Case Note:
Constitution - Aadhaar scheme - Right to privacy - Articles 14,19,21,110 and 110(1) of Constitution of India and Sections 7,28(5),29,29(1),29(2),33,47,57,59 of The Aadhaar Act, 2016 - Present petitions filed challenging constitutional validity of Aadhaar Act, 2016 and executive's Scheme notified by Government, by which Unique Identification Authority of India (UIDAI) was constituted to implement UIDAI Scheme - In writ petitions scheme had primarily been challenged on ground that it violates fundamental rights of innumerable citizens of India, namely, right to privacy falling under Article 21 of Constitution of India - Whether provisions of Aadhaar Act, 2016 was liable to be struck down as violative of constitution.
Facts:
The present petition filed to challenge The Aadhaar Act, 2016 and executive's Scheme notified by the Government, by which the Unique Identification Authority of India (UIDAI) was constituted to implement the UIDAI Scheme. It was the submission of the Petitioners that the Constitution balances rights of individuals against State interest. The Aadhaar completely upsets this balance and skews the relationship between the citizen and the State enabling the State to totally dominate the individual.
Held, while disposing off the petitions.
A.K. Sikri, J. (For Chief Justice, himself and A.M. Khanwilkar, J.)
(a) The architecture and structure of the Aadhaar Act reveals that the UIDAI was established as a statutory body which is given the task of developing the policy, procedure and system for issuing Aadhaar numbers to individuals and also to perform authentication thereof as per the provisions of the Act. For the purpose of enrolment and assigning Aadhaar numbers, enrolling agencies are recruited by the Authority. All the residents in India were eligible to obtain an Aadhaar number. To enable a resident to get Aadhaar number, he was required to submit demographic as well as biometric information i.e., apart from giving information relating to name, date of birth and address, biometric information in the form of photograph, fingerprint, iris scan was also to be provided. Aadhaar number given to a particular person was treated as unique number as it could not be reassigned to any other individual.
(b) Insofar as subsidies, benefits or services to be given by the Central Government or the State Government, as the case may be, was concerned, these Governments could mandate that receipt of these subsidies, benefits and services would be given only on furnishing proof of possession of Aadhaar number (or proof of making an application for enrolment, where Aadhaar number was not assigned). An added requirement was that such individual would undergo authentication at the time of receiving such benefits etc. A particular institution/body from which the aforesaid subsidy, benefit or service is to be claimed by such an individual, the intended recipient would submit his Aadhaar number and is also required to give her biometric information to that agency. On receiving this information and for the purpose of its authentication, the said agency, known as Requesting Entity (RE), would send the request to the Authority which shall perform the job of authentication of Aadhaar number. On confirming the identity of a person, the individual is entitled to receive subsidy, benefit or service. Aadhaar number was permitted to be used by the holder for other purposes as well.
(c) In this whole process, any resident seeking to obtain an Aadhaar number is, in the first instance, required to submit her demographic information and biometric information at the time of enrolment. She, thus, parts with her photograph, fingerprint and iris scan at that stage by giving the same to the enrolling agency, which may be a private body/person. Likewise, every time when such Aadhaar holder intends to receive a subsidy, benefit or service and goes to specified/designated agency or person for that purpose, she would be giving her biometric information to that RE, which, in turn, shall get the same authenticated from the Authority before providing a subsidy, benefit or service.
(d) Attack of the Petitioners to the Aadhaar programme and its formation/structure under the Aadhaar Act was founded on the arguments that it is a grave risk to the rights and liberties of the citizens of this country which are secured by the Constitution of India. It militates against the constitutional abiding values and its foundational morality and has the potential to enable an intrusive state to become a surveillance state on the basis of information that is collected in respect of each individual by creation of a joint electronic mesh. In this manner, the Act strikes at the very privacy of each individual thereby offending the right to privacy which is elevated and given the status of fundamental right by tracing it to Articles 14, 19 and 21 of the Constitution of India by a nine Judge Bench judgment of this Court in K.S. Puttaswamy.
(e) The Respondents, had attempted to shake the very foundation of the aforesaid structure of the Petitioners' case. They argue that in the first instance, minimal biometric information of the applicant, who intends to have Aadhaar number, is obtained which is also stored in CIDR for the purpose of authentication. Secondly, no other information is stored. It was emphasised that there was no data collection in respect of religion, caste, tribe, language records of entitlement, income or medical history of the applicant at the time of Aadhaar enrolment. Thirdly, the Authority also claimed that the entire Aadhaar enrolment eco-system is foolproof inasmuch as within few seconds of the biometrics having been collected by the enrolling agency, the said information gets transmitted the Authorities/CIDR, that too in an encrypted form, and goes out of the reach of the enrolling agency. Same was the situation at the time of authentication as biometric information does not remain with the requesting agency. Fourthly, while undertaking the authentication process, the Authority simply matches the biometrics and no other information is received or stored in respect of purpose, location or nature or transaction etc. Therefore, the question of profiling does not arise at all.
