scroll.in queried the UIDAI about the authentication requests received between September 2010 (when the first Aadhaar number was issued) and October 2016, and how many failed or succeeded. The query was aimed at assessing the efficacy of biometric authentication. The UIDAI replied that it had not maintained any records between September 2010 and September 2012 and that it did not maintain authentication data state-wise. More importantly, the UIDAI revealed that data about the success or failure of the over 331 crore authentication requests was "not readily available", nor was the breakup of the negative replies to requesting authorities across each of the five modes of authentication "readily available".

Similarly, cases of fake Aadhaar cards have also been reported. Pertinently, in response to an RTI filed by PTI seeking details of all cases of duplicate and fake Aadhaar cards and the action taken on them, the UIDAI refused the request on the grounds that the disclosure might affect national security or lead to incitement of an offence. The UIDAI also informed PTI that its CIDR facilities, information assets, logistics and infrastructure and dependencies are all classified as a "protected system" under the IT Act, and are thus exempt from RTI. It further stated that the format in which it held the information contained identity details, which may be prone to identity theft if divulged. The practical reality, thus, is that cases of unauthorised leaks/disclosures of identity information are being dealt with on a case-by-case basis, with zero clarity in the law on who is to be held accountable for such lapses in the future.

Conclusion

In previous decades, when we first set up state agencies in India, we were driven by concerns of efficiency and expertise that such agencies would bring to public administration. We now have sufficient experience about the endemic failure of State capacity in that approach. If one more new agency is built, on the lines of existing agencies, there is a high chance that it will reproduce the failures of existing agencies.

The climate of thinking on these questions in India is shifting. The FSLRC report, which proposes a new financial regulatory architecture, made extensive recommendations on the accountability framework for financial sector regulators. These recommendations were codified in the Indian Financial Code (IFC), a draft law that accompanied the FSLRC report. For example, the IFC contains provisions that mandate (a) regulators to build a system of periodical internal audits and publish the reports of such audits, (b) performance audits by an external auditor, (c) building systems for measuring the performance and efficiency of regulators, and (d) public consultation and a cost benefit analysis before exercising quasi-legislative powers. Some of these provisions that do not require legislative amendments are being implemented by the Ministry of Finance through a Handbook on Governance enhancing recommendations of the FSLRC, adopted by the four financial sector regulators in October 2013.

The report of the Bankruptcy Law Reforms Committee (2015), drew on the regulatory governance framework recommended by the FSLRC and recommended four elements for achieving accountability of the Insolvency and Bankruptcy Board of India, India's new insolvency regulator. While some of these elements were codified in the Insolvency and Bankruptcy Code, others are sought to be implemented in the course of setting up the Insolvency and Bankruptcy Board of India. Recent events at TRAI are pushing the organisation towards sound processes.

While the subject of regulatory governance seemed remote and a second order issue in setting up institutions in India, policy thinking today has increasingly started recognising that enhancing governance standards is as important as technical soundness, when designing new frameworks. Every government agency is an Agent, and the journey to building high performance agencies lies in setting up a sound principal-agent relationship, in the law. UIDAI is an important new organisation, and it should emerge as a high performance agency. We must harness our experience and our knowledge, to build appropriate accountability standards for the UIDAI in the law.

References

Cochrane, J. (2015), The rule of law in the Regulatory State.

Heidenheimer, A.J., Heclo, H. and Teich Adams, C. (1990), Comparative Public Policy: The Politics of Social Choice in America, Europe, and Japan, (3rd edition) New York: St. Martins.

Maggetti, Martino (2010). Legitimacy and Accountability of Independent Regulatory Agencies: A Critical Review, Living Reviews in Democracy Vol 2.

OECD (2014), The Governance of Regulators, OECD Best Practice Principles for Regulatory Policy, OECD Publishing.

Pollitt, Christopher, Colin Talbot, Janice Caulfield, and Amanda Smullen (2004), Agencies: how governments do things through semi-autonomous organizations, New York: Palgrave Macmillan.

Young Han Chun, Hal G. Rainey (2005), Goal Ambiguity in U.S. Federal Agencies, J. Public Adm. Res. Theory 2005, 15 (1): 1-30.

Majone, Giandomenico (1998), The Regulatory State and its Legitimacy Problems, Political Science Series No. 56, Department of Political Science of the Institute for Advanced Studies (IHS)

Sweet, Alec Stone and Thatcher, Mark (2002), "Theory and Practice of Delegation to Non-Majoritarian Institutions", Faculty Scholarship Series, Paper 74

Report of the Financial Sector Legislative Reforms Commission, Volume 1 (2013)

Burman, Anirudh and Zaveri, Bhargavi (2016), Regulatory responsiveness in India: A normative and empirical framework for assessment, IGIDR Working Paper WP-2016-025, October 2016.

