In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Showing posts with label Rahul Matthan - TriLegal. Show all posts

Tuesday, January 23, 2018

12762 - Shutting down Aadhaar is not the answer to the privacy question - Hindustan Times


Every time a new technology has offered new benefits it has, at the same time, had some impact on our current expectation of personal privacy. In every such instance, rather than being shut down, we amended our perceptions of privacy, amending our laws to address the concerns they posed, and establishing a new balance between the benefits that these new technologies provided and the harms that they could cause.
OPINION Updated: Jan 22, 2018 19:20 IST

Rahul Matthan 



Aadhaar is an identity project that has been introduced into a country that had no reliable means of identity. When you provide identity to a person who has never had it before, you strip him of the anonymity of the crowds.(Pradeep Gaur/Mint)
The battle over Aadhaar is now in its endgame. A five judge bench of the Supreme Court is currently hearing arguments about the validity of Aadhaar and will decide, once and for all, whether to uphold it or strike it down. Whichever way the court rules, the consequences will be significant. If it is upheld, and if the concerns of the petitioners as to the security and safety of the identity infrastructure are to be believed, it will result in exclusion, giving the Deep State free rein to misuse its powerful infrastructure for nefarious purposes. If, on the other hand, the project is struck down, the many crores of savings the government has been able to realise as well as the vast infrastructure that is now indispensable for many in the private sector, stands to be destroyed.

Over the past few weeks the debate has risen to a fever pitch. Detractors have not lost any opportunity to pillory the project, and the press has joined in — sometimes sacrificing investigative rigour for TRPs. The UIDAI, for its part has not exactly covered itself with glory, responding incoherently to the concerns being raised and often taking legal action in unseemly haste. But if we can put aside the hyperbole for a moment we will quickly realise that the position we find ourselves in is not entirely without precedent.

Aadhaar is an identity project that has been introduced into a country that had no reliable means of identity. When you provide identity to a person who has never had it before, you strip him of the anonymity of the crowds. For many this is a blessed relief. As long as they remained hidden amongst the crowds, the benefits that were supposed to trickle down never ever reached them. Now that they had an identity – one that no-one else could use – they could finally claim these entitlements themselves. For others, losing the shelter of the crowd has left them exposed, their personal lives subject to unprecedented scrutiny, now that an imperfect identity no longer shields them.




In the history of privacy, we have stood at this crossroads many times before. Every time a new technology has offered new benefits it has, at the same time, had some impact on our current expectation of personal privacy. The invention of the printing press democratised the written word, bringing the knowledge and entertainment of literature to the masses and ensuring that not just the wealthy could enjoy books. But at the same time, it made it possible for correspondence that was only ever intended to be private, to be published for all to read — giving rise to some of the earliest judgments on violation of privacy. When portable cameras were invented they allowed passers-by to snap pictures of us at unguarded moments producing images that embarrassed or tarnished our reputation and changing forever our expectations of privacy in public spaces.
In every previous instance these technologies were denounced and sought to be banned lest they destroy our current way of life. In every such instance, rather than being shut down, we changed our perceptions of privacy, amending our laws to address the concerns they posed, and establishing a new balance between the benefits that these new technologies provided and the harms that they could cause.








Data is the latest technology that is threatening our personal privacy and, as before, the choice is between shutting it down and allowing it to proceed within a new framework of personal privacy. I have no insight into the mind of the five gentlemen who are sitting down to decide this matter but if history is anything to go by, nothing will come of attempting to shut down by brute force, a technology that has already come into its own.
Data-driven decision-making is here to stay and digital identity is just one of the engines that will power its evolution. There is nothing to be gained from railing at the technology. Instead we’d do well to begin to change our current perception of personal privacy. In the immortal words of Wayne Gretzky, we need to “skate to where the puck is going, not where it has been.”