(f) In the said scenario, it was necessary, in the first instance, to find out the extent of core information, biometric as well as demographic, that is collected and stored by the Authority at the time of enrolment as well as at the time of authentication. This exercise becomes necessary in order to consider the argument of the Petitioners about the profiling of the Aadhaar holders. On going through this aspect, on the basis of the powerpoint presentation given by CEO of UIDAI, and the arguments of both the sides, including the questions which were put by the Petitioners to CEO of UIDAI and the answers thereupon, the Court has come to the conclusion that minimal possible data, demographic and biometric, is obtained from the Aadhaar holders.
(g) The Court also noticed that the whole architecture of Aadhaar was devised to give unique identity to the citizens of this country. No doubt, a person could have various documents on the basis of which that individual can establish her identify. It may be in the form of a passport, PAN card, ration card and so on. For the purpose of enrolment itself number of documents were prescribed which an individual can produce on the basis of which Aadhaar card could be issued. Thus, such documents, in a way, were also proof of identity. However, there was a fundamental difference between the Aadhaar card as a mean of identity and other documents through which identity could be established. Enrolment for Aadhaar card also requires giving of demographic information as well as biometric information which is in the form of iris and fingerprints. This process eliminates any chance of duplication. It was emphasised that an individual could manipulate the system by having more than one or even number of PAN cards, passports, ration cards etc. When it comes to obtaining Aadhaar card, there was no possibility of obtaining duplicate card. Once the biometric information is stored and on that basis Aadhaar card was issued, it remains in the system with the Authority. Wherever there would be a second attempt for enrolling for Aadhaar and for this purpose same person gives his biometric information, it would be immediately get matched with the same biometric information already in the system and the second request would stand rejected. It was for this reason the Aadhaar card was known as Unique Identification (UID). Such an identity was unparalleled.
(h) There was, then, another purpose for having such a system of issuing unique identification cards in the form of Aadhaar card. A glimpse thereof is captured under the heading Introduction above, while mentioning how and under what circumstances the whole project was conceptualised. To put it tersely, in addition to enabling any resident to obtain such unique identification proof, it is also to empower marginalised Section of the society, particularly those who are illiterate and living in abject poverty or without any shelter etc. It gives identity to such persons also. Moreover, with the aid of Aadhaar card, they could claim various privileges and benefits etc. which were actually meant for these people.
(i) Identity of a person had a significance for every individual in his/her life. In a civilised society every individual, on taking birth, is given a name. Her place of birth and parentage also becomes important as she is known in the society and these demographic particulars also become important attribute of her personality. Throughout their lives, individuals were supposed to provide such information, be it admission in a school or college or at the time of taking job or engaging in any profession or business activity, etc. When all this information was available in one place, in the form of Aadhaar card, it not only becomes unique, it would also qualify as a document of empowerment. Added with this feature, when an individual knows that no other person can clone her, it assumes greater significance.
(j) Thus, the scheme by itself could be treated as laudable when it comes to enabling an individual to seek Aadhaar number, more so, when it is voluntary in nature. Howsoever benevolent the scheme may be, it had to pass the muster of constitutionality. According to the Petitioners, the very architecture of Aadhaar was unconstitutional on various grounds. (k) The Court has taken note of the heads of challenge of the Act, Scheme and certain Rules etc. and clarified that the matter was examined with objective examination of the issues on the touchstone of the constitutional provisions, keeping in mind the ethos of constitutional democracy, Rule of law, human rights and other basic features of the Constitution.
Discussing the scope of judicial review, the Court had accepted that apart from two grounds noticed in Binoy Viswam, on which legislative Act can be invalidated [(a) the Legislature does not have competence to make the law and b) law made is in violation of fundamental rights or any other constitutional provision], another ground, namely, manifest arbitrariness, could also be the basis on which an Act could be invalidated. The issues are examined having regard to the aforesaid scope of judicial review.
(l) From the arguments raised by the Petitioners and the grounds of challenge, it becomes clear that the main plank of challenge is that the Aadhaar project and the Aadhaar Act infringes right to privacy. Inbuilt in this right to privacy is the right to live with dignity, which was a postulate of right to privacy. In the process, discussion leads to the issue of proportionality, viz. whether measures taken under the Aadhaar Act satisfy the doctrine of proportionality.
(m) The Court discussed the contours of right to privacy, as laid down in K.S. Puttaswamy, principle of human dignity and doctrine of proportionality. After taking note of the discussion contained in different opinions of Judges, it stands established, without any pale of doubt, that privacy had now been treated as part of fundamental right. The Court had held that, in no uncertain terms, that privacy had always been a natural right which given an individual freedom to exercise control over his or her personality. The judgment further affirms three aspects of the fundamental right to privacy, namel intrusion with an individual's physical body, informational privacy and privacy of choice.
