Aadhaar: Are UIDAI and DoT Misleading Mobile Users on SC order?

With the five-judge Constitution Bench of the Supreme Court terming Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, as 'unconstitutional', there is clear panic among government authorities and private entities who were insisting on Aadhaar for each and every purpose.

Surprisingly, government agencies, like the Unique Identification Authority of India (UIDAI) and the department of telecom (DoT), seem to be more afraid than private entities and have come out with a clarification on media reports about disconnection of over 500 million mobile subscribers who had used only Aadhaar for know-your-customer (KYC) while buying a new SIM.

However, under the pretext of clarification, what both, DoT and UIDAI, have done is to mislead mobile subscribers by playing with words. Plus, in the press release, they have added one more 'authentication' for issuing new SIM cards through a mobile app.

One thing is clear: Those mobile subscribers, who have obtained new SIM cards by using only Aadhaar as KYC, will not face any disconnection. There are two reasons for this. First, nobody, including mobile operators and the government, wants to reduce by almost 50% the number of mobile subscribers in the country. And, secondly, such subscribers can submit photocopies of officially valid documents (OVD) like passport, driving licence, permanent account number (PAN) card, voter's ID card issued by the Election Commission of India, job card issued by NREGA duly signed by an officer of the state government, and letter issued by UIDAI.

On 26 September 2018, the Supreme Court, while upholding the constitutional validity of Aadhaar, struck down Section 57 of the Aadhaar Act, disallowing private entities from possessing the Aadhaar numbers of individuals. The judgement also barred telecom companies and online wallet services from seeking the unique identity number of consumers.

Section 57 of the Act permits private entities to use Aadhaar information to authenticate identity of the person.

After the judgement, DoT secretary, Aruna Sundararajan, had said that the DoT, UIDAI and telecom operators would make sure that the telecom regulations and service-providers are in compliance with the Supreme Court verdict on Aadhaar.

According to the common media release from DoT and UIDAI, there are news reports which state that almost half the total number of mobile subscribers are at the risk of disconnection. It says, "The joint statement clarifies that the Supreme Court in its judgement in Aadhaar case has nowhere directed that the mobile number, which has been issued through Aadhaar e know-your-customer (eKYC), has to be disconnected. Therefore, there is absolutely no reason for panic or fear at all. People should not believe in such rumours."

Here is what the Supreme Court had stated in its order, especially on Section 57...

"The decision to link Aadhaar numbers to SIM cards and to enforce a regime of eKYC authentication clearly does not pass constitutional muster and must stand invalidated. All telecom services providers (TSPs) shall be directed by the Union government and by the Telecom Regulatory Authority of India (TRAI) to forthwith delete the biometric data and Aadhaar details of all subscribers, agencies or private sector operators. Moreover, this provision within two weeks. The above data and Aadhaar details shall not be used or purveyed by any TSP or any other person or agency on their behalf for any purpose whatsoever." (Page 961/962 of the SC Order)

The Order further said: "Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such 'law' is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services, which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual’s biometric and demographic information by the private entities. Thus, this part of the provision, which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the Section, thus, is declared unconstitutional," the apex court had stated.

The Aadhaar judgement also mentions about a letter issued by TRAI on 6 January 2016 on the new procedure (Aadhaar linked eKYC) for subscriber verification. Following these recommendations, the DoT, on 16 August 2016, issued a direction to launch an Aadhaar eKYC service across all licensed service areas for issuance of mobile connections.

The apex court says, "TRAI and DoT do have a legitimate concern over the existence of SIM cards obtained against identities, which are not genuine. But the real issue is whether the linking of Aadhaar cards is the least intrusive method of obviating the problems associated with subscriber verification. The state cannot be oblivious to the need to protect privacy and of the dangers inherent in the utilization of the Aadhaar platform by telecom service providers. In the absence of adequate safeguards, the biometric data of mobile subscribers can be seriously compromised and exploited for commercial gain. While asserting the need for proper verification, the state cannot disregard the countervailing requirements of preserving the integrity of biometric data and the privacy of mobile phone subscribers. Nor can we accept the argument that cell phone data is so universal that one can become blasé about the dangers inherent in the revealing of biometric information." (Page 960)

Later, on 23 March 2017, the DoT directed all telecom licensees to re-verify all existing mobile subscribers (prepaid and post-paid) through Aadhaar based e­KYC process.

The Supreme Court, stated, "...we do not find that the decision to link Aadhaar numbers with mobile SIM cards is valid or constitutional. The mere existence of a legitimate state aim will not justify the means, which are adopted. Ends do not justify means, at least as a matter of constitutional principle. For the means to be valid, they must be carefully tailored to achieve a legitimate state aim and should not be either disproportionate or excessive in their encroachment on individual liberties." (Page 961)

The Bench also mentioned the contention submitted by senior advocate Shyam Divan. In his submission, Mr Divan had stated, "Section 57 is also patently unconstitutional inasmuch as it allows an unrestricted extension of the Aadhaar platform to users who may be government enables the seeding of the Aadhaar number across service providers and other gateways and thereby enables the establishment of a surveillance state. The impugned provision enables the spread of applications and Aadhaar dependent delivery systems that are provided not from Consolidated Fund of India resources but through any other means."

He also submitted that Section 57 also enables commercial exploitation of an individual’s biometrics and demographic information by the government as well as private entities.

Here is what Section 57 is:

“57. Act to prevent use of Aadhaar number for other purposes under law.

­ Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.”

The five-judge Bench, in its ruling said, "Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e., ‘or any contract to this effect’ is struck down."

The release issued by DoT and UIDAI also talks about no restrictions on telcos for keeping authentication data. It says, "The Court has also not asked to delete all the eKYC data of telecom customers after six months. What the apex Court has asked that UIDAI should not keep authentication log for more than six months. The restriction of not keeping authentication log beyond six months is on the UIDAI and not on the telecom companies. Therefore, there is no need for telecom companies or authentication user agencies (AUAs) / KYC user agencies (KUAs) to delete authentication logs at their end. They are, in fact, required to keep authentication logs at their end as per Aadhaar regulations to resolves any consumer grievances." Here is what the Supreme Court orders states: "Retention of data beyond the period of six months is impermissible. Therefore, Regulation 27 of Aadhaar (Authentication) Regulations, 2016, which provides archiving a data for a period of five years is struck down." As per Aadhaar (Authentication) Regulations 20(2) and 20 (3), authentication logs needs to be maintained by the ASA for two years. Upon the expiry of the period of two years, the authentication logs should be archived for five years. Upon the expiry of five years or the number of years required by the laws or regulations governing the entity whichever is later, the authentication logs should be deleted except those logs, which are required to be retained by a court or for pending disputes.