Key Highlights of the Aadhaar Judgment

Supreme Court, Aadhaar, Privacy, Privacy Law

The Supreme Court has delivered its much awaited judgment in the Aadhaar case, wherein the majority view, comprised of - Dipak Misra CJI., AK Sikri J., AM Khanwilkar, J. and Ashok Bhushan J. (though Bhushan J. dissented with the majority on certain points) upheld the constitutionality of the Aadhaar Act, 2016 barring a few provisions on disclosure of personal information, cognizance of offences and use of the Aadhaar ecosystem by private corporations. DY Chandrachud J. delivered a dissenting opinion debasing the entire Aadhaar scheme along with the Act. The full text of the judgment is available here.

A summary of the three opinions as delivered by AK Sikri J., DY Chandrachud J. and Ashok Bhushan J. are as follows:

Majority Opinion by Dipak Misra CJI., AK Sikri J. and AM Khanwilkar J.

  • ‘Benefits’ and ‘services’ as mentioned in Section 7 should be those which have the colour of some kind of subsidies etc., namely, welfare schemes of the Government whereby Government is doling out such benefits which are targeted at a particular deprived class. It would cover only those ‘benefits’ etc. The expenditure thereof has to be drawn from the Consolidated Fund of India.

  • Section 33(1) of the Act prohibits disclosure of information, including identity information or authentication records, except when it is by an order of a court not inferior to that of a District Judge. We have held that this provision is to be read down with the clarification that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing. If such, an order is passed, in that eventuality, he shall also have right to challenge such an order passed by approaching the higher court. During the hearing before the concerned court, the said individual can always object to the disclosure of information on accepted grounds in law, including Article 20(3) of the Constitution or the privacy rights etc.

  • Insofar as Section 33(2) is concerned, it is held that disclosure of information in the interest of national security cannot be faulted with. However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be associated with. We may point out that such provisions of application of judicial mind for arriving at the conclusion that disclosure of information is in the interest of national security, are prevalent in some jurisdictions. In view thereof, Section 33(2) of the Act in the present form is struck down with liberty to enact a suitable provision on the lines suggested above.

  • Insofar as Section 47 of the Act which provides for the cognizance of offence only on a complaint made by the Authority or any officer or person authorised by it is concerned, it needs a suitable amendment to include the provision for filing of such a complaint by an individual/victim as well whose right is violated.

  • In so far as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.

  • Section 2(d) which pertains to authentication records, such records would not include metadata as mentioned in Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016. Therefore, this provision in the present form is struck down. Liberty, however, is given to reframe the regulation, keeping in view the parameters stated by the Court.

  • Retention of data beyond the period of six months is impermissible. Therefore, Regulation 27 of Aadhaar (Authentication) Regulations, 2016 which provides archiving a data for a period of five years is struck down.

  • Metabase (Metadata) relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.

  • On that basis, CBSE, NEET, JEE, UGC etc. cannot make the requirement of Aadhaar mandatory as they are outside the purview of Section 7 and are not backed by any law.

  • We hold that the provision in the present form does not meet the test of proportionality and, therefore, violates the right to privacy of a person which extends to banking details. This amounts to depriving a person of his property. We find that this move of mandatory linking of Aadhaar with bank account does not satisfy the test of proportionality.

  • Circular dated March 23, 2017 mandating linking of mobile number with Aadhaar is held to be illegal and unconstitutional as it is not backed by any law and is hereby quashed.

  • When it comes to obtaining Aadhaar card, there is no possibility of obtaining duplicate card. Once the biometric information is stored and on that basis Aadhaar card is issued, it remains in the system with the UIDAI. Wherever there would be a second attempt for enrolling for Aadhaar and same person gives his biometric information, it would immediately get matched with the same biometric information already in the system and the second request would stand rejected. It is for this reason the Aadhaar card is known as a Unique Identification (UID).