(This is the fourth in a series of by-invitation opinion pieces on Aadhaar)

Rahul Matthan is partner and head of the technology practice group at Trilegal
The views expressed are personal

Thursday, August 31, 2017

11935 - The good and the bad of the privacy ruling - Live Mint

Much as I enjoyed reading the Supreme Court’s judgement affirming privacy as a fundamental right, I have some misgivings about the direction down which it is pointing us

26th August 2017


While the Supreme Court judges seem to understand the benefits that big data can bring us, they appear, at the same time, ignorant of the chilling effect that a strict notice and consent-based framework can have on these business models. Photo: Mint

One of the pleasures of being a lawyer in a vibrant common law jurisdiction is that every once in a while the system spits out a decision so artfully crafted and filled with nuance and meaning that it is a sheer joy to read. Few decisions in recent memory are better exemplars of this than the recent decision of the Supreme Court in Puttaswamy v. Union of India, affirming the fundamental right to privacy.

The system of common law is based on precedent. Judges are bound to consider past judgments and apply them to disputes that come before them in the future. They are only permitted to diverge from the chain of historical decisions if it is possible to sufficiently distinguish—in fact or principle—from the available precedents. Our law is, therefore, not so much a monolith handed to us by our founding fathers as an edifice constructed brick-by-brick through an incremental series of decisions—each one based on the judgements that preceded it but in aggregate a composite, well-integrated whole. Common law takes shape in this manner, organically evolving to accommodate new technologies and social mores while remaining consistent with the past from which it arose.

The fundamental right to privacy has been developed by the courts in this manner for over 60 years. The reason the Supreme Court had to take the effort to gather nine judges together to rule on whether or not we have a fundamental right to privacy was because of a minor inconsistency that had crept into the chain of decisions over 50 years ago and remained, till last Friday, unresolved.

It all began when the attorney general of India, while defending the Aadhaar project, argued that the Constitution does not include within it a fundamental right to privacy. He based his conclusion on two cases decided by the Supreme Court—one, MP Sharma v. Satish Chandra, decided by an eight-judge bench in 1954 and the other, Kharak Singh v. State of Uttar Pradesh, by six judges in 1962. Both cases had held, under different circumstances, that the Constitution of India does not specifically protect the right to privacy. In the 55 years that have passed since these cases were decided, there hasn’t been a larger bench of Supreme Court that has considered this issue, and therefore, by sheer weight of numbers, these judgements bound us. It would take nine judges to set this straight.

When you get into the weeds, MP Sharma dealt with a completely unrelated issue—the right against self-incrimination. While it did mention the right to privacy in passing, these comments were stray observations at best. Kharak Singh, on the other hand, was a confusing decision that held, on the one hand, that the intrusion into a person’s home is a violation of liberty (relying on a US judgement on the right to privacy), but on the other hand went on to say that there was no right to privacy contained in our Constitution.

But since these were eight- and six-judge benches of the Supreme Court, every subsequent court had to deal with this confusion as best they could. In the next case, Gobind v. State of Madhya Pradesh, a three-judge bench, mindful of its inability to overturn a judgment of a larger bench, skirted around the inconsistency by “assuming” that the right to privacy was protected under the Constitution—relying on the first part of the Kharak Singh judgement without specifically calling out its inconsistency with the second. Once Gobind hacked a pathway through this thicket, many smaller benches followed suit, building on these principles to articulate a fundamental right to privacy in the context of medical privacy, matrimonial privacy, reputational privacy, privacy of sexual orientation and many more. But we always knew that this jurisprudence, built as it had been on uncertain foundations, was susceptible to challenge.

The task before the nine-judge bench in Puttaswamy v. Union of India was to settle the law once and for all. They did so emphatically—overruling both MP Sharma and Kharak Singh to the extent that they had held that there was no fundamental right to privacy. They also overruled additional district magistrate (ADM) Jabalpur—a decision that allowed for fundamental rights to be suspended during an Emergency—and called into question the judicial reasoning in the Naz Foundation case that implied that the “minuscule minority” LGBTQ (lesbian, gay, bisexual, transgender and queer) community was not entitled to the right to privacy. They connected our privacy jurisprudence over the years with our international commitments and established our conformity with comparative laws around the world.

In doing so, they affirmed the precedential basis of every single privacy judgement in our judicial history, making it clear that even without an express fundamental right to privacy, we are entitled to enjoy the right as it is inherent in our right to liberty and dignity.