 

Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the National Institute of Public Finance and Policy, Delhi. Bhargavi Zaveri is a researcher at the IGIDR Finance Research Group, Mumbai.

Friday, May 05, 2017

Grievance redress and enforcement problems in the Aadhaar legal framework

by Vrinda Bhandari and Renuka Sane.

Over the last few weeks, there has been a furore over the divulging of Aadhaar details, with information ranging from that of pensioners in Jharkhand to that of a famous cricket player (M. S. Dhoni) being made publicly available. The UIDAI has responded swiftly by filing FIRs against 8 websites, and also shutting down several others to prevent the misuse of data. Other complaints about Aadhaar have included instances of failure of biometric authentication, server and connectivity problems, cryptic error messages, and identity theft.

A recent paper by CIS reported that around 130-135 million Aadhaar numbers and 100 million bank account numbers were estimated to have leaked from four government portals. It is unclear whether these Aadhaar numbers had been inadvertently published by the government portals (without realising the consequences of their actions) or had been displayed as a measure of transparency. Either way, while Dhoni may be famous enough to reach out to the UIDAI, other ordinary citizens have not been so fortunate.

A key component of a system, especially one that interfaces with individuals, is its ability to provide protection to its intended users from being harassed, misled, or deceived. One way of ensuring this is to provide access to a reasonable mechanism of grievance redress, where citizens can complain and seek remedies. In this post, we focus on the lacunae in the grievance redress mechanisms and the enforcement concerns that arise in the context of Aadhaar. This is especially important, since, in the absence of an over-arching privacy or data protection law, an effective grievance redress mechanism, through the Aadhaar legal framework, remains the only remedy to Aadhaar holders.

Inadequate details about the procedure for grievance redress

When things go wrong, customers need to have access to a proper complaints mechanism. This can be a call centre, a web portal, or physical offices. In the case of Aadhaar, such access is to be provided through the establishment of "contact centres" (Regulation 32 of the Aadhaar (Enrolment and Update) Regulations, 2016).

The Regulations envisage that a contact centre shall provide a mechanism to log queries, ensure safety of the information received, and comply with the procedures and processes as may be specified by the Authority for this purpose. Residents are also permitted to raise grievances by visiting the UIDAI's regional offices, or through any other officers or channels as may be specified by the Authority for this purpose.

To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI. In a previous article, Is Aadhaar grounded in adequate law and regulations?, we criticised such delegation of power by the UIDAI to its future self. The same criticism applies equally in the case of grievance redress. If the process of grievance redress has not been specified in the Regulations, there remains an unjustifiable ambiguity on the remedial measures available to an Aadhaar number holder. This is worsened by the ambiguity on how the UIDAI will ensure safety of the information received.

The handling of grievance redress in the Aadhaar Regulations suffers from the following problems:

  1. The regulations leave the actual processes of redress, including the procedure for raising a grievance, the composition of the grievance redress/contact centre, and the timelines envisaged for resolving a query unspecified. They are silent on the identity/qualifications of the final decision maker, on whether the inquiry process will be administrative or quasi-judicial in nature, and whether an appellate remedy is provided for. The regulations are also silent on the binding nature of the resolution mechanism, and their relationship with the penalties and liabilities prescribed under the Act. In fact, even after reading the regulations, one is confused about whether the grievance redress mechanism is a simple contact centre or an actual authority, with some powers.

  2. Regulation 32(3) of the Enrolment and Update Regulations states that residents may raise grievances by visiting the regional offices of the UIDAI or through any other offices or channels as may be specified by the Authority. Notably, there are only 8 regional offices, namely Bangalore, Chandigarh, Delhi, Guwahati, Hyderabad, Lucknow, Mumbai, and Ranchi, which are primarily all Tier I cities. Further, these regional offices are not spread out throughout India - for instance, Western India only has one regional office in Mumbai, whereas North India has three offices in Delhi, Chandigarh, and Lucknow. The other channels remain unspecified.

  3. The efficacy and performance of these contact/call centres is hard to assess, since the regulations do not prescribe any minimum standards, or even a Code of Conduct (as in the case of Registrars, Enrolling Agencies, and other service providers) that would govern the behaviour of these centres. The Regulations are also silent on the performance standards of the grievance redress system as a whole, so that the UIDAI can be held accountable.

  4. In the case of the Aadhaar (Authentication) Regulations and the Aadhaar (Data Security) Regulations, no grievance redress mechanism has been specified, and no reference has been made to the grievance redress mechanism provided for in the Aadhaar (Enrolment and Update) and (Sharing of Information) Regulations. This suggests that there is in effect, no mechanism for redress in these two regulations at all.