  • While examining the validity of a particular law that allegedly infringes right to privacy -The question is as to whether the Court is to apply ‘strict scrutiny’ standard or the ‘just, fair and reasonableness’ standard. In the privacy judgment this Court preferred to adopt a ‘just, fair and reasonableness’ standard. Even otherwise, this is in consonance with the judicial approach adopted by this Court while construing ‘reasonable restrictions’ that the State can impose in public interest, as provided in Article 19 of the Constitution.

  • A very important feature which the present case has brought into focus is another dimension of human dignity, namely, in the form of ‘common good’ or ‘public good’. Thus, our endeavour here is to give richer and more nuanced understanding to the concept of human dignity. We, therefore, have to keep in mind humanistic concept of Human Dignity which is to be accorded to a particular segment of the society and, in fact, a large segment. Their human dignity is based on the socio-economic rights that are read in to the fundamental rights.

  • When we read socio-economic rights into human dignity, the community approach also assumes importance along with individualistic approach to human dignity. It has now been well recognised that at its core, human dignity contains three elements, namely, Intrinsic Value, Autonomy and Community Value. These are known as core values of human dignity. These three elements can assist in structuring legal reasoning and justifying judicial choices in ‘hard cases’.

  • When it comes to dignity as a community value, it emphasises the role of the community in establishing collective goals and restrictions on individual freedoms and rights on behalf of a certain idea of good life.

  • There needs to be a balancing of two facets of dignity of the same individual whereas, on the one hand, right of personal autonomy is a part of dignity (and right to privacy), another part of dignity of the same individual is to lead a dignified life as well (which is again a facet of Article 21 of the Constitution). Therefore, in a scenario where the State is coming out with welfare schemes, which strive at giving dignified life in harmony with human dignity and in the process some aspect of autonomy is sacrificed, the balancing of the two becomes an important task which is to be achieved by the Courts. For, there cannot be undue intrusion into the autonomy on the pretext of conferment of economic benefits.

  • The architecture of Aadhaar as well as the provisions of the Aadhaar Act do not tend to create a surveillance state. This is ensured by the manner in which the Aadhaar project operates. During the enrolment process, minimal biometric data in the form of iris and fingerprints is collected. The UIDAI does not collect purpose, location or details of transaction. Thus, it is purpose blind. The information collected, as aforesaid, remains in silos. Merging of silos is prohibited.

  • After going through the Aadhaar structure, as demonstrated by the respondents in the powerpoint presentation (as given during the hearing by the CEO of the UIDAI – Mr. AB Pandey) from the provisions of the Aadhaar Act and the machinery which the Authority has created for data protection, we are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR.

  • After detailed discussion, it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21.

  • The Court is also of the opinion that the triple test laid down in order to adjudge the reasonableness of the invasion to privacy has been made. The Aadhaar scheme is backed by the statute, i.e. the Aadhaar Act. It also serves legitimate State aim, which can be discerned from the Introduction to the Act as well as the Statement of Objects and Reasons which reflect that the aim in passing the Act was to ensure that social benefit schemes reach

  • Right to receive these benefits, from the point of view of those who deserve the same, has now attained the status of fundamental right based on the same concept of human dignity, which the petitioners seek to bank upon.

  • The Constitution does not exist for a few or minority of the people of India, but “We the people”.

  • We again emphasise that no person rightfully entitled to the benefits shall be denied the same on such grounds. It would be appropriate if a suitable provision be made in the concerned regulations for establishing an identity by alternate means, in such situations.

  • For the enrolment of children under the Aadhaar Act, it would be essential to have the consent of their parents/guardian.

  • On attaining the age of majority, such children who are enrolled under Aadhaar with the consent of their parents, shall be given the option to exit from the Aadhaar project if they so choose in case they do not intend to avail the benefits of the scheme.

