The curious case of Section 57

Many businesses preferred using Aadhaar authentication because it cut down Know Your Customer (KYC) costs significantly—from Rs 1,000-1,500 to Rs 10-20—and speeded up the process of signing up customers from a few days to a few minutes. Banking and telecom industry regulators have over years set strict KYC norms as a check against illegal financial and information flows. Traditionally this meant checking the original proofs of identity and address. Aadhaar and eKYC digitised the entire process, making it cheaper and faster. When Reliance Jio launched, it used Aadhaar and eKYC to sign up 130 million customers within a year—that’s 3.5 lakh customers a day.

The lower cost also meant businesses could deal with smaller ticket sizes and design products for the lower end of the economic pyramid. Or, as Haresh Chawla explains here, cater to India 2 and India 3. Thus, it’s not just about regulatory requirements, it’s also about innovations that could be built on top of the identity platform. The certainty that comes from knowing that the system is dealing with a specific individual increases trust multi-fold. And that gives them the room to innovate and come up with more products.

Also, many customers found eKYC more convenient and safer than the other options, such as giving photocopies of license, passport, etc. With eKYC they revealed minimal demographic information.

Policy makers believed opening the Aadhaar platform to the private sector would kick-start innovation just as how opening up GPS led to innovations such as Google Maps and Uber. 

All digital technologies come with risks—bad implementation, digital frauds, cybersecurity breaches and, pertinent to the present case, violation of privacy. Thousands of Airtel customers, for example, found that Airtel had opened a payments bank account for them without their knowledge. Similarly, many found their data, including their Aadhaar numbers, leaked out of insecure websites. Privacy advocates and digital rights activists are worried about the possibility of profiling and mass surveillance.

Several groups of activists have been filing petitions against Aadhaar since 2012, some of them stating that Aadhaar violated the privacy of individuals. At one point, the government’s counsel raised a question on whether privacy was even a fundamental right. Last year, the Supreme Court declared that privacy was indeed a fundamental right. This meant the state cannot restrict a citizen’s privacy unless it passes three tests: “(i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.”

This year, the Supreme Court clubbed over 30 petitions and heard the arguments to determine if Aadhaar passed these tests or if it is unconstitutional. The petitioners argued that the law that backed Aadhaar was not valid, because it was passed as a money bill (which didn’t go through the Rajya Sabha’s approval), it had a number of provisions that wouldn’t stand to legal scrutiny, and that there were less intrusive alternatives to achieve the end that Aadhaar promises to achieve. The Indian government, a few state governments, and some representatives of businesses and civil society argued that Aadhaar had a valid law to back it, it served a legitimate state need, and it was designed to be minimally intrusive.

The arguments went on for 38 days, between January 2018 and May 2018. The five judge bench gave its verdict on Wednesday, 26 September.

The Supreme Court declared Aadhaar constitutional by a majority verdict (4:1). It upheld the use of Aadhaar to provide government subsidies and benefits. It made Aadhaar mandatory for PAN and for filing income tax returns. It also said Aadhaar was not needed to open a bank account or get a mobile phone connection. The most contentious—and confusing—ruling was about Section 57. It said, “That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.”

The Supreme Court was worried that the private sector could misuse the platform. Their concern came from three reasons.

1. The section said Aadhaar can be used for any purpose. That's too broad. The purpose, the judgement said, should not only be backed by a law, but that law should also be subject to judicial scrutiny.
2. The section said as long as there was a contract between an individual and a business, the use of Aadhaar is fine. The judgement felt such contracts don’t make up for the lack of laws.
3. Giving such access to the private sector could enable “exploitation of an individual biometric and demographic information by the private entities” and “would impinge  upon the right to privacy of such individuals.”

In short, the court struck down the part of Section 57 that allowed access to private sector, because it did not want a service that was created by the government to provide government subsidies and benefits to the poor to be used by the private sector for commercial exploitation—especially given that there was no purpose limitation and that too based on contracts between an individual and companies. 

While the judgement pertaining to Section 57 doesn’t cite it as one of the reasons, it is clear that there was a conflict there. The justification for passing the Aadhaar Act as a money bill comes from the government’s use of Consolidated Funds of India, which finances subsidies, benefits and services. However, Section 57 did not have anything to do with the Consolidated Funds, and hence (petitioners argued) should not have been a part of a money bill.

The government in turn argued that the private players had a right to use a public infrastructure—and section 57 was not an enabling provision, but a limiting one. It “limits its use by state, body corporate or a person by requiring it to be sanctioned by any law in force or any contract”.