Much as I enjoyed reading the judgement, I have some misgivings about the direction down which it is pointing us. I am concerned that the tests they have articulated and the constraints they have imposed could well have a chilling effect on our ability to get the most out of modern technology. While the opinions of both justice D.Y. Chandrachud and justice Sanjay Kishan Kaul speak of the need to balance the individual’s right to privacy with the benefits of data mining and big data, they go on to suggest a framework to protect individual autonomy based solely on consent. While they seem to understand the benefits that big data can bring us, they appear, at the same time, ignorant of the chilling effect that a strict notice and consent-based framework can have on these business models.

Just as the strength of the common law system comes from the solid foundations on which it is based, its weakness is that it is structurally designed to build only on past decisions. Since they are required to decide solely based on historical thought processes, they are incapable of finding solutions for a future untethered to the past. This is why a common law judiciary is so bad at dealing with disruption.

We are currently in the midst of a period of unprecedented disruptive change. Where it was once sufficient to secure personal privacy by limiting the collection of data, in the face of a rapidly increasing number of devices and systems that constantly collect information from us in ways that we cannot completely comprehend, consented collection is completely infeasible. We are also beneficiaries of new technologies that leverage the power of data offering us facilities and services that enhance our quality of life. Most of these new technologies rely on big data and machine learning—which in turn depend on access to large data sets in order to do their magic. Requiring data controllers to restrict themselves by proportionality and purpose could have a chilling effect on these new business models.

Regulators around the world have begun to discard the principle of notice and consent that guided their actions for over three decades. They have, instead, begun to rely on models such as accountability to address the challenges of a disruptive future. If the nine judges who have done such an exemplary job of righting the mistakes of the past could have only shifted perspective while legislating for the future, we’d have got a judgement that was truly perfect by every measure.

Rahul Matthan is a partner at Trilegal. Ex Machina is a column on technology, law and everything in between.
His Twitter handle is @matthan

First Published: Sat, Aug 26 2017. 01 00 AM IST

Monday, May 22, 2017

11452 - Aadhaar: The fine balance between identity and anonymity - Live Mint

Last Modified: Wed, May 17 2017. 01 31 AM IST


With mechanisms such as Aadhaar, a balance needs to be drawn between the need for social identity on the one hand, and the very human right to personal privacy

The evolutionary success of Homo sapiens is quite inexplicable. There is very little to distinguish us from the other species who inhabit the planet—in fact our evolutionary ancestors were lower down the food chain than hyenas. Yet, somehow, over the course of millennia, we’ve managed to become the most powerful species on the planet.
In his latest book, Homo Deus, Yuval Noah Harari puts forward an unusual theory to explain this. Harari argues that the one thing that distinguishes us from apes is our ability to believe in myths—notions like religion and money that are completely made up—in pursuit of which we are willing to make tremendous personal sacrifices. One such myth is the concept of the nation-state. Citizens believe in the notion of nationality and take upon themselves the common identity that a nation-state provides. This belief encourages them to act in concert with other citizens to achieve national goals—even if doing so comes at a personal cost. As a result, nations achieve far more than a single family or even an entire tribe could hope to accomplish. No other animal has the concept of myth-making and hence none can match the accomplishments of humankind.
While there are many elements that make up the myth of nationhood, one of the most prominent among these is identity. It is the concept that establishes the relationship between the individual and the state and allows us to perform our social responsibilities and lay claim to our legal rights. It offers us the means to avail of government facilities and participate in commercial dealings. More importantly, it ensures that the services to which we are entitled actually get to us and are not diverted to someone else. Given the complexity of modern society, reliable identity is critical to our daily existence. The alternative—complete anonymity—is clearly undesirable as it does damage to the myth of the nation-state.
All nation-states have mechanisms to confer identity—from citizenship records that list births and deaths to government registers that contain details of people entitled to various benefits and services. Increasingly, governments around the world are coming around to believe in the need for standardization of national identity. Currently, over 80 nation-states provide some form of national identification number or card to their citizens and even though they were all originally deployed by the government, these forms of identity are more often than not used in all transactions, be they with private parties or with the government.
Aadhaar is India’s mechanism to provide its citizens with a non-repudiable identity. Once it has been rolled out completely, the stated hope is that vast swathes of the population that have, till now, existed outside the mainstream will be able to avail of services and benefits that are currently denied to them for want of identification.

