Constitutional validity of Aadhaar upheld by majority verdict authored by Justice Sikri and supplemented by Justice Bhushan, Justice Chandrachud the lone dissenter
Conclusions of the Aadhaar verdict authored by Justice AK Sikri with concurrence of Chief Justice Dipak Misra and Justice AM Khanwilkar:
Question before the Constitution Bench
Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?
Incidental Issues: (a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data? (b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?
Conclusion of CJI Misra and Justices Sikri and Khanwilkar (emphasis supplied)
(a) The architecture of Aadhaar as well as the provisions of the Aadhaar Act do not tend to create a surveillance state. This is ensured by the manner in which the Aadhaar project operates.
(b) We have recorded in detail the powerpoint presentation that was given by Dr. Ajay Bhushan Pandey, CEO of the Authority, which brings out the following salient features:
(i) During the enrolment process, minimal biometric data in the form of iris and fingerprints is collected. The Authority does not collect purpose, location or details of transaction. Thus, it is purpose blind. The information collected, as aforesaid, remains in silos. Merging of silos is prohibited. The requesting agency is provided answer only in ‘Yes’ or ‘No’ about the authentication of the person concerned. The authentication process is not exposed to the Internet world. Security measures, as per the provisions of Section 29(3) read with Section 38(g) as well as Regulation 17(1)(d) of the Authentication Regulations, are strictly followed and adhered to.
(ii) There are sufficient authentication security measures taken as well, as demonstrated in Slides 14, 28 and 29 of the presentation.
(iii) The Authority has sufficient defence mechanism, as explained in Slide 30. It has even taken appropriate protection measures as demonstrated in Slide 31.
(iv) There is an oversight by Technology and Architecture Review Board (TARB) and Security Review Committee.
(v) During authentication no information about the nature of transaction etc. is obtained.
(vi) The Authority has mandated use of Registered Devices (RD) for all authentication requests. With these, biometric data is signed within the device/RD service using the provider key to ensure it is indeed captured live. The device provider RD service encrypts the PID block before returning to the host application. This RD service encapsulates the biometric capture, signing and encryption of biometrics all within it. Therefore, introduction of RD in Aadhaar authentication system rules out any possibility of use of stored biometric and replay of biometrics captured from other source. Requesting entities are not legally allowed to store biometrics captured for Aadhaar authentication under Regulation 17(1)(a) of the Authentication Regulations.
(vii) The Authority gets the AUA code, ASA code, unique device code, registered device code used for authentication. It does not get any information related to the IP address or the GPS location from where authentication is performed as these parameters are not part of authentication (v2.0) and e-KYC (v2.1) API. The Authority would only know from which device the authentication has happened, through which AUA/ASA etc. It does not receive any information about at what location the authentication device is deployed, its IP address and its operator and the purpose of authentication. Further, the authority or any entity under its control is statutorily barred from collecting, keeping or maintaining any information about the purpose of authentication under Section 32(3) of the Aadhaar Act.
(c) After going through the Aadhaar structure, as demonstrated by the respondents in the powerpoint presentation from the provisions of the Aadhaar Act and the machinery which the Authority has created for data protection, we are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR. Insofar as authentication is concerned, the respondents rightly pointed out that there are sufficient safeguard mechanisms. To recapitulate, it was specifically submitted that there was security technologies in place (slide 28 of Dr. Pandey’s presentation), 24/7 security monitoring, data leak prevention, vulnerability management programme and independent audits (slide 29) as well as the Authority’s defence mechanism (slide 30). It was further pointed out that the Authority has taken appropriate pro-active protection measures, which included disaster recovery plan, data backup and availability and media response plan (slide 31).
(d) Insofar as use and protection of data is concerned, having regard to the principles enshrined in various cases, Indian and foreign, the matter is examined from the stand point of data minimisation, purpose limitation, time period for data retention, data protection and security (qua CIDR, requisite entities, enrolment agencies and Registrars, authentication service agency, hacking, biometric solution providers, substantive procedural or judicial safeguards).
After discussing the aforesaid aspect with reference to certain provisions of the Aadhaar Act, we are of the view that apprehensions of the petitioners stand assuaged with the striking down or reading down or clarification of some of the provisions, namely:
(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.