But, the bench did not buy this argument. In effect, either Section 57 had to go, or the entire Act had to be struck down. In fact, the judgement justifies the validity of the Aadhaar Act as a money bill by citing that it has struck down Section 57. 

Money bills don’t have to go through the Rajya Sabha, and the BJP-led National Democratic Alliance government did not have a majority there. The opposition had objections to some of the provisions of the bill, including the ones that made it mandatory, and Section 57, which was too broad in scope. Knowing that it will not pass in the Rajya Sabha, the government called it a money bill, and got it passed. It is a reason why the dissent opinion by Justice DY Chandrachud called it a “fraud on constitution”, a term that’s used when a government bypasses a full-fledged parliamentary approval, by using executive orders or ordinances. 

The confusion is mostly around whether the Supreme Court had left any door open for private players—and how exactly to go about it.

Some argue that there is no room for private companies to use Aadhaar. They cannot use Aadhaar as an authentication tool. They cannot request authentication or eKYC services from UIDAI. The intent of the judges has been made clear. Let's call it an “all-doors-shut” interpretation.

Some others argue that this interpretation is wrong. We will look at their arguments in detail in the following questions, but in short, these are the reasons.

1. Government subsidies/benefits and the private sector are often joined at the hip, because the government uses the private sector as a distribution channel.
2. The judgement has not touched a few other sections such as Section 8 and Section 2(U) in the law that allow private use (with conditions).
3. Interpreting it this way could impinge on the rights of individuals, businesses, social sector organisations and the government. If we followed the hearing and read the judgement as a whole, it will be clear that the judges’ intention was not to impinge on these rights. What they wanted was safeguards, checks and balances.
4. Interpreting it this way would also assume that the court is taking calls on specific technologies.

Let’s call it a ‘doors-still-open’ interpretation. The arguments today are really between the ‘all-doors-shut’ group and ‘doors-still-open’ group. 

Many government benefits reach individuals through the private sector. For example, in Krishna district in Andhra Pradesh, NREGA payments are made right at the work site through banking correspondents carrying a micro ATM device; pensions are delivered to several old people at their homes using such devices. And these are operated not by the government but by private sector banks. To say that private sector cannot use Aadhaar would mean these benefits might have to be stopped till the government builds a parallel infrastructure. 

Section 8 of the Aadhaar Act says UIDAI has to provide its services to any requesting entity, and Section 2(U) of the act defines requesting entity as an agency or a person, and doesn't restrict it to government agencies alone. If the court’s intent had been to disallow private entities altogether, it would have flagged off these sections as well. In effect, it has given the private sector room for the use, provided there are appropriate laws.

The ‘doors-still-open’ group also argues that the judgement’s concern for privacy comes from the risk of “exploitation of an individual biometric and demographic information by the private entities”. In this, what differentiates Aadhaar is only biometric information, for private players can anyway ask for demographic information via other means, often in the form of photocopies. However, the Aadhaar platform doesn’t share biometric information with any requesting entity. It only says, with a yes or no answer, if an Aadhaar number matches with the biometric details provided.

In effect, they argue, private players can use Aadhaar if the nexus between existing laws and purpose for which Aadhaar is used is strengthened, by passing new laws, and by using technology to allay the concerns.

However, there are two counter arguments to this. The Supreme Court seems to be worried about the private sector exploiting a platform that was built for delivering government services (the raison d'être as a money bill). And second, while demographic details can be shared, Aadhaar number is supposed to be private.

The ‘doors-still-open’ group argues that if the doors are not open, it doesn’t bode well for the rights of individuals, organisations and the state, and therefore it’s wrong to interpret the Supreme Court judgement too narrowly.

Let’s look at their arguments one by one.

Individuals: Individuals have the right to use Aadhaar as a proof of identity and address, if they prefer it. In some cases, Aadhaar might be the only identity they have. As the petitioners argued in the court, over 2.19 lakh people got their Aadhaar numbers using the introducer method. It means they didn’t have any other form of identity. Assuming half of them got other forms of identity post Aadhaar, there would still be at least a lakh who depend entirely on Aadhaar as proof of identity and address. To say they cannot use the only identity they have to access any service from the private sector that demands one, is to impinge on their rights. Besides, the judgement recognises that the individual owns his or her data, and the UIDAI is merely a custodian. (Striking down the section that allows only UIDAI to file a complaint is an example).

