Aadhaar Act 2016 Legislative Brief

This document provides a summary of key aspects of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. It outlines the background and objectives of the Act, and summarizes some of its salient features regarding enrollment, identity authentication, and privacy protections. While the Act aims to facilitate identification for welfare services, some concerns are raised around issues like mandatory enrollment, alternatives to Aadhaar, consent mechanisms, and individuals' rights to access their own data.

COURT MANAGEMENT ASSIGNMENT

ON LEGISLATIVE BRIEF OF THE


AADHAAR (TARGETED DELIVERY OF
FINANCIAL AND OTHER SUBSIDIES,
BENEFITS AND SERVICES) ACT,
2016

Submitted to:
Dr. Faizanur Rahman

Submitted by:
Bhavini Mishra
Section ‘B’
Roll No-11
Xth semester, Final Year.

Background
During the budget presentation on 29 February 2016, Finance Minister Arun
Jaitley announced that a bill will be introduced within a week which will provide legislative
support to the Aadhaar. On 3 March 2016, the Aadhaar (Targeted Delivery of Financial and
Other Subsidies, Benefits and Services) Bill, 2016 was introduced in the Parliament as
a money bill by Jaitley as it fulfilled Article 110's provisos - 110(1)(c), 110(1)(d) and
110(1)(e) of the Constitution of India. The decision to introduce it as a money bill was
criticised by the opposition parties.

Statement of Objective
The Statement of Objects and Reasons of the Bill states that identification of targeted
beneficiaries for delivery of various government subsidies and services has become a
challenge for the government. At the time of the introduction of the Bill, the government
stated that “the Bill confines itself only to governmental expenditure.” However, the Bill also
allows private persons to use Aadhaar as a proof of identity for any purpose.

Salient Features of the Act

Chapter I

The first section of the Act gives its short title, namely the Aadhaar (Targeted Delivery of
Financial and Other Subsidies, Benefits and Services) Act, 2016, its extent, and when it will
come into force. The second section defines the terms used in the Act, such as “Aadhaar
number”, “Aadhaar number holder” and “authentication”, under Section 2(a)-2(x).

Chapter II

Enrollment Process

What the Bill says:

 Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency
will inform the individual of the following details— i) how their information will be used;
ii) what type of entities the information will be shared with; and iii) that they have a right
to access their information, and also tell them how they can access their information.
(Section 3)
 Biometrics and demographics will be collected: Biometric information and demographic
information will be collected at enrollment. Biometric information means photograph,
fingerprint, iris scan, or any other biological attributes specified by regulations.
Demographic information includes information relating to the name, date of birth, address
and other relevant information as specified by regulations. (Section 2)
 Special measures to ensure enrollment for all: The UIDAI will take special measures to
issue Aadhaar number to women, children, senior citizens, persons with disability,
unskilled and unorganised workers, nomadic tribes or to such other persons who do not
have any permanent residence and similar categories of individuals as specified by the
regulations. (Section 5)

Concerns:

 The Bill fails to address implementation issues: The Bill does not address issues that have
arisen during enrolment processes that have already been implemented. These include:
the collection of additional and unnecessary information; unclear retention, storage, and
destruction standards for data collected by enrollment agencies; abuse of methods used to
ensure all have access to the enrollment process; and inaccuracy in the collection of data.
A detailed procedure and chain of custody for the enrollment process needs to be addressed
through provisions in the Bill, particularly as this process is undertaken by contracted
third-party registrars and enrolling agencies.
 Definition of “Biometric Information” is broad and ambiguous: The Bill defines
“biometric information” as “photograph, fingerprint, iris scan, or other such biological
attributes of an individual.” This definition is broad and gives sweeping discretionary
power to the UIDAI / Central Government to determine “other such biological attributes
of an individual”. The definition should be precise and exhaustive in its scope. Any
modification to this, and other terms in the Bill, should take place only through a
legislative act.

What the Bill says:

 Used to establish identity: The Aadhaar number can be used by any government or
private agency to validate a person’s identity for any lawful purpose, but it cannot be used
as a proof of citizenship. (Sections 4, 6, and 57)

 Mandatory for access to government services: The government can make it mandatory for
a person to authenticate her/his identity using Aadhaar number before receiving any
government subsidy, benefit, or service whose expenditure is incurred from the
Consolidated Fund of India.

