The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Tuesday, July 25, 2017


Editor's Note: A nation’s legal system is integral to how its citizens look upon issues that concern the country in general and their individual lives in particular. Despite having the world’s longest Constitution — not to mention, one that has gone through numerous amendments and the many directives by the Supreme Court that have secured the stature of de facto law, the Indian law books have struggled to evolve at a pace commensurate with the rapid changes society has undergone. As the load of being archaic becomes heavier on our law system, Firstpost introduces a 10-part series titled 'Letter of the Law' to push forward the debate on legal practices and the law itself. The series will explore a variety of aspects pertaining to Indian law through opinion and analyses.

“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”
- Benjamin Franklin

Aadhaar, India’s biometric identification system, which is the largest such project in the world, is in the eye of a storm lately. Though Aadhaar has become the focal point of debate on right of privacy, threats to data security and citizens’ rights to privacy go far beyond it.

The Constitution of India does not provide privacy the status of a fundamental right, however, the same comes into existence upon widening the horizons of Article 21 of the Constitution ie right to liberty which states that “No person shall be deprived of his life or personal liberty except according to procedure established by law”. Since the Constitution of India does not specifically guarantee ‘right to privacy’, the determination of privacy as a right completely rests upon the interpretation of the judiciary, and has been subject to restrictions under various provisions and judgments of the Supreme Court of India. The recognition of privacy as a right first came up in the case of Kharak Singh versus State of Uttar Pradesh, wherein the Supreme Court interpreted that right to privacy is not guaranteed under the Constitution yet the said right is an essential ingredient of personal liberty which is implicit in Article 21 of the Constitution.

Life as we know is something more than one’s mere survival and existence; therefore, the right to privacy is an inherent right to every citizen of the country. As things stand today, where the Government of India is taking a stand that the right to privacy is not a fundamental right and at the same time the government is promoting digitalisation, enacting policies and regulations permitting surveillance in cyberspace, telephones, email, personal messages etc through multiple agencies under the grab of national security, implementing national programmes like Unique Identification Number etc, it is imperative for India to enact stringent privacy laws.
Evidentially, there has been a rampant use of technology by the masses on daily basis and as a result, the internet giants like Google, Apple, Facebook, WhatsApp and Microsoft have vast information about us, through malware, covert eavesdropping, and the unwarranted permissions we voluntarily grant social media sites and apps. There is an immediate need for a data protection law which emphasise a person’s rights to her personal data; require her informed consent to collect, process, remove or alter such data; oblige those who deal with data to keep it secure; and have a grievance mechanism to punish violations with hefty fines and imprisonment.

Growing challenges of privacy
The current laws on privacy are not at par with the growing developments in technology in India. The Information Technology Act, 2000 (IT Act) and the rules made thereunder, do entail certain provisions pertaining to data protection, however as privacy is not a right per se under any law in force, these provisions appear inadequate in addressing issues relating to sharing of, disclosure and retention of data and leave room for potential abuse.

The Privacy Bill, 2010 was introduced by the Department of Personnel and Training, however though the objective of the Privacy Bill was to protect individuals’ fundamental right to privacy, the Privacy Bill primarily focused on provisions pertaining protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use. Incidentally, the National Identification Authority of India Bill, 2010, which aimed at establishing a National Identification Authority for issuance unique identification number (called Aadhaar) to every resident of India, which would be linked to a resident’s demographic and biometric information, was also introduced. Neither the Privacy Bill, 2010 nor the National Identification Authority of India Bill, 2010, were enacted.

With a view to conquer growing privacy challenges in the country and in order to effectively address the privacy issues, the erstwhile Planning Commission of India had directed the constitution of a ‘Group of Experts’ to identify the privacy issues and prepare a report on the same to facilitate authoring of privacy bill for India. The Expert Committee, which submitted its report in 2012, analysed various international privacy principles and the existing privacy legislations in India. According to the recommendation of the Committee, the Privacy Act should put into place a regulatory framework for both public and private sector organisations and further aim to harmonise all statutory legislations with respect to privacy laws in India.

