Don’t leave Sec 57 as open-ended as before

There has been a lot of discussion, some panic and general confusion on what the Supreme Court really said about the use of Aadhaar by private players. Some have taken the brevity of the news headline and initial tweets quite literally. They think that any and all use of Aadhaar by private players is now prohibited. Others feel that there are still workarounds, and nothing will change. The TV media frenzy that pushes experts for sound bites as soon as the verdict is pronounced leaves little room for nuance and no time for reading the epic 1,446-page judgment. But here’s what we know:

Section 57 of the Aadhaar Act has not been struck down!

Given the length of the judgment, our first reading—much like everyone else’s—was driven by the judge’s statement, and confirmed by quickly parsing the lengthy judgment. But in this careful reanalysis, we reread the majority judgment at leisure and drilled down into the language of the operative parts around Section 57. Where ambiguities still remain, we relied on the discussions leading up to the operative conclusions. Further, to recheck our conclusions, we looked at some of the other operative clauses not related to Section 57. We tested our inference against everything else that has been said and we looked for inconsistencies in our reasoning.

Having done this, we are confident in our assertion that the judges did not mean to completely blockade the use of Aadhaar by private parties, but merely enforce better guardrails for the protection of user privacy. Let’s begin.

Revisiting Section 57

First, we present the original Section 57 in its entirety:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

We read through the operative part of the order with reference to Section 57, i.e. on page 560. This is a part of paragraph 447(4)(h). The judges broke this into three parts, and mandated changes:

a. ‘for any purpose’ to be read down to a purpose backed by law.

b. ‘any contract’ is not permissible.

c. ‘any body corporate or person’—this part is struck down.

Applying these changes to the original Section 57, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual pursuant to any law, for the time being in force:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It is our opinion that this judgment does not completely invalidate use of Aadhaar by private players, but rather specifically strikes down the use for “any purpose (…) by any body corporate or person (…) (under force of) any contract”. That is, it requires that the use of Aadhaar be purpose-limited, legally backed (to give users rights and protections over their data) and privacy-protecting, instead of allowing any private contract to dictate the data-sharing relationship.

As an exercise, we took the most conservative interpretation—“all private use is struck down in any form whatsoever”—and reread the entire judgment to look for clues that support this conservative view. Instead, we found such an extreme view is inconsistent with multiple other statements made by the judges. As an example, earlier discussions of Section 57 in the order, paragraph 367 states:

The respondents may be right in their explanation that it is only an enabling provision which entitles Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntarily wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem.

Some pointed out that this is simply a discussion, and not an operative clause of the judgment. But, even in the operative clauses where the linking of Aadhaar numbers with bank accounts and telecom companies is discussed, no reference was made to Section 57 and the use of Aadhaar by private banks and telcos.

Put simply, the court could have struck down the linking specifically because most banks and telcos are private companies! Instead, they applied their mind to the orders which directed the linking as mandatory. This further reinforces the idea that the court does not rule out the use of Aadhaar by private players; it simply provides stricter specifications on when and how to use it.

Remember, the judgment also says in Para 260 that “all matters pertaining to an individual do not qualify as being an inherent part of right to privacy”. It goes on to define reasonable expectations of privacy in para 289, which requires that some real harm is likely to be inflicted on the user by the alleged act before that act can be declared invasive of privacy.

It is becoming clear from the series of judgments on privacy and the draft Srikrishna Committee report that the country is agreeing upon the principle of purpose-limitation. Giving up some data in exchange for a service is a necessity. No bank, for example, will open an account if you don’t reveal your name. But it is becoming clear that whether a bank gets your data or not depends less on whether the requesting entity is a bank, and more on the purpose of the request. A bank may get your Aadhaar number for the purposes of lending and tracking NPAs, but maybe not for opening bank accounts.

The privacy risk in these use-cases must be evaluated in terms of the data in the use-case itself, as well as in relation to biometrics*, and the Aadhaar number** in the context of the user’s reasonable expectations, and real risks. It is helpful that the UIDAI has provided multiple means of mitigating risks, in the form of Registered Devices, Virtual IDs, Tokenisation, QR Codes on eAadhaar, etc.

We would advise everyone to take a look at how their specific use-case draws from the respective acts, rules, regulations and procedural guidelines, to ensure these meet the tests used by this judgment. This is a useful model, and we would hope that the government will introduce a similar privacy impact review. Where there are adequate controls to protect the privacy of users, and to prevent privacy harms, the use of Aadhaar must be permitted for the convenience and cost-saving it brings to both parties. Use-cases, and an audit/enforcement mechanism, matter more than whether the entity is the state, a public sector organisation, or a private sector organisation.

Sanjay Jain

(The author is Partner, Bharat Innovation Fund, and Chief Innovation Officer at the Centre for Innovation, Incubation and Entrepreneurship, IIM Ahmedabad. As a volunteer at iSPIRT, he helped define many APIs of IndiaStack, and was the Chief Product Manager of UIDAI till 2012)

Disclaimer: This is not legal advice.

* Registered devices will provide some protection to users; biometrics are only available in encrypted format to the application.

** Aadhaar Virtual ID will provide some protection here, since a discardable number is used.