The Aadhaar Bill has been passed with no public consultation about the privacy safeguards necessary for such a database and no provision for public or independent oversight. The rights to liberty and freedom of expression cannot survive if the right to privacy is compromised.

The Central government has forced the Aadhaar Bill through Parliament in a week. Aadhaar has had an invasive and controversial presence well before the government’s attempt to legitimise it. It has been challenged before the Supreme Court, and in defending it, our Attorney General (funded by our taxes) has argued that we have no right to privacy. In this context, any version of the Aadhaar Bill would have been subject to close scrutiny. When the Bill is sprung in Parliament with little warning and mislabelled as a money bill to avoid Rajya Sabha scrutiny, it will naturally be treated with even more suspicion than usual.

There are extensive threats to privacy contained within this legislation, which seeks to institutionalise an extensive, pervasive database that links multiple other databases containing our personal information. It is unconscionable for the government to pass the Aadhaar Bill with no public consultation about the sort of privacy safeguards that are necessary for such a database.

The right to privacy in India

It is truly unfortunate that the privacy debate in India is circling back to its initial stages in 1948-49. While drafting the Constitution, amendments were moved to insert safeguards against search and seizure within the fundamental rights chapter. Dr. B.R. Ambedkar pointed out that these safeguards were already provided by the Code of Criminal Procedure but he agreed that adding them to the Constitution would make it impossible for the legislature to tamper with them. Although no convincing arguments were made against the amendment, there was commotion in the House. The vote was deferred. Eventually the amendment did not pass through the House but the debates were disappointing since they offered no discernible reason for this choice.

However, the Supreme Court soon read the right to privacy into the Constitution. Progressively, in case after case, it realised that the rights to liberty and freedom of expression cannot survive if the right to privacy is compromised. It began with recognising people’s rights against government intrusion into their homes and went on to build this norm over the years across a variety of cases. It is the right to privacy that protects us from the indiscretions of doctors who see us at our most vulnerable. It is the right to privacy that prevents the police from turning our homes inside out on a whim. It is the right to privacy that prevents, albeit fairly ineffectively, law enforcement from listening in on our phone conversations and recording them. This is all a result of the Supreme Court recognising time after time, across decades, that our other rights will not stand for much without privacy.

The Aadhaar database is a dangerous thing in itself. Like dams that wall in enormous quantities of water or plants storing toxic material, this database could cause widespread disaster if breached. It is necessary to take every possible precaution when building anything this dangerous. It is also necessary that whoever puts such a hazard among us takes full responsibility for the ill-effects if anything goes wrong. The Government of India is doing no such thing with the Aadhaar database. Despite multiple assurances of safety, it has offered citizens no guarantee of compensation or recompense if its poor choices endanger them.

In many ways, this legislation is something of a Trojan horse. We are told that its sole purpose is the noble goal of creating a functional Public Distribution System. We are also told that the sensitive information in the database is secure and inaccessible for any purpose other than authentication. However, the legislation does a fine job of obfuscation: in part labelled “protection of information”, it begins with very promising norms about not sharing information for purposes outside the legislation, and then undoes these norms completely by creating two enormously significant exceptions that permit the government to easily dip into Aadhaar data.

The exception permits the government to access the database in two separate ways. One way is if a district judge orders disclosure of information. This is very dangerous if one bears in mind that we have inadequately trained district judges all over the country, and that they are not given enough support to understand the implications of a database like Aadhaar. District judges in far-flung districts have been authorising mass blocking of online content and gag orders. These judges can now authorise access to Aadhaar data without any disclosure or discussion with the citizen affected — only the Aadhaar authority will have the right to contest the order if it is so inclined. The legislation offers no avenue where the affected party may appeal if her rights are affected. This creates a huge window for access and misuse of the database.

There is a second way in which the government may abuse its power and access the Aadhaar database. A Joint Secretary authorised by the government can direct disclosure of information “in the interests of national security”. This direction again leaves the affected party out of the equation, and nothing in the legislation compels any kind of public or independent oversight that may help ensure that there is no abuse of power. While this order will be reviewed by a committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, this is an inadequate safeguard for multiple reasons.

Inadequate safeguards

The safeguards contained within the Aadhaar Bill are appalling even by very outdated Indian standards. By international standards, they are laughable. The Indian standards for using technology for widespread surveillance began with the use of the telephone. When large-scale telephone tapping was challenged in PUCL v. Union of India (1997), the government attempted the very same national security argument that is being used for Aadhaar. The Supreme Court ruled that telephone tapping would violate Article 21 of the Constitution unless it was permitted by the procedure established by law, and that it would also violate the right to freedom of speech and expression under Article 19 unless it came within the permissible restrictions. The Supreme Court was very clear in this context that even when the law clearly defines the situations in which interception may take place, this law must have procedural backing to ensure that the exercise of power is just and reasonable. Having insisted on the need for procedural safeguards, the Supreme Court created a stopgap, interim administrative measure that was to act as a safeguard in the absence of a statutory mechanism. That this deeply inadequate stopgap measure continues to be our sole communication surveillance safeguard is a mark of how all governments across political lines find it difficult to restrict their own powers to respect the rights of the people.

Owing to the great variation of privacy safeguards internationally, it was difficult until recently to argue convincingly for specific reforms to the system. However, that has changed since the then UN High Commissioner for Human Rights Navi Pillay published her detailed report on ‘The Right to Privacy in the Digital Age’ in July 2014. Ms. Pillay’s report stated clearly that internal procedural safeguards without independent external monitoring are inadequate for the protection of rights. This means that the system by which a Joint Secretary issues orders that are reviewed by three Secretaries is not acceptable. Ms. Pillay’s report said that effective protection of the law can only be achieved if all the branches of government as well as an independent civilian oversight agency are built into the procedural safeguards. The new Aadhaar legislation removed the independent oversight committee that was meant to monitor the operation of Aadhaar. Both its systems for access to Aadhaar data involve only one branch of government each.

Where Ms. Pillay’s report insisted that known and accessible remedies need to be made available to those whose privacy is violated, the Aadhaar legislation does no such thing. The remedies are supposed to include thorough and impartial investigation and the option of criminal prosecution for gross violation. The Aadhaar Bill excludes courts from taking cognisance of offences under the legislation, requiring that the authority that runs Aadhaar consent to prosecution for any action to be taken under the legislation. This part of the Bill completely undermines all the safeguards that do exist within it, since citizens cannot access these safeguards without co-operation from the authority which is arguably in a position of conflict of interest.

Impact of human rights violations

The government seems unable to resist the pressures of the Home Ministry. It is perfectly natural that investigating agencies will ask for as much power with as few hurdles as possible. Letting them have their way leads to a police state. It is for the government, especially one with such a significant majority, to have the intelligence and leadership to think long term.

If the object of Aadhaar is smoothly functioning government benefit schemes, why give law enforcement agencies or indeed anyone else access to the database at all? If the access is written in to provide for unforeseen future emergencies, the circumstances in which the state can breach our privacy must be much narrower. There must be more oversight and much more accountability in the manner in which this is done. If this system is something that the government lacks the expertise to build, it should have invited expert and other comments.

(Chinmayi Arun is Executive Director, Centre for Communication Governance at National Law University, Delhi, and Faculty Associate of the Berkman Centre at Harvard University.)