(n) As succinctly put by Nariman, J., first aspect involves the person himself/herself and guards a person's rights relatable to his physical body thereby controlling the uncalled invasion by the State. Insofar as second aspect, namely, informational privacy is concerned, it does not deal with a person's body but deals with a person's mind. In this manner, it protects a person by giving her control over the dissemination of material that is personal to her and disallowing unauthorised use of such information by the State. Third aspect of privacy relates to individual's autonomy by protecting her fundamental personal choices. These aspects have functional connection and relationship with dignity. In this sense, privacy was a postulate of human dignity itself. Human dignity had a constitutional value and its significance was acknowledged by the Preamble. Further, by catena of judgments, human dignity was treated as fundamental right as a facet not only of Article 21, but that of right to equality (Article 14) and also part of bouquet of freedoms stipulated in Article 19. Therefore, privacy as a right was intrinsic of freedom, liberty and dignity. Viewed in this manner, one could trace positive and negative contents of privacy. The negative content restricts the State from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the State to take all necessary measures to protect the privacy of the individual.
(o) In developing the said concepts, the Court had been receptive to the principles in international law and international instruments. It was a recognition of the fact that certain human rights could not be confined within the bounds of geographical location of a nation but have universal application. In the process, the Court accepts the concept of universalisation of human rights, including the right to privacy as a human right and the good practices in developing and understanding such rights in other countries had been welcomed. In this hue, it could also be remarked that comparative law had played a very significant role in shaping the aforesaid judgment on privacy in Indian context, notwithstanding the fact that such comparative law has only persuasive value. The whole process of reasoning contained in different opinions of the Judges would, thus, reflect that the argument that it was difficult to precisely define the common denominator of privacy, was rejected. While doing so, the Court referred to various approaches to formulating privacy.
(p) This court also remarked the taxonomy of privacy, namely, on the basis of harms, interest and aggregation of rights. This court also discussed the scope of right to privacy with reference to the cases at hand and the circumstances in which such a right can be limited. In the process, we have also taken note of the passage from the judgment rendered by Nariman, J. in K.S. Puttaswamy stating the manner in which law had to be tested when it was challenged on the ground that it violates the fundamental right to privacy.
(q) One important comment which needs to be made at this stage relates to the standard of judicial review while examining the validity of a particular law that allegedly infringes right to privacy. The question was as to whether the Court was to apply strict scrutiny standard or the just, fair and reasonableness standard. In the privacy judgment, different observations were made by the different Judges and the aforesaid aspect was not determined authoritatively, may be for the reason that the Bench was deciding the reference on the issue as to whether right to privacy was a fundamental right or not and, in the process, it was called upon to decide the specific questions referred to it. This Court preferred to adopt a just, fair and reasonableness standard which was in tune with the view expressed by majority of Judges in their opinion. Even otherwise, this is in consonance with the judicial approach adopted by this Court while construing reasonable restrictions that the State could impose in public interest, as provided in Article 19 of the Constitution. Insofar as principles of human dignity were concerned, the Court, after taking note of various judgments where this principle was adopted and elaborated, summed up the essential ingredients of dignity jurisprudence by noticing that the basic principle of dignity and freedom of the individual was an attribute of natural law which becomes the right of all individuals in a constitutional democracy. Dignity had a central normative role as well as constitutional value.
(r) As per Dworkin, there are two principles about the concept of human dignity, First principle regards an intrinsic value of every person, namely, every person has a special objective value which value was not only important to that person alone but success or failure of the lives of every person was important to all of us. It could also be described as self respect which represents the free will of the person, her capacity to think for herself and to control her own life. The second principle was that of personal responsibility, which means every person had the responsibility for success in her own life and, therefore, she must use her discretion regarding the way of life that would be successful from her point of view.
(s) Sum total of this exposition could be defined by explaining that as per the aforesaid view dignity was to be treated as empowerment which makes a triple demand in the name of respect for human dignity, namely respect for one's capacity as an agent to make one's own free choices, respect for the choices so made and respect for one's need to have a context and conditions in which one could operate as a source of free and informed choice.
(t) In the entire formulation of dignity right, respect for an individual is the fulcrum, which was based on the principle of freedom and capacity to make choices and a good or just social order was one which respects dignity via assuring contexts and conditions as the source of free and informed choice. The said discourse on the concept of human dignity is from an individual point of view. That was the emphasis of the Petitioners as well. That would be one side of the coin. A very important feature which the present case had brought into focus was another dimension of human dignity, namely, in the form of common good or public good. Thus, endeavour here was to give richer and more nuanced understanding to the concept of human dignity.
(u) Therefore, this court have to keep in mind humanistic concept of Human Dignity which was to be accorded to a particular segment of the society and, in fact, a large segment. Their human dignity was based on the socio-economic rights that were read in to the Fundamental Rights. When read socio-economic rights into human dignity, the community approach also assumes importance along with individualistic approach to human dignity. It had now been well recognise that at its core, human dignity contains three elements, namely, Intrinsic Value, Autonomy and Community Value. These were known as core values of human dignity. These three elements could assist in structuring legal reasoning and justifying judicial choices in hard cases.
(v) When it comes to dignity as a community value, it emphasises the role of the community in establishing collective goals and restrictions on individual freedoms and rights on behalf of a certain idea of good life. The relevant question was in what circumstances and to what degree should these actions be regarded as legitimate in a constitutional democracy. The liberal predicament that the state must be neutral with regard to different conceptions of the good in a plural society was not incompatible, of course, with limitation resulting from the necessary coexistence of different views and potentially conflicting rights. Such interferences, however, must be justified on grounds of a legitimate idea of justice, an overlapping consensus that could be shared by most individuals and groups. Whenever such tension arises, the task of balancing was to be achieved by the Courts.