(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.
(iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.
(iv) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.
(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.
(vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.
Question before the Constitution Bench
Whether the Aadhaar Act violates right to privacy and is unconstitutional on this ground?
Conclusion of CJI Misra and Justices Sikri and Khanwilkar (emphasis supplied)
(a) After detailed discussion, it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21. This can be discerned from the reading of Paras 297 to 307 of the judgment.
(b) The Court is also of the opinion that the triple test laid down in order to adjudge the reasonableness of the invasion to privacy has been made. The Aadhaar scheme is backed by the statute, i.e. the Aadhaar Act. It also serves legitimate State aim, which can be discerned from the Introduction to the Act as well as the Statement of Objects and Reasons which reflect that the aim in passing the Act was to ensure that social benefit schemes reach the deserving community. The Court noted that the failure to establish identity of an individual has proved to be a major hindrance for successful implementation of those programmes as it was becoming difficult to ensure that subsidies, benefits and services reach the unintended beneficiaries in the absence of a credible system to authenticate identity of beneficiaries. The Statement of Objects and Reasons also discloses that over a period of time, the use of Aadhaar number has been increased manifold and, therefore, it is also necessary to take measures relating to ensuring security of the information provided by the individuals while enrolling for Aadhaar card.
(c) It may be highlighted that the petitioners are making their claim on the basis of dignity as a facet of right to privacy. On the other hand, Section 7 of the Aadhaar Act is aimed at offering subsidies, benefits or services to the marginalised section of the society for whom such welfare schemes have been formulated from time to time. That also becomes an aspect of social justice, which is the obligation of the State stipulated in Para IV of the Constitution. The rationale behind Section 7 lies in ensuring targeted delivery of services, benefits and subsidies which are funded from the Consolidated Fund of India. In discharge of its solemn Constitutional obligation to enliven the Fundamental Rights of life and personal liberty (Article 21) to ensure Justice, Social, Political and Economic and to eliminate inequality (Article 14) with a view to ameliorate the lot of the poor and the Dalits, the Central Government has launched several welfare schemes.
(d) Even the petitioners did not seriously question the purpose and bona fides of the Legislature enacting the law.
(e) The Court also finds that the Aadhaar Act meets the test of proportionality
(f) The Court finds that as the information collected at the time of enrolment as well as authentication is minimal, balancing at the first level is met. Insofar as second level, namely, balancing of two competing fundamental rights is concerned, namely, dignity in the form of autonomy (informational privacy) and dignity in the form of assuring better living standards of the same individual, the Court has arrived at the conclusion that balancing at the second level is also met. The detailed discussion in this behalf amply demonstrates that enrolment in Aadhaar of the unprivileged and marginalised section of the society, in order to avail the fruits of welfare schemes of the Government, actually amounts to empowering these persons. On the one hand, it gives such individuals their unique identity and, on the other hand, it also enables such individuals to avail the fruits of welfare schemes of the Government which are floated as socio-economic welfare measures to uplift such classes. In that sense, the scheme ensures dignity to such individuals. This facet of dignity cannot be lost sight of and needs to be acknowledged.
We are, by no means, accepting that when dignity in the form of economic welfare is given, the State is entitled to rob that person of his liberty. That can never be allowed. We are concerned with the balancing of the two facets of dignity. Here we find that the inroads into the privacy rights where these individuals are made to part with their biometric information, is minimal. It is coupled with the fact that there is no data collection on the movements of such individuals, when they avail benefits under Section 7 of the Act thereby ruling out the possibility of creating their profiles. In fact, this technology becomes a vital tool of ensuring good governance in a social welfare state. We, therefore, are of the opinion that the Aadhaar Act meets the test of balancing as well.
(g) The entire aim behind launching this programme is the ‘inclusion’ of the deserving persons who need to get such benefits. When it is serving much larger purpose by reaching hundreds of millions of deserving persons, it cannot be crucified on the unproven plea of exclusion of some. It is clarified that the Court is not trivialising the problem of exclusion if it is there. However, what we are emphasising is that remedy is to plug the loopholes rather than axe a project, aimed for the welfare of large section of the society. Obviously, in order to address the failures of authentication, the remedy is to adopt alternate methods for identifying such persons, after finding the causes of failure in their cases.
