Yet another day and yet another ministry has made the Aadhaar compulsory. The latest is the ministry of health and family welfare, which has made the Aadhaar compulsory for all patients suffering from tuberculosis and receiving treatment under the Revised National Tuberculosis Control Programme (RNTCP) run by the government of India.

While the move has, predictably, caused outrage, the notification also demonstrates that bureaucrats within the central government do not understand the true scope of Aadhaar or their own powers to make it compulsory.

No card, but number

A lot of the public commentary surrounding Aadhaar constantly refers to ‘Aadhaar card’. Both journalists and government functionaries seem to be under assumption that Aadhaar is a card. For instance, at the time the mid-day scheme was made compulsory, HRD minister Prakash Javadekar, in several media statements, kept referring to ‘Aadhaar cards’ for all children. Similarly in the notification discussed above, the ministry of health has referred to Aadhaar as an “identity document” that “obviates the need for producing multiple documents to prove one’s identity”. The notification further states that either “proof of possession” or “authentication” will suffice to receive services. This is the common template followed in the dozens of notifications issued since January making Aadhaar compulsory for various schemes of the government including the notification on ‘right to food’.

The problem with this characterisation of Aadhaar as a ‘card’ or an ‘identity document’ and then framing policies based on it, is the fact that Aadhaar was never conceptualised as a card and the Aadhaar Act, 2016 never uses the word ‘Aadhaar card’. This is not an omission but a conscious decision that was taken at the early stages of the Aadhaar project. In an interview given to the New Yorker in 2011, Nilekani had explained the reason for this conscious decision to restrict Aadhaar to being a number and not a card. Describing the Aadhaar project, the New Yorker article had stated:

‘Enrollment would be voluntary, and available to all residents. And there would be no I.D. cards – just I.D. numbers. A card, carrying a photograph and other biometric information, can confirm identity offline; it’s a database of one. But cards can suggest authoritarianism, and they create a market, for they can be bought and sold.’

It then quotes Nilekani as follows: “Nilekani called Aadhaar’s decision not to release cards an ‘epiphanic moment’.”

True to his word, the legal framework for the Aadhaar Act, 2016 does not once mention the phrase ‘Aadhaar card’, only ‘Aadhaar number’. The only mention of a card in the Aadhaar framework is in Regulation 15 of the the Aadhaar (Enrolment and Update) Regulations, 2016 which is as follows:

15) Delivery of Aadhaar number. – (1) The Aadhaar number may be communicated to residents in physical form (including letters or cards) and/ or electronic form (available for download through the Authority’s website or through SMS). (2) All agencies engaged by the Authority for printing, dispatch, and other functions related to delivery shall comply with the applicable processes.

In other words, the card that is sent to every person on successful enrolment is a form of communication to all persons of their Aadhaar number. It serves no purpose other than telling a person their Aadhaar number. The law is entirely silent on the legal status of the card or the rights that the card vests in its holder. In other words, possession of an Aadhaar card does not guarantee anything under the law and is a worthless piece of paper.

Authentication process

What the Aadhaar Act, 2016 does is to guarantee rights to a person holding an Aadhaar number provided they undergo ‘authentication’. As per Section 2(c) of the Aadhaar Act, 2016, ‘authentication’ means the following:

‘the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such repository verifies the correctness, or the lack thereof, on the basis of information available with it’.

There are two modes of authentication authorised by the Act. The first mode of authentication is the ‘Yes/No’ mode of authentication whereby a number holder could be identified by his demographic (the name of the person) or biometric data (scanning the fingerprint or iris scan of a person) with a simply ‘Yes’ or ‘No’ from the UIDAI. Originally this mode was meant to be the only mode of authentication.

Somewhere along the way, this policy changed and Section 8 of the Aadhaar Act, 2016 introduced a new mode of authentication whereby on submitting biometric or demographic information of a person against the Aadhaar number, the UIDAI would return demographic information rather than just ‘Y/N’ – ostensibly, this was done for the purposes of enabling e-KYC for private service providers.

In other words, the Aadhaar number is valid only on authentication through one of the two modes described above. Such authentication in real time with the UIDAI through the internet is the basis of the entire Aadhaar project.

What does this mean for the various notifications issued by the government? First, all of the notifications are simply wrong to describe Aadhaar as an ‘identity document’. It is a number and not a document.

Second, the notifications state that ‘proof of possession’ or ‘authentication’ will suffice to access the required subsidy or service. Of the two phrases only ‘authentication’ is defined in law, there is no mention of possession.