 Those without a number, must apply for one: If someone attempting to access an
applicable service does not have an Aadhaar number, he/she should make an application
for enrolment, and will be allowed to use an alternative method of identification in the
meantime. (Section 7)

 Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar
number to establish identity for other lawful purposes by the State or other private
bodies. (Section 57)

Concerns:

 Aadhaar is not voluntary: Section 7 makes it mandatory to have an Aadhaar number to
access services, subsidies and benefits, and stipulates that in case one does not have the
Aadhaar number they must apply for it. This is counter to the repeated claims about
Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015
which prevents making Aadhaar mandatory, barring a few specified services. The Bill
does not limit mandatory use of Aadhaar to those services, and leaves the door open for
the government to route more benefits, subsidies and services through the Consolidated
Fund of India and expand the scope of Aadhaar.

 There are limited and unclear alternatives: While there is a proviso in the Act which
speaks for “viable and alternative” means of identification where Aadhaar number is not
issued, the language is not clear and speaks of cases where Aadhaar “is not assigned”
rather than simply stating that it is applicable to anyone who does not have an Aadhaar
number.

 There is a conflict in the objects and actual scope of the Bill: There is a conflict between
the objects of the Bill which is stated as identification of individuals for targeted delivery
of entitlements and Section 57 which allows all entities, public or private, to use the
Aadhaar number for authentication.

Chapter III

Authentication Process

What the Bill says:

 Consent and use limitation during authentication: The Bill states that any requesting
entity will— (a) take consent from the individual before collecting his/her Aadhaar
information; (b) use the information only for authentication with the CIDR.

 Notice during authentication: Further, the entity requesting authentication will also
inform the individual of the following— (a) what type of information will be shared for
authentication; (b) what will the information be used for; and (c) whether there is any
alternative to submitting the Aadhaar information to the requesting entity. (Section 8)

 Retention of authentication records: The UIDAI will maintain the authentication records
in the manner and for as long as specified by regulations. (Section 32) The UIDAI will
not collect, keep or maintain any information about the purpose of authentication.
(Section 32)

 Ability to obtain authentication records: Every Aadhaar number holder may obtain his
authentication record as specified by regulations. (Section 32)

 Requirement to update information: The UIDAI has the power to require residents to
update their demographic and biometric information from time to time. (Section 6)

Concerns:

 Lack of strong consent mechanism: While the Bill does provide for seeking consent for
collecting and using an Aadhaar for authentication, the Bill does not specify that this must
be informed consent with an ‘opt out’ mechanism and does not specify the manner in
which such consent should be sought. This leaves it in the hands of the UIDAI and
possibly the third requesting entity to determine the form of consent that is to be taken.
This could result in ambiguous, misleading, or inconsistent consent mechanisms being
used.

 Lack of strong notice mechanism: While the Bill does provide that individuals should be
given notice of the type of information to be shared, what the information will be used
for, and any alternative identity that will be accepted during the authentication process,
this is a minimal notice and does not meet the standards in the (Reasonable security
practices and procedures and sensitive personal data or information) Rules 2011, which
require individuals to be notified of: a) the fact that the information is being collected;
b) the purposes for which the information is being collected; c) the intended recipients of
the information; and d) the name and address of the agency collecting the information and
the agency that will retain the information. Furthermore, the Bill does not require the UIDAI,
contracted bodies, or requesting entities to notify individuals of any changes in
organizational privacy policies.

 “Obtaining” rather than the right to access: Instead of providing the individual with a
clear right to access the information that the UIDAI holds about him or her, the Bill
waters down this safeguard by giving the individual the ability to obtain only his
authentication record. What ‘obtaining’ will entail and how one will go about it is
delegated to regulations.

 Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out
mechanisms in the Aadhaar Act. This means that individuals cannot:

o Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is
not deleted.

o Opt out of sharing of information at the enrollment stage or authentication stage.

o Opt out of any use, disclosure, or retention of their information prescribed by the
Act.

