Justice A. M. Khanwilkar asked Shyam Divan “Are the many notifications issued prior to the Act of 2016, which mandate Aadhaar, not validated by virtue of section 59 of the Act?”
“In my opinion, a violation of Fundamental Rights cannot be validated retrospectively”, replied Mr. Diwan.
As the five-judge Constitution Bench reconvened post lunch hour on Thursday, Senior Counsel Shyam Diwan discussed at great length the 2017 Judgment in (Retd.) Justice K. S. Puttaswamy case, wherein a nine-judge bench of the Supreme Court had upheld the right to privacy as a Fundamental Right.
The Senior Counsel quoted the paragraph of the judgment discussing the article dating back to December, 1890, published in the Harvard Law Review, in which Samuel D. Warren and Louis Brandeis adverted to the evolution of the right to life to mean “the right to enjoy life – the right to be let alone”- “The ringing observations of Warren and Brandeis on the impact of technology have continued relevance today in a globalised world dominated by the internet and information technology. As societies have evolved, so have the connotations and ambit of privacy”.
Mr. Diwan recited the comments in the Justice K. S. Puttaswamy judgment regarding the right to privacy as a “natural and inalienable right”, and in so far as it discusses the observations of the Supreme Court in the 1975 case of Gobind v. State of Madhya Pradesh- “There can be no doubt that privacy-dignity claims deserve to be examined with care and to be denied only when an important countervailing interest is shown to be superior”.
The passage of the Justice K. S. Puttaswamy judgment citing precedents, which read the right to privacy as being implicit in Articles 19(1) and 21, was also quoted- “These would include telephone tapping (PUCL), prior restraints on publication of material on a death row convict (Rajagopal), inspection and search of confidential documents involving the banker - customer relationship (Canara Bank), disclosure of HIV status (Mr X v Hospital Z), food preferences and animal slaughter (Hinsa Virodhak Sangh), medical termination of pregnancy (Suchita Srivastava), scientific tests in criminal investigation (Selvi), disclosure of bank accounts held overseas (Ram Jethmalani) and the right of transgenders (NALSA).
Mr. Diwan referred to the paragraphs of the K. S. Puttaswamy judgement dealing with the Preamble to the Constitution and assurance to the “dignity of the individual”, and in so far it cites the 2006 judgment in M. Nagaraj wherein dignity was observed to be inseparable from human existence.
“In this digitalised world, the Union government has to be an ally of the citizen and ensure that his privacy interests are protected against private or overseas concerns”, remarked Mr. Diwan.
Further, the Senior Counsel quoted the 9 judge bench judgment, in so far as it discusses the 2012 American case of United States v Jones, where it was held unanimously that installing a Global Positioning System (GPS) tracking device on a vehicle and using the device to monitor the vehicle's movements constitutes a Government’s physical intrusion onto the defendant's car for the purpose of obtaining information and therefore a “search”.
At this juncture, the Chief Justice Dipak Misra directs the Senior Counsel to the paragraphs of the Justice Puttaswamy wherein it was observed that “The age of information has resulted in complex issues for informational privacy...Information is nonrivalrous in the sense that there can be simultaneous users of the good...Secondly, invasions of data privacy are difficult to detect because they can be invisible...Thirdly, information is recombinant in the sense that data output can be used as an input to generate more data output”, and that “Data Mining processes together with knowledge discovery can be combined to create facts about individuals. Metadata and the internet of things have the ability to redefine human existence in ways which are yet fully to be perceived...This poses serious issues for the Court. In an age of rapidly evolving technology it is impossible for a judge to conceive of all the possible uses of information or its consequences”.
Mr. Diwan had, on Wednesday, discussed the Organisational Hierarchy under the Aadhaar project- the biometric data of the residents applying for enrolment passing through the enrolling agencies, which may be private players, to the registrars and the Registrar General of India, and finally, to the UIDAI.
On Thursday, he cited names of some private enrolment agencies appointed in the year 2012-13 and their contact persons. He also submitted that even the registrar under the Aadhaar project could be a bank, a university or a private body.
“You have made your point. We have understood that in the course of the execution of the Aadhaar project and the gathering of data, private players been very actively involved at all stages. Citing names of organisations and individuals would not be necessary”, interjected Justice Sikri.
“My object is to bring out that the nature and integrity of the entire process has been affected by the involvement of private parties”, replied Mr. Diwan.
Thereupon, the Senior Counsel drew the attention of the bench to a statement dated April 10, 2017 of the Minister of Law and Minister of Electronics and Information Technology in the Rajya Sabha that the UIDAI has cancelled and blacklisted 34,000 Aadhaar “operators” since the inception of the Aadhaar project.
Further, relying on a press report dated September 12, 2017, Mr. Diwan submitted that by the UIDAI’s own admission, 49,000 such enrolment operators have been blacklisted owing to contraventions of its own operating procedures.