Businesses: The all-doors-shut interpretation would favour big companies such as Reliance, Airtel, and Paytm which have already used a cheaper and efficient method of authentication/eKYC against not only startups but also other tiny businesses. For example, a street vendor, who got access to cheaper loans in part because of her ability to authenticate herself cheaply, might now find it relatively more difficult to run her business. In effect, unless it specifically bans all Aadhaar transactions by private parties retrospectively, it would impact the startups. But doing so would be unfair to individuals who accessed those services. In any case, the judgement itself doesn’t say anything about what to do with data already collected, and transactions that have already happened.

Social enterprises: Aadhaar is a digital public infrastructure. If it helps the government to include more people and provide welfare, there is no reason to assume it will not help social enterprises—say, the ones that are into healthcare or access to finance—to provide the same services. One can assume that the court knows that to deny a social service organisation to use a public infrastructure—thereby increasing the cost of operations—would only decrease the social good.

State: To interpret the judgement as if it’s against private usage also denies the government a chance to provide authentication services, in competition with private sector companies. The market is now dominated by companies such as Google, Facebook and Twitter—many e-commerce, education and non-profit sites prompt users to sign in via these three. In fact authentication service providers see UIDAI as a competition. To deny private sector use of Aadhaar will deny an opportunity for UIDAI to become a self-sustaining organisation.

In fact, during the arguments on May 4, Justice Chandrachud observed that Section 57 was necessary because a) it imposes a limitation on private use through a proviso and b) it enables the government to turn the Aadhaar infrastructure into a self-sustaining enterprise. (An old PwC report suggested a possible business model for UIDAI wherein it charges a small amount of money for providing its authentication and eKYC services for private sector use.) Whether government should be in authentication business or not is a bigger question, but it is fair to assume that the court did not want to take that decision. 

No, the Aadhaar case was about whether the platform, in its present form, passes three tests: legality, necessity and proportionality. Proportionality ensures that an individual does not give up too much in relation to the need. Changes in technology can fundamentally alter that. For example, biometric lock (which the judgement took into account) was not a feature of Aadhaar when it was launched, but became one. Similarly, virtual Aadhaar—which the judgement doesn't talk about—addresses some of the privacy concerns. Virtual Aadhaar ID is 16-digit number mapped with the Aadhaar number. It is temporary and revocable, but can be used for authentication pretty much the same way Aadhaar can be used. It is also a random number, and one cannot guess one’s Aadhaar number based on it. It will be fair to assume that the judges did not want to decide on what technology would do tomorrow—and only wanted to put in enough safeguards, checks and balances so it doesn’t impinge on the privacy of individuals.

In the end, the Supreme Court verdict has left many in the private sector confused. Some believe that regulators—such as the Reserve Bank of India, the Telecom Regulatory Authority of India and others—would bring some clarity. No one is sure how. The judgement has been very clear about linkage of Aadhaar with bank accounts and telecom connections. However, it has not been clear about the use of Aadhaar by the private sector, and in a polarised issue such as Aadhaar, it is only natural that the two opposing sides have two dramatically opposing interpretations.

Both have good reasons to do so. The court has indeed recognised the serious risks that come from using Aadhaar—especially in the absence of good laws open to judicial scrutiny, a legitimate state need, and most importantly, proportionality. Establishing proportionality—especially when it comes to digital technologies that come with unintended consequences—is hard. In such circumstances, it is best to take a precautionary approach, and not let anyone push the country into a situation where no one has any control. If the private sector is not allowed to use Aadhaar, will it guarantee privacy? The answer is no. If the private sector is not allowed to use Aadhaar, will it reduce the risk of privacy violations? The answer is yes.

But, those who are in favour of the private sector say the same argument could be used against automobiles too. We can avoid all the road accidents if there are no automobiles. However, we haven’t banned automobiles. Instead we weigh their costs against the benefits to society. Private sector use of Aadhaar should be looked at in a similar fashion, they argue.

The last few years have clearly given us enough examples of what can go wrong. The risks of security breaches, fraud, and loss of privacy are real. India does not even have a data protection law. Digital risk literacy, even among the educated, is rather low, and there are strong reasons to distrust the idea of ‘informed consent’. That India hasn’t invested much in cybersecurity is definitely true of government, but it’s also true of the private sector.

Fixing these will help not only the applications that are built on or around Aadhaar, it will also help all digital technologies. To fix this, the government, regulators, technologists, businesses, social sector organisations and citizens should look away from the polarising debates, and focus on what needs to be done for the country—irrespective of what happens to Aadhaar.