On Day 4 of the Aadhaar hearing, the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ, heard submissions of Senior Advocate Shyam Divan, who continued discussing the various provisions of the Aadhaar Act, 2016. On Day 3 of the hearing, Shyam Divan had discussed the scope and applicability of the 9-judge bench Privacy verdict on the Aadhaar issue and was taking the Court through various provisions of the Aadhaar Act, 2016 when the Bench rose for the day. Below are the highlights from Day 4 of the hearing:
Discussion on Section 59 of the Aadhaar Act, 2016:
- Shyam Divan: Section 59 of the Aadhaar Act, which validates all acts of the UIDAI prior to the Act, applies only to central government actions, as per its text. This section does not control acts of private entities, like enrolment agencies. Their actions are not protected.
- Sikri, J: Central Government appointed UIDAI in the pre-Act era, and all the acts flow from that.
- Shyam Divan: The notification establishing the UIDAI might protect the actions of the Central Government in entering into the MoU, but doesn’t cover the actions of the registrars.
- Chandrachud, J: Actions of the registrars are traced back to the MoU.
- Shyam Divan: Enrollment agencies are not covered even under the MoUs. As for the Registrars, their actions are not the actions of the central government. Therefore, the enrollments prior to the Act are not validated by Section 59. In any case, you cannot have a retrospective validation of a fundamental right violation.
- Chandrachud, J: Privacy judgment says that there must be a basis in law. Section 59 attempts to provide that by bringing about a legal fiction. It will have to be considered how you deal with data breaches prior to the Act.
- Shyam Divan: Informed consent is crucial, and you can’t have a retrospective validation saying that there was always consent, prior to the Act. Even if this provision is to be upheld, it should be given the narrowest reasonable construction.
Heads of challenge to the Aadhaar Act as specified and explained by Shyam Divan:
- The State is empowered to collect records over the course of an individual’s lifetime. On the basis of aggregation, over time, the State acquires a profile of an individual, a community, a segment of society. The Constitution does not permit a surveillance State.
- Every electronic device linked to the internet has a unique number. In addition, when the device is linked to CIDR, the devices exchange information. The device is assigned a number qua Aadhaar. A specific ID at the first interaction. Thereafter, the transmission will be recognised as emanating from that device.
- A unique electronic path attaches to each transmission. This identifies the links through which the transmission is done. Each link is identifiable. It is technically possible to track every transaction. It is possible to track the location of every device in real time.
- Discussion between Chandrachud, J and Shyam Divan:
- Chandrachud, J: To what extent can the Court go into questions of technical evidence? There is also a distinction between the existence of a mechanism and its abuse. If the distinction between fingerprints on your iPhone and Aadhaar is only of degree. Should the Court second-guess the decision of the executive government, especially when no system in the world is secure?
- Shyam Divan: These affidavits confirm that there is a complete mapping of the electronic path, which happens in real time, and that you can track the location.
- Chandrachud, J: Aren’t we accepting Google Maps tracking us, and other private corporations?
- Shyam Divan: When you are tracked by the State in real time, it is tantamount to a police State. The Constitution does not allow this. Google is not the Indian State, and the issue is one of consent. Google, powerful though it is, is not as powerful as the State.
- Chandrachud, J: I should have no objections to the State knowing whether I’m paying my taxes. So there should be a distinction between collecting data and using it. If the use of data is limited to its purpose, then what is the problem with collection? We live in times of terrorism and money laundering and welfare expenditure, and this has to be balanced. Surveillance is about how data is used, not collected.
- Senior Advocate Kapil Sibal: The problem is of giving the State that kind of information. ‘Big brother’ will have the information. He may use it and you won’t know it. By the time you do, he will become a bigger brother.
- Shyam Divan: The point of this whole case is to prevent that situation where ‘Big Brother’ is watching.
- Violation of Privacy: Between 2010 and 2016, there was no law authorising the violation of privacy. Even after the Aadhaar Act, the violation continues. The citizen is compelled to report her activities to the State through the electronic footprint. Even for availing of subsidies, an alternative means of identification should be allowed. In a digital society, an individual has the right to protect herself by maintaining control over personal information.
- Limited Government: Constitution is not about the power of the State but about limits to that power. Aadhaar allows the State to dominate the individual through an architecture that enables profiling, and by the power to cause civil death by deactivating Aadhaar. Instead of the State being transparent to the individual, the individual is made transparent to the State.
- Aadhaar Act being passed as a Money Bill
- Violation of Articles 14 and 21 of the Constitution:
- There is no informed consent. There is no opt-out option. UIDAI has no direct relationship with the collecting agencies. The data collected and stored lacks integrity.
- Biometrics are untested, and probabilistic. The use of biometrics has led to exclusion from welfare schemes. If biometrics don’t work, then a flesh and blood individual ceases to exist. If your biometrics don’t match, you become a ghost. A citizen in a democratic society has the right and choice to identify herself in a reasonable manner. Mandating a single highly intrusive form of identity is inconsistent with democracy.
- Authentication records include the time of authentication and the requesting entity. This can be stored for 2 + 5 years. This enables real-time surveillance.
- Information about the specific details of the CIDR is not in the public domain because of national security concerns. (Answering Chandrachud, J’s question as to who maintains the CIDR)
- Private enrollment agencies cannot be entrusted with the crucial task of ensuring informed consent.
- Definition of “resident” is arbitrary and has no verification mechanism.
- The individual has a right to remain free of monitoring as long as they have not violated any criminal law.
- On cancellation of Aadhaar, the services will be disabled personally. You can just switch off a person.
The bench will now continue the hearing on 30.01.2018.