(w) In this way, the concept of human dignity had been widened to deal with the issues at hand. As far as doctrine of proportionality was concerned, after discussing the approaches that are adopted by the German Supreme Court and the Canadian Supreme Court, which were somewhat different from each other, this Court has applied the tests as laid down in Modern Dental College & Research Centre, which were approved in K.S. Puttaswamy as well. However, at the same time, a modification was done by focusing on the parameters set down of Bilchitz which were aimed at achieving a more ideal approach. [446]
Dr. D.Y. Chandrachud, J.
(1) In order to deal with the challenge that the Aadhaar Act should not have been passed as a Money Bill, this Court was required to adjudicate whether the decision of the Speaker of the Lok Sabha to certify a Bill as a Money Bill, could be subject to judicial review. The judgment had analyzed the scope of the finality attributed to the Speaker's decision, by looking at the history of Article 110(3) of the Constitution, by comparing it with the comparative constitutional practices which accord finality to the Speaker's decision, by analyzing other constitutional provisions which use the phrase shall be final, and by examining the protection granted to parliamentary proceedings under Article 122. This judgment holds that the phrase shall be final used under Article 110(3) aims at avoiding any controversy on the issue as to whether a Bill was a Money Bill, with respect to the Rajya Sabha and before the President. The language used in Article 110(3) did not exclude judicial review of the Speaker's decision. This also applies to Article 199(3). The immunity from judicial review provided to parliamentary proceedings under Article 122 was limited to instances involving irregularity of procedure. The decisions of this Court in Special Reference, Ramdas Athawale and Raja Ram Pal hold that the validity of proceedings in Parliament or a State Legislature can be subject to judicial review when there is a substantive illegality or a constitutional violation. These judgments make it clear that the decision of the Speaker is subject to judicial review, if it suffers from illegality or from a violation of constitutional provisions. Article 255 had no relation with the decision of the Speaker on whether a Bill is a Money Bill. The three Judge Bench decision in Mohd. Saeed Siddiqui erroneously interpreted the judgment in Mangalore Beedi to apply Articles 212 (or Article 122) and 255 to refrain from questioning the conduct of the Speaker (under Article 199 or 110). The two judge Bench decision in Yogendra Kumar followed Mohd. Saeed Siddiqui. The correct position of law is that the decision of the Speaker under Articles 110(3) and 199(3) is not immune from judicial review. The decisions in Mohd. Saeed Siddiqui and Yogendra Kumar were accordingly overruled. The existence of and the role of the Rajya Sabha, as an institution of federal bicameralism in the Indian Parliament, constitutes a part of the basic structure of the Constitution. The decision of the Speaker of the Lok Sabha to certify a Bill as a Money Bill had a direct impact on the role of the Rajya Sabha, since the latter had a limited role in the passing of a Money Bill. A decision of the Speaker of the Lok Sabha to declare an ordinary Bill to be a Money Bill limits the role of the Rajya Sabha. The power of the Speaker could not be exercised arbitrarily in violation of constitutional norms and values, as it damages the essence of federal bicameralism, which is a part of the basic structure of the Constitution. Judicial review of the Speaker's decision, on whether a Bill was a Money Bill, was therefore necessary to protect the basic structure of the Constitution.
(2) To be certified a Money Bill, a Bill must contain only provisions dealing with every or any one of the matters set out in Sub-clauses (a) to (g) of Article 110(1). A Bill, which had both provisions which fall within Sub-clauses (a) to (g) of Article 110(1) and provisions which fall outside their scope, will not qualify to be a Money Bill. Thus, when a Bill which had been passed as a Money Bill had certain provisions which fall beyond the scope of Sub-clauses (a) to (g) of Article 110(1), these provisions could not be severed. If the bill was not a Money Bill, the role of the Rajya Sabha in its legislative passage could not have been denuded. The debasement of a constitutional institution cannot be countenanced by the Court. Democracy survives when constitutional institutions were vibrant.
(3) The Aadhaar Act creates a statutory framework for obtaining a unique identity number, which was capable of being used for any purpose, among which availing benefits, subsidies and services, for which expenses were incurred from the Consolidated Fund of India, was just one purpose provided under Section 7. Clause (e) of Article 110(1) requires that a Money Bill must deal with the declaring of any expenditure to be expenditure charged on the Consolidated Fund of India (or increasing the amount of the expenditure). Section 7 fails to fulfil this requirement. Section 7 does not declare the expenditure incurred to be a charge on the Consolidated Fund. It only provides that in the case of such services, benefits or subsidies, Aadhaar could be made mandatory to avail of them. Moreover, provisions other than Section 7 of the Act deal with several aspects relating to the Aadhaar numbers enrolment on the basis of demographic and biometric information, generation of Aadhaar numbers, obtaining the consent of individuals before collecting their individual information, creation of a statutory authority to implement and supervise the process, protection of information collected during the process, disclosure of information in certain circumstances, creation of offences and penalties for disclosure or loss of information, and the use of the Aadhaar number for any purpose. All these provisions of the Aadhaar Act did not lie within the scope of Sub-clauses (a) to (g) of Article 110(1). Hence, in the alternate, even if it was held that Section 7 bears a nexus to the expenditure incurred from the Consolidated Fund of India, the other provisions of the Act fail to fall within the domain of Article 110(1). Thus, the Aadhaar Act was declared unconstitutional for failing to meet the necessary requirements to have been certified as a Money Bill under Article 110(1).
