Biometrics, Privacy, and Governance in India: the Unique Identity (‘Aadhaar’) Case
This article was first published in Data Protection Law & Policy, Vol. 12(11), November 2015.
On 11 August 2015, India’s Supreme Court found itself unable to decide a high-profile privacy case until more judges were summoned to create a larger bench. This development has intensified a bitter privacy contest that is underway in India which will hopefully yield judicial clarity on the extent of the right to privacy.
The Aadhaar project
Three years earlier, Justice K.S. Puttaswamy, a retired appellate judge who is the face of a broad privacy campaign, approached the Supreme Court to challenge the Indian government’s collection of biometric information for its mammoth unique identity project called ‘Aadhaar’, a transliteration of a Hindi word which means ‘foundation’ or ‘cornerstone’. The Aadhaar project assigns each Indian resident a unique 12-digit number based on their photographs, fingerprints and scans of their irises. Enrolment is free. By the end of October 2015, around 926.8 million people had been issued an Aadhaar number, more than the combined population of North and South America.
Aadhaar is administered by the Unique Identification Authority of India (UIDAI), a non-statutory body created by an executive order in early 2009. The government argued the collection of biometric information was necessary to verify the true identity of the beneficiaries of its social security schemes. By using Aadhaar numbers to authenticate payments, the government claimed fake identities would be weeded out of the social security system, obviating waste and improving governance.
Many Indians did not share the government’s view. They questioned the premise of the Aadhaar project by arguing the problem was not the unclear identities of beneficiaries but governmental corruption and malfeasance. Some also questioned the reliability of biometric technology; for instance, the fingerprints of a substantial number of underprivileged Indians have been damaged by years of manual labour. However, most of the arguments in the Supreme Court sidestepped the premise of the Aadhaar project altogether to focus on privacy-related objections.
With a current strength of 31 judges, the Supreme Court never sits en banc although it is a constitutional court. Instead, it most commonly sits in simultaneous benches of two or three judges. As of March 2015, the Supreme Court faced a docket of 61,300 pending legal proceedings. A matter of unique constitutional import is heard by a Constitution Bench of at least five judges to establish ratio decidendi (rules) which bind subsequent smaller benches. The largest Constitution Bench ever had 13 judges. Following the Supreme Court’s 11 August 2015 order, the Aadhaar case is now being re-heard by a Constitution Bench of five judges.
Aadhaar and privacy
The Aadhaar project collects biometric information which, since it can result in the identification of a person, falls within the ordinary meaning of personal data. Additionally, since biometric information cannot be anonymised it is sometimes protected by special laws. Clearly, the collection of biometric information triggers a privacy claim. The Supreme Court has previously located privacy within the right to personal liberty guaranteed by Article 21 of the Indian Constitution. This poses a significant problem for the Aadhaar project.
In the Maneka Gandhi case of 1978, the Supreme Court read substantive due process into Article 21, only permitting derogations of personal liberty through statutory law which creates a just, fair, reasonable, and non-arbitrary procedure. But the UIDAI is an executive creation, not a statutory one, and it does not follow such a just, fair, and reasonable procedure. If the Supreme Court finds the right to privacy encompasses biometric information, the Aadhaar project will have to be measured against the Maneka Gandhi test, and it will certainly fail.
To survive constitutional scrutiny, merely enacting statutory law to bless the Aadhaar project with parliamentary sanction will not be enough. Only comprehensive renovation to build in the principles of justice, fairness, and reasonableness will suffice. In the project’s present form, there is no informed consent; respondents from whom biometric information is collected are not told inter alia of the potential uses of their personal data, who it may be shared with, and their recourse against any misuse of their data. There is no opt-out mechanism; once collected, biometric information is perpetually in the government’s possession.
Security, of data and the state
There are also serious concerns regarding the security of the collected information. Two lapses in particular stand out. First, the collection of biometric information is contracted to private entities in a poorly regulated manner resulting in numerous reports of data breaches. Second, the storage of biometric information in large repositories is a considerable security risk. All Aadhaar data is held in the Central Identities Data Repository from whence the danger of data leaks by hacking and hostile espionage is compounded. According to Sunil Abraham, centralising valuable information creates a “honeypot” that incentivises hacking.
Aadhaar’s vast database of biometric information is another pillar of India’s national security state. India is currently engaged in technological projects of astonishing dimensions, a colossally wide array of information collection, communications monitoring, and identity profiling. Biometrics have long been associated with biopower, a Foucauldian concept that is being frequently revisited as the world negotiates pervasive surveillance. The Aadhaar project is a new frontier in biopower: unparalleled in scale and unchecked by law, it is obliterating privacy.
