We have provided our comments on the Draft Aadhaar (Pricing of Aadhaar Authentication Services) Regulations 2021. In our comments, we have called attention to significant issues of exclusion, privacy and surveillance that exist with the Aadhaar programme and highlighted non-compliance with the Supreme Court’s decision in the Puttaswamy judgement. Finally, we recommend that Aadhaar authentication charges be scrapped and private entities be barred from acting as ‘requesting entities’ for authentication.
On 24th September, the Unique Identification Authority of India (UIDAI) released the Draft Aadhaar (Pricing of Aadhaar Authentication Services) Regulations 2021 for consultation. These regulations would supersede the earlier Aadhaar (Pricing of Aadhaar Authentication Services) Regulations, 2019. Now, the 2021 regulations carry forward most of the provisions of the 2019 regulations, such as:
- Rs. 0.50 charge for requesting entities for each Yes/No aadhaar authentication transaction.
- Failed Yes/No Aadhaar authentications and failed e-KYC authentications would also be charged at Rs. 0.50.
- Any authentications carried out by central or state government bodies are exempted from such charges.
- License fees shall be charged separately.
- Delays in payment beyond 15 days from the issue of an invoice would attract interest at 1.5% compounded monthly.
There is, however, one big change: while the earlier regulations specified a charge of Rs. 20 for each e-KYC Aadhaar authentication, the new draft regulations propose a significantly reduced charge of Rs. 3 for e-KYC authentications.Now, prima facie, reduced fees for Aadhaar authentication seem like a good idea. But there is more to this meets the eye.
The Puttaswamy judgement
The Supreme Court, in its judgement in Justice K.S.Puttaswamy(Retd) vs Union Of India, 2018, held the authentication of Aadhaar by private entities to be unconstitutional.The judges denied the use of Aadhaar authentication pursuant to a contract, which has been argued to mean that any instance of Aadhaar authentication by private entities is not permissible. The Court also said that Aadhaar authentication may only be made mandatory for the receipt of certain subsidies, benefits and services, which have been funded by the Consolidated Fund of India (or the Consolidated fund of states).
Obviously, this runs contrary to daily experience, where Aadhaar based authentication is a reality - in fact, in many situations it is ‘effectively mandatory’. From the COVID-19 vaccination roll out to the new Health ID to bank KYCs, Aadhaar authentication is used by private entities during the regular course of business. The Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020 (notified on August 5th, 2020) further legitimise the use of Aadhaar authentication by private entities. As we pointed out in our letter to the Chairperson of the Lok Sabha Committee on subordinate legislation, allowing the use of Aadhaar authentication by private entities violates the Supreme Court’s judgement in Puttaswamy, while also not fulfilling certain tests of proportionality and constitutionality.
So how did such a situation arise? Well, despite the Supreme Court finding that use of Aadhaar authentication by private parties is a disproportionate invasion of privacy, the government soon proposed amendments to the Aadhaar Act which would allow private parties to continue using Aadhaar to establish the identity of their users. Through the Aadhaar and Other Laws (Amendment) Act 2019, private entities were allowed to perform authentication through Aadhaar, if the Unique Identification Authority of India (UIDAI) is satisfied that it is: (i) compliant with certain standards of privacy and security, or (ii) permitted by law, or (iii) seeking authentication for a purpose specified by the central government in the interest of the State. The constitutionality of these amendments has been challenged before the Supreme Court.
The UIDAI has also failed to adequately comply with the Supreme Court’s order. RTI responses indicate that the UIDAI sought the legal opinion of the Attorney General of India (AGI) about how Aadhaar based payments would function in the wake of the Supreme Court’s judgement in Puttaswamy. The AGI, in response to UIDAI’s questions, had stated that:
“The above extract from the judgement would make it clear, in my opinion, that use of the Aadhaar number, including authentication, for the purpose of delivery of subsidies, services and benefits in terms of Section 7 of the Aadhaar Act, remains valid. Banks would, therefore, be entitled to seek authentication of the beneficiaries, who avail of subsidies/benefits/services covered by Section 7 of the Aadhaar Act, for the purpose of the transfer of any monetary subsidy or benefit to the bank account of beneficiary, as well as for facilitating the withdrawal of money by the beneficiary through Aadhaar based micro-ATM machines.”
On this basis, a circular was issued by the UIDAI, allowing banks and private entities to use Aadhaar based Authentication for e-KYCs for the delivery of subsidies and other programmes that depended on direct benefit transfers. Now, while certain safeguards were specified, it is clear that UIDAI has not complied with the orders of the Supreme Court and allowed private entities to use Aadhaar based authentication.
Issues with Aadhaar based authentication
The Aadhaar project has faced several criticisms since its inception; such criticisms have only heightened after its implementation, with a diverse set of actors from the Supreme Court to CAG of India to various civil society bodies questioning the use of Aadhaar based authentication.
Significant issues of privacy and surveillance exist with respect to the Aadhaar programme. As a centralised system with a shared identifier, it may enable mass surveillance by breaking data silos and increasing the profiling of individuals by tracking an individual's activities across multiple domains of service, leading to identification without consent.
The programme may also violate the right to privacy, given the extensive information that is collected via Aadhaar. This includes biometric data, which is deeply sensitive information, the collection of which may violate bodily integrity and lead to unprecedented levels of surveillance. Technical issues also abound, as the Aadhaar database is plagued by massive data breaches. In the absence of an independent regulator to audit the database for leaks, maintain high security standards, and check for function creep, such issues will continue to persist.
Technology failures plague the Aadhaar authentication system, and have already led to serious issues of exclusion from welfare benefits, which are likely to be aggravated.The linkage of Aadhaar to welfare services has caused large numbers of people to be excluded from their welfare benefits, which has caused immeasurable hardship. Increasing the use cases for Aadhaar authentication would only exacerbate this problem, and increases the risk of infringement of the right to privacy. The CEO of UIDAI had noted that in 2018 authentication failure for government services was as high as 12%. The Economic Survey 2016-17 (para 9.67) has also acknowledged the existence of severe exclusion errors due to authentication failure, with failure rates ranging from 5% in Gujarat to 37% in Rajasthan and 49% in Jharkhand.
The effectively mandatory nature of Aadhaar only exacerbates such issues of exclusion, privacy, and surveillance. Additionally, specifying transaction charges for authentication transactions imposes an additional cost on requesting entities, who are likely to at least partially pass on such costs to the consumer. Thus, we have recommended that:
- Remove charges for Aadhaar authentication: Given the objectives of increasing financial inclusion (especially digital financial inclusion), additional charges for authentication transactions may dissuade citizens, especially from those marginalised and deprived backgrounds, from entering the sphere of formal banking. Thus, transaction charges for Aadhaar authentication should be scrapped.
- Bar private entities from acting as ‘requesting entities’: New guidelines must be published that bar private entities from accessing Aadhaar data for authentication. Such guidelines must also specify that ‘requesting entities’, as defined under section 2(u) of the Aadhaar Act, 2016, is to include only central and state government bodies such as ministries and departments that propose to use Aadhaar for the provision of a service the expenditure for which is incurred to the Consolidated Fund of India.
- Draft Aadhaar (Pricing of Aadhaar Authentication Services) Regulations 2021 (link)
- IFF’s comments on the Draft Aadhaar (Pricing of Aadhaar Authentication Services) Regulations 2021 (link)
- Previous blogpost titled “Bad Rules for Good Governance: On the Unconstitutionality of the Aadhaar Good Governance Rules” dated 27th April, 2021 (link)