  • In so far as the school admission of children is concerned, requirement of Aadhaar would not be compulsory as it is neither a service nor subsidy. Further, having regard to the fact that a child between the age of 6 to 14 years has the fundamental right to education under Article 21A of the Constitution, school admission cannot be treated as ‘benefit’ as well.

  • In so far as Section 2(b) is concerned, which defines ‘resident’, the apprehension expressed by the petitioners was that it should not lead to giving Aadhaar card to illegal immigrants. We direct the respondent to take suitable measures to ensure that illegal immigrants are not able to take such benefits.

  • However, apprehension of the petitioners is that this provision entitles Government to share the information ‘for the purposes of as may be specified by regulations’. The Aadhaar (Sharing of Information) Regulations, 2016, as of now, do not contain any such provision. If a provision is made in the regulations which impinges upon the privacy rights of the Aadhaar card holders that can always be challenged.

  • Therefore, Section 7 is the core provision of the Aadhaar Act and this provision satisfies the conditions of Article 110 of the Constitution. Upto this stage, there is no quarrel between the parties. In any case, a part of Section 57 has already been declared unconstitutional. We, thus, hold that the Aadhaar Act is validly passed as a ‘Money Bill’.

  • Even after judging the matter in the context of permissible limits for invasion of privacy, namely: (i) the existence of a law; (ii) a ‘legitimate State interest’; and (iii) such law should pass the ‘test of proportionality’, we come to the conclusion that all these tests are satisfied.

 

Dissenting Opinion by Chandrachud J.

  • The Aadhaar Act, 2016 is declared unconstitutional for failing to meet the necessary requirements to have been certified as a Money Bill under Article 110(1).

  • Adequate norms must be laid down for each step from the collection to retention of biometric data based on informed consent, along with specifying the time period for retention. Individuals must be given the right to access, correct and delete data. An opt-out option should be necessarily provided. The Aadhaar Act is bereft of these provisions.

  • Section 29(4)is over-broad as it gives wide discretionary power to UIDAI to publish, display or post core biometric information of an individual for purposes specified by the regulations.

  • Sections 2(g), (j), (k) and (t) suffer from overbreadth, as the phrase “such other biological attributes” can be expanded.

  • The proviso to Section 28(5) of the Aadhaar Act, which disallows an individual access to the biometric information that forms the core of his or her unique ID, is violative of a fundamental principle that ownership of an individual’s data must at all times vest with the individual.

  • This judgment concludes that the Aadhaar programme violates essential norms pertaining to informational privacy, self-determination and data protection.

  • The measures adopted by the respondents fail to satisfy the test of necessity and proportionality.

  • The architecture of Aadhaar enables surveillance activities through the Aadhaar database. Any leakage in the verification log poses an additional risk of an individual’s biometric data being vulnerable to unauthorised exploitation by third parties.

  • Before the enactment of the Aadhaar Act, MOUs signed between UIDAI and Registrars were not contracts within the purview of Article 299 of the Constitution, and therefore, do not cover the acts done by the private entities engaged by the Registrars for enrolment

  • The Aadhaar Act is also silent on the liability of UIDAI and its personnel in case of their non-compliance of the provisions of the Act or the regulations.

  • Section 47 of the Act violates citizens’ right to seek remedies. Under Section 47(1), a court can take cognizance of an offence punishable under the Act only on a complaint made by UIDAI or any officer or person authorised by it. Section 47 is arbitrary as it fails to provide a mechanism to individuals to seek efficacious remedies for violation of their right to privacy.

  • Making UIDAI which is administering the Aadhaar project, also responsible for providing a grievance redressal mechanism for grievances arising from the project severely compromises the independence of the grievance redressal body [ Section 23(2)(s) ]

  • In the absence of an independent regulatory and monitoring framework which provides robust safeguards for data protection, the Aadhaar Act cannot pass muster against a challenge on the ground of reasonableness under Article 14.

