The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar act), and the related regulations create an extensive framework regulating requesting entities and their usage of Aadhaar information.
In sharp contrast, private entities that collect Aadhaar information are regulated far less stringently, and somewhat tangentially, by the Aadhaar (Sharing of Information) Regulations, 2016, and the Unique Identification Authority of India’s (UIDAI) circular on data vaults dated 25 July 2017.
Private entities used Aadhaar numbers under section 57 of the Aadhaar act, which enabled the use of “Aadhaar number for establishing the identity of an individual for any purpose, whether by the state or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect”.
Unsurprisingly, this was strongly challenged by the petitioners in the Aadhaar Writ Petition on which the Supreme Court pronounced its judgment on 26 September 2018. The court tested section 57 against the three-part test of legality, legitimate aim and proportionality. The court held that the three-part test was not satisfied due to the possibility of commercial exploitation of people’s identities at the hands of private entities and accordingly removed their ability to use Aadhaar authentication.
Separately, as the Aadhaar act was passed as a money bill, the court ruled that Aadhaar authentication could take place only for the purpose of subsidies, benefits or services funded from the Consolidated Fund of India (CFI subsidies). The court also struck down the seventh amendment to the Prevention of Money Laundering Rules, 2017, which enabled Aadhaar-based know your customer (KYC) verification by entities regulated by the Reserve Bank of India (RBI), and a circular dated 23 March 2017, which did so for entities regulated by the Department of Telecommunications (DoT). Finally, the court observed that the use of Aadhaar as a general form of identification would be permissible.
A variety of entities including telecom service providers (TSPs), fintech companies, banks, non-banking finance companies, private entities and requesting agencies had been using Aadhaar authentication to establish the identity of individuals to satisfy KYC obligations, or meet other legal and contractual requirements. However, following the judgment, there has been much debate and uncertainty as to its interpretation, and whether such use could continue.
The UIDAI, as the guardian of the Aadhaar database, is primarily responsible for resolving these issues. Having obtained further clarificatory advice (reportedly from the Attorney General of India) on the judgment, the UIDAI has concluded that: 1) certain entities are prevented from accessing the Aadhaar repository for any purpose; and 2) other entities may be permitted to access the Aadhaar repository for the limited purpose of offering CFI subsidies.
The UIDAI has thereafter issued various directions on Aadhaar authentication. It directed TSPs to submit an exit plan for Aadhaar authentication within a specified timeframe, and the DoT thereafter required them to cease usage of Aadhaar authentication forthwith. The UIDAI also clarified that banks may only use Aadhaar e-KYC authentication for opening bank accounts in which the account holder wishes to receive CFI subsidies. It also reportedly directed various private requesting entities, including mutual fund registrars and payment wallet operators, to cease Aadhaar authentication with immediate effect.
As an alternative to Aadhaar authentication, the UIDAI has proposed the evolution of an offline verification mechanism, using either QR codes or digitally signed XML files. Entities have also been urged to collect e-Aadhaar, or masked Aadhaar cards as proof of identity and store them in masked form, i.e., with only the last four digits being visible.
While a question remains as to whether the above alternatives fully implement the letter and spirit of the judgment, it is clear that the recognition of offline verification mechanisms by the RBI, DoT or other regulators as valid KYC will be of essence to their adoption and survival.
Further, balancing the data protection principles of purpose limitation and data minimisation, as identified in the judgment against commercial viability and the sectoral guidelines underlying authentication will require much legal and technological innovation on the part of various stakeholders who wish to use the Aadhaar framework.
Cyril Amarchand Mangaldas is India’s largest full-service law firm. Arun Prabhu is a partner at the firm. He was assisted by Samraat Basu, a consultant at the firm.
Peninsula Corporate Park,
Lower Parel, Mumbai – 400 013 India
New Delhi | Bengaluru | Hyderabad | Chennai | Ahmedabad
Tel: +91 22 2496 4455
Fax: +91 22 2496 3666