The opposition to the widespread adoption of Aadhaar has, of late, become increasingly vocal. The fear being expressed is that Aadhaar poses a grave risk to personal privacy and that no matter what the benefits may be, its continued proliferation is not worth the potential harm that it could cause. Opponents of the scheme stand against the very concept of a state-conferred identity, preferring anonymity over having to part with their biometrics.
It is important to recognize that identity and anonymity sit at two ends of the same spectrum. As much as the opponents of the national identity scheme might prefer a life of complete anonymity over the risk of State surveillance, if all of us live and work without any form of reliable identity, society would crumble into chaos in very short order. Equally, as much as the government needs to be able to identify its citizens in order for them to play a part in the grand mission of the nation, it must afford them the opportunity to retain their personal privacy.
Neither extreme is acceptable. A balance needs to be drawn between the need for social identity on the one hand, and the very human right to personal privacy.
In my view, this can only be achieved by enacting a privacy law that recognizes the right of the individual to keep certain aspects of their lives private (from both the State as well as other citizens), but which, at the same time, ensures that everyone has the ability to use a non-repudiable, tamper-proof identity in order to be able to function optimally in society. Where any harm is suffered by the individual on account of any violation of his right to personal privacy, this law must prescribe strict punishment for the perpetrator. After all, if we want to preserve and enhance the myth of the nation-state, we would do well to preserve the operational functionality of one of its cornerstones.

Rahul Matthan is a partner at Trilegal. Ex Machina is a column on technology, law and everything in between.
His Twitter handle is @matthan.

Thursday, May 18, 2017

11421 - Aadhaar: The fine balance between identity and anonymity - Live Mint

Last Modified: Wed, May 17 2017. 01 31 AM IST


With mechanisms such as Aadhaar, a balance needs to be drawn between the need for social identity on the one hand, and the very human right to personal privacy

The opposition to the widespread adoption of Aadhaar has, of late, become increasingly vocal. Photo: Hindustan Times

The evolutionary success of Homo sapiens is quite inexplicable. There is very little to distinguish us from the other species who inhabit the planet—in fact our evolutionary ancestors were lower down the food chain than hyenas. Yet, somehow, over the course of millennia, we’ve managed to become the most powerful species on the planet.

In his latest book, Homo Deus, Yuval Noah Harari puts forward an unusual theory to explain this. Harari argues that the one thing that distinguishes us from apes is our ability to believe in myths—notions like religion and money that are completely made up—in pursuit of which we are willing to make tremendous personal sacrifices. One such myth is the concept of the nation-state. Citizens believe in the notion of nationality and take upon themselves the common identity that a nation-state provides. This belief encourages them to act in concert with other citizens to achieve national goals—even if doing so comes at a personal cost. As a result, nations achieve far more than a single family or even an entire tribe could hope to accomplish. No other animal has the concept of myth-making and hence none can match the accomplishments of humankind.

While there are many elements that make up the myth of nationhood, one of the most prominent among these is identity. It is the concept that establishes the relationship between the individual and the state and allows us to perform our social responsibilities and lay claim to our legal rights. It offers us the means to avail of government facilities and participate in commercial dealings. More importantly, it ensures that the services to which we are entitled actually get to us and are not diverted to someone else. Given the complexity of modern society, reliable identity is critical to our daily existence. The alternative—complete anonymity—is clearly undesirable as it does damage to the myth of the nation-state.

All nation-states have mechanisms to confer identity—from citizenship records that list births and deaths to government registers that contain details of people entitled to various benefits and services. Increasingly, governments around the world are coming around to believe in the need for standardization of national identity. Currently, over 80 nation-states provide some form of national identification number or card to their citizens and even though they were all originally deployed by the government, these forms of identity are more often than not used in all transactions, be they with private parties or with the government.

Aadhaar is India’s mechanism to provide its citizens with a non-repudiable identity. Once it has been rolled out completely, the stated hope is that vast swathes of the population that have, till now, existed outside the mainstream will be able to avail of services and benefits that are currently denied to them for want of identification.

The opposition to the widespread adoption of Aadhaar has, of late, become increasingly vocal. The fear being expressed is that Aadhaar poses a grave risk to personal privacy and that no matter what the benefits may be, its continued proliferation is not worth the potential harm that it could cause. Opponents of the scheme stand against the very concept of a state-conferred identity, preferring anonymity over having to part with their biometrics.

