Asheeta Regidi

As per an Economic Times report, the UIDAI recently directed several private digital payment companies to stop using Aadhaar based eKYC, in pursuance of the Supreme Court’s directions in the Aadhaar verdict. The striking down of Section 57 of the Aadhaar Act by the Supreme Court made it clear that Aadhaar based authentication, including eKYC, could no longer be used by private companies. A debate that has arisen since is on the standing of voluntary use of eKYC and whether such use could be legalised through a new law. The majority verdict takes an unclear stance on this issue.

Mandatory eKYC

The issue of the validity of eKYC is of particular concern to the private sector given its huge cost-cutting potential (said to be from Rs 100 to Rs 20 per customer), its speed, and the large number of private sector players that were banking on the eKYC model. In pursuance of Rule 9 of the Prevention of Money Laundering Rules (mandatory bank account linking with Aadhaar), the RBI had mandated eKYC in 2018, lending further support to the use of eKYC. The Supreme Court in the Aadhaar verdict, however, struck down this Rule.

In particular, the majority verdict held that the government had failed to show why the use of Aadhaar was imperative, and why all the other Officially Valid Documents (passport, driving license, etc.) prescribed by the RBI previously were inadequate. Thus, the ruling made it clear that mandatory eKYC is unconstitutional. The position on the voluntary use of eKYC, however, is not so clear.

Reading down Section 57 in the majority verdict

To understand this, the reading down of Section 57 must be looked at. eKYC was mainly the result of Section 57, which allowed the private and contractual use of Aadhaar and Aadhaar based authentication. The majority verdict, to recap, read down Section 57 in the following manner:

First, Aadhaar can be used for establishing the identity of an individual for ‘any purpose’, provided the purpose is backed by law. Second, contracts permitted by Section 57 are not backed by any law, and thus, fail the first requirement of the test of proportionality and are unconstitutional. So far, it is clear that any use of Aadhaar must be backed by law. A mere contract, even if consent-based, will not suit the purpose unless there is a law backing it.

Majority verdict on the private use of Aadhaar

Thus, as argued here, the holding of contractual use of Aadhaar as unconstitutional indicates that the Supreme Court does not intend to permit the voluntary or consent based use of Aadhaar. However, a question that arises is whether such use is permissible when backed by law, as opposed to a contract. On this, the majority verdict has not taken a clear stance.

For this, the last part of the reading down of Section 57 needs to be looked at. Here, the majority verdict noted that Section 57 authorises any body corporate/person to avail authentication services, “… which can be on the basis of purported agreement …”. The impact of this authorisation, the Court held, was ‘to enable commercial exploitation of an individual biometric and demographic information by the private entities’.

The Court then goes on to hold that: “Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional”.

Possible interpretations

When evaluating whether the Court has prohibited a law allowing the voluntary use of Aadhaar based eKYC, it is important to understand if the Court declared the private use of Aadhaar itself to be unconstitutional and a violation of privacy, or whether the declaration is with respect to the private use of Aadhaar in pursuance of a contract as opposed to a law. The first interpretation doesn’t allow legalising of voluntary eKYC, while the second does.

On a reading of the ruling above, it can be argued that had the phrasing of the ruling referred to private entities availing authentication services ‘on the basis of a contract’, then it would be understood that the emphasis is on the contract or the lack of the law. The phrasing as availing authentication ‘which can be on the basis of a contract’ indicates that the Court takes issue with private use in itself. This fundamental issue is then seconded by the fact that the private use can be founded on contract, and not law.

Further, it can be said that the Court’s concern is with the possible commercial exploitation of the people’s biometric and demographic information by multiple private parties, and this it has ruled to be a violation of privacy. The possibility of commercial exploitation, in particular, does not reduce only because private use is made voluntary or consent based. Thus, since private use in itself is unconstitutional, a new law permitting voluntary eKYC by private persons will also be unconstitutional.