These issues become particularly important when we consider that Regulation 30(2) of the Enrolment Regulations envisages the use of this grievance redress mechanism to resolve complaints relating to the omission or deactivation of an Aadhaar number. Between September 2010 and August 2016, the UIDAI had deactivated over 85.6 lakh Aadhaar numbers. The consequences of such deactivation can be huge, including the exclusion from receiving various government subsidies, and now potentially, for filing income tax returns. In this context, the silence on substantive matters of grievance redress in the regulations is disconcerting.

No power to file criminal complaints

While the Regulations provide for a contact centre, Section 47 of the Aadhaar Act stipulates that only the UIDAI or its authorised officer can file a criminal complaint for violations of the Aadhaar Act. The Aadhaar Act criminalises, among other things, the disclosure and dissemination of the identity information of an Aadhaar number holder (Section 37), unauthorised access to the Central Identities Data Repository (Section 38), and the unauthorised use of the identity information of an Aadhaar number holder by a requesting entity (Section 40). Consequently, the UIDAI has been given complete discretion in determining if, and when, to file a criminal complaint for violations of the Act, and an individual aggrieved by the actions of a third person is left to rely upon the bona fide actions of the UIDAI.

In the Dhoni case, for example, the UIDAI seems to have decided not to file a criminal complaint against the enrollment agency, even though it reportedly tweeted a photo of his application form. In fact, RTI replies of the UIDAI reveal that in the six years from September 2010 to 31st October 2016, it received 1390 complaints about enrollment. However, only three FIRs were filed against enrolling agencies, and those only by UIDAI's regional Bangalore office. The remaining complaints were either 'resolved', 'dropped', or 'closed' without initiation of any criminal action. Conversely, the UIDAI's Delhi office was quick to register its first FIR in over six years when a CNN-News18 journalist ran a sting operation on security lapses in Aadhaar enrollment centres.

Indian law rarely, if ever, permits a third party to file a criminal complaint on behalf of an aggrieved individual to the exclusion of that individual. Given that we have no access to any explanatory memorandum or notes on clauses, it is difficult to ascertain the reason for introducing such a provision in the Act. Not only does the Aadhaar Act introduce a new framework, it does so without specifying any accountability mechanism between the UIDAI and the aggrieved Aadhaar number holder. The scheme of the Aadhaar Act does not envisage any remedy for an aggrieved Aadhaar number holder if the UIDAI decides that her complaint is not worth pursuing. The UIDAI thus has unchecked discretion. It is worth noting that even the CrPC provides judicial recourse to an individual if the police fail to register an FIR.

Low clarity and emphasis on enforcement

Regulations have force only when enforcement mechanisms leave no ambiguity about the costs of violation. The Aadhaar Regulations are largely silent on enforcement. In fact, as stated above, even the enforceability of any decision of a "contact centre", as part of the Grievance Redress Mechanism, is suspect. This is a result of the lack of power to enforce penalties in the Aadhaar Act itself.

The Regulations suggest, for example, that enrollment activities are to be monitored by the UIDAI, and any violations may result in immediate suspension and eventual cancellation of the service providers' or the concerned persons' credentials and permissions under the Act. However, apart from this penalty, there is no other prescribed liability - in terms of a monetary fine or imprisonment - as the case may warrant, for failure to comply with the code of conduct or any of the other Regulations. Even the application of this penalty is unclear, and left to the complete discretion of the UIDAI, inasmuch as Regulation 26(3) of the Enrolment Regulations only states that such cancellation will take place after 'holding due inquiry as deemed fit by the Authority'.

Similarly, Regulation 25 of the Authentication Regulations only provides that a requesting entity or authentication service agency may be burdened with 'disincentives' by the UIDAI, including suspension of their activities, in case of any contravention of the Act or the regulations. The regulations do not provide for a gradation of offences and consequent punishments, ranging from monetary penalties to imprisonment depending on the offence. It is also unclear whether, and which, provisions of the Act will apply.

There exists a Code of Conduct (specified in Schedule V of the Enrolment Regulations) which requires service providers to make 'best efforts' to protect the interests of the residents (Rule 1); to not divulge any confidential information about the residents, except when required by law (Rule 5); to ensure 'timely' redress of grievances (Rule 7); to abide by the Act and the regulations thereunder (Rule 9); to inform the Aadhaar number holder in case of any breach or non-compliance (Rule 11); and to follow confidentiality, privacy, and security protocols 'as may be specified by the authority' (Rule 23). However, it is completely silent on the consequences of non-compliance. Thus, without proportionate penalties and clear procedures for imposing liabilities, the incentives to comply with the provisions of the Act and the regulations fall.