It is important to recognize that identity and anonymity sit at two ends of the same spectrum. As much as the opponents of the national identity scheme might prefer a life of complete anonymity over the risk of State surveillance, if all of us live and work without any form of reliable identity, society would crumble into chaos in very short order. Equally, as much as the government needs to be able to identify its citizens in order for them to play a part in the grand mission of the nation, it must afford them the opportunity to retain their personal privacy.
Neither extreme is acceptable. A balance needs to be drawn between the need for social identity on the one hand, and the very human right to personal privacy.

In my view, this can only be achieved by enacting a privacy law that recognizes the right of the individual to keep certain aspects of their lives private (from both the State as well as other citizens), but which, at the same time, ensures that everyone has the ability to use a non-repudiable, tamper-proof identity in order to be able to function optimally in society. Where any harm is suffered by the individual on account of any violation of his right to personal privacy, this law must prescribe strict punishment for the perpetrator. After all, if we want to preserve and enhance the myth of the nation-state, we would do well to preserve the operational functionality of one of its cornerstones.

Rahul Matthan is a partner at Trilegal. Ex Machina is a column on technology, law and everything in between.
His Twitter handle is @matthan.

Wednesday, March 23, 2016

9628 - Aadhaar: Fact and fiction - Live Mint

Aadhaar: Fact and fiction
What is revealing is the abysmal ignorance about Aadhaar among so-called experts, activists and even some legislators



Photo: Pradeep Gaur/Mint

Last week, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, finally got Parliament’s approval after the National Democratic Alliance (NDA) government employed unorthodox methods—introducing it as a money bill to deny the Rajya Sabha its now-customary veto. But wait a minute. This is not the big takeaway.

Indeed, while purists may baulk at the manner in which the NDA obtained parliamentary approval, what was revealing is the abysmal ignorance about Aadhaar, or the unique identification number held by 992,641,185 residents of India, among so-called experts, activists and even some legislators. More appalling was the fact that this ignorance was being spread across television channels with a certitude, similar to what former US president George Bush employed in arguing that Iraq had a stash of dangerous chemical weapons to justify an invasion.

One activist claimed in a TV discussion that because of Aadhaar, she would be under surveillance while travelling from Jaipur to Delhi by road—when crossing tolls, she claimed, the government would monitor her and invade her privacy. This is plain fiction and smacks of a complete lack of understanding of Aadhaar and the process of authentication.

Yes, Aadhaar is a repository of detailed personal information—which if it lands in wrong hands could be put to immense misuse—but not accessible to other government departments as activists would like us to believe.

And no, it is not equivalent to GPS coordinates (which, by the way, is what Google accesses on your phone when you use its maps facility to plan your road trip; wonder what happens to privacy concerns then).

All that the Unique Identification Authority of India (UIDAI), which commands this database, will do, when a request is made to verify the Aadhaar number of someone, is to authenticate the claim. No other information is exchanged nor can it be sought; and now with Aadhaar enjoying statutory backing, it will be illegal to do so.

Similarly, it is fiction that possessing Aadhaar will imply citizenship. The 12-digit unique identification number is issued to all residents and the UIDAI does not verify if the person is a citizen; all they see is that the person is resident in India—so yes, even foreigners can have an Aadhaar, but this does not make them citizens. (During the discussion in Parliament, I recall an opposition member claiming that the passage of the Aadhaar bill will bestow illegal Bangladeshi migrants with Indian citizenship as they can now enrol for an Aadhaar number.)

Yes, it is a fait accompli. The Congress-led United Progressive Alliance (UPA) is remiss in not exhibiting the same urgency and realpolitik as the NDA to push for the statutory backing of Aadhaar. Instead, it used the power of an executive order to empower the UIDAI to capture the biometric data of nearly one billion Indians. So, giving it legal backing was a foregone conclusion.

Yes, there are concerns about privacy. But then, they are considerably reduced with the passage of the Aadhaar legislation.

I would go with what a genuine expert such as Rahul Matthan, partner in the Technology, Media and Telecom (TMT) group at Trilegal, has to say on the subject.

In a piece published on 7 March in Mint (http://bit.ly/1Rt8Dkf) he said, “The Aadhaar Bill, if it passes in its current form, will impose some of the strongest fetters on government over-reach, of any legislation in the country.”