We have chosen this path which leads to better equilibrium and have given necessary directions also in this behalf, viz:
(i) We have taken on record the statement of the learned Attorney General that no deserving person would be denied the benefit of a scheme on the failure of authentication.
(ii) We are also conscious of the situation where the formation of fingerprints may undergo change for various reasons. It may happen in the case of a child after she grows up; it may happen in the case of an individual who gets old; it may also happen because of damage to the fingers as a result of accident or some disease etc. or because of suffering of some kind of disability for whatever reason. Even iris test can fail due to certain reasons including blindness of a person. We again emphasise that no person rightfully entitled to the benefits shall be denied the same on such grounds. It would be appropriate if a suitable provision be made in the concerned regulations for establishing an identity by alternate means, in such situations.
(h) As far as subsidies, services and benefits are concerned, their scope is not to be unduly expanded thereby widening the net of Aadhaar, where it is not permitted otherwise. In this respect, it is held as under:
(i) ‘Benefits’ and ‘services’ as mentioned in Section 7 should be those which have the colour of some kind of subsidies etc., namely, welfare schemes of the Government whereby Government is doling out such benefits which are targeted at a particular deprived class.
(ii) It would cover only those ‘benefits’ etc. the expenditure thereof has to be drawn from the Consolidated Fund of India.
(iii) On that basis, CBSE, NEET, JEE, UGC etc. cannot make the requirement of Aadhaar mandatory as they are outside the purview of Section 7 and are not backed by any law.
Question before the Constitution Bench
Whether children can be brought within the sweep of Sections 7 and 8 of the Aadhaar Act?
Conclusion of CJI Misra and Justices Sikri and Khanwilkar (emphasis supplied)
(a) For the enrolment of children under the Aadhaar Act, it would be essential to have the consent of their parents/guardian.
(b) On attaining the age of majority, such children who are enrolled under Aadhaar with the consent of their parents, shall be given the option to exit from the Aadhaar project if they so choose in case they do not intend to avail the benefits of the scheme.
(c) Insofar as the school admission of children is concerned, requirement of Aadhaar would not be compulsory as it is neither a service nor subsidy. Further, having regard to the fact that a child between the age of 6 to 14 years has the fundamental right to education under Article 21A of the Constitution, school admission cannot be treated as ‘benefit’ as well.
(d) Benefits to children between 6 to 14 years under Sarv Shiksha Abhiyan, likewise, shall not require mandatory Aadhaar enrolment.
(e) For availing the benefits of other welfare schemes which are covered by Section 7 of the Aadhaar Act, though enrolment number can be insisted, it would be subject to the consent of the parents, as mentioned in (a) above.
(f) We also clarify that no child shall be denied benefit of any of these schemes if, for some reasons, she is not able to produce the Aadhaar number and the benefit shall be given by verifying the identity on the basis of any other documents.
Question before the Constitution Bench
(4) Whether the following provisions of the Aadhaar Act and Regulations suffer from the vice of unconstitutionality:
(i) Sections 2(c) and 2(d) read with Section 32
(ii) Section 2(h) read with Section 10 of CIDR
(iii) Section 2(l) read with Regulation 23
(iv) Section 2(v)
(v) Section 3
(vi) Section 5
(vii) Section 6
(viii) Section 8
(ix) Section 9
(x) Sections 11 to 23
(xi) Sections 23 and 54
(xii) Section 23(2)(g) read with Chapter VI & VII –
Regulations 27 to 32
(xiii) Section 29
(xiv) Section 33
(xv) Section 47
(xvi) Section 48
(xvii) Section 57
(xviii) Section 59
Conclusion of CJI Misra and Justices Sikri and Khanwilkar (emphasis supplied)
(a) Section 2(d) which pertains to authentication records, such records would not include metadata as mentioned in Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016. Therefore, this provision in the present form is struck down. Liberty, however, is given to reframe the regulation, keeping in view the parameters stated by the Court.
(b) Insofar as Section 2(b) is concerned, which defines ‘resident’, the apprehension expressed by the petitioners was that it should not lead to giving Aadhaar card to illegal immigrants. We direct the respondent to take suitable measures to ensure that illegal immigrants are not able to take such benefits.