(4) The argument that the Aadhaar Act was in pith and substance a Money Bill, with its main objective being the delivery of subsidies, benefits and services flowing out of the Consolidated Fund of India and that the other provisions were ancillary to the main purpose of the Act also holds no ground, since the doctrine of pith and substance was used to examine whether the legislature had the competence to enact a law with regard to any of the three Lists in the Seventh Schedule of the Constitution. The doctrine could not be invoked to declare whether a Bill satisfies the requirements set out in Article 110 of the Constitution to be certified a Money Bill. The argument of the Union of India misses the point that a Bill could be certified as a Money Bill only if it deals with all or any of the matters contained in Clauses (a) to (g) of Article 110(1).
(5) Having held that the Aadhaar Act was unconstitutional for having been passed as a Money Bill this judgment has also analysed the merits of the other constitutional challenges to the legislation as well as to the framework of the project before the law was enacted.
(6) The architecture of the Aadhaar Act seeks to create a unique identity for residents on the basis of their demographic and biometric information. The Act sets up a process of identification by which the unique identity assigned to each individual was verified with the demographic and biometric information pertaining to that individual which was stored in a centralised repository of data. Identification of beneficiaries was integral and essential to the fulfilment of social welfare schemes and programmes, which were a part of the State's attempts to ensure that its citizens have access to basic human facilities. This judgment accepts the contention of the Union of India that there was a legitimate state aim in maintaining a system of identification to ensure that the welfare benefits provided by the State reach the beneficiaries who are entitled, without diversion.
(7) The Aadhaar programme involves application of biometric technology, which uses an individual's biometric data as the basis of authentication or identification and is therefore intimately connected to the individual. While citizens had privacy interests in personal or private information collected about them, the unique nature of biometric data distinguishes it from other personal data, compounding concerns regarding privacy protections safeguarding biometric information. Once a biometric system is compromised, it is compromised forever. Therefore, it ws imperative that concerns about protecting privacy must be addressed while developing a biometric system. Adequate norms must be laid down for each step from the collection to retention of biometric data. At the time of collection, individuals must be informed about the collection procedure, the intended purpose of the collection, the reason why the particular data set is requested and who would have access to their data. Additionally, the retention period must be justified and individuals must be given the right to access, correct and delete their data at any point in time, a procedure familiar to an opt-out option.
(8) Prior to the enactment of the Aadhaar Act, no mandatory obligation was imposed upon the Registrars or the enrolling agencies, to obtain informed consent from residents before recording their biometric data, to inform them how the biometric data would be stored and used and about the existence of adequate safeguards to secure the data. Moreover, prior to the enactment of the Act, while UIDAI had itself contemplated that an identity theft could occur at the time of enrollment for Aadhaar cards, it had no solution to the possible harms which could result after the identity theft of a person.
(9) The Regulations framed subsequently under the Aadhaar Act also did not provide a robust mechanism on how informed consent was to be obtained from residents before collecting their biometric data. The Aadhaar Act and Regulations were bereft of the procedure through which an individual can access information related to his or her authentication record. The Aadhaar Act clearly had no defined options that should be made available to the Aadhaar number holders in case they did not wish to submit identity information during authentication, nor do the Regulations specify the procedure to be followed in case the Aadhaar number holder did not provide consent for authentication.
(10) Sections 29(1) and (2) of the Act create a distinction between two classes of information (core biometric information and identity information), which were integral to individual identity and require equal protection. Section 29(4) of Act suffers from overbreadth as it gives wide discretionary power to UIDAI to publish, display or post core biometric information of an individual for purposes specified by the Regulations.
(11) Sections 2(g), (j), (k) and (t) suffer from overbreadth, as these could lead to an invasive collection of biological attributes. These provisions give discretionary power to UIDAI to define the scope of biometric and demographic information and empower it to expand on the nature of information already collected at the time of enrollment, to the extent of also collecting any "such other biological attributes" that it may deem fit.
(12) There is no clarity on how an individual is supposed to update his/her biometric information, in case the biometric information mismatches with the data stored in CIDR. The proviso to Section 28(5) of the Aadhaar Act, which disallows an individual access to the biometric information that forms the core of his or her unique ID, was violative of a fundamental principle that ownership of an individual's data must at all times vest with the individual. UIDAI is also provided wide powers in relation to removing the biometric locking of residents. With this analysis of the measures taken by the Government of India prior to the enactment of the Aadhaar Act as well as a detailed analysis of the provisions under the Aadhaar Act, 2016 and supporting Regulations made under it, this judgment concludes that the Aadhaar programme violates essential norms pertaining to informational privacy, self-determination and data protection.