A specific privacy legislation is imperative and urgently required in order to safe guard the privacy of individuals

The report recommended fundamental ‘privacy principles’ in line with global standards including the EU, OECD, and APEC, which included the principle of notice, choice and consent, collection and purpose limitation, disclosure of information, security and accountability. Further, the Expert Committee also recommended the establishment of privacy commissioners, self-regulating organisations and co-regulation, to ensure implementation and enforcement of policies. The draft privacy bill of 2011, was modified based on the recommendations made by the Expert Committee, however, no definite timeline has been provided by the government in relation to the introduction of legislation to protect privacy of individuals.

While the enactment of much needed privacy laws seems to be not a priority, the government is uncontrollably enacting policies and regulations for surveillance through systems like the Centralised Monitoring System, NITRA, NATGRID (for collecting data from across databases) in the interest of National Security and linking citizens and databases across the unique identity number in Aadhaar. If we look at the steps being taken by the government in relation to the implementation of these programs and the powers being granted to various governmental authorities under these legislations to monitor data over the telecommunications networks including interception of calls, tracking of IP addresses etc. it becomes evident that a specific privacy legislation is imperative and urgently required in order to safe guard the privacy of individuals.

Monitoring and surveillance
If we look at the establishment of the Central Monitoring System (“CMS”), which is a centralised telephone interception provisioning system installed by the Centre for Development of Telematics to automate the process of lawful interception; monitoring of telecommunications, there is a lack of clarity on the scope, functions, and technical architecture of the CMS.
It is worrying that there is no specific law which mandates or regulates the CMS. Surveillance in India is primarily governed by the Indian Telegraph Act, 1885 (“Telegraph Act”) and the IT Act. Section 5(2) of the Indian Telegraph Act which empowers the Indian government to intercept communications on the occurrence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, public order or for preventing incitement to the commission of an offence.

On the other hand Section 69 of the IT Act (as amended in 2008) grants the government with the power to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource if it is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognisable offence relating to above or for investigation of any offence.
It is relevant to note that prerequisites of ‘public emergency’ and ‘public safety’ which were earlier nearly the same in the IT Act, and the Telegraph Act, have now been removed from IT Act with which the power of the government has become more extensive in relation to interception and monitoring of telecommunications.


It is worrying that there is no specific law which mandates or regulates the Central Monitoring System
In addition to the implementation of the CMS, the government had also setup the National Intelligence Grid (NATGRID), which is an integrated intelligence grid connecting databases of core security agencies of the Government of India. NATGRID would provide intelligence agencies real-time access to 21 databanks, including banking, credit card, income tax, election identity card, call records, PAN card and driving licence details. Again, there is no specific law which mandates or regulates the NATGRID.

Internationally, the USA, the EU and the UK provide for specific laws in relation to lawful interception and surveillance. However, globally mass surveillance activities are being challenged by Human Right activists as being violative of privacy rights of citizens. The EU had also introduced the Data Protection Directive in 2006, which mandates the retention of metadata of internet and telephone usage, which was struck down by the European Court of Justice in 2014 on the grounds of infringement of privacy.

Similarly, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”), was passed in the Lok Sabha, despite being opposed on numerous grounds including the concerns regarding privacy and protection of biometric information and demographic data of citizens collected by the enrolling agency for issuance of the Aadhaar number. Though the objective of the Aadhaar Act is to provide for efficient, transparent, and targeted delivery of subsidies, benefits and services to individuals residing in India through assigning of unique identity numbers to such individuals, the Aadhaar Act creates a single database, a Central Identities Data Repository (CIDR), holding bio-metric as well as demographic information on every Indian, along with name, address, and phone number. Even though the Aadhaar Act was introduced post submission of the recommendations of the Shah Committee Report, the Aadhaar Act does not address some of the key principles enumerated under the Shah Committee Report.

While the question whether there is any right to privacy guaranteed under our Constitution is still pending before the Constitutional Bench of the Supreme Court, the government is proposing to make Aadhaar mandatory for obtaining a permanent account number, filing your income tax returns etc. All this while, the Supreme Court, had previously stated that Aadhaar cannot be made mandatory and the production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen. However, with the Finance Act, 2017, it seems the order of the Apex Court has consciously been disregarded which has negated an individual’s freedom of voluntary enrolment.