An alternative argument

In the alternative, however, it may be argued that the finding of a violation of privacy is in relation to private use as mandated/directed by contract, as opposed to the law. It may be argued thus that the Court did not rule on whether a law which allows the use of Aadhaar based authentication, for a specific purpose and on a voluntary basis, will also fail the test of constitutionality.

This argument can also find support in the Court’s statement in Para 356, where it was stated that “…If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem”, indicating that the Court has left the question of voluntary or consent based use of Aadhaar, when backed by a suitable law, open.

Consent, after all, is the foundation of data protection and the principles of privacy. Such an interpretation, in particular, will be a relief for the many private players banking on eKYC.

Unclear picture in the majority verdict

The ruling in the majority verdict thus does not present a clear picture. This is more so when compared with the rulings on this issue in the other verdicts. Justice Chandrachud’s dissent, for instance, takes a clearer stance, holding that the private use of Aadhaar will overreach the purpose of enacting the law for the object of ensuring targeted delivery of social welfare benefits. This, it is ruled, ‘leaves bare the commercial exploitation of citizens data even in the purported exercise of contractual clauses’, and will result in ‘a violation of privacy and profiling of citizens’. The framing makes it very clear that the private use of Aadhaar in itself, in any form, violates privacy.

Justice Bhushan’s verdict, similarly, held that “Section 57, to the extent, which permits the use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void”. This makes it clear that what has been struck down is private use that is founded on contract as opposed to a law and not private use in general.

Money Bill ruling

To resolve the issue of the two alternative interpretations, one has to return to the Money Bill issue for clarity. While upholding the passing of the Aadhaar Act as a Money Bill, in relation to which the presence of Section 57 was a key point of contention, the majority verdict held that Section 57 simply allows Aadhaar to be used for other purposes. Further, this was without taking away from Section 7 (which has a clear nexus with a Money Bill) or affecting the status of the Aadhaar Act as a Money Bill.

An important point here is that this was held after Section 57 was ruled to fail the proportionality test, and private and contractual use was prohibited. The majority verdict, due to this reading down, did not address the argument of the petitioners that a provision like Section 57, which permits private use, can have no place in a Money Bill. As a result, it can be said that the reference of the Court when upholding Section 57 as a part of a Money Bill is to other uses of Aadhaar and Aadhaar based authentication services by the State, within the ambit of the law, and not by private persons.

Thus, a key reason for upholding the constitutionality of the Aadhaar Act in relation to its passing as a Money Bill was that the private use of Aadhaar was held to be unconstitutional. In such a case, allowing the private use of Aadhaar through a new law, even on a voluntary basis, will reopen the question of the constitutionality of the passing of the Aadhaar Act as a Money Bill.

Private use of Aadhaar should not be permissible

The fundamental issue here, as argued by the petitioners and as ruled by Justice Chandrachud in his dissent, is that Aadhaar fundamentally creates an identification system, as opposed to a system to enable the targeted delivery of benefits. This is why a system like eKYC was envisaged with all its benefits of lower costs and efficiency. Had the Aadhaar Act been passed as such, as a normal law creating a new form of identification, it would have been subject to parliamentary and judicial scrutiny of a different nature, and possibly a different view would have been taken for its use for eKYC.

However, given the mechanism through which Aadhaar has been created, and the ruling of the majority verdict, in order to retain the constitutionality of Aadhaar, private use of Aadhaar in any form should not be possible. The Supreme Court’s comment on the possible voluntary use of Aadhaar must also be interpreted as such, to (possibly) allow voluntary use of Aadhaar or Aadhaar based authentication, by the State, when backed by a law and not by private persons.

Had the Court gone into its reasons for its findings, then a clearer interpretation may have been possible. The majority verdict has, at the least, expressed a clear intention of protecting biometric and demographic information from possible commercial exploitation by private parties, which is defeated if eKYC is permitted, even on a voluntary basis. The issue, however, is open to interpretation, and a new law permitting eKYC will certainly rekindle this debate.

The author is a lawyer and author specialising in technology, privacy and cyber laws.