by Elonnai Hickok in Privacy — Dec 07, 2010 01:20 PM
The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become a legal legislation in India. The following note contains Civil Society's response to the final draft of the Bill.
On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year in June 2010 the Authority issued a draft UID Bill to the public for comment and review. Civil Society responded with a detailed summary and high summary of points that amended the draft or were missing in the draft Bill. We are disappointed that none of the concerns raised by Civil Society, including those listed below, were addressed.
Architecture
The centralized architecture of the UID project is unnecessary. A federated and decentralized structure to the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.
Scope
The scope of the Bill is overboard. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms creates a threat that data will be collected and used beyond delivery of benefits
Voluntary and not Mandatory
The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number- provided that an individual furnishes equivalent ID, thus ensuring that the Aadhaar number is truly voluntary.
Inadequate Privacy Safeguards
The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about data collection, transfer, retention, security, and dissemination.
Unwarranted Data Retention
The Bill does not provide adequate privacy protection for transaction data. In particular section 32(2) empowers the Authority to determine the duration that data is to be retained for.
Lack of accountability for all Actors
The Bill holds only the Authority accountable for violations. Rather the Bill needs to hold enrolling agencies, registrars, and other service providers accountable. Furthermore, the Bill does not provide adequate regulations or accountability for the data that are outsourced.
Lack of Exceptions
The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of Aadhaar numbers or authentication of transactions.
Lack of Anonymity
The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an Aadhaar number should not be requested.
Inadequacy of Penalties
The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.
Unaffordability of Fees
It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated.
Lack of Rollback and Ombudsman Office
The Bill does not provide adequate redress for system/transaction errors and fraud.
Inappropriate Structure and Governance
The Bill does not provide appropriate judicial and parliamentary oversight.
Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant:
Definition of Resident
Section 2 (q): “resident” means an individual usually residing in a village or rural area or town or ward or demarcated area (demarcated by the Registrar General of Citizen Registration) within ward in a town or urban area”
Comment: This section clarifies the definition of ‘resident’ from the draft Bill, which defined resident as an “individual usually residing within the territory of India”. By specifying that individuals in demarcated areas will not receive UID numbers, the definition of resident is brought into line with the scope of the Bill as laid out in the preamble. We see this change as a positive revision.
Prohibition of Dissemination of Information
Section 30 (3): “Notwithstanding anything contained in any other law and save as otherwise provided in this Act, the Authority or any of its officer or other employee or any agency who maintains the Central Identities Data Repository shall not, whether during his service as such or thereafter, reveal any information stored in the Central Identities Data Repository to any person”
Comment: This section prohibits the dissemination of any information that is stored in the Central Identities Data Repository. This prohibition extends to anyone or any entity that handles information, and supersedes other laws that might permit dissemination of information. We see this change as a positive revision.
Disclosure of Information in the Case of a National Security
Section 33 (b):“Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”
Comment: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency" which already has a considerable volume of judicial reasoning that has elaborated what it means. Eg. in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety", the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."
The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become a legal legislation in India. The following note contains Civil Society's response to the final draft of the Bill.
On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year in June 2010 the Authority issued a draft UID Bill to the public for comment and review. Civil Society responded with a detailed summary and high summary of points that amended the draft or were missing in the draft Bill. We are disappointed that none of the concerns raised by Civil Society, including those listed below, were addressed.
Architecture
The centralized architecture of the UID project is unnecessary. A federated and decentralized structure to the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.
Scope
The scope of the Bill is overboard. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms creates a threat that data will be collected and used beyond delivery of benefits
Voluntary and not Mandatory
The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number- provided that an individual furnishes equivalent ID, thus ensuring that the Aadhaar number is truly voluntary.
Inadequate Privacy Safeguards
The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about data collection, transfer, retention, security, and dissemination.
Unwarranted Data Retention
The Bill does not provide adequate privacy protection for transaction data. In particular section 32(2) empowers the Authority to determine the duration that data is to be retained for.
Lack of accountability for all Actors
The Bill holds only the Authority accountable for violations. Rather the Bill needs to hold enrolling agencies, registrars, and other service providers accountable. Furthermore, the Bill does not provide adequate regulations or accountability for the data that are outsourced.
Lack of Exceptions
The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of Aadhaar numbers or authentication of transactions.
Lack of Anonymity
The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an Aadhaar number should not be requested.
Inadequacy of Penalties
The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.
Unaffordability of Fees
It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated.
Lack of Rollback and Ombudsman Office
The Bill does not provide adequate redress for system/transaction errors and fraud.
Inappropriate Structure and Governance
The Bill does not provide appropriate judicial and parliamentary oversight.
Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant:
Definition of Resident
Section 2 (q): “resident” means an individual usually residing in a village or rural area or town or ward or demarcated area (demarcated by the Registrar General of Citizen Registration) within ward in a town or urban area”
Comment: This section clarifies the definition of ‘resident’ from the draft Bill, which defined resident as an “individual usually residing within the territory of India”. By specifying that individuals in demarcated areas will not receive UID numbers, the definition of resident is brought into line with the scope of the Bill as laid out in the preamble. We see this change as a positive revision.
Prohibition of Dissemination of Information
Section 30 (3): “Notwithstanding anything contained in any other law and save as otherwise provided in this Act, the Authority or any of its officer or other employee or any agency who maintains the Central Identities Data Repository shall not, whether during his service as such or thereafter, reveal any information stored in the Central Identities Data Repository to any person”
Comment: This section prohibits the dissemination of any information that is stored in the Central Identities Data Repository. This prohibition extends to anyone or any entity that handles information, and supersedes other laws that might permit dissemination of information. We see this change as a positive revision.
Disclosure of Information in the Case of a National Security
Section 33 (b):“Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”
Comment: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency" which already has a considerable volume of judicial reasoning that has elaborated what it means. Eg. in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety", the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."