Inadequate power to conduct grievance redress

Finally, there is even some doubt about the UIDAI's power to regulate issues of grievance redress itself. Section 23(2)(s) of the Aadhaar Act empowers the UIDAI to set up "facilitation centers and grievance redress mechanism for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers". However, Section 54 of the Act, which enumerates the UIDAI's power to make regulations, does not refer to this sub-section, despite referring to other sub-sections of Section 23. This assumes importance because all the Aadhaar Regulations derive their power from Section 54. The source of the UIDAI's power to write regulations on grievance redress is thus unclear.

Way forward

In this new world, where Aadhaar is the centerpiece of the government's agenda and is becoming a necessity to avail multiple government services and benefits, an effective accountability and enforcement mechanism is paramount. Unfortunately, the Aadhaar Act and the Regulations are inadequate and vague.

Enrollment and use are not accompanied by any adequate redress mechanism, leaving us with the problem of a legal vacuum. Seven years, and a law later, there is still no clarity on the accountability and redress frameworks in the Aadhaar Act. A large part of the problem comes from the structure and governance mechanisms of the UIDAI itself, with no separation between the regulatory functions at UIDAI and its operational functions.

These issues are ultimately derived from the poor intellectual capacity in the drafting of law in India. There is an urgent need to introduce amendments in the Aadhaar Act to address these problems. A new data protection framework is reportedly being drafted. Many elements of our research program on Aadhaar have important implications for both these strands of work.


Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the National Institute of Public Finance and Policy, New Delhi.

Wednesday, March 22, 2017

Is Aadhaar grounded in adequate law and regulations?

by Vrinda Bhandari and Renuka Sane.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ["the Aadhaar Act"], as the name suggests, aims at targeted delivery of subsidies, benefits and services by providing unique identity numbers based on an individual's demographic and biometric information. Enrollment into Aadhaar is, in principle, voluntary - both as per the Central Government's own stand and repeated orders of the Supreme Court since 2013. The Government has, however, slowly been linking government (and other services) to the Aadhaar card. Since January 2017, the Government has issued 22 notifications making Aadhaar mandatory for receipt of a range of services, ranging from the Mid-Day Meal scheme to maternity benefits. The Aadhaar number is likely to become a pre-requisite for filing income tax returns and applying for a PAN card.

As of March 2017, more than 1.1 billion individuals have been enrolled in the system and 4.9 billion authentication transactions have taken place. In the process, the Government has expanded the scope and coverage of Aadhaar while the Supreme Court has yet to decisively settle questions about constitutional challenge.

In this article, we ask if the legal foundations on which the Aadhaar operates match up to the requirements of a program that is likely to touch the lives of all citizens of India. Can we, as citizens of India, be satisfied that there are enough checks and balances in the functioning of Aadhaar?

This is important as we have already started seeing implementation problems in the form of failure of biometric authentication, server and connectivity problems, cryptic error messages, and the irrevocability of the biometric, all of which have left the Aadhaar number holder and intended recipient of a subsidy without any remedy. Further, in the absence of an over-arching privacy law, our regulatory surveillance architecture is heavily weighted in favour of the State, leading to the very real possibility of strengthening mass surveillance with little regard for the effect on individuals' rights to privacy.

What should the legal framework provide?


A program such as Aadhaar should be built on sound legal foundations. At the very least, the Aadhaar scheme should be able to guarantee first, good governance by the Unique Identification Authority of India ["UIDAI"], the statutory body responsible for the functioning of the Aadhaar system; second, privacy protection from the State and the private sector against the misuse of the Aadhaar number; third, security protection against data breaches; and fourth, an effective grievance redress mechanism against mistakes, deception, and abusive practices.

We evaluate the Aadhaar Act and the subsequent regulations on two issues namely their scope and ambit, and security standards. In a follow up article, we will focus on the privacy, accountability, and enforcement concerns that arise in the current legal framework.

Concerns about the Aadhaar Act


In a recent paper, Towards a privacy framework for India in the age of the internet, we proposed a privacy framework that incorporated universally accepted privacy principles and analysed the Aadhaar Act against these benchmarks. Our critique of the Aadhaar Act focused on the lack of clarity surrounding the scope and ambit of the Act; the absence of any meaningful provisions on consent; the omission of privacy considerations; the role of private companies; and inadequate redress mechanisms.

The Act leaves too much to be specified by the Regulations. For instance, the definition of biometric information [Section 2(g)], the procedure for sharing [Section 23(2)(k)], and publication [Section 29(4)] of an Aadhaar number holder's information are left to be specified by regulations. This causes uncertainty about the scope and ambit of the Aadhaar Act, apart from concerns about the lack of Parliamentary scrutiny over any subsequent Regulations. In fact, the constitutionality of the Act can be challenged on the ground that it delegates essential legislative functions, including important decisions on policy, to the Executive, and lacks sufficient control over its exercise (See Re Delhi Laws Act, AIR 1951 SC 332; Avinder Singh v State of Punjab, AIR 1979 SC 321; and Ajoy Kumar Banerjee v UOI on excessive delegated legislation).

