These days, telecom operators are relying on Aadhaar data for customer verification before activating SIM cards. Reliance Jio, which is creating waves in the telecom field, is making use of this facility to its fullest potential. Operators like Airtel and Vodafone have also started to make use of Aadhaar data. Ever wondered how such private players are able to make use of Aadhaar data containing personal and sensitive information? Are there any regulations in place to ensure that nothing untoward happens when sensitive information passes into the hands of private agencies? This article attempts to analyse the legal framework within which private entities are using Aadhaar data for giving service benefits.
The Parliament passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act in March 2016. Section 57 of the Act enables corporates and persons other than the government to use the Aadhaar number to establish the identity of a person for any purpose pursuant to a law or contract. Section 57 reads as follows:
Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:
Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.
The proviso makes it clear that the use of Aadhaar number by private entities should be in compliance with Section 8 and Chapter VI of the Act. Section 8 and Chapter VI are based on two fundamental principles recognised by the Aadhaar Act: ‘individual consent’ and ‘confidentiality of information’.
The Act recognises biometric data to be ‘sensitive personal information’, as per Section 30.
Chapter VI of the Act, comprising Sections 28 to 33, deals with safeguards for the protection and security of confidential information.
Section 8 deals with the manner in which the consent of the individual should be obtained before using his Aadhaar number for ‘authentication’. Before proceeding further, it is important to understand certain concepts regarding the scheme of the Act.
The biometric and demographic information of persons collected under the Act is stored in a centralised database called the ‘Central Identities Data Repository’ (CIDR), which is under the control of the Unique Identification Authority of India (UIDAI).
An entity which wants to use the Aadhaar data to ascertain the identity of a person for giving any service or benefit is called a ‘requesting entity’ (Sec.2(u)). This ‘requesting entity’ could be a government department (like the Income Tax Dept.), PSUs or banks, telecom operators etc., whether in the public or private sector, by virtue of Section 57. The Aadhaar number and biometric data of the intending customer are passed on by the requesting entity to the central depository. If the data supplied by the requesting entity matches the information in the central database, a positive response is returned by the authority to the requesting entity, verifying correctness of identity. If there is no match, a negative response is returned. This process is called ‘authentication’ (Sec.2(c)).
A requesting entity can use the Aadhaar number and biometric data of an individual for authentication only with the informed consent of the individual. This is the mandate of Section 8. The individual has to be informed about the nature of information shared for authentication, and also the uses to which the information so received will be put. The information should be given and consent should be obtained in the manner specified in the regulations.
Aadhaar (Authentication) Regulations 2016
The informed consent of the individual has to be obtained in the manner specified in the said Rules. The requesting entity, who is desirous of using Aadhaar data, should register itself with the authority as per the regulations as an ‘authentication user agency (AUA)’. There are agencies which act as intermediaries between the AUA and the UIDAI by providing infrastructure for connectivity and access, registered under the regulations as ‘authentication service agency (ASA)’. The AUA will only get a yes/no response from the authority regarding the data supplied. The authority will not share the demographic or biometric information of the customer with the AUA, except for giving a yes/no response on the basis of verification search. However, if the AUA is registered as an ‘e-KYC user agency (KUA)’, the biometric and demographic information of the customer stored in the central depository will be shown to the agency so that the identity of the customer also could be physically verified by the agency.
Having analysed the scheme of registration under the Regulations, it is pertinent to refer to Regulation 6, which specifies the manner of obtaining consent. Regulation 6 reads as:
(1) After communicating the information in accordance with regulation 5, a requesting entity shall obtain the consent of the Aadhaar number holder for the authentication.
(2) A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.(emphasis supplied)
It is clear from the above that mere oral consent of the individual will not fulfil the mandate of the regulation. The consent has to be recorded, preferably in electronic form. Also, the requesting entity has to maintain logs or records of the consent obtained. The requesting entity also has to ensure that persons employed by it for performing authentication functions, and for maintaining necessary systems, infrastructure and processes, possess the requisite qualifications for undertaking such work (Reg.14(f)). The entity also has to maintain logs and records, and preserve them for two years; the Aadhaar number-holder has the right to access such logs and records (Reg.18). The Act also enables the number-holder to access the authentication records (Sec.32).
Worrying practices of non-compliance by agents of telecom operators
Although the Act and regulations prescribe mandatory guidelines to be followed while using demographic and biometric information of the individual, the ground realities show that such guidelines are mostly observed in breach by the agents of telecom operators. When telecom operators like Reliance Jio offer a honey-pot of free internet packages, it is natural that customers swarm to mobile shops for activating new SIM cards. When they are required to provide their biometric data for getting a new connection, they will not be reluctant to do so. From the personal experience of this author, it was observed that Reliance Jio is an ‘e-KYC user agency (KUA)’. The customer has to furnish his Aadhaar number and biometric data in the form of finger-prints. Upon pressing the finger in the device of the telecom agent, the authority sends back the Aadhaar information of the customer, including photograph, and other demographic details to the agent after verification. However, this process is done in total contravention of the regulation, particularly Regulation 6(2).
Firstly, the agents in mobile shops who operate the device for taking biometric information are not at all aware of the legal requirements of the process. The customer is not made aware of the ramifications of supplying biometric data. Also, the requirement under Regulation 6(2) is to obtain consent in written form, preferably in electronic form.
There is also a requirement to maintain logs and records of consent obtained. There is a further requirement to maintain records of authentication process as well.
Sadly, none of these requirements are followed in most of the mobile phone shops; the process is done in contravention of regulations. Since customers are generally unaware and also eager to get a new SIM at the earliest, they too part with their sensitive information without insisting on compliance with the regulations.
The Act and regulation confer a right on the Aadhaar number-holder to access the logs and records of consent and authentication in future. However, since the records and logs of consent and authentication are not maintained as prescribed by the regulations, the said statutory right gets irredeemably frustrated. In short, there is no mechanism to ensure that the process is carried out in a transparent manner, in compliance with all security and protection requirements.
This is not to suggest that the Aadhaar data is being misused by the telecom operators or their agents. However, it is evident that there is total ignorance in this process. There is also total disregard of the regulations in using Aadhaar data for activation of SIM cards. Neither the public nor the mobile operators seem to be aware of the procedure specified by the regulations. Hence, there is complete anarchy in this field.
Also, the situation has to be analysed in the light of the apprehensions and security concerns expressed by several experts regarding collection and storage of Aadhaar data. The Act is criticised by many on the ground that there is severe infringement of privacy rights. It is also relevant to note that the matter regarding the validity of Aadhaar and right to privacy was referred to the consideration of the Constitutional Bench of the Supreme Court in August 2015. The Act was passed thereafter in March 2016. The manner in which the Act was passed is also subject to harsh criticism, as it was introduced and passed as a Money Bill. Hence, the validity of the manner in which the Act was passed has been challenged before the Supreme Court and the issue is pending.
So, a lot of questions and doubts surround the use of Aadhaar number. In this backdrop, the haphazard manner in which the Aadhaar data is used for authentication in giving mobile connections is a matter of serious concern. The authorities must act to spread awareness about the regulations and to ensure compliance with them. By reposing trust in the state, many citizens have furnished their vital personal information, including biometric information, and when the state is acting as a custodian of biometric and demographic information of crores of Indian citizens, it must act with extra care and caution to ensure that the regulations framed by it are complied with, both in letter and spirit, without fail; especially so, when such information is passing into the hands of private entities.
Manu Sebastian is an Advocate at High Court of Kerala.
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]
This article has been made possible because of financial support from Independent and Public-Spirited Media Foundation.