Aadhaar's tryst with privacy
It must be very embarrassing for the UIDAI. They are having to become the champions of 'privacy' of the persons on their database after holding on to a position that privacy was not an issue in the UID project. In the past year, an impressive array of petitioners had approached the Supreme Court challenging the UID project. They were asking the court to intervene and protect the citizenry from a project that was aggressively building a database of residents even after Parliament had said 'no' to it; that there was no law, and no protection against the data being used, mined and shared with all manner of agencies and companies including, significantly, companies with close links with foreign intelligence agencies.
Governments were making UID enrolment mandatory for getting wages, pensions, scholarships, rations, subsidies for kerosene and LPG, and to register marriages, rental agreements, wills and sale deeds … the list seemed to go on without end. Evidence revealed that the UIDAI was canvassing for the UID number to be adopted in all manner of systems. And, 'privacy' was used as a shorthand to express the varied concerns that the project had begun to raise.The UIDAI gave short shrift to the concerns raised about privacy. They said: "The contention that the scheme impinges on the numerous fundamental rights including the right to privacy is denied. The UIDAI seeks only very basic data on demographics like name, age or date of birth, gender and postal address. In case of biometric data, the fingerprint scans and iris are essential to undertake the de-duplication …."
And so these did not constitute any threat to privacy.Now, in February-March 2014, here was the UIDAI before the courts making an elaborate pitch for the fundamental right to privacy of the Indian resident. It began with the CBI being given the task of investigating the rape of a seven-year-old in January 2013 in a toilet in her school in Goa. Months after the occurrence, the CBI claimed to have found a 'chance palm print' to try and identify which, they said, they wanted the UIDAI to hand over to them its database of persons enrolled in Goa; and the Judicial Magistrate obliged them with an order. The UIDAI appealed the order, first to the Bombay High Court, and then to the Supreme Court. And 'privacy' was one of the main planks on which their arguments rested. They invoked Article 14, Article 21, Article 20 (3), Section 124 of the Evidence Act. They referred to a 1997 decision of the Supreme Court which held that the right to privacy is a part of the right to life and personal liberty "enshrined in Article 21 of the Constitution". They sought support from the 'triple test' set out in a case, and said that they could not be asked to disclose information held by them unless the 'triple test' that involved Articles 14, 19 and an emphasis on procedural protection had been met.
They drew on the decision about techniques such as narco analysis that were administered on a person which, the Supreme Court had held, violated the boundaries of privacy. With this, the UIDAI is saying that rules do exist and apply, but only for others; and not for the proponents of this extraordinary project. Interesting take. What the CBI is saying is, plainly, unacceptable: that there is a database, we have an unsolved case that is causing public outrage, so let us do a roving inquiry with a database, now that it exists, and never mind what it means for those who have been made to hand over their biometrics to an entity that, in any case, is not bound by any law. The UIDAI's arguments are valid, all right. But why would privacy not be similarly relevant when dealing with the UIDAI? And where is the UIDAI going to find the forked tongue that will defend and defy privacy rights, in one single contradictory breath?As for the court, on March 24, 2014, it directed that the UIDAI was "restrained from transferring any biometric information of any person who has been allotted the Aadhaar number to any other agency without his/her consent in writing".
The UIDAI says it is okay for it to hang on to the data of residents because they have given it 'voluntarily'. But the UIDAI has been caught out using the 'mandating' of the UID number — it uses the word 'insist' — for all manner of services and subsidies to get people to enrol 'voluntarily'. The court ordered, on September 23, 2013, that "no person should suffer for not having an Aadhaar card" even if some authority had said it would be mandatory. This seems to have been too complicated for the agencies, and the court has had to say it again, in simpler terms, on March 24, 2014.
They had earlier depicted the 0.057 per cent false positive identification rate — where the wrong person may be identified as a match — as a miniscule number. Now they had to admit that "applied on the UIDAI database of 60 crore residents (this) will imply false matches of lakhs of residents….(which) would put lakhs of innocent residents under the scanner."Echoing the concerns raised by those questioning the UID project, the UIDAI said in their petition to the Bombay High Court: "Further, there is also no saying if the said data could be misused by any person in whose possession it is handed." Quite an admission, that.Till this point, the UIDAI strategised like one who 'owns' the database might — planning for a 'revenue model', projecting profits, and independence from the government. Suddenly, they have had to change the language and use terms such as 'custodian' and 'trustee' of the residents' demographic and biometric data. Quite a climbdown, even if it is still only nominal.There is a lot more where that comes from, and a lot more to worry about.
The writer works on the jurisprudence of law, poverty and rights