Concerns with the Aadhaar Regulations


In an attempt to address some of these criticisms, the Government, through the UIDAI, released detailed Regulations on enrollment, authentication, data security, and sharing of information in September 2016. These Regulations are also incomplete for two reasons.

Lack of clarity on the scope and ambit of the Regulations


As with the Act, the UIDAI, which was expressly tasked with notifying the Regulations under the Aadhaar Act, has failed to exercise such power delegated to it, causing further uncertainty about the working of the Act and the Aadhaar Scheme. The UIDAI, while notifying various regulations in September 2016, left multiple aspects of the functioning of the Aadhaar Scheme to be "specified by the Authority", i.e. to be specified by itself at a future undetermined date.

For instance, the UIDAI was empowered under Section 23(2)(a) of the Act to "specify, by regulations, demographic information and biometric information required for enrollment and the processes for collection and verification thereof." However, Regulations 3(2) and 4(5) of the Enrollment Regulations leave the "standards" for collecting biometric and demographic information, required for enrollment, to be specified by the Authority for this purpose. Thus, despite being tasked with laying down the regulations to govern the enrollment and collection of demographic and biometric information, the UIDAI's own Enrollment Regulations leave the specification of such standards to be notified by itself at some point in the future.

Similarly, Regulation 13(2) of the Enrollment Regulations on the generation of Aadhaar numbers states: "The Authority shall process the enrollment data received from the Registrar, and after deduplication and other checks as specified by the Authority, generate the Aadhaar number." There is no guidance to the UIDAI on what kind of checks should be laid down, nor on the principles that have to be followed in the interim, before further regulations are notified.

Through the four substantive regulations, the phrase "specified by the Authority" has been used 51 times (See Regulations 3(2), 4(5), 7(2), 8(2), 8(4), 11(2), 11(5), 13(2), 14(2), 17, 19(c), 20, 22(2), 23(5), 25(1), 29(2), 31(2), 32(1), 32(2), 32(3), 34 and Rules 17, 19, 22, 23, 24, 25, and 26 of the Code of Conduct in the Aadhaar (Enrollment and Update) Regulations 2016; Regulations 6(2), 7(3), 12(1), 12(2), 12(4), 13(1), 14(1)(d), 16(8), 18(1)(c), 18(1)(d), 18(2), 19(1)(a), 19(1)(h), 22(2), 22(3), 23(2)(a), 28(3), and 28(4)(a) of the Aadhaar (Authentication) Regulations; Regulations 4(2), 5(a), and 6(1) of the Aadhaar (Data Security) Regulations; and Regulations 4(1) and 4(2) of the Aadhaar (Sharing of Information) Regulations, 2016).

In some cases this may be justified because the standards relate to technical aspects such as the collection of information, the mode of updating residents' information, convenience fees, and certification processes; which may require a separate set of rules outside the regulations. However, important issues surrounding the enrollment, storing, and sharing of data -- issues that determine how our sensitive, personal information is collected, authenticated, stored, used, and shared with third parties -- have been left unspecified. This does not seem to have deterred the Government from pushing forward with the Aadhaar project.

The incompleteness of the various Regulations notified by the UIDAI underscores the lack of specificity in the working of the Act and the Regulations. The powers delegated to the UIDAI have in a sense been 'delegated' to its future self, to be notified when the UIDAI deems it appropriate. There is thus complete uncertainty about when, and whether, any future regulations will be notified by the UIDAI or whether the enrollment process will continue in this legal vacuum.

Lack of specification of security standards


The incompleteness of the Aadhaar Regulations is not limited to the Aadhaar (Enrollment and Update) Regulations. It extends to other Regulations as well, such as the Aadhaar (Data Security) Regulations. Notably, Section 23(2)(m) of the Aadhaar Act empowers the UIDAI to specify, by regulations, "various processes relating to data management, security protocols and other technology safeguards under this Act." Given the vast quantities of sensitive, personal data being stored in one centralised repository, one would imagine that the UIDAI would be quick in clarifying all the security protocols and technology safeguards. However, through Regulation 3(1) of the Data Security Regulations, the UIDAI does not lay out any specific measures for ensuring information security, instead only stating that: "The Authority may specify an information security policy setting out inter alia the technical and organisational measures to be adopted by the Authority and its personnel, and also security measures to be adopted by agencies, advisors, consultants and other service providers engaged by the Authority, registrar, enrolling agency, requesting entities, and Authentication Service Agencies."