(c) Retention of data beyond the period of six months is impermissible. Therefore, Regulation 27 of Aadhaar (Authentication) Regulations, 2016 which provides archiving a data for a period of five years is struck down.
(d) Section 29 in fact imposes a restriction on sharing information and is, therefore, valid as it protects the interests of Aadhaar number holders. However, apprehension of the petitioners is that this provision entitles Government to share the information ‘for the purposes of as may be specified by regulations’. The Aadhaar (Sharing of Information) Regulations, 2016, as of now, do not contain any such provision. If a provision is made in the regulations which impinges upon the privacy rights of the Aadhaar card holders that can always be challenged.
(e) Section 33(1) of the Act prohibits disclosure of information, including identity information or authentication records, except when it is by an order of a court not inferior to that of a District Judge. We have held that this provision is to be read down with the clarification that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing. If such an order is passed, in that eventuality, he shall also have right to challenge such an order passed by approaching the higher court. During the hearing before the concerned court, the said individual can always object to the disclosure of information on accepted grounds in law, including Article 20(3) of the Constitution or the privacy rights etc.
(f) Insofar as Section 33(2) is concerned, it is held that disclosure of information in the interest of national security cannot be faulted with. However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be associated with. We may point out that such provisions of application of judicial mind for arriving at the conclusion that disclosure of information is in the interest of national security, are prevalent in some jurisdictions. In view thereof, Section 33(2) of the Act in the present form is struck down with liberty to enact a suitable provision on the lines suggested above.
(g) Insofar as Section 47 of the Act which provides for the cognizance of offence only on a complaint made by the Authority or any officer or person authorised by it is concerned, it needs a suitable amendment to include the provision for filing of such a complaint by an individual/victim as well whose right is violated.
(h) Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.
(i) Other provisions of Aadhaar Act are held to be valid, including Section 59 of the Act which, according to us, saves the pre-enactment period of Aadhaar project, i.e. from 2009-2016.
Question before the Constitution Bench
Whether the Aadhaar Act could be passed as ‘Money Bill’ within the meaning of Article 110 of the Constitution?
Conclusion of CJI Misra and Justices Sikri and Khanwilkar (emphasis supplied)
The petitioners accept that Section 7 of the Aadhaar Act has the elements of ‘Money Bill’. The attack is on the premise that some other provisions, namely, clauses 23(2)(h), 54(2)(m) and 57 of the Bill (which corresponds to Sections 23(2)(h), 54(2)(m) and 57 of the Aadhaar Act) do not fall under any of the clauses of Article 110 of the Constitution and, therefore, Bill was not limited to only those subjects mentioned in Article 110.
Section 7 is the core provision of the Aadhaar Act and this provision satisfies the conditions of Article 110 of the Constitution. Upto this stage, there is no quarrel between the parties.
On examining of the other provisions pointed out by the petitioners in an attempt to take it out of the purview of Money Bill, we are of the view that those provisions are incidental in nature which have been made in the proper working of the Act. In any case, a part of Section 57 has already been declared unconstitutional. We, thus, hold that the Aadhaar Act is validly passed as a ‘Money Bill’.
Question before the Constitution Bench
Whether Section 139AA of the Income Tax Act, 1961 is violative of right to privacy and is, therefore, unconstitutional?
Conclusion of CJI Misra and Justices Sikri and Khanwilkar (emphasis supplied)
Validity of this provision was upheld in the case of Binoy Viswam by repelling the contentions based on Articles 14 and 19 of the Constitution. The question of privacy which, at that time, was traced to Article 21, was left open. The matter is reexamined on the touchstone of principles laid down in K.S. Puttaswamy. The matter has also been examined keeping in view that manifest arbitrariness is also a ground of challenge to the legislative enactment. Even after judging the matter in the context of permissible limits for invasion of privacy, namely: (i) the existence of a law; (ii) a ‘legitimate State interest’; and (iii) such law should pass the ‘test of proportionality’, we come to the conclusion that all these tests are satisfied.
Read the full Aadhaar verdict, along with the dissenting verdict by Justice DY Chandrachud and concurring verdict by Justice Ashok Bhushan here:
https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf
— India Legal Bureau