On 2nd March, 2019, the President of India vide the office of Ministry of Law and Justice notified the Aadhaar and Other Laws (Amendment) Ordinance, 2019 (“Ordinance”). The Ordinance proposes the same amendments as those contained in the Aadhaar Bill, 2018, which had been passed in the Lok Sabha this January. Most importantly, despite deleting section 57, the Ordinance re-introduces private sector use of the Aadhaar infrastructure through amendments to the Telegraph Act and the Prevention of Money Laundering Act.
In this article we try to demystify what this ordinance says and what it means for us,
Aadhaar ecosystem has been defined:
Aadhaar ecosystem has been defined by the Ordinance and the same classifies offline verification seeking entities and any other entity or group of entities as may be specified under the regulations as Aadhaar ecosystem i.e. a larger group of entities like Banks and Telecom companies, working around Aadhaar have been given legislative acknowledgement.
Further, the definition of Aadhaar number has been changed to include any alternative virtual identity to the actual Aadhaar number of an individual as may be further specified by regulations. But the Ordinance does not further expressly explain what the alternate virtual identities might include.
New rights introduced for Aadhaar holder:
New provisions have been introduced which specifically deal with Aadhaar related requirements for minors. The consent of the parent/guardian is required for enrolling a minor into Aadhaar ecosystem. Minor retains the right to opt out of the same upon reaching majority. A child cannot be denied a subsidy in the event Aadhaar is not furnished by him/her.
This is a very inclusive provision as it seeks to protect the rights of minors and acknowledges that minors have a complete right to choose their privacy.
Voluntary Aadhaar authentication allowed:
Every Aadhaar number holder may voluntarily use his/her Aadhaar in physical or electronic form by way of authentication and online verification with informed consent to an entity who is allowed to perform authentication if UIDAI is satisfied. This change has been made to accommodate the September, 2018 Supreme Court of India judgment which abolished mandatory seeking of Aadhaar by authentication agencies, by making the same voluntary now.
The Ordinance does not specify who would be allowed to perform authentication. The silence of the Ordinance in further describing this criteria can be interpreted to mean that UIDAI will retain wide discretion in determining who will be allowed to perform authentication.
Scope for new AUAs to enter:
The Ordinance lays out that requesting entity with such standards of privacy and security, can be permitted to offer authentication services under any other law made by the Parliament or if the authentication is done in the “interest of the State.” This provision takes away the power of UIDAI as the single most important decision making authority in allowing new players into the Aadhaar ecosystem, as the Parliament can permit new entities from providing authentication services by enacting a legislation. However, once again the Ordinance does not define what “interest of State” means.
Era of alternative Identities:
Under the Ordinance, now, requesting authority may provide alternate means of identification of the individual for failure to authenticate Aadhaar for several reasons including old age, infirmity, technical reasons, etc. This opens the window for alternate modes of authentication such as offline voice based and video identity based KYC and creates multiple modes of authentication available to Aadhaar card holders.
The Ordinance further amends the Telegraph Act and Prevention of Money Laundering Act. It amends the aforesaid legislation to provide that any person who establishes, works or maintains a telegraph or a banking companies, financial institutions, intermediaries (“banking companies”) within any part of India shall use-authentication under Aadhaar, offline verification under Aadhaar, use of passport, use of other official valid documents. The Ordinance also requires that Telegraph and banking companies make other modes of identification available to such people.
UIDAI may by regulations decide whether a requesting entity shall be permitted the use of the actual Aadhaar number during authentication or an alternate virtual identity. The permission to let in alternate virtual identities is creating a platform wherein Aadhaar will not be the single most relied upon document for authentication.
However, the failure of the Ordinance to further mention the kind of virtual identities allowed will create a huge confusion. What would be the kind of virtual identities which can be used for authentication?
Supreme Court judgment upheld by the Ordinance:
The Ordinance further requires that banking and telecom companies use of modes of identification will be individual choice of each person and no person shall be denied service for lack of Aadhaar, This is an adoption of Supreme Court judgment which requires that no benefit can be denied on the basis of non-presentment of the Aadhaar card.
The Ordinance has taken a step forward in incorporating major directions of the September, 2018, Supreme Court judgment, such as stipulating non denial of services in the event Aadhaar is not presented. As a result of the Ordinance, now, only private companies following privacy rules will be allowed to issue Aadhaar authentication and also meta data will not be stored.