Regulation 5(a) then further requires service providers engaged by the UIDAI to ensure compliance with such information security policy "specified by the Authority". Such a policy, to the best of our knowledge, has not yet been notified.

Thus, despite the enactment of the Aadhaar Act and the notification of the Aadhaar (Data Security) Regulations 2016, the failure to notify/specify an information security policy has meant that the fear of identity theft remains. In fact, it is only exacerbated in a country such as India, which does not have an adequate data protection regime, both in terms of the relevant legal provisions and effective enforcement mechanisms.

Conclusion


The Aadhaar regulations raise an important question on the consequences of a regulator's (UIDAI) failure to exercise the power that has been delegated to it, and to instead, postpone the specification of important standards/procedures to a future, undetermined time. In the meanwhile, the UIDAI is carrying on, and in fact, hastening, the process of enrollment, without any of these guidelines and processes having been notified. Thus, the various processes under the Act are happening in some sort of legal vacuum. This is a cause for worry.



Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi. We thank Anirudh Burman, Pratik Datta, Shubho Roy and Bhargavi Zaveri for useful discussions.

Thursday, July 21, 2016

Privacy concerns in the Aadhaar Act, 2016

by Vrinda Bhandari and Renuka Sane.

On 23rd March 2016, the Government of India enacted the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("Aadhaar Act"), touted as India's biggest welfare legislation. The Act aims at the targeted delivery of subsidies, benefits, and services by providing unique identity numbers based on an individual's demographic and biometric information. The passage of this Act has been controversial, especially since the Lok Sabha rejected the amendments passed by the Rajya Sabha. Given the magnitude of data collection about individuals that would arise under the Aadhaar system, the law needs strong safeguards about privacy. In this article, we review the law from the viewpoint of concerns about privacy.

In this task, we use the conceptual framework that was constructed in our previous three articles: Protecting citizens from the State: The case for a privacy law (16 February 2016), Elements for the proposed privacy law (9 March 2016) and Analysing the Information Technology Act (2000) from the viewpoint of protection of privacy (18 March 2016). In these articles, we have set up an eight-fold path for evaluating laws from the viewpoint of privacy, which (in turn) builds on the nine privacy principles of Notice, Consent, Collection and Purpose Limitations, Access and Correction, Disclosure, Security, Openness, and Accountability. In this article, we use this approach to think about the Aadhaar Act, 2016.

Component 0: Objective of the law


By virtue of the large-scale and centralised collection, storage and use of an individual's demographic (e.g. name, date of birth, address) and biometric (e.g. iris scan, fingerprint, photograph etc.) information, the Aadhaar Act has great privacy implications. However, the Aadhaar Act does not consider privacy as one of its objectives. The word privacy does not even find mention in the Act. In fact, even the government's arguments in the Supreme Court during the challenge to Aadhaar make it clear that it (and therefore, the Aadhaar Act) does not view privacy as a fundamental right. Thus, while the text of this law is better than the UPA's 2010 draft, it is weak on privacy.

Component 1: Value of personal data


While the Aadhaar Act, on first blush, seems to understand the value of the information it collects, it is not underpinned by an understanding of the right to privacy. As discussed before, laws are shaped by the value we place on personal data, and function on an underlying premise of privacy being valuable in and of itself. However, the Aadhaar Act lacks any understanding or articulation of the importance of privacy of personal data. Privacy considerations in the Act appear to be a minor afterthought, especially when juxtaposed with the needs of 'national security', which is given prominence in the Act.

Component 2: Scope and ambit of the law


The scope of the Aadhaar Act is a bit unclear since the working of key provisions has been left to regulations that are to be notified in the future. For instance, Section 2(g) of the Act defines 'biometric information' to mean photograph, finger print, Iris scan, or such other biological attributes of an individual as may be specified by regulations. It is thus possible that DNA can be included under this definition, and become part of a centralised government database. The consequences of DNA-based profiling and its potential misuse are terrifying.

The Act oddly defines 'core biometric information' in Section 2(j), which is the same as biometric information, except that it excludes photographs.

Another example of the lack of clarity is found in Section 23(2)(k), which permits the Unique Identification Authority of India ("UIDAI") to share information about individuals in such manner as may be specified by regulations.

Similarly, Section 29(2) permits the sharing of identity information, other than core biometric information, in such manner as may be specified by regulations. Even more worryingly, Section 29(4) permits the publication and display of an individual's core biometric information or Aadhaar number for purposes as may be specified by regulations.

Together, these examples undermine the idea of a watertight database that will be used exclusively by the government for the purposes of giving subsidies, benefits or services. Even if the first wave of subordinate legislation is drafted with thought and care, the Act leaves the possibility of future changes to these rules and regulations in ways that undermine privacy.

