Aadhaar, India’s biometrics-based unique identity number, has become vital for accessing an ever-widening range of government services, but protections available to its users remain weak even after a law has been passed.

For seven years after it was launched by the United Progressive Alliance government in 2009, the Aadhaar project functioned without a legal framework. This year, in March, the National Democratic Alliance government passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act. But it came under criticism since it was passed in the form of a Money Bill, which preempted amendments by the Rajya Sabha.

While the law provides the broad contours of how Aadhaar can be used, the finer details of its implementation require the notification of regulations.

On September 14, the Modi government introduced five sets of regulations under the Aadhaar Act, covering enrolment, authentication, information sharing and data security norms. These were placed before the Rajya Sabha on the last day of the winter session of Parliament.

A close examination of the Aadhaar regulations shows that they remain ambiguous and weak.

Who will set the standards under Aadhaar?

The regulations are meant to clarify the standards and norms for the Aadhaar project. But they defer the rule-making power to the Unique Identification Authority of India, the agency which issues the 12-digit numbers and maintains the Aadhaar database.

The Authority can decide and specify regulations at a later date. The term “as may be specified” appears in the draft regulations more than 27 times, which legal experts say makes the rules “surprisingly vague.”

The regulations fail to specify how someone who is not able to provide biometrics due to injuries or deformities will enroll in Aadhaar, what procedures public and private agencies setting up Aadhaar enrolment centers should follow, or how their staff collecting sensitive enrolment data will be certified.

The regulations do not even lay down the process for capturing biometrics, and delegate this to a later date.

How can you access your own Aadhaar information?

An individual cannot access his own biometric information under the regulations, pointed out Apar Gupta, a technology lawyer. “Since the individual cannot confirm whether his information is correct by accessing it, therefore, even for initiating the process of correction of biometric records, the decision rests solely with the Authority,” said Gupta.

An Aadhaar number holder shall have the right to access his authentication records subject to conditions laid down by the Authority. A request will have to be made to the Authority within the period of retention of such records before they are archived.

Section 28 says an individual will be asked to pay a fee to access her own information. The Authority may require residents to update demographic and biometrics information, for which they will pay a “convenience fee”. But the regulations do not specify the fee limit.

Your Aadhaar number can be “deactivated” without notice.

The regulations say an Aadhaar number may be “omitted” permanently, or “deactivated” temporarily by the Unique Identification Authority of India.

Experts say this could have serious consequences since once “deactivated” or “omitted”, a person might not be able to access important subsidies and services.

Section 28 lists five specific circumstances in which an individual’s Aadhaar number may be “deactivated”. These are:

  • If an existing photograph has been used instead of capturing a fresh photograph
  • If biometrics were not captured despite the resident being able to provide them
  • If enrolment is later found out to have been done without valid documents
  • If information captured is flagged as having “bad data”
  • If a child at 5 or 15 years of age fails to update biometrics afresh within two years of attaining that age

There is another omnibus reason: “any other case requiring deactivation as deemed appropriate” by the Unique Identification Authority of India.

The regulations provide for an individual to be informed only after the deactivation. “Given the consequences of such deactivation, proper procedure should have been laid down, with a mandatory notice, and prior hearing mandatory in law,” said lawyer and researcher Prashant Reddy Thikkavarapu.

The regulations say after omission or deactivation, “an agency nominated by UIDAI” may conduct a field enquiry and may hear the person affected. But this is not provided as a right to the number holder. “The regulations do not even mention the designation of an official who will conduct such an enquiry,” Thikkavarapu added.

What is the grievance redressal mechanism?

There is increasing evidence of a high rate of Aadhaar authentication failure even for genuine beneficiaries because of fingerprint errors or inadequate infrastructure. But the regulations fail to establish a system of accountability for such errors, or for compensating individuals for loss of services or benefits.

Section 32 provides for setting up a “contact centre” where people can register their grievances and get a “unique reference number for further tracking.” Section 32(1) mentions access to this facility only through toll-free numbers or email.

The regulations say that users could get grievances resolved by visiting UIDAI’s regional offices, but these exist in only eight states.

Legal experts point out that since the regulations do not delineate proper procedures and standards, this could lead to a potential conflict of interest: the Unique Identification Authority of India, which makes the decisions, will also hold the adjudicatory authority for grievance redressal.

The Aadhaar Act, under section 47(1), bars an Aadhaar number holder from approaching the courts to invoke criminal penalties for any violation under the Act. Such a complaint can only be made by the Unique Identification Authority of India.

Who retains your Aadhaar-authentication data and for how long?

When the Unique Identification Authority of India verifies the identity of individuals against the Aadhaar database, it generates millions of authentication logs every day, containing the request received, the response, and the metadata related to the transaction.

The regulations say the Unique Identification Authority of India will retain these authentication logs for six months, and archive them for five years. The requesting entities – both public agencies and private companies – will maintain the logs, including the Aadhaar number, for two years, and then archive them for five years or longer in the case of a court order.

The Aadhaar Act says the Unique Identification Authority of India will not store the purpose of the authentication. But experts say this is meaningless as the purpose can be easily inferred from the presence of surrounding blocks of information – for instance, who has made the authentication request.

The protections on disclosure which are applicable under Section 29 of the Aadhaar Act apply only to the biometric, demographic and identity information and do not extend to authentication records. “The regulations do not specify where the metadata, or the authentication records, will be stored and protected,” pointed out Gupta.

Privacy experts say data retention over long periods is problematic. “When data is held for longer than is necessary, there is a continued risk of data breaches, but also concerns over potentially invading people’s privacy,” said Tom Fischer, research officer with Privacy International. “In these days of ‘big data’ – and new analytical techniques with data – your data can tell people much more about you than it could in the past.”

Do agencies require your consent to use your Aadhaar number?

The regulations say authorised agencies will have to obtain the consent of the Aadhaar number holder before carrying out any authentication requests on their identity or transaction data. Experts say this does not satisfy the standards for “informed consent”.

“If the government is making the number mandatory for benefits such as food rations, then in effect they have extracted consent from you,” said Michael Froomkin, a professor of law at Miami University. “There have to be limits on what agencies can ask you for, or it becomes very difficult for users to know what their data will be used for.”

As of now, the regulations do not provide such limits.

What are the penalties for violations?

Experts say the regulations fail to impose adequate penalties and safeguards.

“As far as imposing liability and taking action for breach of standards, procedures, etc, in Regulation 25(1), the Authority is limiting this to imposing disincentives, or at maximum, suspending the activities of the requesting entity or the Authentication Service Agency,” said Ananta Sharma, a lawyer and researcher with Access Now, an international non-profit working on digital rights. “No other penalties or detailed remedies have been specified.”

The regulations also say the Authority plans to take action in accordance with the provisions of the agreement entered into between the agency and the Authority. However, no model agreement has been attached to the regulations.

What happens next

As per section 55 of the Act, Parliament has 30 session days to amend the rules before they come into force. While the Rajya Sabha did not have the power to amend the Aadhaar Act since the government introduced it as a Money Bill, its members can move an amendment or annulment of the regulations. But this will require the approval of both houses of Parliament. If no member of Parliament moves an amendment, the regulations will come into force as they are.

This is the fifth part in a series on the expansion of Aadhaar and the concerns around it.