(13) The State was under a constitutional obligation to safeguard the dignity of its citizens. Biometric technology which is the core of the Aadhaar programme was probabilistic in nature, leading to authentication failures. These authentication failures have led to the denial of rights and legal entitlements. The Aadhaar project had failed to account for and remedy the flaws in its framework and design which has led to serious instances of exclusion of eligible beneficiaries as demonstrated by the official figures from Government records including the Economic Survey of India and research studies. Dignity and the rights of individuals could not be made to depend on algorithms or probabilities. Constitutional guarantees cannot be subject to the vicissitudes of technology. Denial of benefits arising out of any social security scheme which promotes socio-economic rights of citizens was violative of human dignity and impermissible under our constitutional scheme.
(14) The violations of fundamental rights resulting from the Aadhaar scheme were tested on the touchstone of proportionality. The measures adopted by the Respondents fail to satisfy the test of necessity and proportionality for the following reasons:
(a) Under the Aadhaar project, requesting entities can hold the identity information of individuals, for a temporary period. It was admitted by UIDAI that AUAs may store additional information according to their requirement to secure their system. ASAs had also been permitted to store logs of authentication transactions for a specific time period. It had been admitted by UIDAI that it gets the AUA code, ASA code, unique device code and the registered device code used for authentication, and that UIDAI would know from which device the authentication took place and through which AUA/ASA. Under the Regulations, UIDAI further stores the authentication transaction data. This was in violation of widely recognized data minimisation principles which mandate that data collectors and processors delete personal data records when the purpose for which it had been collected is fulfilled. Moreover, using the meta-data related to the transaction, the location of the authentication could easily be traced using the IP address, which impacts upon the privacy of the individual.
(b) From the verification log, it was possible to locate the places of transactions by an individual in the past five years. It was also possible through the Aadhaar database to track the current location of an individual, even without the verification log. The architecture of Aadhaar poses a risk of potential surveillance activities through the Aadhaar database. Any leakage in the verification log poses an additional risk of an individual's biometric data being vulnerable to unauthorised exploitation by third parties.
(c) The biometric database in the CIDR is accessible to third-party vendors providing biometric search and de-duplication algorithms, since neither the Central Government nor UIDAI have the source code for the de-duplication technology which is at the heart of the programme. The source code belongs to a foreign corporation. UIDAI was merely a licensee. Prior to the enactment of the Aadhaar Act, without the consent of individual citizens, UIDAI contracted with L-1 Identity Solutions (the foreign entity which provided the source code for biometric storage) to provide to it any personal information related to any resident of India. This is contrary to the basic requirement that an individual has the right to protect herself by maintaining control over personal information. The protection of the data of citizens was a question of national security and could not be subjected to the mere terms and conditions of a normal contract.
(d) Before the enactment of the Aadhaar Act, MOUs signed between UIDAI and Registrars were not contracts within the purview of Article 299 of the Constitution, and therefore, did not cover the acts done by the private entities engaged by the Registrars for enrolment. Since there was no privity of contract between UIDAI and the Enrolling agencies, the activities of the private parties engaged in the process of enrolment before the enactment of the Aadhaar Act had no statutory or legal backing.
(e) Under the Aadhaar architecture, UIDAI was the sole authority which carries out all administrative, adjudicatory, investigative, and monitoring functions of the project. While the Act confers these functions on UIDAI, it did not place any institutional accountability upon UIDAI to protect the database of citizens' personal information. UIDAI also takes no institutional responsibility for verifying whether the data entered and stored in the CIDR was correct and authentic. The task has been delegated to the enrolment agency or the Registrar. Verification of data being entered in the CIDR was a highly sensitive task for which the UIDAI ought to have taken responsibility. The Aadhaar Act was also silent on the liability of UIDAI and its personnel in case of their non-compliance of the provisions of the Act or the Regulations.
(f) Section 47 of the Act violates citizens' right to seek remedies. Under Section 47(1) of Act, a court can take cognizance of an offence punishable under the Act only on a complaint made by UIDAI or any officer or person authorised by it. Section 47 was arbitrary as it fails to provide a mechanism to individuals to seek efficacious remedies for violation of their right to privacy. Further, Section 23(2)(s) of the Act requires UIDAI to establish a grievance redressal mechanism. Making the authority which was administering a project, also responsible for providing a grievance redressal mechanism for grievances arising from the project severely compromises the independence of the grievance redressal body.
(g) While the Act creates a regime of criminal offences and penalties, the absence of an independent regulatory framework renders the Act largely ineffective in dealing with data violations. The architecture of Aadhaar ought to have, but had failed to embody within the law the establishment of an independent monitoring authority (with a hierarchy of regulators), along with the broad principles for data protection. This compromise in the independence of the grievance redressal body impacts upon the possibility and quality of justice being delivered to citizens. In the absence of an independent regulatory and monitoring framework which provides robust safeguards for data protection, the Aadhaar Act could not pass muster against a challenge on the ground of reasonableness under Article 14.
(h) No substantive provisions, such as those providing data minimization, had been laid down as guiding principles for the oversight mechanism provided under Section 33(2) of Act, which permits disclosure of identity information and authentication records in the interest of national security.