Component 3: Coverage


The Aadhaar Act justifies the collection, storage, and use of personal data on the premise that it is a "condition for receipt of a subsidy, benefit or service", as stipulated under Section 7 of the Act. Thus, the Act is portrayed as covering (or regulating) only the interactions between the State and its residents.

However, a closer look reveals that under Section 57, the Act also facilitates interactions between private parties and residents of India by allowing "body corporate" to use the Aadhaar number for their own purpose. This raises concerns about violations of privacy when UIDAI shares data with private entities.

For instance, TrustID is an app that allows the user to verify any individual using their Aadhaar number, and offers a range of services including pre-employment, credit background, tenants, business partners, employers, and property owners' verification. It is not clear that the access to information by TrustID is taking place in ways that protect the privacy of individuals. As Usha Ramanathan notes, many private companies have begun the process of trying to expand and leverage the uses of Aadhaar. The use of Aadhaar by a large number of private persons has long been touted as a contribution of the Aadhaar system to the Indian economy. There may be many conflicts about privacy in this process of expansion.

These applications suggest that the Aadhaar system will not be narrowly limited to the applications described in Section 7. The Act potentially covers everyone. It can include all the transactions conducted between an individual and the State in relation to benefits and subsidies; and the transactions between an individual and a corporate entity, where the private entity uses the Aadhaar number for identification and authentication.

The expanded scope of coverage, along with the absence of privacy protection, implies that this Act has reduced the overall privacy protections enjoyed by residents in India - whether in their interactions with the State to access subsidies/benefits or in their interactions with corporate entities.

Component 4: Collection and retention of personal data


With regard to data collection and its retention, it is important to provide an opt-in/opt-out clause to users, as this is consistent with the 'Choice and Consent' principle. This is particularly important in the Aadhaar Act, given our ownership over our own personal (demographic and biometric) data and the pervasiveness of our biometric data (e.g. we leave our fingerprints wherever we go).

The Aadhaar Act does not provide an opt-out clause, wherein Aadhaar number holders can choose to leave the system (and forego all its benefits) and ensure that their identity information is permanently removed from the Central Identities Data Repository.

Mr. Jairam Ramesh proposed an amendment to Clause 3 of the Bill in the Rajya Sabha, allowing a person to 'opt out' even if they had already enrolled, with the consequence that their authentication, biometric, and demographic information would be deleted from the system within 15 days. Although passed by the Rajya Sabha, the amendment was rejected by the Lok Sabha.

The absence of an opt-out clause is closely related to the issue of retention of personal information inasmuch as there are no time limits for the retention of data. This is unwelcome in light of the inherent non-revocability of biometric information and the fact that traces of our biometric data, for instance fingerprints, are left everywhere.

Component 5: Use and processing of data


The principle of 'Purpose/Use Limitation' is lacking in the Act. For instance, Section 33(2) carves out an express exception to Section 29(1)(b)'s stipulation of "using" core biometric information for any purpose other than generation of Aadhaar numbers and authentication under this Act if it is in the interest of [undefined] `national security'.

Section 3(2) and Sections 8(2)(b) and 8(3) of the Act require the enrolling agencies to inform the individual about the manner in which their information shall be used and shared and ensure that their identity information is only used for submission to the Central Identities Data Repository.

At first blush, thus, the Act seems to incorporate principles of 'Purpose Limitation', especially since Section 41 imposes a penalty on the requesting entity for non-compliance. However, the lack of an effective enforcement mechanism, as discussed later, undermines these provisions. For instance, the Act does not detail how an Aadhaar number holder can escalate the issue (since only the UIDAI can file a complaint) or what standard will be used to determine whether the requesting entity has provided the information in a clear and suitable manner.

Further, the Aadhaar number holder's identity information can be used both by the State and body corporates, without any further regulation governing the use by third parties.

Component 6: Sharing and transferring of data


This component of privacy design focuses on the 'Disclosure' principle, namely the sharing of personal data with third parties. In the case of Aadhaar, this entails the identity information of the Aadhaar number holder. One of the most controversial sections of the Aadhaar Act is Section 33, which provides for the disclosure of information, including identity information or authentication records, under certain circumstances.

Section 33(1) permits the disclosure of such information pursuant to a judicial order by a Court not inferior to that of a District Judge. Nevertheless, the proviso only requires a hearing to be given to the UIDAI, and not to the Aadhaar card holder, whose information is being disclosed. Consequently, this deprives the individual of their essential right to be heard.

Section 33(2) is even more controversial because it makes an exception to the security, confidentiality and disclosure provisions on the direction of the Joint Secretary in the interest of national security. Such a direction has to be reviewed by a three-member 'Oversight Committee', consisting of the Cabinet Secretary, the Secretary of the Department of Legal Affairs and the Secretary of the Department of Electronics and Information Technology. The second proviso further provides that such a direction shall be valid for three months, after which it can be reviewed and extended every three months. This is problematic for various reasons.

