The Supreme Court Constitution Bench of Chief Justice Dipak Misra and Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan resumed hearing on the batch of petitions challenging the validity of the Aadhaar Act and Aadhaar linkages on Thursday (April 12) with senior counsel Rakesh Dwivedi, speaking for the government, beginning his submissions.
He said Section 8(2)(b) of the Act relates to consent. The requesting entity shall ensure that the information of an individual shall be used for the central repository. The information is strictly confined for the purposes of authentication process only. Hence, we are specifically restricted to authentication process.
Both section 29(1) and page 4 of the Act deal with the same thing – no sharing of the core biometrics and accordingly, section 29(3) must be understood. Prior permission from the UIDAI is required to bring anyone onboard. Not anyone’s information shall be passed on. No possibility of surveillance.
The DNA of the Aadhaar Act is the design, the narrative and the architecture of the Act. All that can be shared is demographic information and photograph, which is not a core biometric.
Justice Chandrachud said: “We’re completely neutral on the authentication purpose. We’re now focusing on the requesting entity.”
Dwivedi said: “No disclosure of any individual’s core biometrics is done. That I can assure you.”
He further quoted examples to support his argument. He said core biometrics is a complete bar.
Justice Bhushan asked whether the requesting entity shall have any other information. Dwivedi said no. He said if the bench is unsure whether requesting agencies collect information that they are not supposed to, then the bench should read down sections 8(3) and 29(3) to make sure that the requesting entities do not know the purpose of the authentication or collect any information.
He quoted the European Union data protection law, saying that no fundamental rights will ever come in the way of data outflow. He said there is no 100% assurance, but the protection safeguard has to be reasonable, fair and just. This is what flows from article 21. If this is not the case, no legislation would ever survive.
Justice Chandrachud said: “We can use the ‘cut option’ for 8(3) and 29(3).”
“We don’t need to cut and paste anything,” said Dwivedi.
Justice Chandrachud warned: “We don’t know the limitations of commercial engineering. The fact remains that they’re making use of the data.”
The counsel said: “Presently, the apprehensions and fears of today are being looked into by the bench. Later, other issues may arise and the lordships can look into them. The algorithms are different from what we have and what Google, Facebook, Twitter have. Ours is matching, Google has a learning algorithm. That’s where the problem lies.”
Justice Chandrachud said: “Just because we have a limitation of knowledge, we should not have a blinkered view of the reality.”
Dwivedi said: “The lordships must remove their fear. We don’t have that kind of an analysing data algorithm where the data might be leaked. If this succeeds, the smart cards will become an endangered species. Singapore is already planning to shift from smart cards similar to Aadhaar.”
Justice Chandrachud again said: “The area of concern is because this Aadhaar has a direct connection with the outside world.”
Dwivedi said: “If learning algorithm is there, then only the problem exists.”
Justice Sikri asked: “How can you ensure that the requesting entities don’t misuse the data? Today, guidelines are there but not followed. But we want some monitoring committee to watch.”
Dwivedi said: “We can ensure that the requesting entities comply with the contract in pursuance of the law. Section 28 of the Act also provides protection of information. The information will be in the control of UIDAI and will be kept secure in CIDR. Section 57 does not allow just anyone to become a requesting entity. It’s a limited exercise. UIDAI will not approve anyone. We’re numbering human beings. This is exactly what Hitler did.” He cited the use of numbers 1-10 since Brahma Gupta’s time.
“This is undisputed. However, whether you can number an individual is the disputed question,” said Justice Sikri.
Dwivedi cited the example of the proximity cards issued by the Supreme Court and boarding passes bearing a PNR number, which also do a similar thing – number an individual.
Justice Chandrachud asked: “How did the law overcome what is mandatory and what is optional?”
Dwivedi said UIDAI has nothing to do with the mandatory thing. Notifications issued by the central government make any act mandatory. It is a UIDAI-centric design and people-centric.
He said that apart from section 7, section 57 consists of two conditions which make a mandate for the usage of Aadhaar:
- For state, government subsidies
There has to be a prior law and a prior contract before you become a requesting entity, Dwivedi said. “Now, even if the state wants such information, no SRDA is available,” he said. “Once there is a contract established and prior law, UIDAI is not bound to provide information. The necessity of the want of information flows from article 21.”
Justice Chandrachud asked: “How can you decide what is necessary in the given case?”
He said: “The need can be determined via authentication. Any paanwalla or chaiwalla cannot become a requesting entity. It has to be pursuant to a contract. UIDAI may still refuse an entity from becoming a requesting entity.”
Some techno-legal parleys continued between Dwivedi and the judges, especially vis-à-vis the requesting entity and when a contract is essential.
Dwivedi also said that the rules of the IT Act 2000 and the punitive provisions of the Act are also applicable to Aadhaar data under Section 30 of the Aadhaar Act. This is further security. He referred to rule 3 pertaining to sensitive personal data of an individual.
Dwivedi said that Aadhaar is not the panacea for all evils but the problems that were occurring on account of fake identity documents will be solved.
He said petitioners were arguing that there’s no legal mandate to store information in CIDR. Dwivedi mentioned section 10 in this regard. He said petitioners argued that we have hired foreign suppliers. Only software is used by UIDAI as licensee. The hard disks and servers belong to UIDAI. Even technicians are given access to CIDR only when there’s a problem in the process of UIDAI officials.
He further explained the process of extraction once a data packet is received by CIDR. He said that just because it is probabilistic, it cannot be discarded.
Justice Chandrachud: “If the probability leads to deprivation of fundamental rights, then there should be safeguards in place to ensure that this deprivation doesn’t happen. There should be an administrative machinery in place to ensure no genuine beneficiary is deprived.”
Dwivedi said: “I agree that nobody should be denied benefits due to authentication failure. Our submission is inclusion. In case anything goes wrong with the authentication, section 7 will provide a legal backing to it.”
The Aadhaar matter comes up again tomorrow.
– India Legal Bureau