There is no doubt that people are evading taxes by maintaining multiple PAN. One estimate is that there are 19 million income taxpayers in India, whereas 250 million PAN cards are issued and Aadhaar can be an effective way to de-duplicate the PAN.
Further, though the Aadhaar Act prohibits usage of bio-metric information for any other purpose other than generation of Aadhaar number and authentication, under the Aadhaar Act, Section 33(1) permits the disclosure of information including identity information or authentication records, pursuant to a judicial order by a Court not inferior to that of a District Judge. Further, Section 33(2) permits disclosure of information including identity information or authentication records (including bio-metric data) in the interest of national security if so directed by an officer not below the rank of a joint secretary to the Government of India specifically authorised in this behalf.
The Section further provides that every such direction shall be reviewed by an ‘oversight committee’ consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect. The Aadhaar Act permits disclosure of information for ‘national security’ purposes but there is no clarity in relation to what extent the surveillance can be exercised by the government under the guise of ‘national security’.

The Aadhaar Act, has similarities to the Identity Cards Act, 2006 of United Kingdom, under which national identity cards which were a personal identification document and European Union travel document, linked to a database known as the National Identity Register, were proposed to be issued. As in the case of the Aadhaar Act, when the UK Identity Card Bill was introduced, independent studies in relation to the proposed bill strongly recommended against the centralising storage of information due to privacy concerns. The Identity Card Act, 2006 has been repealed and the National Identity Register has been destroyed, due to privacy and cost concerns.

What about Big Data?
With the launch of government’s digital India, which aims to transform India into a digitally empowered society and the widespread increase in the number of internet users in India, which has led to a rampant growth in the amount of data and information about an individual that is available in the hands of private enterprises and the government, the concern about privacy and security in relation to ‘big data’ analytics is discernible.

Government of India ranks second (the first being the US) requesting Facebook to share user data from India.

‘Big data’ refers to substantial and complex amount of data generated primarily by through internet access and usage. The significance of such data lies in the availability of such data in such volume through various sources such as Facebook posts, tweets, clickstream, online transactions, email, uploaded images, cookies, applications, smart phones etc. Such data is not merely restricted to one’s internet usage pattern but also encompasses data collected in real time, and pertaining to highly personal, sensitive behavioural patterns such as habits, likes, and dislikes, as well as travel, movements, health statistics, among others. As per recent data available in the public domain, Government of India ranks second (the first being the US) requesting Facebook to share user data from India.

Irrespective of different states having different laws on privacy, privacy has been recognised as a fundamental human right in the UN Declaration of Human Rights (“UDHR”), the International Covenant on Civil and Political Rights (“ICCPR”) and in many other international treaties. The UDHR and the ICCPR are binding upon India, as India is a signatory to both of these conventions, however no consequent and explicit legislation has been passed by India in this regard. Countries across the globe have formulated privacy laws and laid down principles in accordance with the privacy requirements that their country raises.

With ‘right to privacy’ being a fundamental right being questioned, the substantial growth and development in the technology sector, widespread growth of Internet users, the digital India program, implementation of CMS, NATGRID, Aadhaar and other government initiatives, a comprehensive legal framework that governs both the private companies and the government agencies needs to be implemented in line with the global data protection policies and the international human rights standards.

The lack of any comprehensive legislation in relation to privacy, surveillance, power and authorities of the government agencies to request for data and surveillance, protection and destruction of such data collected endangers the privacy of individuals as the limited provisions under the existing laws are not enough to deal with the development of the information technology sector and the government initiatives to collect, intercept, decrypt and store data in the interest of national security. Further, there is a need to amend the current regime to provide for greater transparency, accountability and clarity on the scope, functions, and technical architecture in relation to India's surveillance framework. Evidentially, the right to privacy is a right to be negotiated and more to be seen on the government initiatives as we move along.

You can access the rest of the series here.