(i) Allowing private entities to use Aadhaar numbers, under Section 57 of Act would lead to commercial exploitation of the personal data of individuals without consent and could also lead to individual profiling. Profiling could be used to predict the emergence of future choices and preferences of individuals. These preferences could also be used to influence the decision making of the electorate in choosing candidates for electoral offices. This was contrary to privacy protection norms. Data cannot be used for any purpose other than those that have been approved. While developing an identification system of the magnitude of Aadhaar, security concerns relating to the data of billion citizens ought to be addressed. These issues had not been dealt with by the Aadhaar Act. By failing to protect the constitutional rights of citizens, Section 57 violates Articles 14 and 21.
(j) Section 57 of Act was susceptible to be applied to permit commercial exploitation of the data of individuals or to affect their behavioural patterns. Section 57 could not pass constitutional muster. Since it is manifestly arbitrary, it suffers from overbreadth and violates Article 14.
(k) Section 7 suffers from overbreadth since the broad definitions of the expressions services and benefits enable the government to regulate almost every facet of its engagement with citizens under the Aadhaar platform. If the requirement of Aadhaar was made mandatory for every benefit or service which the government provides, it was impossible to live in contemporary India without Aadhaar. The inclusion of services and benefits in Section 7 was a pre-cursor to the kind of function creep which is inconsistent with the right to informational self-determination. Section 7 of Act was therefore arbitrary and violative of Article 14 in relation to the inclusion of services and benefits as defined.
(l) The legitimate aim of the State could be fulfilled by adopting less intrusive measures as opposed to the mandatory enforcement of the Aadhaar scheme as the sole repository of identification. The State had failed to demonstrate that a less intrusive measure other than biometric authentication would not subserve its purposes. That the state has been able to insist on an adherence to the Aadhaar scheme without exception was a result of the overbreadth of Section 7 of Act.
(m) When Aadhaar was seeded into every database, it becomes a bridge across discreet data silos, which allows anyone with access to this information to re-construct a profile of an individual's life. This was contrary to the right to privacy and poses severe threats due to potential surveillance.
(n) One right could not be taken away at the behest of the other. The State had failed to satisfy this Court that the targeted delivery of subsidies which animate the right to life entails a necessary sacrifice of the right to individual autonomy, data protection and dignity when both these rights are protected by the Constitution.
(15) Section 59 of the Aadhaar Act seeks to retrospectively validate the actions of the Central Government done prior to the Aadhaar Act pursuant to Notifications. Section 59 did not validate actions of the state governments or of private entities. Moreover, the notification of 2009 did not authorise the collection of biometric data. Consequently, the validation of actions taken under the notification by Section 59 did not save the collection of biometric data prior to the enforcement of the Act. While Parliament possesses the competence to enact a validating law, it must cure the cause of infirmity or invalidity. Section 59 fails to cure the cause of invalidity prior to the enactment of the Aadhaar Act. The absence of a legislative framework for the Aadhaar project left the biometric data of millions of Indian citizens bereft of the kind of protection which must be provided to comprehensively protect and enforce the right to privacy. Section 59 therefore fails to meet the test of a validating law since the complete absence of a regulatory framework and safeguards could not be cured merely by validating what was done under the notifications.
(16) The decision in Puttaswamy recognised that revenue constitutes a legitimate state aim in the three-pronged test of proportionality. However, the existence of a legitimate aim was insufficient to uphold the validity of the law, which must also meet the other parameters of proportionality spelt out in Puttaswamy.
(17) The seeding of Aadhaar with PAN cards depends on the constitutional validity of the Aadhaar legislation itself. Section 139AA of the Income Tax Act 1962 was based on the premise that the Aadhaar Act itself was a valid legislation. Since the Aadhaar Act itself was now held to be unconstitutional for having been enacted as a Money Bill and on the touchstone of proportionality, the seeding of Aadhaar to PAN Under Article 139AA did not stand independently.
(18) The 2017 amendments to the PMLA Rules fail to satisfy the test of proportionality. The imposition of a uniform requirement of linking Aadhaar numbers with all account based relationships proceeds on the presumption that all existing account holders as well as every individual who seeks to open an account in future was a potential money-launderer. No distinction had been made in the degree of imposition based on the client, the nature of the business relationship, the nature and value of the transactions or the actual possibility of terrorism and money-laundering. The Rules also fail to make a distinction between opening an account and operating an account. Moreover, the consequences of the failure to submit an Aadhaar number are draconian. In their present form, the Rules were clearly disproportionate and excessive. This holding would not preclude the Union Government in the exercise of its Rule making power and the Reserve Bank of India as the regulator to re-design the requirements in a manner that would ensure due fulfillment of the object of preventing money-laundering, subject to compliance with the principles of proportionality as outlined in this judgment.