According to Matthan, the NDA government has sufficiently ring-fenced the biometric data, though it has squeezed in exceptions (like threat to national security) where it can access personal data, but with the clearance of an oversight committee.

Ideally, this debate can only be satisfactorily concluded once the NDA brings forward the legislation on privacy, which the UPA drafted but conveniently consigned to the byzantine world of the Indian bureaucracy.

Presumably, this puts an end to the countless rumours that have been taking root, ever since Nandan Nilekani was brought in from the private sector to pilot Aadhaar by the UPA. Now, it is time for all concerned to deliver on the promise.

Anil Padmanabhan is deputy managing editor of Mint and writes every week on the intersection of politics and economics.
Comments are welcome at capitalcalculus@livemint.com
His Twitter handle is @capitalcalculus


Wednesday, March 9, 2016

9453 - The stiff backbone of aadhaar bill - Live Mint

Tue, Mar 08 2016. 01:45 AM IST



We need an Aadhaar legislation to establish boundaries within which the ID database will function and clearly cordon it off from government over-reach

Massive sensitive personal information has been collected under Aadhaar, and the government has a casual and porous approach to inter-departmental data transfer. 


When the National Democratic Alliance (NDA) introduced the Aadhaar Bill in Parliament late last week, it looked like the government was trying to latch the stable door a few years after the horse had bolted. This is 2016. We are approaching the one billion-mark in number of Aadhaar cards issued. Passing an enabling legislation now is a bit like planning a coronation to celebrate the diamond jubilee of the Queen.

Much of the opposition to Aadhaar comes from the massive amounts of sensitive personal information that has been collected. These apprehensions are exacerbated by the casual and porous approach that the government has to inter-departmental data transfer—a fear that was brought into sharp focus when it took the full might of the Supreme Court to stop the Central Bureau of Investigation (CBI) from accessing the Aadhaar fingerprint database.

This is why we need an Aadhaar legislation—to establish boundaries within which the identity database will function and clearly cordon it off from government over-reach. In many ways, it is far more important to have a legislation today, as the project enters the implementation phase, than when the project was conceived.

I have worked with the government on drafting a privacy legislation and my expectations of the Aadhaar Bill were low. 

The government hates absolutes, and I was resigned to finding privacy provisions riddled with exceptions. I was pleasantly surprised to find only a few. I will go so far as to say that the Aadhaar Bill, if it passes in its current form, will impose some of the strongest fetters on government over-reach, of any legislation in the country.

The best example of this is in the protection afforded to core biometric information—a subset of biometric information that includes the fingerprints and iris scans and forms the foundation of Aadhaar’s authentication mechanism. Under Section 29, core biometric information cannot be shared with anyone for any reason whatsoever. The section makes it clear, in language that brooks no exception, that this information cannot be used for any purpose other than the generation of Aadhaar numbers and authentication of Aadhaar number holders.

There are many examples throughout the bill where core biometric information has been ring-fenced in this manner. For instance, Section 8, which deals with authentication, states that the response to an authentication query must exclude core biometric information. Perhaps the most extreme manifestation of this is in the proviso to Section 28 (5), which prevents the Aadhaar number holder from accessing his own core biometric information in the Central Identities Data Repository (CIDR).

The other pleasant surprise is the manner in which classic privacy principles of notice, consent and purpose limitation have been liberally sprinkled throughout the statute. Enrolment officers have to inform individuals seeking enrolment how their information will be used, who it will be shared with and what access rights they have. Requesting entities must obtain consent before collecting information for authentication and provide details of the information that will be shared and the alternatives available if the individual doesn’t want to submit identity information.

There is an entire provision (Section 28) devoted to the protection of information. This is yet another example of a provision that has been framed in the absolute—prohibiting the authority from revealing any information stored in the CIDR.

It would have been too much to ask for the legislation to have been completely devoid of exceptions—Section 33 allows for judicial and executive exceptions to the absolute prohibition against disclosure of information. It states that the protections of Sections 28 and 29 will not apply against the order of a district judge (or higher). Similarly, the protections under Sections 28 and 29 can be over-ridden by directions issued by an officer above the rank of joint secretary, in the interests of national security. Any such direction must be reviewed by an oversight committee before it takes effect.

