Consent in theory and its absence in practice

The Aadhaar Act 2016, section 8(2), mandates consent of the holder, for authentication and other purposes.

A requesting entity shall —
(a) unless otherwise provided in this Act, obtain the consent of an individual before collecting his identity information for the purposes of authentication in such manner as may be specified by regulations

Hence there was much justified outrage about the fact that HDFC Bank published the T&C that showed that it can obtain the Aadhaar number of the resident from other sources.

Given the confusion over whether banks are indeed allowed to seed without consent, a detailed explanation is warranted.

Seeding without consent is government policy

On March, 2016, The Economic Times published an article that all government welfare schemes are on track to be linked with Direct Benefit Transfer (DBT). The last paragraph is clear that explicit consent is not required for bank account seeding.

A panel of secretaries headed by cabinet secretary has suggested that instead of waiting for beneficiaries to visit a bank branch to give consent for seeding their accounts with Aadhaar, and if the consent of the beneficiaries for use of Aadhaar has already been obtained, any further consent may not be insisted upon and data provided by government agencies to the bank be used to seed PMJDY accounts.

There also exists a Cabinet Secretary note, on November, 2015, which further makes this explicit.

Cabinet Secretary note on consent.

The above note is just a restatement and emphasis of the “no explicit consent” policy from 2012, which pre-dated the Aadhaar act, 2016 (Department Order 6/23/2012-FI available in archive.org)

Relevant paragraphs pointing out Seeding does not require consent.

Conclusion

One primary reason why seeding without consent is prevalent is to achieve 100% seeding of a target database (including bank accounts and PAN cards). We are notoriously prone to the bandwagon fallacy of argumentum ad populum.

The Union of India in it’s rejoinder had claimed that seeding, by itself, indicates that people have confidence in the system for adopting and using it in a large scale.

Union of India’s affidavit to the Supreme Court in November 2017

Setting aside the ongoing “seed or else” coercion, an official policy of seeding which ignores consent, even when the Aadhaar Act explicitly requires it, points to how consent in theory and practice are exactly the opposite.

Hence it is no surprise that consent is ignored by Airtel Payments Bank to open new accounts, in the guise of re-verifying telephone connections.

Consent is broken in practice, in Aadhaar, because it is designed to be broken, by official policy. As the deadline of Dec 31, 2017 nears, it is obvious that banks will resort to automation to link as many accounts as possible without the account holder’s concern.

Hopefully this would be brought to the court’s notice when the main Aadhaar case comes up for hearing as the right to privacy judgement explicitly notes that individual consent is crucial to any state programme based on data collection and data mining.