India’s Narendra Modi government yesterday (Feb. 28) approved the tweaking of the law governing the country’s controversial biometric ID programme, Aadhaar. Among other things, the changes allow Aadhaar to be used by private entities—months after a September 2018 supreme court judgment ruled that was unconstitutional.

Following extensive hearings on a constitutional challenge to the programme, the apex court had ruled that the Aadhaar Act’s section 57, which authorised private parties to ask customers for their ID numbers, was unconstitutional. Yesterday’s ordinance, first brought forth by the government in January as the Aadhaar amendment bill, reintroduces the spirit of section 57 “through the back door,” by amending other Indian laws.

The supreme court verdict had caused many private companies, from fintech startups to telecom firms, to panic as they had been using Aadhaar as a form of Know Your Customer (KYC) information. Some, including the controversial tech lobby iSpirt, reportedly looked to the government for a legislative solution—which may now have arrived.

Critics, however, warned that no amendments violating the supreme court judgment should be introduced, especially not until India passes a data protection bill. The constitutional challenge to Aadhaar, made up of a clutch of around 30 different petitions, had included many critiques of the system’s vulnerability to privacy breaches and private exploitation—which, critics argue, is exacerbated when the ID is used by the private sector.

Now, the way the government cleared the ordinance is just as controversial as its contents.

An ordinance is a law that the country’s executive can issue without waiting for parliament to convene. The amendment bill, passed by India’s lower house Lok Sabha in early January, was not discussed by the upper house Rajya Sabha before the parliamentary session ended in mid-February.

Critics have accused the government of circumventing India’s democratic systems by taking the ordinance route, especially when the matter was not of pressing urgency.

This also comes amid a storm of bad press for Aadhaar.

Last week, Techcrunch reported that an Indian state gas company had leaked millions of beneficiary Aadhaar details. Days later, a HuffPost India investigation presented evidence, including government documents, showing that the biometric identity of an Aadhaar operator had been stolen and misused hundreds of times across India, casting doubts over the integrity of the entire enrolment system. And just days ago, a right-to-information request revealed that the use of an Aadhaar-based software, purportedly meant to “purify” electoral rolls of duplicates, had resulted in voter deletions without proper verification of almost 3 million names in the southern state of Telangana.