UIDAI handbook for registrars
Mr. Diwan quoted content of the UIDAI’s handbook for registrars in support of his arguments-
“How will Aadhaar be built?
Aadhaar will be built in partnership with Registrars. Registrars will collect demographic & biometric data from residents directly or through Enrolment Agencies...Registrars have the flexibility to collect additional data, which will be referred to as KYR+ fields for the various applications they have in mind...”
With a view to further emphasise on the overreaching powers conferred on the registrars, Mr. Diwan cited the roles and responsibilities accorded thereto- “Registrars may retain the biometric data collected from residents enrolled by them. However, the Registrar will have to exercise a fiduciary duty of care with respect to the data collected from residents and will be responsible for loss, unauthorized access to and misuse of data in their custody...the registrars shall define their own security policy and protocols to ensure safety of the biometric data...The Registrars must retain the Proof of Identity / Proof of Address /Consent for enrolment documents in proper custody...”
“The UIDAI does not seem to be shouldering any responsibility”, remarked Mr. Diwan.
Frequently Asked Questions (FAQs) on the UIDAI website
Further, The Senior Counsel for the petitioners quoted the answer on the UIDAI website to the question as to who the Registrar is- “‘Registrar’ is any entity authorized or recognized by the UID Authority for the purpose of enrolling the individuals for UID numbers. Registrars are typically departments or agencies of the State Government/Union territory, public sector undertakings and other agencies and organizations, who interact with residents in the normal course of implementation of some of their programs, activities or operations”
He also read out replies to identical queries in respect of the verifier, the introducer, the enrolment agency, the operator and the supervisor- “For Verification based on Documents, the verifier present at the Enrolment Centre will verify the documents. Registrars must appoint personnel for the verification of documents. Generally, the services of retired government officials are to be procured, but in case of non-availability thereof, the Registrar may be even outsource the work”.
“Introducers are individuals (for example, Registrar’s employees, elected local body members, members of local administrative services etc.) identified by a Registrar”
“The UIDAI is not in the picture at all”, commented the Senior Counsel.
“Enrolment Agencies are entities hired by the Registrars for undertaking demographic and biometric data collection for UID enrolment”.
“An Operator is employed by an Enrolment Agency to execute enrolment at the enrolment stations”.
“A Supervisor is employed by an Enrolment Agency to operate and manage enrolment centres”.
Memorandum of Understanding (MoU) between the UIDAI and the Government of NCT of Delhi
Mr. Diwan quoted the definition of ‘registrar’ as provided in the MoU dated June 28, 2010- “Registrars are departments or agencies of the government of NCT of Delhi, which in the normal course of some of their programmes or activities interact with the residents, and are authorised by the government of NCT of Delhi to enrol residents into the UID system”
“The Registrars were to be agencies of the government? And the Registrar could himself also be an enrolment agency?” asked Justice Chandrachud. “Yes”, replied the Senior Counsel.
Referring to the list of obligations of the registrar under the MoU, inter alia, entitling the registrar to collect any information in addition to that prescribed by the UIDAI for the purpose of rendering any services on the UID number, Mr. Diwan called it an “open ended” provision.
MoU between the UIDAI and the Allahabad bank
Mr. Diwan discussed the provisions of the MoU pertaining to the Registrars and enrolment agencies- “‘Registrar’ means the Allahabad bank including its agents like the service providers, business correspondents and the business facilitators”.
“‘Enrolling agencies’ mean agencies hired by the bank or the other registrars to perform enrolment functions on their behalf”.
The Senior Counsel also drew the attention of the bench to the provision permitting the bank to collect additional data for the purpose of their business operations.
Making a reference to Article 299 of the Constitution, which provides that “All contracts made in the exercise of the executive power of the Union or of a State shall be expressed to be made by the President, or by the Governor of the State, as the case may be, and all such contracts and all assurances of property made in the exercise of that power shall be executed on behalf of the President or the Governor by such persons and in such manner as he may direct or authorise”, Mr. Diwan submitted, “Such MoUs do not even amount to contracts in the eye of law. There is palpable arbitrariness in engaging in this massive infrastructure of sucking up biometric data without any statutory backing or even a contract”.
At this point, Justice A. M. Khanwilkar sought to inquire, “Are the many notifications issued prior to the Act of 2016, which mandate Aadhaar, not validated by virtue of section 59 of the Act?”
“In my opinion, a violation of Fundamental Rights cannot be validated retrospectively”, replied Mr. Diwan.
Seeking permission of the Court to make a slight departure from the thread of submissions, Mr. Diwan narrated, as an instance of the glaring security lacunae in the UIDAI’s enrolment procedure and its misplaced reliance on biometrics, “In September 2017, the Uttar Pradesh Special Task Force unearthed operations whereby of a group of individuals was issuing fake Aadhaar numbers by accessing the UIDAI’s enrolment software as well as cloning the fingerprints of the authorised agents”.
The hearing shall resume on Tuesday.