  1. As Mr. Jairam Ramesh and Mr. Sitaram Yechury noted while moving an amendment to Section 33(2), "national security" is an undefined term, and thus there is no transparency concerning covert surveillance. Consequently, the Rajya Sabha passed an amendment to replace the phrase "national security" with "public emergency or in the interest of public safety" (as is present in the Telegraph Act dealing with wiretapping). Unfortunately, this amendment was rejected by the Lok Sabha, and Section 33 remained as is.
  2. The scope of Section 33 is vague and it seemingly permits, and even facilitates, the furnishing of personal information to any third party, if it is in the interest of `national security'.
  3. The Oversight Committee is basically a committee of three Executive nominees. Thus, the possibility of effective oversight remains low. 

Component 7: Rights of users


As discussed previously, the right to access and correct one's own information, the right to data breach notification, and the right to data portability are extremely important from the perspective of the user.

Unfortunately, the Aadhaar Act does not grant these rights to the Aadhaar number holder. With respect to the right of access, it is instructive to examine the proviso to Section 28(5) of the Act, which states that an Aadhaar number holder may "request" (not demand) the UIDAI to provide access to her identity information. Nevertheless, the proviso excludes requests for her core biometric information.

It is unclear what the powers of the UIDAI are to accept or deny such a request, or why a carve-out has been made to restrict access to one's own finger print/iris scan, especially considering they can be wrongly entered in the system, as has been documented in Rajasthan (where the biometric information of potential food ration beneficiaries did not match the data stored on the Aadhaar servers).

Correction or change of demographic information (e.g. on getting married) or biometric information is governed by Section 31 of the Act, which requires the Aadhaar number holder to "request" (not demand) the UIDAI to alter such information in their records. The section states that the UIDAI, on the receipt of such a request, "may, if it is satisfied" make such changes. It is unclear what the standard for such "satisfaction" is, and the Act does not prescribe any statutory penalty or means for judicial redress for the delay/failure to act. Given the centrality of the Aadhaar number in linking various databases and services, such truncated rights of access and correction are worrying.

The Aadhaar Act also fails to prescribe 'data breach notification' requirements mandating the UIDAI to inform an individual, the Aadhaar number holder, that their identity (biometric and demographic) information has been shared or used without their knowledge or consent. Similarly, there is no concept of 'data portability', since information cannot freely be transferred amongst different service providers, as there are no alternatives to the UIDAI.

Component 8: Supervision and redress mechanisms


Effective supervision and redress mechanisms require individuals to be informed when there is a breach of confidentiality or disclosure of their personal information.

Section 47 of the Act prescribes that only the UIDAI or its authorised officer can file a criminal complaint under the Act. Thus, all the criminal penalties prescribed under the Act (e.g. for disclosing identity information under Section 37 or for unauthorised access to the Central Identities Data Repository under Section 38) can only be initiated by the UIDAI, and not the aggrieved Aadhaar number holder.

Consequently, even though the Act prescribes civil and criminal remedies for unauthorised access, use, or disclosure by the prescribed authority, the criminal remedy is not available to the aggrieved Aadhaar number holder. Such a person only has recourse to civil law, and the fines prescribed under the Act.

Unfortunately, a conjoint reading of Sections 28 and 47 of the Act discloses the possibility of a conflict of interest, since it may be in UIDAI's interest to cover up breaches of privacy. Without the UIDAI's proactive action, an individual Aadhaar number holder is left without remedy.

Section 30 of the Act treats biometric information as "sensitive personal data or information", as understood in Section 43A of the Information Technology Act. The treatment of such information under the IT Act has been dealt with in detail in our previous post. The IT Act itself fails to handle sensitive personal data or information in ways that embed privacy concerns.

Finally, as discussed in the sections above, the supervision mechanism for one of the Aadhaar Act's most controversial sections (Section 33) is the constitution of an 'Oversight Committee'. This Committee is tasked with reviewing the disclosures made in the interest of 'national security', and thus serves to fulfill the 'Accountability' and 'Security' principles of privacy law. However, this three-member Committee comprises three government bureaucrats, especially after the Lok Sabha rejected the Rajya Sabha amendment to include either the CVC or the CAG as part of the Committee.

Conclusion


In this group of four articles, we have established a systematic eight-fold path for analysing laws from the viewpoint of concerns of privacy. We have used this framework to analyse two laws: The IT Act, 2000, and the Aadhaar Act, 2016. Both these laws have important failures in enshrining privacy. These laws thus hamper India's emergence as a mature democracy.


Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi.