Introduction

Even as the Indian state struggles to secure the biggest bank per buck of taxpayer’s money, resolving the challenges of modern day governance and plugging the leakages in the public delivery system warrants the use of innovative technologies. The Unique Identification Authority of India (UIDAI) is an embodiment of the desire of the Indian government to bring transformative reforms in the design and nature of development intervention. Given that the issue of unique identification numbers (UID) to residents possesses the wherewithal to significantly alter the admittedly tenuous and delicate relationship between the people and the state, this paper underscores that it is imperative to resolve the trade-off between the information requirements of effective governance and the right to privacy of the individual. While the draft bill is scrutinised for potential sources of invasion of privacy both by an activist national government and private agents, insights from the discourse on privacy laws in foreign jurisdictions are used to shed light on the seriousness of the maladies of the legal framework governing privacy in India. It is argued that addressing these lacunae in the present legislation in a manner consistent with the tenets of participatory democracy (and thereby obliterating barriers to enrolment) is of singular importance in fulfilling the mandate of the UID project as a game-changer in the sphere of public service delivery.

UIDAI – Features and Objectives

The UIDAI was established in February 2009 under the aegis of the Planning Commission with a mandate to issue unique, universal and ubiquitous identity numbers based on biometrics to all residents of India. This mammoth and unprecedented exercise under the leadership of Mr. Nandan Nilekani envisions issuing a unique identification number called ‘Aadhaar’ that can be verified and authenticated in an online cost-effective manner which is robust enough to eliminate duplicate and faking identities It is expected to serve as a great enabler to improve targeting and delivery of major government welfare programmes and public services, especially to those who are poor and marginalized The programme is designed to confirm the identity of the 1.2 billion residents of India, making it the largest not to mention incontrovertibly the most expensive identity management programme in the world. The first set of unique identity numbers is expected to be issued in the early part of 2011. Over five years, the Authority plans to issue 600 million UIDs.

In order to facilitate the issuance of UID to solve the singular problem that the UIDAI seeks to address which is of ‘identity’, it will establish an institutional microstructure which will include a Central Identity Data Repository (CIDR) that will manage the central system and a network of Registrars, which will establish resident touch points through Enrolling Agencies for issuing UID numbers to residents. The Registrars would include both Government and Private Sector Agencies which already have the infrastructure in place to interface with the public to provide specified services, for example, Insurance companies, banking and financial institutions, LPG marketing companies, NREGA etc which will require the beneficiaries to enrol to receive continued service.

The residents who have thus enrolled will be required to provide only their basic information which includes name, address and biometrics. This information will be stored in the UID database maintained by CIDR. It has been reiterated with notable consistency that the UIDAI will not be gathering information pertaining to race, religion, caste, tribe, ethnicity, language, income or health, thereby avoiding profiling of residents.

The project bases its legitimacy on its benefits that will be attributed to the poor. It promises that it will give the poor an identity, with which they may become visible to the state. The UID number is expected to plug leakages in the Public Distribution System (PDS), ease payments to be made under the National Rural Employment Guarantee Scheme (NREGS), and enable achievement of targets in consonance with the right to education. Service delivery is a central theme in its promotional literature. The raising of expectations is, however, mollified by a sudden stipulation that the “UID number will only guarantee identity, not rights, benefits, or entitlements”

The UIDAI maintains that the information in the database will be used only for authentication purposes. If anyone seeks to authenticate the identity of another person, they will receive response in the affirmative or negative only Consequently, retrieval of information is not ordinarily possible except under special circumstances mentioned in the legislation

Civil Liberties Issues and Concerns in the light of The National Identification Authority of India Bill, 2010

In June 2010, the UIDAI web site uploaded a proposed draft bill: the National Identification Authority of India Bill, 2010 inviting comments and suggestions from the public. The bill although prima facie establishes National Identification Authority as a statutory body having the power to draft regulations with the approval from Parliament and deals with matters connected therewith or incidental thereto, it is not comprehensive enough to cover all aspects of the UID project particularly when it comes to protecting civil liberties of citizens in the light of privacy and data protection issues. In fact, the potential for invasion of privacy has emerged as the most debated legal consequence of this bill. Inter alia, some of the concerns raised regarding this particular subject are:

1. Dilution of the voluntariness of subscription: In pursuance of protecting right to privacy and freedom of choice of citizens, it has to be ensured that the aadhar number is strictly voluntary. Though it has been clarified repeatedly by UIDAI that there will be no compulsion, it has not been expressly mentioned in the bill. In situations where other agencies make the UID number mandatory in their operations, it is a different matter altogether. The UIDAI has been signing memoranda of understanding (MOUs) with a range of agencies including banks, state governments and the Life Insurance Corporation of India (LIC) to be “registrars”, who then may insist that their customers enrol on the UID to receive continued service. Accordingly a prohibition against the denial of goods, services, entitlements and benefits (private or public) for lack of a UID number – provided that an individual furnishes equivalent ID is necessary7 . This real possibility of the ‘convergence’ of different ‘silos’ of information held by different agencies of government (and private players) could also aid the surveillance, tracking and profiling of aadhaar number holders. Whereas the realisation of the objective of the UID project as an enabler of substantive policy reform would rely on such ‘convergence’, as explained above, this poses real threats to fundamental freedoms.
2. National Security: One of the provisions that have raised concern is clause 338 , which reads: ‘33. Nothing contained in the sub-section (3) of section 30 shall apply in respect of – (a) any disclosure of information (including identity information or details of authentication) made pursuant to an order of a competent court; or (b) any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge’ and rightly so. Given that employing the pretext of national security for multifarious infringements upon individual liberties has been commonplace in India, just as it is with the Right to Information Act, 2005 (which precludes access to a certain range of information with public authorities on this same basis), the draft bill does injustice to the citizen/resident in favour of the government and as is known to any student of law, the honesty of purpose of those in power cannot be trusted upon as a basis for freeing them from the ambit of the law.
3. Sharing of Information: When the bill provides that the functions of the Authority includes “sharing, in such manner as may be specified by regulations, the information of aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by direct order”, what has been overlooked is an outright conflict with other provisions of this very bill. For example, whereas the task of obtaining written consent from every potential beneficiary of a public scheme for the ‘below poverty line’ population might be impeded significantly by the logistics involved, dovetailing the UID database with (an agency that holds) information on BPL status (based on income/ consumption expenditure data) would come in direct conflict with a well-meaning provision in this Act that forbids collection of information on income of the aadhaar number holder. The draft bill therefore falls short of allaying the fears of those who contend that such sharing of information must be contingent on the meaningful consent of the aadhaar number holder
4. Surveillance, Tracking and Other Means of State Control: With the promulgation of this law, the doors would be opened for active surveillance, tracking, profiling and other modes of state control over the citizenry and would pave the way for serious violations of civil liberties. The “Awareness and Communication Report” commissioned by the UIDAI rightly pointed out that sidestepping the unease of a potential aadhaar number holder over having to give out information without being fully aware of its implications and all potential uses to which it would be put10. This threat is particularly strong given that the objectives of this project (read “uses to which the UID database would be put”) would surely only fully evolve with time. The project with its potential for ensuing ‘function creep’ (a term used to describe the way in which information is collected for one limited purpose but gradually gets used for other purposes) could do what social security numbers did to the American people and much more The bill lacks in that it does not require the Authority, registrars, enrolling agencies and service providers to delete/anonymize/obfuscate transaction data according to defined principles after appropriate periods of time in order to protect the privacy of citizens

The above account summons our attention to the inadequacies of the draft bill in providing the aadhaar number hold a guarantee (i.e. appropriate legal recourse) against invasion of privacy. The scenario that this bill would engender is clearer from a better appreciation of the implications of the bill’s provisions for the information giver.

Privacy: Preliminaries and Foreign Jurisprudence

Privacy is a fundamental human right recognized in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties. Privacy underpins human dignity and other key values such as freedom of association and freedom of speech. Nearly every country in the world includes a right of privacy in its constitution. Most recently written constitutions include specific rights to access and control one’s personal information. In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions and international agreements that recognize privacy rights have been adopted into law

The term “privacy” has been described as “the rightful claim of the individual to determine the extent to which he wishes to share of himself with others and his control over the time, place and circumstances to communicate with others. It means his right to withdraw or to participate as he sees fit. It also means the individual’s right to control dissemination of information about himself; it is his own personal possession” In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information. Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person’s affairs

Among the various aspects of privacy, the one that is pertinent in the present context is that of “information privacy” which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records and thereby links data protection laws with privacy. The present position on this subject in Europe and US are as briefly stated below.

In Europe, the comprehensive model of privacy protection is adopted. The Council of Europe’s 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (signed by nearly thirty countries) and the Organization for Economic Cooperation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Trans border Data Flows of Personal Data15 enunciate specific rules covering the handling of electronic data. These rules describe personal information as data which are protected at every step from collection to storage and dissemination. The right of people to access and amend their data is a crucial element of these rules.

