The Aadhaar project is regulated by the Aadhaar Act, 2016, which was amended in July 2019 (along with the Telegraph Act and Prevention of Money Laundering Act), based on the Supreme Court’s September 2018 judgement on Aadhaar.

Under the amended Aadhaar Act, your basic rights are as follows:

What is Aadhaar?

Aadhaar is essentially a means of identity verification. When you enrol for Aadhaar, your identity information is stored in the Central Identities Data Repository (CIDR). Identity information includes Aadhaar number, biometric information (fingerprints, iris scan, photograph) and demographic information – name, age, address and so on.

Authentication means that identity information (biometric and/or demographic) you provide to a ‘requesting entity’, along with your Aadhaar number, is matched with the corresponding information stored in the CIDR against your Aadhaar number.

Example 1: A PDS dealer puts your fingerprint (and Aadhaar number) in a point of sale machine at the ration shop, to verify that you are the rightful owner of the ration card bearing that Aadhaar number. This is an example of biometric authentication.

Example 2: A bank asks you to perform biometric authentication in a similar way, before linking your bank account with Aadhaar. In the process, the bank gets access to your demographic information in the CIDR. This is called ‘e-KYC’ – short for ‘know your customer’.

Offline verification is a new method of identity verification of an Aadhaar holder, introduced by the July 2019 amendments, which does not involve authentication. How this will be done is not specified in the amendments. One possible example could involve showing a printed Aadhaar “card,” which has your photograph, Aadhaar number, name and address, and a QR code. The “requesting entity” uses special (UIDAI-provided) software to “read” the QR code using a scanner, and matches the details stored in the QR code against those on the printed Aadhaar “card”.

Also read | How Private Sector Slowly Regained Access to Aadhaar Post SC Judgment

Contrary to common perception, most of the identity information in the CIDR is not confidential – only the ‘core biometrics’ (fingerprints and iris scan) are confidential. The Aadhaar Act puts in place a framework for sharing your identity information with various ‘requesting entities’.

General safeguards [Ss. 8 and 29, Aadhaar Act]

In all cases of Aadhaar authentication (mandatory or voluntary), the following safeguards apply:

1) It must be based on informed consent.

2) You must be informed in writing of any purpose for which identity information made available to the requesting entity may be used or disclosed.

3) The information you give can be used only for the purpose to which you have consented.

4) Alternative means of verification must be made available in cases where authentication is not possible ‘due to illness, injury or infirmity owing to old age or otherwise or any technical or other reasons’.

For offline verification, safeguards (1)-(3) apply, along with the following:

1) The information you provide must be used only for the purpose of verification.

2) You must be informed of ‘alternatives to submission of information requested, if any’.

3) The verification-seeking entity cannot collect, use or store your Aadhaar number or biometric information for any purpose.

Government services [Section 7, Aadhar Act]

Under the Aadhaar Act, it is legitimate for the government to make Aadhaar authentication mandatory for subsidies, benefits or services paid for by the Consolidated Fund of India or the Consolidated Fund of State.

Tax [Section 139A, S. 139AA and S. 272B, Income Tax Act]

Under the Income Tax Act, as amended by the Finance Act, you are required to submit your Aadhaar number for filing your returns and to apply for a PAN card. Failure to link Aadhaar number to your PAN card shall result in the PAN being made ‘inoperative’. Failure to intimate Aadhaar number or PAN, where required, including for filing returns, can result in a fine of Rs 10,000, per default.

Phones [Telegraph Act]

Under the amended Telegraph Act, a phone company must identify its clients through one of the following means: (1) Aadhaar authentication; (2) offline verification; (3) passport; (4) “other officially valid documents or modes of identification” that may be notified by the Central government.

As of now, other valid documents to verify identity include the Driving License, Voter ID, while valid documents for proof of address include the driving license, a recent water bill, or a fixed-line telephone bill.

Banks [Prevention of Money Laundering Act]

The same provision applies to banks under the amended Prevention of Money Laundering Act. As of now, other valid documents for opening bank accounts include passport, driving licence, voter ID, NREGA job card, proof of possession of Aadhaar number and letter issued by the National Population Register. Under an amendment brought in by the Finance Act, certain high-value transactions will require Aadhaar authentication.

Other Private Companies [S.4, Aadhaar Act]

No private company is allowed to make Aadhaar authentication mandatory unless authentication is required by a law made in parliament [Section 4(7)]. However, a private company can offer voluntary authentication as an option, provided that:

1) It is authorised to do so by the UIDAI.

2) Authentication is based on informed consent.

3) Other means of identification are also made available.

4) All the general safeguards apply.

The amended Aadhaar Act does not explicitly authorise private companies to make offline verification mandatory, but nor does it seem to prohibit it – this is an important ambiguity.

Children [S. 3A, Aadhaar Act]

The amended Aadhaar Act includes important safeguards for children:

1) Consent of parents is required for Aadhaar enrolment.

2) Children can “opt-out” of Aadhaar within six months of turning 18, if they wish.

3) No child can be denied any subsidy, benefit or service for lack of Aadhaar or Aadhaar authentication.

What about the Aadhaar card?

The Aadhaar Act does not say anything about the Aadhaar card – the word “card” does not appear in it at all.

Prepared by advocate Ria Singh Sawhney for Rethink Aadhaar