(19) Mobile phones had become a ubiquitous feature of the lives of people and the linking of Aadhaar numbers with SIM cards and the requirement of e-KYC authentication of mobile subscribers must necessarily be viewed in this light. Applying the proportionality test, the legitimate aim of subscriber verification, had to be balanced against the countervailing requirements of preserving the integrity of biometric data and the privacy of mobile phone subscribers. Mobile phones were a storehouse of personal data and reflect upon individual preferences, lifestyle and choices. The conflation of biometric information with SIM cards poses grave threats to individual privacy, liberty and autonomy. Having due regard to the test of proportionality which had been propounded in Puttaswamy and as elaborated in this judgment, the decision to link Aadhaar numbers with mobile SIM cards was neither valid nor constitutional. The mere existence of a legitimate state aim would not justify the disproportionate means which had been adopted in the present case. The biometric information and Aadhaar details collected by Telecom Service Providers shall be deleted forthwith and no use of the said information or details shall be made by TSPs or any agency or person or their behalf.
(20) Defiance of judicial orders (both interim and final) be it by the government or by citizens negates the basis of the Rule of law. Both propriety and constitutional duty required the Union government to move this Court after the enactment of the Aadhaar Act for variation of this Court's interim orders. Institutions of governance were bound by a sense of constitutional morality which requires them to abide by judicial orders.
(21) Identity was necessarily a plural concept. The Constitution also recognizes a multitude of identities through the plethora of rights that it safeguards. The technology deployed in the Aadhaar scheme reduces different constitutional identities into a single identity of a twelve-digit number and infringes the right of an individual to identify herself/himself through a chosen means. Aadhaar was about identification and was an instrument which facilitates a proof of identity. It must not be allowed to obliterate constitutional identity.
(22) The entire Aadhaar programme, since 2009, suffers from constitutional infirmities and violations of fundamental rights. The enactment of the Aadhaar Act did not save the Aadhaar project. The Aadhaar Act, the Rules and Regulations framed under it, and the framework prior to the enactment of the Act were unconstitutional.
(23) To enable the government to initiate steps for ensuring conformity with this judgment, it is directed under Article 142 that the existing data which has been collected shall not be destroyed for a period of one year. During this period, the data shall not be used for any purpose whatsoever. At the end of one year, if no fresh legislation had been enacted by the Union government in conformity with the principles which had been enunciated in this judgment, the data shall be destroyed.
Creating strong privacy protection laws and instilling safeguards may address or at the very least assuage some of the concerns associated with the Aadhaar scheme which severely impairs informational self-determination, individual privacy, dignity and autonomy. In order to uphold the democratic values of the Constitution, the government needs to address the concerns highlighted in this judgment which would provide a strong foundation for digital initiatives, which are imminent in today's digital age. However, in its current form, the Aadhaar framework does not sufficiently assuage the concerns that have arisen from the operation of the project which had been discussed in this judgment. [787]
Ashok Bhushan, J.
(1) The requirement under Aadhaar Act to give one's demographic and biometric information does not violate fundamental right of privacy.
(2) The provisions of Aadhaar Act requiring demographic and biometric information from a resident for Aadhaar Number pass three-fold test as laid down in Puttaswamy (supra) case, hence could not be said to be unconstitutional.
(3) Collection of data, its storage and use did n`ot violate fundamental Right of Privacy.
(4) Aadhaar Act did not create an architecture for pervasive surveillance.
(5) Aadhaar Act and Regulations provides protection and safety of the data received from individuals.
(6) Section 7 of the Aadhaar was constitutional. The provision did not deserve to be struck down on account of denial in some cases of right to claim on account of failure of authentication.
(7) The State while enlivening right to food, right to shelter etc. envisaged under Article 21 could not encroach upon the right of privacy of beneficiaries nor former could be given precedence over the latter.
(8) Provisions of Section 29 of Act was constitutional and did not deserves to be struck down.
(9) Section 33 of Act could not be said to be unconstitutional as it provides for the use of Aadhaar data base for police investigation nor it can be said to violate protection granted under Article 20(3).
(10) Section 47 of the Aadhaar Act could not be held to be unconstitutional on the ground that it did not allow an individual who finds that there was a violation of Aadhaar Act to initiate any criminal process.
(11) Section 57 of Act, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect was unconstitutional and void. Thus, the last phrase in main provision of Section 57 of Act, i.e. or any contract to this effect was struck down.
(12) Section 59 of Act had validated all actions taken by the Central Government under the notifications and all actions shall be deemed to have been taken under the Aadhaar Act.
(13) Parental consent for providing biometric information Under Regulation 3 and demographic information under Regulation 4 had to be read for enrolment of children between five to eighteen years to uphold the constitutionality of Regulations 3 and 4 of Aadhaar (Enrolment and Update) Regulations, 2016.
(14) Rule 9 as amended by PMLA (Second Amendment) Rules, 2017 was not unconstitutional and did not violate Articles 14, 19(1)(g), 21 and 300A of the Constitution and Sections 3, 7 and 51 of the Aadhaar Act. Further Rule 9 as amended was not ultra vires to PMLA Act, 2002.
(15) Circular being unconstitutional was set aside.
(16) Aadhaar Act had been rightly passed as Money Bill. The decision of Speaker certifying the Aadhaar Bill, 2016 as Money Bill was not immuned from Judicial Review.
(17) Section 139-AA of Act did not breach fundamental Right of Privacy as per Privacy judgment in Puttaswamy case. [1173]
Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. (26.09.2018 - SC) : MANU/SC/1054/2018