These days telecom operators are relying on AADHAAR data for customer
verification before activating SIM cards. Reliance JIO, which is creating
waves in the telecom field, is making use of this facility to its fullest
potential. Operators like Airtel and Vodafone have also started to make use of
AADHAAR data. Ever wondered how such private players are able to make use of
AADHAAR data containing personal and sensitive information? Are there any
regulations in place to ensure that nothing untoward happens when sensitive
information passes through the hands of private agencies? This article
attempts to analyze the legal framework within which private entities are
using AADHAAR data for giving service benefits.
The Parliament passed the AADHAAR (Targeted Delivery of Financial and Other
Subsidies, Benefits and Services) Act in March 2016. Section 57 of the Act
enables corporates and persons other than the Government to use the AADHAAR
number to establish the identity of a person for any purpose pursuant to a
law or contract. Section 57 reads as follows:
Nothing
contained in this Act shall prevent the use of Aadhaar number for establishing
the identity of an individual for any purpose, whether by the State or any body
corporate or person, pursuant to any law, for the time being in force, or any
contract to this effect:
Provided that the use of Aadhaar number under
this section shall be subject to the procedure and obligations under section 8
and Chapter VI.
The proviso makes it clear that the use of the AADHAAR number by private
entities should be in compliance with Section 8 and Chapter VI of the Act.
Section 8 and Chapter VI are based on two fundamental principles which are
recognized by the AADHAAR Act: ‘individual consent’ and ‘confidentiality of
information’. The Act recognizes biometric data to be ‘sensitive personal
information’, as per Section 30. Chapter VI of the Act, comprising Sections 28
to 33, deals with safeguards for protection and security of confidential
information. Section 8 deals with the manner in which the consent of the
individual should be obtained before using his AADHAAR number for
‘authentication’. Before proceeding further, it is important to understand
certain concepts regarding the scheme of the Act.
The biometric and demographic information of persons collected under the Act
is stored in a centralized database called the ‘Central Identities Data
Repository’ (CIDR), which is under the control of the Unique Identification
Authority of India (UIDAI). An entity which wants to use the AADHAAR data to
ascertain the identity of a person for giving any service or benefit is called
a ‘requesting entity’ (Sec. 2(u)). This ‘requesting entity’ could be a
government department (like the Income Tax Dept.), PSUs, Banks, Telecom
Operators etc., whether in the public or private sector, by virtue of Section
57. The AADHAAR number and biometric data of the intending customer are passed
on by the requesting entity to the Central Depository. If the data supplied by
the requesting entity matches the information in the central database, a
positive response is returned by the Authority to the requesting entity,
verifying correctness of identity. If there is no match, a negative response
is returned. This process is called ‘authentication’ (Sec. 2(c)).
A requesting entity can use the AADHAAR number and biometric data of an
individual for authentication only with the informed consent of the
individual. This is the mandate of Section 8. The individual has to be
informed about the nature of the information shared for authentication, and
also the uses to which the information so received will be put. The
information should be given and consent should be obtained in the manner
specified in the regulations.
AADHAAR (Authentication) Regulations 2016
The informed consent of the individual has to be obtained in the manner
specified in the said Rules. The requesting entity, which is desirous of using
AADHAAR data, should register itself with the Authority as per the Regulations
as an ‘Authentication User Agency (AUA)’. There are agencies which act as
intermediaries between the AUA and the UIDAI by providing infrastructure for
connectivity and access, registered under the Regulations as ‘Authentication
Service Agency (ASA)’. The AUA will only get a Yes/No response from the
Authority regarding the data supplied. The Authority will not share the
demographic or biometric information of the customer with the AUA, except for
giving a Yes/No response on the basis of the verification search. However, if
the AUA is registered as an ‘e-KYC User Agency (KUA)’, the biometric and
demographic information of the customer stored in the Central Depository will
be shown to the Agency so that the identity of the customer could also be
physically verified by the Agency.
Having analysed the scheme of registration under the Regulations, it is
pertinent to refer to Regulation 6, which specifies the manner of obtaining
consent. Regulation 6 reads as follows:
6. Consent of the Aadhaar number holder.—
(1) After communicating the information in accordance with regulation 5, a
requesting entity shall obtain the consent of the Aadhaar number holder for the
authentication.
(2) A requesting entity shall obtain the consent referred to in sub-regulation (1)
above in physical or preferably in electronic form and maintain logs or
records of the consent obtained in the manner and form as may be specified
by the Authority for this purpose. (emphasis supplied)
It is clear from the above that mere oral consent of the individual will not
fulfil the mandate of the Regulation. The consent has to be recorded,
preferably in electronic form. Also, the requesting entity has to maintain
logs or records of the consent obtained. The requesting entity also has to
ensure that persons employed by it for performing authentication functions,
and for maintaining necessary systems, infrastructure and processes, possess
the requisite qualifications for undertaking such work (Reg. 14(f)). The
entity also has to maintain logs and records, and preserve them for two years;
the AADHAAR number-holder has the right to access such logs and records
(Reg. 18). The Act also enables the number-holder to access the authentication
records (Sec. 32).
Worrying practices of non-compliance by agents of telecom operators
Although the Act and Regulations prescribe mandatory guidelines to be followed
while using demographic and biometric information of the individual, the
ground realities show that such guidelines are mostly observed in breach by
the agents of telecom operators. When telecom operators like Reliance Jio
offer a honey-pot of free internet packages, it is natural that customers
swarm to mobile shops for activating new SIM cards. When they are required to
provide their biometric data for getting a new connection, they will not be
reluctant to do so. From the personal experience of this author, it was
observed that Reliance Jio is an ‘e-KYC User Agency (KUA)’. The customer has
to furnish his AADHAAR number and biometric data in the form of fingerprints.
Upon pressing the finger on the device of the telecom agent, the Authority
sends back the AADHAAR information of the customer, including photograph and
other demographic details, to the agent after verification. However, this
process is done in total contravention of the Regulations, particularly
Regulation 6(2). Firstly, the agents in mobile shops who operate the device
for taking biometric information are not at all aware of the legal
requirements of the process. The customer is not made aware of the
ramifications of supplying biometric data. Also, the requirement under
Regulation 6(2) is to obtain consent in written form, preferably in electronic
form. There is also a requirement to maintain logs and records of consent
obtained. There is a further requirement to maintain records of the
authentication process as well. Sadly, none of these requirements are followed
in the mobile shops; at least in the mobile shops across the city of Kochi,
the process is done in contravention of the Regulations, and in all
probability the same is likely to be the situation in other parts of the
country as well. The process is done by the agents in mobile shops in total
ignorance of the Regulations. Since the customers are also unaware, and also
eager to get a new SIM at the earliest, they too part with their sensitive
information without insisting on compliance with the Regulations.
The Act and Regulations confer a right on the AADHAAR number-holder to access
the logs and records of consent and authentication in future. However, since
the records and logs of consent and authentication are not at all maintained
as prescribed by the Regulations, the said statutory right gets irredeemably
frustrated. In short, there is no mechanism to ensure that the process is
carried out in a transparent manner, in compliance with all security and
protection requirements.
This is not to
suggest that the AADHAAR data is being misused by the telecom operators or
their agents. However, it is evident that there is total ignorance in this
process. There is also total disregard of the Regulations in using AADHAAR data
for activation of SIM cards. Neither the public nor the mobile operators seem
to be aware of the procedure specified by the Regulations. Hence, there is complete
anarchy in this field.
Also, the situation
has to be analysed in the light of the apprehensions and security concerns
expressed by several experts regarding collection and storage of AADHAAR data.
The Act is criticized by many on the ground that there is severe infringement
of privacy rights. It
is also relevant to note that the matter regarding the validity of AADHAAR and
right to privacy was referred to the consideration of the Constitutional Bench
of the Supreme Court during August 2015.
The Act was passed thereafter during March 2016. The manner in which the
Act was passed is also subject to harsh criticism, as it was introduced and
passed as a money-bill. Hence, the validity of the manner in which the Act was
passed has been challenged before the Supreme Court and the issue is pending.
So, a lot of questions and doubts surround AADHAAR. In this backdrop, the
haphazard manner in which AADHAAR data is used for authentication in giving
mobile connections is a matter of serious concern. The authorities must act to
spread awareness about the Regulations and to ensure compliance with them. By
reposing trust in the State, the citizens have furnished their vital personal
information including biometric information, and when the State is acting as a
custodian of biometric and demographic information of crores of Indian
citizens, it must act with extra care and caution to ensure that the
Regulations framed by it are complied with, both in letter and spirit, without
fail; especially so when such information is passing through the hands of
private entities.
Published in 'Live Law' on 05.12.2016 as http://www.livelaw.in/use-aadhaar-get-mobile-sim-connections-legal-issues-involved/