In 2010, a bill was floated to lift the confidentiality of biometric information, allowing it to be shared in the interest of national security. But absent a definition or reasonable limits, national security consecrates all manner of sins. The Aadhaar database is now being integrated with the National Population Register, another large biometric information collection effort. This is an instance of ‘scope creep’: when an open-ended project spawns uncontrollable changes. More scope creep lies ahead as Aadhaar numbers are being linked to bank accounts, cellphone SIM cards, air travel, and more, all in the name of national security.
Questions of privacy
In 2011, the erstwhile Planning Commission constituted a group of experts to suggest the contours of future Indian privacy law. Chaired by Justice Ajit P. Shah, the highly-regarded former Chief Justice of the Delhi High Court, the group considered the implications of the Aadhaar project and proposed nine principles to inform privacy law. These are the principles of notice, informed consent and opt-out choice, collection limitation, purpose limitation, access and correction, non-disclosure, data security, openness, and accountability. They are actually data protection principles, their scope is narrower than the conceptual breadth of privacy.
In stark contrast to Justice Shah’s views, the Indian Attorney-General denied the very existence of the right to privacy while defending the Aadhaar project in the Supreme Court. If there was such a right, he said, Indians did not enjoy it. He selectively based his arguments on outdated cases regarding the police’s powers to search and seize private property. But, while disingenuous, the Attorney-General was not far off the mark. Indian privacy jurisprudence is confused and, as a result, the right to privacy is unclear.
Further, according to the Attorney-General, even were the Supreme Court to declare the Aadhaar project infringed the right to privacy, it was open to people to waive that right by voluntarily handing over their biometric information. This argument sits atop a slippery slope. For instance, if the Constitution’s fundamental rights could be waived, it would be legal to induce sexual trafficking. Constitutional rights serve a public purpose, they are not solely measures for personal gain, so they cannot be waived. This position was affirmed by the Supreme Court in 1958.
Privacy in India
To locate the Aadhaar project on a larger map of Indian privacy demands a brief exercise in taxonomy. The constitutional right to privacy has evolved in three streams. The strongest privacy stream regulates surveillance. Although the Constitution’s drafters chose not to include an explicit right against invasions of correspondence and the home, the Supreme Court has protected both. But although individual freedoms are generally secure, there is a discernible judicial trend that privileges the interests of the state. That is why the Attorney-General based his anti-privacy arguments on surveillance-related cases: so that he could exploit this accompanying narrative of the state’s superior compelling interest.
There is also a nascent privacy stream that seeks to protect the autonomy of fundamental personal choices from social morality. This privacy right was forcefully asserted by the Delhi High Court in 2009 when it struck down India’s antiquated and discriminatory sodomy law. Unfortunately, the High Court’s decision was overturned on appeal by the Supreme Court in late 2013, and private consensual homosexual acts remain criminalised in twenty-first century India.
The third stream concerns biometric and bodily privacy where Indian law is restrictive. The Identification of Prisoners Act, 1920 and the Indian Evidence Act, 1872 permit the forcible taking of biometric information of suspects and convicts. Further, courts have allowed non-consensual collections of bodily information in the interests of public health, public morality, and public safety. In 2001, the Andhra Pradesh High Court dismissed privacy arguments to permit non-consensual HIV tests in certain conditions. And in 2010, the Supreme Court said the non-consensual administration of truth serums, lie detector tests, and brain mapping did not violate the right to privacy; instead, they offended the freedom from self-incrimination.
The need for judicial clarity
However, there is a significant difference between the Aadhaar project and pre-existing law regarding bodily and biometric privacy. On the face of it, the Aadhaar project is unconnected with public health, public morality, or public safety. Knowing this, the Attorney-General tried to justify the project through surveillance-related cases, where the law leans toward the state. Hopefully, the Constitution Bench hearing the Aadhaar case will see through this logical sleight of hand.
The Supreme Court has made mistakes in the past. In 1975, it approvingly cited American personal autonomy cases while hearing an unconnected claim against surveillance but when correctly called upon to protect the private autonomy of consenting Indian homosexuals, it balked. And in 1994, it confused the distinction between the constitutional right to privacy, the tort of privacy, and the crime of libel.
Biometric information collected by the Aadhaar project could also be protected by an appropriate data protection regime, an emerging field of law which has yet to receive judicial attention despite Justice Shah’s well-publicised data protection principles. India issued very basic data protection rules in 2011 which were widely panned for their shoddy drafting and flimsy safeguards. But because the rules only apply to bodies corporate, the UIDAI escapes regulation since it is an executive authority.
More than 90 percent of India’s adult population’s biometric information has already been collected, and Prime Minister Narendra Modi recently called for swift total enrollment. When that is done, the government will present the Aadhaar project to the Constitution Bench as a fait accompli. Nevertheless, the Supreme Court has a unique opportunity to clarify the right to privacy, besides fixing the lack of substantive due process in the Aadhaar project. It must seize this historic opportunity to reiterate its traditional custodianship of the freedoms of India’s citizens.