This is not a legislation without flaws. There is a lot that’s left to be clarified through delegated legislation, and if there is one thing experience has taught us, it is that the devil is in the detail. One particularly disappointing provision is Section 29(4), which seems to allow core biometric information to be made public for purposes specified in the regulations—contrary to the manner in which it has otherwise been ring-fenced.

In the balance, this is a good legislation, filled with the kind of stiff backbone needed in a law that will form the basis for the digitization of government services. I have apprehensions about how it will be implemented, whether in practice, the privacy protections of consent, notice and purpose limitation will be given effect to. Or whether the national security exception will be misused. But given the absolutes in the drafting, it’s likely that the courts will make short work of any transgressions.

Rahul Matthan is partner in the Technology, Media and Telecom (TMT) group at Trilegal.


Sunday, April 6, 2014

5430 - Identity crisis By: Rahul Matthan- Indian Express



April 3, 2014 12:33 am  

In the absence of a working privacy law, various government agencies have free rein over personal information that has been and continues to be collected under the UIDAI mandate.

The Supreme Court order on Aadhaar averted a looming disaster.

When the Supreme Court issued a short order last week on the scope and applicability of the Aadhaar number, a great cry went up about how the apex court has set at nought the ambitious identity project of the UPA government. But most people missed the wood for the trees.

In actual fact, the Supreme Court order simply operates to stay a decision of the Bombay High Court that would have allowed the Unique Identification Authority of India fingerprint database to be handed over to Goan law enforcement agencies to help solve a gangrape case — a turn of events that the UIDAI itself had, to its credit, vociferously opposed. Had the high court order been allowed to stand, it would have created a precedent that other states around the country would have followed with alacrity. This would have been a huge setback for the right to personal privacy in India.

With control over the biometric information of over half the population of the country, the UIDAI is in possession of the most extensive database of personal records ever created. It is searchable and de-duplicated, making it a far more accurate personal identifier than anything that the police has at its disposal. It is no wonder then that investigative agencies are keen to access the Aadhaar database.

But this is not the purpose for which the data was collected. Aadhaar was conceptualised as a solution to the problem of providing accurate, non-repudiable identity to Indian residents. Six hundred million people have contributed their biometric information willingly because the Aadhaar number was going to give them something that eludes most of them even today — hassle-free and irreproachable identity information that is accepted by providers of government and private services alike. They all enrolled believing that the personal information they were providing for the purpose of securing their Aadhaar number would be kept secure by the UIDAI and used in a manner that upholds their basic fundamental rights.

And herein lies the one fatal flaw of the Aadhaar project. Despite its laudable objectives, the project is operating within the political and legal reality of today’s India. In the absence of a real working privacy law and the accompanying administrative machinery to enforce it, various government agencies have free rein over the vast store of personal information that has been and continues to be collected under the UIDAI mandate. This is, from a personal privacy perspective, a disaster waiting to happen.

In this context, the Supreme Court order preventing the transfer of Aadhaar data without consent is timely. Yet again, as it has done so often in the past, the court has stepped in to close the gap that an indolent legislature failed to fill. Thanks to this intervention, the brakes have been applied on other state agencies looking to gain access to the UIDAI database.

The second part of the judgment must also be read from a similar perspective. By preventing the state from denying services to anyone who does not have an Aadhaar number, the court is underlining the basic objective of the project — the goal of making available an identity scheme so effective that it becomes (without any government pressure) the most efficient means of proving identity in order to avail of a service.

As a matter of fact, this has been the approach that the UIDAI voluntarily chose to take. It never intended to force residents to use its services but rather pitched the Aadhaar number as the preferred alternative to the identity problem.

As a matter of law, the state cannot deny its citizens the services to which they are legitimately entitled solely on the grounds that they do not have a particular state-sponsored identity card. However, there is nothing in the Supreme Court order — nor in the law as it currently stands — that prevents the state from offering an easier alternative to avail of government services.

Aadhaar is just that, and rather than make it ubiquitous by fiat, the government should demonstrate the superiority of Aadhaar over other more traditional forms of identification. The moment residents realise that it is easier to avail of services with an Aadhaar number than through other means, they will voluntarily opt for it. And with that, the objectives of the project will be met in a manner that is consistent with the order of the Supreme Court, and with the mandate of the UIDAI itself.



The writer is founder partner at Trilegal