Chapter IV

This chapter covers the Unique Identification Authority of India (UIDAI). It deals with the
establishment, composition, qualifications for appointment of Chairperson and members of
the Authority, their tenure as well as their removal. It also deals with the functions of the
Chairperson, the Chief executive officer, officers and other employees of the Authority as
well as the powers and functions of the Authority.

Chapter V

This chapter deals with grants by Central Government, other fees and revenues and accounts
and audit.

Chapter VI

Security

What the Bill says:

 Security measures for information with UIDAI: The UIDAI will take measures to ensure
that all information with the UIDAI, including CIDR records is secured and protected
against access, use or disclosure and against destruction, loss or damage. (Section 28)

 Security measures through contract: The UIDAI will adopt and implement appropriate
technical and organisational security measures, and ensure the same are imposed through
agreements/arrangements with its agents, consultants, advisors or other persons. (Section
28)
 Security protocol via regulations: The UIDAI has the power to prescribe via regulation
various processes relating to data management, security protocol and other technology
safeguards. (Section 54)

Concerns:

 Undefined security measures: The Bill specifies that appropriate technical and
organisational security measures shall be put in place without elaborating upon what
those measures should be or defining any standards that they will adhere to. The Bill gives
the Authority the power to define broad regulations pertaining to security protocol.

Confidentiality

What the Bill says:

 Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its
agents will not reveal any information in the CIDR to anyone. (Section 28) The core
biometric information collected will not be a) shared with anyone for any reason, and b)
used for any purpose other than generation of Aadhaar numbers and authentication. (Section
29) Identity information, other than core biometric information, may be shared as per this
Act and regulations specified under it. (Section 29) Identity information available with a
requesting entity will not be used for any purpose other than what is specified to the
individual, nor will it be shared further without the individual’s consent. (Section 29)
Aadhaar numbers or core biometric information will not be made public except as
specified by regulations. (Section 30)

 Application of Information Technology Act: All biometric information collected and
stored in electronic form will be deemed to be “electronic record” and “sensitive personal
data or information” under Information Technology Act, 2000 and its provisions and
rules will apply to it in addition to this Act. (Section 30)

Concerns:

 Aadhaar numbers and biometric information to be made public: It is unclear for what
purposes it would be necessary for Aadhaar numbers and core biometric information to
be made public and it is concerning that such circumstances are left to be defined by
regulation. This is different from the Telegraph Act and the IT Act which define the
circumstances for interception in the Act and define the procedure for carrying out
interception orders in associated Rules. Defining circumstances for such information to
be made public is against the disclosure standards in the 43A Rules - which would be
applicable to the UIDAI and the disclosure of core biometric information.

 Unclear application of Section 43A Rules: The Bill characterises biometric information
collected as ‘sensitive personal data or information’ under the Information Technology
Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable
to biometric information. If this is the case, then any body corporate (including the
UIDAI) collecting, processing, or storing biometric information would need to follow
the standards established in the Rules - including standards for collection, consent,
disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make
regulations for collection, disclosure, security etc.

Disclosure

What the Bill says:

 Disclosure during authentication: During authentication, the UIDAI will respond to the
authentication request with yes, no, or other appropriate response and share identity
information about the Aadhaar number holder, but not share any biometric information.
(Section 8)

 Exceptions to confidentiality provisions: The UIDAI may reveal identity information,
authentication records or any information in the CIDR following a court order by a
District Judge or higher. Any such order may only be made after UIDAI is allowed to
appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will
not apply with respect to disclosure made in the interest of national security following
directions by a Joint Secretary to the Government of India, or an officer of a higher rank,
authorised for this purpose. (Section 33)

 Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and
Secretaries of two departments — Department of Legal Affairs and DeitY — will review
every direction under 33 B above. Any directions in the interest of national security above
are valid for 3 months, after which they may be extended following a review by the
Oversight Committee. (Section 33)

Concerns:

 Unnecessary disclosure during authentication: Usually authentication would be a binary
process leading to a yes or no result, however, Section 8 also allows sharing of identity
information in certain cases. It is unclear why any additional information would need to
be shared in the authentication process.

 Lack of opportunity to data subject: In case of a court order identity information and
authentication records of an individual can be revealed without any notice or opportunity
of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard,
the Bill does not provide any means by which an individual can contest such an order or
challenge it after it has been passed.

 Lack of defined functions and responsibilities of oversight mechanisms: Section 33
currently specifies a procedure for oversight by a committee, however, there are no
substantive provisions laid down as the guiding principles establishing the responsibilities
and powers of the oversight mechanism.

 Low standards for disclosure order: Though a court order from a District Judge is
required to authorize disclosure of information, the Bill fails to define important standards
that such an order must meet, including that the order is necessary and proportionate.

 Sweeping exception of National Security: Disclosures that are made ‘in the interest of
national security’ do not require authorization by a judge and instead can be authorized by
the Joint Secretary of the Government of India - a standard lower than that established in
the Telegraph Act and IT Act for the interception of communications.

Chapter VII

This chapter lists penalties and offences under this act such as:

 Penalty for impersonation at time of enrolment.
 Penalty for impersonation of Aadhaar number holder by changing demographic
information or biometric information.
 Penalty for disclosing identity information.
 Penalty for unauthorised access to the Central Identities Data Repository.

Chapter VIII

This chapter deals with the miscellaneous provisions. Section 48 confers power to Central
Government to supersede authority. Section 54 confers power to Authority to make
regulations for carrying out provisions in this Act.

Power of UIDAI to make rules and regulations

What the Bill says:

The matters on which the UIDAI may frame rules include:

 The process of collecting information,

 Verification of information,

 Individual access to information,

 Sharing and disclosure of information,

 Alteration of information,

 Request and response for authentication,

 Defining use of Aadhaar numbers,

 Defining privacy and security processes,

 Specifying processes relating to data management, security protocols and other
technology safeguards under this Act,

 Establishing redressal mechanisms.


Concerns:

 Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the
Information Technology Act, which allows the executive a very high degree of
discretionary power. As mentioned above, a number of important powers which should
ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI
has been administering the project since its inception, and a number of problems have
already been documented in processes such as collection, verification, sharing of
information, privacy and security processes. Rather than addressing these problems, the
Bill allows the UIDAI to continue to have similar powers.

 Lack of independence of grievance redressal mechanism: Within the text of the Bill there
is no grievance redressal mechanism created under the Bill. The power to set up such a
mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However,
making the entity administering a project also responsible for providing the
frameworks to address the grievances arising from the project severely compromises the
independence of the grievance redressal body.

Authority under this Act


Unique Identification Authority of India (UIDAI)

Unique Identification Authority of India (“Authority/UIDAI”) has its Headquarters (HQ) in
New Delhi and eight Regional Offices (ROs) across the country. UIDAI has two Data
Centres, one at Hebbal (Bengaluru), Karnataka and another at Manesar (Gurugram), Haryana.

Composition of the Authority

The Authority consists of a Chairperson appointed on part-time basis, two part-time Members
and a Chief Executive Officer who shall be the Member-Secretary of the Authority.

Shri J. Satyanarayana, IAS (Retd.) (1977, AP cadre) is appointed as part-time Chairman of
the Authority.

Dr. Anand Deshpande, Founder, Chairman and Managing Director of Persistent Systems is
appointed as part-time member of UIDAI.

The Chief Executive Officer (CEO), Dr. Ajay Bhushan Pandey, IAS (1984, Maharashtra
cadre), is the legal representative and administrative head of the Authority.

Headquarters (HQ)

At the HQ, the CEO is assisted by seven Deputy Directors General (DDGs), Joint Secretary
level Officers of Government of India, as in-charge of various wings of UIDAI. The DDGs
are supported by Assistant Directors General (ADGs), Deputy Directors, Section Officers and
Assistant Section Officers. The HQ has a total sanctioned strength of 127 officers and staff
members, including the Accounts and IT branches.

Regional Offices (ROs)

Each of the eight Regional Offices of UIDAI is headed by a Deputy Director General (DDG)
and the support structure comprises Assistant Directors General, Deputy Directors, Section
Officers, Assistant Section Officers, Senior Accounts Officer, Accountant and personal staff.