  • No substantive provisions, such as those providing data minimization, have been laid down as guiding principles for the oversight mechanism provided under Section 33(2), which permits disclosure of identity information and authentication records in the interest of national security

  • Section 57 violates Articles 14 and 21. it is manifestly arbitrary, it suffers from overbreadth and violates Article 14.

  • Section 7 suffers from overbreadth since the broad definitions of the expressions ‘services and ‘benefits’ enable the government to regulate almost every facet of its engagement with citizens under the Aadhaar platform. The inclusion of services and benefits in Section 7 is a pre-cursor to the kind of function creep which is inconsistent with the right to informational self-determination. Section 7 is therefore arbitrary and violative of Article 14 in relation to the inclusion of services and benefits as defined.

  • Section 59 does not validate actions of the state governments or of private entities. Section 59 fails to meet the test of a validating law since the complete absence of a regulatory framework and safeguards cannot be cured merely by validating what was done under the notifications of 2009 and 2016.

  • The judgment accepts that there is a legitimate state aim but the existence of a legitimate aim is insufficient to uphold the validity of the law, which must also meet the other parameters of proportionality spelt out in Puttaswamy.

  • Since the Aadhaar Act itself is now held to be unconstitutional for having been enacted as a Money Bill and on the touchstone of proportionality, the seeding of Aadhaar to PAN under Article 139AA does not stand independently

  • The 2017 amendments to the PMLA Rules fail to satisfy the test of proportionality. The imposition of a uniform requirement of linking Aadhaar numbers with all account based relationships proceeds on the presumption that all existing account holders as well as every individual who seeks to open an account in future is a potential money-launderer.

  • The conflation of biometric information with SIM cards poses grave threats to individual privacy, liberty and autonomy. Having due regard to the test of proportionality which has been propounded in Puttaswamy and as elaborated in this judgment, the decision to link Aadhaar numbers with mobile SIM cards is neither valid nor constitutional.

  • It is directed under Article 142 that the existing data which has been collected shall not be destroyed for a period of one year. During this period, the data shall not be used for any purpose whatsoever. At the end of one year, if no fresh legislation has been enacted by the Union government in conformity with the principles which have been enunciated in this judgment, the data shall be destroyed.

 

Partially Concurring Opinion of Ashok Bhushan J.

  • The requirement of demographic and biometric information under Aadhaar Act, 2016 does not violate fundamental right to privacy. It passes the three fold test as laid down in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors(Privacy Judgement).

  • Moreover, safeguards are available in Aadhaar Act, 2016 and there is no architecture for pervasive surveillance.

  • There should be a balance between social benefits disbursal by state with right to privacy.

  • Sec 7 of Aadhaar Act, 2016, making Aadhaar number necessary for receipt of certain subsidies, benefits and services etc. is held as constitutional. J. Bhushan observed that some cases of authentication failure should not nullify the entire provision.

  • Sec 29 which deals with restriction on sharing information, is upheld.

  • Sec 33 which provides for the use of Aadhaar data-base for police investigation, is upheld and found not violative of Art 20(3).

  • Sec 47 which disallows an individual to file a complaint for an offence under the Act, was upheld.

  • The last part of Sec 57 which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract is held unconstitutional.

  • Parental consent for providing biometric information under Regulation 3 & demographic information under Regulation 4 of Aadhaar (Enrolment and Update) Regulations, 2016 is made necessary.

  • Rule 9 as amended by PMLA (Second Amendment) Rules, 2017 making linkages of Aadhaar with bank accounts necessary is upheld and found not to violate Articles 14, 19(1)(g), 21 & 300A of the Constitution.

  • Circular dated 23.03.2017 by Department of Telecommunications, seeking Aadhaar-SIM linking is held unconstitutional.

  • Passing of Aadhaar Act as Money Bill is found to be valid but decision of Speaker certifying a Bill as Money Bill is not immune from Judicial Review.

  • Section 139AA of IT Act, 1961 which provides for linking of Aadhaar for filing of income tax returns is upheld and found not to violate Right to Privacy.