However, the Ordinance does not prescribe an oversight procedure to ensure that prevalent players in the Aadhaar ecosystem are complying with the same. As of date, unless the UIDAI gets to know of any such contravention directly from the aggrieved party, there are no other transparent means to verify the same.
A whole new Justice system has been structured:
The whole new concept of adjudication officer has been introduced under the Ordinance.
UIDAI may appoint such officers and employees as required for discharge of its functions under the Act. This shows that the government is very serious about overseeing the functioning of the Aadhaar ecosystem. We are moving into a regime wherein both public and private players are accruing substantial additional costs to ensure better privacy standards to the common man.
The Ordinance further prescribes that UIDAI may issue such directions to such entity in the Aadhaar ecosystem as may deem necessary and every direction issued will be complied with the entity in the Aadhaar ecosystem. The inclusion of this provision means that the government can single out players in the Aadhaar ecosystem to address any specific concerns. The most important aspect which can be taken note of here is that directions do not amount to binding rules in legal jargon. This means that the private players are likely to not be penalized for non-compliance with the rules.
However, the Ordinance prescribes huge penalty for failure to provide information, reports, etc, as required by UIDAI. Such acts would attract penalty of Rs. 1 crore and for every continuing day of non compliance additional amount of Rs. 10 lakh. Imprisonment of 3 years and fine which may extend to 1 lakh rupees or both has been stipulated if requesting entity or offline verification entity using information in contravention.
The Ordinance further prescribes that the Adjudicating officer will be joint secretary with such experience for holding an inquiry for not complying with rules laid out under the Act and the Ordinance.
Telecom Disputes Settlement and Appellate Tribunal has been stipulated to be appellate tribunal for holding an inquiry on matters relating to infringement of rules regarding the Rules. Aadhaar has demonstrated extensive application in banking and mobile industry. Why have telecom regulators been chosen exclusively? Why not other regulators such as RBI?
Further, the Ordinance prescribes that an appeal lies from order of appellate tribunal to Supreme Court. 45 days period has been provided to file appeal. This can be waived if Supreme Court feels there was no sufficient cause for filing under this period.
Civil court has been barred from jurisdiction to try Aadhaar related matters by the Ordinance, recognizing a justice system addressing a highly specialized ecosystem.
A ray of hope for Aadhaar based E-KYC?
The Ordinance provides that the mandatory authentication of an Aadhaar number holder will be possible if such authentication is required by a law made by the Parliament. This is wonderful news for Aadhaar ecosystem as this keeps a window open for E- KYC based Aadhaar authentication to return if the same is allowed by a future law made by the Parliament. The Ordinance is basically empowering the Parliament to bypass the Supreme Court judgment by using its lawmaking authority.
Many unanswered questions:
The provision of the Ordinance providing that no identity information available with a requesting entity or offline verification entity shall be used for any purpose other than the purpose informed in writing to the individual at the time of submitting information to the individual for authentication or offline verification, is a breakthrough provision.
But, will it serve the purpose to provide a written confirmation to tens of crores of illiterate citizens who make up India’s population who communicate in atleast 28 different languages? What about communication barriers with the blind, deaf Aadhaar cardholders? Should not publishing in vernacular languages be allowed considering India’s lingual diversity?
The Ordinance, further provides that if a reporting company other than banking company complies with the standards of privacy prescribed under the Act, then such entity can perform authentication by notification which is to always be issued after consulting with UIDAI. Note here that UIDAI will be a mere consultant and not a regulating entity in ensuring such a significant decision of allowing a new player into the authentication market. Has the government knowingly reduced the power granted to UIDAI?
So, are we entering an era where the decision making powers of UIDAI with respect to the Aadhaar ecosystem will be lesser and lesser? If, yes, will the government ensure that there will be a well informed regulator in place?
The Ordinance has made a decent attempt on further clarifying upon key issues bugging the Aadhaar ecosystem, such as, stipulating the adjudicating authority and the alternate means of identity which can be accepted by banks and telecom companies. But we still have a whole new bunch of unanswered questions as a result of the Ordinance.
How this would ultimately pan out? Only time would tell, but as of now, the future looks hopeful.