The phrase ‘proof of possession’ is not defined in the notification and the Aadhaar Act does not lay down a protocol to demonstrate ‘proof of possession’. If the government means proof of an Aadhaar card is ‘proof of possession’, its understanding of the law is completely wrong. The entire basis of the Aadhaar project and the legal framework surrounding it is based on authentication of the number in real time. As Nilekani made it clear in the New Yorker interview, Aadhaar was never meant to be about cards. It was supposed to be about a number.

What is the logical conclusion of the arguments that I have made above?

Well to begin, if Aadhaar is not an ‘identity document’ and there is no legal means to establish ‘proof of possession’ (as stated in the notifications), it follows that the Central government has not applied its mind while drafting the notification and it could possibly be argued that the executive notifications are irrational, arbitrary and in violation of Article 14 of the constitution.

Even presuming the notifications are ‘read down’ by a court of law, to allow government agencies to conduct authentication as per the Aadhaar Act, 2016, it follows that the government agencies making such notifications will have to first earmark financial budgets for the purchase of authentication devices and also ensure protocols are in place to deal with failures of the devices and failure of authentication.

Take for example the ‘mid-day’ meal scheme. According to the Open Government Data platform of the government, the mid-meal scheme in 2014-15 covered 10.45 crore children in 11.58 lakh schools. Each of these schools will presumably require a number of devices depending on their enrolment. The financial cost of purchasing these devices will be enormous and it is not clear whether the different ministries have budgeted for such purchases when they made Aadhaar compulsory for various schemes.

On the point of formulating protocols to be followed in case of failure of authentication or failure of the devices due to poor internet connectivity, the government needs to remember that technology can fail and it would be quite cruel and perhaps illegal to deprive a child of her legal right to a meal just because technology failed.

The Centre thus needs to evolve certain protocols on how to deal with the situation of technology failure. The mandarins sitting in New Delhi cannot delegate to the babu working at the grassroots the power to formulate their own policies on dealing with authentication failures or device failures. This would open the door to large scale violation of legal rights.

Who can make Aadhaar compulsory?

The second very important phrase in all the notifications making Aadhaar compulsory is as follows:

“Now, therefore, in pursuance of the provisions of the section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) (hereinafter referred to as the said Act), the Central Government in the Ministry of XYZ hereby notifies the following”. (emphasis supplied)

All ministries issuing the notifications are drawing their power from Section 7 of the Aadhaar Act, 2016 which reads as follows:

‘The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India (CFI), require that such individual undergo authentication, or furnish proof of possession of Aadhaar number….’

When parliament delegates power to the Central government, it is for the president to allocate that power to a particular ministry under Article 77 of the constitution. The allocation happens through the Government of India (Allocation of Business) Rules, 1961. The normal practice is to allocate different legislation to different ministries. For example, The Prevention of Money Laundering Act, 2002, has specifically been assigned to the department of revenue. All the intellectual property laws are assigned to the Department of Industrial Policy and Promotion (DIPP), ministry of commerce. The allocation of administration of different laws for different ministries helps ensure both accountability and efficiency. From a legal perspective, it means that all mention of the ‘Central government’ in these laws refers to the ministry mentioned in the ‘government of India (Allocation of Business) Rules, 1961. To illustrate with an example, all mention of the Central government in the Patents Act, 1970 effectively means the DIPP, ministry of commerce.

Strangely, the latest version (dated February 15, 2017) of the Allocation of Business Rules are entirely silent on which ministry is responsible for administering the Aadhaar Act, 2016 and who in effect can exercise the power under Section 7 of the Act. The UIDAI itself was placed under the operational control of the Ministry of Electronics and Information Technology vide an order dated September 12, 2015 by the Planning Commission. This was before the enactment of the Aadhaar Act in 2016.

It is indeed surprising that a legislation as important as the Aadhaar Act is not even mentioned in the Allocation of Business Rules, 1961. There are legal consequences to this omission, especially the power that various ministries are now exercising under Section 7 of the Aadhaar Act, 2016.

If the president has not allocated, under Article 77 of the constitution, the power delegated to him by parliament under Section 7 of the Aadhaar Act, can various ministries simply go ahead to exercise powers under Section 7 of the Aadhaar Act? I would argue that these ministries cannot exercise the required powers under Section 7 until such time that the president, on the advice of the cabinet, has specifically allocated this power to them by amending the Allocation of Business Rules, 1961.

While convening a cabinet meeting to render such advice to president is not a complicated process and nobody foresees a turf war under the present government, the hope remains that the convening of a cabinet meeting by the cabinet secretariat will trigger a chain of checks and balances including a cost-benefit analysis of making Aadhaar compulsory for so many schemes. Till such time that the Allocation of Business Rules are amended, the dozens of notifications issued by different ministries making Aadhaar compulsory for so many different schemes are highly susceptible to a legal challenge.

Prashant Reddy T. is a research associate at the School of Law, Singapore Management University.