Legislation UpdatesRules & Regulations

The Unique Identification Authority of India (UIDAI) on November 09, 2022, issued the Aadhaar (Enrolment and Update) (Tenth Amendment) Regulations, 2022.

The amendment inserts a new clause for Update of Documents which provides that Aadhaar number holders may, on completion of every 10 years from the date of enrolment for Aadhaar, update their supporting documents in Aadhaar, at least once, by submitting Proof of Identity (POI) and Proof of Address (POA) documents as specified under Aadhaar Enrolment so as to ensure the continued accuracy of their information in the Central Identities Data Repository (CIDR), in such manner as may be specified by the Authority from time to time.

Legislation UpdatesRules & Regulations

Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020

Centre in consultation with UIDAI makes the above stated Rules.

Purposes for Aadhaar authentication

(1) The Central Government may allow Aadhaar authentication by requesting entities in the interest of good governance, preventing leakage of public funds, promoting ease of living of residents and enabling better access to services for them, for the following purposes, namely:–

(a) usage of digital platforms to ensure good governance;

(b) prevention of dissipation of social welfare benefits; and

(c) enablement of innovation and the spread of knowledge.

(2) Aadhaar authentication under sub-rule (1) shall be on a voluntary basis.

Preparation of proposal

The Ministry or the Department of the Government of India or the State Government, as the case may be, desirous of utilising Aadhaar authentication for a purpose specified in Rule 3 shall prepare a proposal with justification in regard to such purpose for which Aadhaar authentication is sought and submit the same to the Central Government for making a reference to the Authority.

Examination of proposal

On receipt of the proposal under Rule 4, if the Authority is satisfied that the proposal is in accordance with the purposes mentioned in Rule 3 and the provisions of the Act, it shall inform the Central Government that the requesting entity may be allowed to perform Aadhaar authentication and thereafter, the Ministry or the Department of the Government of India or the State Government, as the case may be, may be authorised by the Central Government to notify the same accordingly.

Read the Rules here: NOTIFICATION

Ministry of Electronics and Information Technology

Notification dt. 05-08-2020

Legislation UpdatesStatutes/Bills/Ordinances

The Union Cabinet, chaired by the Prime Minister Narendra Modi has approved the promulgation of an Ordinance to make amendments to the Aadhaar Act 2016, Prevention of Money Laundering Act 2005 & Indian Telegraph Act 1885. The amendments proposed are the same as those contained in the Bill passed by the Lok Sabha on 4th January 2019.


The amendments would enable UIDAI to have a more robust mechanism to serve the public interest and restrain the misuse of Aadhaar.  Subsequent to this amendment, no individual shall be compelled to provide proof of possession of Aadhaar number of undergo authentication for the purpose of establishing his identity unless it is so provided by a law made by Parliament.

Salient Features

The salient features of the amendments are as follows—

  • Provides for voluntary use of Aadhaar number in physical or electronic form by authentication or offline verification with the consent of Aadhaar number holder;
  • Provides for use of twelve-digit Aadhaar number and its alternative virtual identity to conceal the actual Aadhaar number of an individual;
  • Gives an option to children who are Aadhaar number holders to cancel their Aadhaar number on attaining the age of eighteen years;
  • Permits the entities to perform authentication only when they are compliant with the standards of privacy and security specified by the Authority; and the authentication is permitted under any law made by Parliament or is prescribed to be in the interest of State by the Central Government;
  • Allows the use of Aadhaar number for authentication on voluntary basis as acceptable KYC document under the Telegraph Act, 1885 and the Prevention of Money-laundering Act, 2002.
  • Proposes deletion of Section 57 of the Aadhaar Act relating to use of Aadhaar by private entities;
  • Prevents denial of services for refusing to, or being  unable  to,   undergo authentication;
  • Provides for establishment of Unique Identification Authority of India Fund;
  • Provides for civil penalties, its adjudication, appeal thereof in regard to violations of Aadhaar Act and provisions by entities in the Aadhaar ecosystem.


The Supreme Court in its judgment dated 26.9.2018 in W.P (Civil) No.494 of 2012 and other tagged petitions held Aadhaar to be constitutionally valid. However, it read down/struck down a few sections of the Aadhaar Act and Regulations and gave several other directions in the interest of protecting the fundamental rights to privacy.