Further, the European Union enacted the Data Protection Directive in 1995. The Directive not only furthered the baseline, setting common standards for privacy to be followed throughout the EU but also set out new rights. It intends to create a zone of free flow of personal information without making a distinction between public and private sector, both of which have the same level of protection. The Directive has made express unambiguous provisions for data quality requirements, use and disclosure of data (the finality principles), right of the data subject, mandatory consent and so on by which comprehensive safeguards are maintained to protect the right of privacy and freedom of individuals

In US, “sectoral approach” is adopted which concentrates on making multiple legislations to safeguard the right depending on the sector involved. Through various judgements and legislations which includes the Privacy Act of 1974 , Computer Matching and Privacy Act and US-EU Safe Harbor Agreement , sufficient safeguards in conformity with the rules established by its European Counterparts to protect personal data and individual liberties have been put in place. These safeguards guarantee the protection of personal information in federal databases and provide individuals certain rights over information contained in those databases.

Privacy and Data Protection in India

The discourse on Privacy laws in India has been a relentlessly changing and nebulous one having a curious ephemeral quality to its juristic life The Constitution of India does not expressly recognize the right to privacy. However, judicial activism has brought the Right to Privacy within the realm of Fundamental Rights. The Supreme Court first recognized in 1964 that there is a right of privacy implicit in the Constitution under “protection of life and personal liberty” given by Article 21 of the Constitution, which states, “No person shall be deprived of his life or personal liberty except according to procedure established by law”.

Further in R. Rajgopal v. State of Tamil Nadu, Justice Jeevan Reddy observed that in recent times the right to privacy has acquired constitutional status. The learned Judge observed that “the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”. Once the facts in a given case constitute a right to privacy, Article 21 is attracted, he concluded.

Notwithstanding the above recognition of right to privacy, when it comes to data protection, we still do not have an express and unambiguous legislation. Currently there are no measures to limit government intrusion and prevent mismanagement of sensitive private data of individuals. Though the subject matter of data protection and privacy has been dealt within the Information Technology Act, 2000, it has not been covered in a comprehensive and exclusive manner. It being a generic legislation does not lay down any specific data protection or privacy principles. Accordingly, there is no an actual legal framework in the form of Data Protection Authority, data quality and proportionality, data transparency etc. which rigorously addresses and covers data protection and privacy issues in accordance with the principles of the EU Directive, OECD Guidelines or other international principles and conventions This lack of definitive safeguards in terms of appropriate legal recourse calls for an impending need to update our jurisprudence through enactment of an adequate and lucid legislation on privacy and data protection

Conclusion

The above discussion establishes the absence of safeguards against ‘being let alone’ by the state, giving rise immediately to a debate on just how elusive the goals of the UID exercise are. We deem it important to refute two key elements of this debate as it has shaped itself in the public domain in the recent past. The first relates to the fact that no serious cost-benefit analysis has been conducted whereby it could be clearly discerned that the project itself is good use of public money. Given the range of development initiatives that could be streamlined with this scheme and the gigantic scale of most of them, one cannot pronounce a negative verdict on the feasibility of this project even after accounting for the many (purely economic) costs that it would entail (as is apparent at this juncture and from the experience of foreign nations with similar ventures). We submit further that if one also allows additive weights in favour of the income poor in this calculus, it would overwhelmingly give an answer in the affirmative. The second deals with comparisons with the UK exercise of a similar nature which has recently been done away with. As opposed to that scheme (one of the innumerable public projects that have been scrapped or downsized by a conservative government on an austerity drive) designed exclusively for internal security reasons and thereby extremely intrusive and inefficient, ours holds enormous possibility for advancing living standards if one subscribes to the official version of the mandate of the UIDAI. Whereas a number of arguments have been advanced against the viability of the project, it is posited here that information sharing and data protection concerns are probably the soundest objections that can be raised and further that there is no such problem that can more or less be eliminated with a well-thought out legal framework. As is almost always the case with employing technology in human advancement, misuse is highly probable if one contemplates on the consequences of the draft bill. What has been asserted above is the need for a shift from the reliance on judicial activism to define the limits and extent of the right to privacy to one on an exclusive and unambiguous legislative framework. The genuine fears of the information giver could only be satisfactorily addressed through the institution of appropriate legal (and not treacherous administrative) protection. Drawing generously from the experience of foreign nations with privacy and data protection laws, building a supporting legislation to allow for the meaningful coexistence of the well-meaning UID numbers and the inalienable right to privacy of the UID number holder should not be as cumbersome as it is often made out to be. Once the right (in all its layers and dimensions) is recognised and the necessary protection guaranteed through a proper legislation, with a few pragmatic changes in the present bill, the Indian Parliament can hope to realise its vision of enabling inclusive growth through an efficacious public service delivery mechanism based on a secure database of information on the identity of its benefactors.