As the dust has settled on the Supreme Court verdict on Aadhaar, people searching for certainty as opposed to fuel for arguments have been sorely disappointed. Specifically on the issue of private sector use of Aadhaar, the judgment appears to upend current understanding, implementation, and business models by striking down major parts of Section 57 of the Aadhaar Act. Confusion reigns on whether this can be remedied through a new law authorising private sector use, or if the Court has closed this window completely. The seeds for this confusion were sown a while ago though, and sorting through these events should provide some lessons for policymaking.
Aadhaar was originally conceptualised in 2009 as a project to provide a unique biometric-backed identity number to individuals, to enable better distribution of entitlements and subsidies. It has evolved over time into an identity-as-a-service product, which helps unbundle authentication and know-your-customer (KYC) requirements which are a pre-requisite of many services, particularly in the financial sector.
The Aadhaar programme was set up under an executive order in 2009, with the implicit understanding that it would soon receive legislative backing. But after the failure to pass the National Identification Authority of India Bill, 2010, no serious efforts were made to pass a law until 2016. At the same time, some of those involved in the Aadhaar project seemed to recognise early on that it would have implications for privacy and the chequered history of draft privacy bills began in 2010 as a direct consequence. None of these draft privacy bills ever became law, though.
Under increasing scrutiny by the Supreme Court, and without an overarching privacy or data protection framework to provide bright lines on usage of personal data and private use of Aadhaar infrastructure, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, usually referred to as the Aadhaar Act, was passed in 2016. Its controversial passage as a money bill (thus requiring only a Lok Sabha vote) required it to satisfy a very specific test – it needed to contain only provisions relating to government spending.
The legal challenges to Aadhaar before the Supreme Court date back to 2012. For various reasons though, the Court instead of hearing and deciding the case in a reasonable period of time, stretched this out to six years. This led to charges from some quarters that the Court and the government were creating a fait accompli situation, simply waiting out the clock until Aadhaar was too big to fail. This would then leave no option for the Court except to render a pragmatic judgment based on a hurriedly passed Aadhaar Act and promises of a robust data protection framework being put in place. Designating the Aadhaar Act a money bill may have, however, presented the Court with a different type of fait accompli when it came to testing the constitutionality of provisions of the Aadhaar Act relating to private sector use.
While reaffirming the basis of the project, the majority judgment has struck down large portions of Section 57, which provides the basis for private sector use of services such as Aadhaar e-KYC and eSign. In explaining its reasoning, the Court says that “the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities”, and concludes that this would be a violation of the right to privacy. The expansive language used while striking down these provisions, coupled with the implication that Aadhaar can only be used on the basis of a law that meets the test of ‘proportionality’, leaves uncertainty about how the private sector can use Aadhaar infrastructure in the future.
Why did this happen though? Given a sufficiently robust data protection framework, couldn’t private companies be restricted from exploiting demographic data in a way that violates privacy, while still allowing users the benefit of quick eKYC? And at a factual level, given that biometrics aren’t shared with anyone during an Aadhaar authentication, why was the Court concerned that private parties would commercially exploit biometric information? Why wasn’t leeway left for individuals to voluntarily use Aadhaar authentication in transactions with private parties?
The answer may lie in one of the hacks that the government relied on to pass the Aadhaar Act quickly – designating it a money bill. One of the strongest challenges to the Aadhaar Act by the petitioners was on this issue. The majority judgment unsurprisingly found that the Aadhaar Act was validly designated a money bill – any other conclusion would have invalidated the entire Act. The bench had to jump through a number of hoops in order to reach this highly tenuous conclusion and a provision allowing for private use of Aadhaar infrastructure would have made this conclusion appreciably less tenable. A money bill needs to be directly and primarily related only to government spending and the justification was that the Aadhaar Act was to do with efficient disbursal of government subsidies. An architecture for private sector use of this infrastructure does not sit well with this justification. This is perhaps implicitly acknowledged in the judgment – where it deals with provisions which the petitioners claim are incompatible with a money bill, it states that “in any case, a part of Section 57 has already been declared unconstitutional” and does not go into the merits of the issue.
The fateful decision to pass the Aadhaar Act as a money bill may have, therefore, effectively tied the hands of the Court, leaving them with a Hobson’s choice: limiting Aadhaar exclusively to government use or having to rule the entire Act invalid.
The future roadmap for private sector use of Aadhaar is now an open question, though there is clear determination from the government and private sector to find a solution allowing for it, perhaps relying on existing laws and regulations in the financial sector to allow for use cases relating to financial inclusion. Alternatively, and for broader use cases, given that the Aadhaar Act is a money bill, rather than amending the Act, the government may instead choose to attempt to pass a new law (taken through both houses of Parliament) providing a clear framework for private sector use of Aadhaar infrastructure, with specific safeguards to allay fears of privacy violations. This will throw up interesting questions for the inevitable legal challenge, but might just pass muster. Passing such a law will take time and an expenditure of political capital though and for reasons of expediency, an ordinance could be passed first to address immediate doubts.
The legislative framework behind Aadhaar has always lagged significantly behind the actual progress of the programme, resulting in much of the confusion we see today. Failure by successive governments to quickly put in place an enabling structure for Aadhaar with sufficient checks, balances, and accountability, has resulted in a breakdown of trust, the flourishing of doubts, and an increasingly polarised environment that makes it hard to fix earlier mistakes even if committed in good faith. The tendency to rely on executive fiat instead of legislative consensus can leave even a well-intentioned effort open to attack, with each side digging in their heels.
The inevitable outcome of this has been to invest the Supreme Court with policymaking power which it is ill-equipped to exercise. Left with few options, the Court has attempted to reach a middle ground, sometimes sacrificing facts, procedure, and even legal principles, at the altar of peacemaking.
The only way to avoid this type of outcome is to devote the time and resources required to make good policy and law. This is not an alien concept. There are multiple examples in recent memory from the financial sector and telecom where thoughtful, well-run policymaking processes have resulted in positive and sustainable outcomes.
This is particularly important given that the government currently seems focussed on ensuring that India has a ‘free and fair digital economy’, with a determined effort to use all policy levers available and a seeming willingness to strike out on new paths that other countries haven’t trodden. Given this, it is especially important that an inclusive and consultative process is used while figuring out what makes sense for India. On issues such as data localisation, e-commerce, and cross border data flows, any mistakes made due to hurried policymaking will inevitably be costly. Building on the lessons learned from Aadhaar will be crucial in order to avoid the traps of expansive executive action and legislative shortcuts.
(Disclosure: The author is an advisor to fintech companies which are affected by the judgment.)