Consequently it was proposed to amend the Aadhaar Act, Indian Telegraph Act and the Prevention of Money Laundering Act in line with the Supreme Court directives and the report of Justice B.N.Srikrishna (Retd.) committee on data protection, in order to ensure that personal data of Aadhaar holder remains protected against any misuse and Aadhaar scheme remains in conformity with the Constitution. Towards this, the Aadhaar and Other Laws (Amendment) Bill, 2018 was passed by the Lok Sabha in its sitting held on 4th January, 2019. However, before the same could be considered and passed in the Rajya Sabha, the Rajya Sabha was adjourned sine die.

[Press Release dt. 28-02-2019]


Conference/Seminars/LecturesLaw School News

Dr. Usha Ramanathan will be delivering a guest lecture on the 25th of July (Wednesday) at 5:30 p.m. at the M.K Nambyar SAARC Law Centre as part of NALSAR Public Policy Lecture Series.

Dr. Ramanathan is an independent lawyer and researcher. A research fellow at the Centre for the Study of Developing Societies, she teaches environmental law, labor law and consumer law at the Indian Law Institute and is a regular guest professor at many universities across the world. She is a member of Amnesty International’s Advisory Panel on Economic, Social and Cultural Rights and has been called upon by the World Health Organisation as an expert on mental health on various occasions. She has devoted her attention to a number of specific issues such as the Bhopal gas disaster, the Narmada valley dams or slum eviction in Delhi, and the UIDAI project.
Dr. Ramanathan will be speaking on the recent UID litigation along with delving into the legality of the project. The discussion will be based on questions that plague the project and the veil of silence enveloping the answers. An eight-part piece that she wrote on the UID Aadhar Card project can be accessed here. Her writings on the same published by The Wire can be accessed here.

Hot Off The PressNews

After Attorney General KK Venugopal sought the permission of the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ on Day 20 of the Aadhaar hearing to allow the CEO of UIDAI to present a PowerPoint presentation explaining all technical and security aspects of Aadhaar before it, the Bench allowed the same and asked the petitioners to submit a questionnaire based on the presentation on the next date of hearing i.e. 27.03.2018.

Below are the highlights from the presentation by Ajay Bhushan Pandey, the CEO of UIDAI, on Day 21 and 22 of the Aadhaar hearing:

Day 21:

  • In pre Aadhaar times, most people didn’t have IDs. Even I didn’t have an ID since I come from a small village. From 2000-09 also, people didn’t have IDs. Voter ID also doesn’t solve the problem. Children can’t get it.
  • Getting a ration card was also difficult because it required other IDs to procure a ration card. Voter id and ration cards are region specific. It’s not nationally accepted.
  • Aadhaar is nationally verifiable digital ID. It’s not difficult to procure. Genuineness of ration card is not easy to ascertain.
  • The 12 digit Aadhaar number is a completely random no. Once issued, it’s never issued again, even if the person dies. We did not want to link it with citizenship and it includes transgenders and children.
  • People may not be able to provide biometrics due to reasons like leprosy, but we have made exceptions for such cases.
  • Enrollment and updation can happen in any part of the country. It’s a portable entitlement. Not region specific, unlike other IDs. There’s no data sharing without consent.
  • Data is shared only on the instructions of district judge and for national security.
  • Even father’s name is not necessary. No info on religion, caste etc is collected. In the US, to get a birth certificate, a lot of information is collected. Even info like the kind of pregnancy is taken.
  • Chandrachud, J: What is the biometrics exception for people who can’t possibly give their biometrics?
  • Pandey:
    • Authentication will happen through OTP in such cases.
    • Enrollment agencies are both public and private. We empanel these agencies based on certain criteria. Then registrars decide of an agency is fit to be an enrollment agency.
    • We have operator certification agencies along with 30k enrollment centres. Decentralized enrollment, but the data is stored in a centralized place. There’s a safe button with enrollment agencies to encrypt data (2048-bit).  It’ll require the strength of the entire universe to break that encryption! Traceability of all actors is ensured through audit trail.
  • Sikri, J: Why did you de-register so many agencies then?
  • Pandey: It was due to corruption mostly. Also some operators were not entering the details properly. We have very strict quality control standards.
  • Sikri, J: It’s incomprehensible that 49,000 people fall in that category.
  • Pandey: We have high quality parameters. 120.3 cr have enrolled. we enrol children as soon as they are born. We don’t take biometrics of the infant. Only photograph is taken. Biometrics of parents are collected. At the age of 5, we take the child’s biometrics and then again at age 15.
  • Sikri, J:  Do you contact the child or do they have to come to you? This was one of the arguments related to exclusion.
  • Pandey: Anganwadi workers themselves become enrollers. Also, enrollment camps are set up in schools. (Gives details on Aadhaar customer care and how to locate Aadhaar agencies)
  • Chandrachud, J:  What happens when a person’s biometrics change? For eg, for workers and labourers.
  • Pandey:  People can go to enrolment centres and get their details updated.
  • Sikri, J: Many people might not know that their biometrics have changed. What do they do?
  • Pandey:
    • In such cases, a person goes for authentication, for example to a PDS shop and his Biometrics don’t match, then an error code is sent to UIDAI and then the person will be asked to update his biometrics. (Chandrachud, J is not convinced with this method. Says this will lead to exclusion.)
    • A circular was issued yesterday, which said that if a person’s authentication through biometrics does not happen, then he shall not be denied benefits for that reason.
    • Every Aadhaar card has a QR code, which prevents de duplication. The QR code will also show the person’s photo. This method can also be resorted to if biometrics don’t match.
  • Chandrachud, J: You’ll know when there’s an authentication failure in your database, but you won’t know if there has been denial of service.
  • Pandey: We tell entities to make exception handling measures.
    • Aadhaar enrollment is done in prison also. We are starting enrollment centres in banks and post offices. Enrollment and updation of Aadhaar is a continuing process. The total cost of an aadhaar card is less than one dollar.
  • Khanwilkar, J: Other side claims that Aadhaar software is designed outside india, and is prone to tampering.
  • Pandey:
    • Only biometrics matching software has been taken from the world’s best companies. Rest has been developed in India. The servers are ours. We have 6000 servers. Just because we are using the services of these companies, doesn’t mean that they have our data. The biometrics is also anonymized by a reference number before it’s matched against the biometrics stored in the central database.
    • Till now no agency has taken biometrics data for the purpose of national security. We have denied data to CBI also.
    • We have registered devices for authentication. The devices use our key for encryption. The biometrics is not shared with the requesting entity also. Authentication process takes less than a second. We don’t collect purpose, location and details of the transaction.
    • We are doing four crore authentications everyday. We don’t know the purpose of these authentications. Information remains in the silos and merging of silos is also prohibited.

 Day 22:

  • Pandey: Operators check individual packets of data received during enrollment. There are 65 operators who are responsible for verifying biometrics.
  • Chandrachud, J:  Is it possible for the enroller to make copies of the data before the data is encrypted and sent to CIDR?
  • Pandey: Enroller does not have access to biometrics. it’s collected by uidais software. Also retaining data by the operator is an offence. We have zero tolerance policy. We have started phasing out private enrolment agencies. Now only banks and post offices will do it. A notification was issued in July that says that 12500 banks and 15000 post offices will become operator agencies.
  • Sikri, J: That is because you don’t need so many enrollment agencies now. People have already enrolled.
  • Pandey: We are doing it for updation of Aadhaar. Our central authentication server is not connected to the internet for security purposes.
  • Chandrachud, J: Central authentication server is not connected to the internet for security purposes.
  • Pandey: Few dozen.
  • Chandrachud, J: AUA has a record of how many times an authentication request was made even if UIDAI doesn’t.Parting with that data is a commercially profitable enterprise. The private sector AUA can misuse that data.
  • Pandey: They are prohibited under Section 29(3) of the Aadhaar Act. Section 38(g) also prohibits it. Further there are regulations to prevent such misuse. Regulation 17(1)(d) for example.
  • Chandrachud, J: The problem area is that private service providers have a record of authentication requests which can be misused in various ways to profile individuals.
  • Khanwilkar, J: The state has to clear the apprehensions of the petitioners with respect to the software of Aadhaar.
  • Pandey: Software is secure and there hasn’t been one data leak till date. (Tells court to not believe media reports. Denies recent report of breach by ZDnet). Now we have made it a standard practice to only display the last four digits of the Aadhaar no., wherever needed.
  • Chandrachud, J: The high level of security maintained at CIDR is not maintained at the other end like AUA also. Unless the security at the other end of the spectrum is secured, Aadhaar will be a problem.
  • Pandey:
    • Aadhaar based authentication and other services like withdrawal of funds is akin to a walking ATM. (physically demonstrates the process of authentication. Shows what all information is displayed. Says location, purpose etc is not showed.) 
    • Debit cards and pin nos. are difficult to use by most people in India. Aadhaar makes it simpler and allows people to be financially included.
    • A person can enter his/her Aadhaar details on uidais website to check her authentication history. This way he/she can know if her Aadhaar no.was misused.
    • We have no meta data that reveals anything about an individual such as likes and dislikes.
    • The technology and architecture board review the technology of Aadhaar. Similarly the security review board reviews the security of Aadhaar. Security is an ongoing challenge and we need to keep upgrading it. (discusses the privacy safeguards in Aadhaar like virtual I’d, uid token, purpose and use limitation, strict confidentiality, online access to authentication history, biometrics lock, strict punishment under the Aadhaar act)
    • We can make further regulations if there are any concerns related to the security and privacy of the Aadhaar ecosystem.
  • Sikri, J: It cannot be ruled out that authentication history will not be shared under section 33.
  • Pandey: Till date we haven’t shared data with any other agency.
  • Sikri, J (on Virtual Aadhaar ID generation): How many people will be able to use it? You can’t explain illiterate people to use virtual ID.
  • Pandey: this is just an additional safeguard apart from the Act.
  • Sikri, J: If the authentication logs are kept with the authentication/requesting entity. What is the nature of this data?
  • Pandey:
    • Details except biometrics are kept.
    • Audits are done on AUAs, and requesting agencies, by UIDAI itself or by an agency appointed by them to ensure smooth functioning of the system. Anil Jain, professor of Michigan state university, and expert on biometrics, was consulted. He suggested multi modal biometrics authentication i.e both iris and fingerprints should be combined for the process of identification and authentication. Another expert was consulted and he suggested that iris should be used, because fingerprints often don’t work.
  • Bench: AG should be making such arguments, not CEO of UIDAI.
  • Pandey: Using virtual ID and uid token ensures that databases are not joined. We make distinctions between what agencies require real Aadhaar no.and what agencies do not. For eg. Telecom does not require real Aadhaar no. But income tax does.
  • Bench: Submit a note explaining Virtual id and uid token and how their usage prevents duplication.
  • Pandey:
    • UID token is a 72 character alpha numeric string meant only for system usage. For the same resident, different AUAs or KUAs will have different uid tokens. Aadhaar cannot be reverse engineered from the token.
    • Central database of biometrics is important, to ensure uniqueness. Uniqueness may not hold true in the case of smart card, and one person can have multiple cards with different identities and same biometrics. There’s no identity theft if Aadhaar is lost. The same cannot be said of smart cards.
    • Surveillance is not possible with CIDR as silos are not merged. Surveillance is possible by smart cards by merging databases.
    • Keeping too much information on a smart card is not a good idea. Replacement of smart card with a better technology in the future is a huge responsibility. Changing encryption kept on a smart card from time to time is not possible. Says offline smart card is not a substitute for online authentication. (On Singapore like Smart card system)
  • CJI:  Does the enroller or requesting entity has access to any data?
  • Pandey: Data is encrypted and sent to CIDR, so there’s no question of misuse.

Petitioners then submitted a list of questions based on the presentation. They also argued that the deadline for Section 7 benefits should also be extended. Fourteen crore forty eight lakh authentication failures have taken place for section 7 benefits and subsidies. CJI, however, refused to extend the deadline.

To read the highlights from submissions of Senior Advocates Meenakshi Arora, Sajan Poovayya, CU SIngh, Sanjay Hegde and Counsel Jayna Kothari, click here.

To read the highlights from submissions of Senior Advocates KV Viswanathan and Anand Grover, click here.

To read the highlights from Senior Advocate Arvind Datar’s submissions, click here, here and here.

To read the highlights from Senior Advocate Gopal Subramanium’s submissions, click herehere and here.

To read the highlights from Senior Advocate Kapil Sibal’s arguments, click here, here and here.

Looking for the detailed submissions of Senior Advocate Shyam Divan? Read the highlights from Day 1Day 2, Day 3, Day 4 , Day 5, Day 6 and Day 7 of the hearing.

Source:  twitter.com/SFLCin