India’s Aadhaar Law and Cyber Security, with a legal eye
Issues pertaining to cyber security of Aadhaar ecosystem need to be very well examined and analyzed. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 not only symbolizes the biometric identity of individuals, but it also symbolizes biometric and demographic face of the biggest democracy in the world.
By Pavan Duggal
March 2016 was a historic month in the legislative history of India. This was the month in which the Parliament of India debated and passed a legislation dedicated to Aadhaar, namely the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The said Act received the assent of the President of India on 25th March, 2016 and came into effect thereafter.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is indeed very significant, as it has for the first time provided legal sanctity and validity to the Aadhaar ecosystem. It is pertinent to note that earlier, in 2009, when Aadhaar was introduced, it was done by means of an act of the Executive. From 2009 to 2016, not a single legislation was passed by Parliament granting legality to the Aadhaar ecosystem. Meanwhile, various Public Interest Litigations were filed in the Supreme Court of India, and the Supreme Court held that Aadhaar cannot be made mandatory by the Government until such time as the privacy related issues concerning the Aadhaar ecosystem are effectively determined by the Supreme Court.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is a law that aims to provide, as a matter of good governance, for the efficient, transparent and targeted delivery of subsidies, benefits and services, the expenditure for which is provided from the Consolidated Fund of India, to individuals residing in India through the assigning of unique identity numbers to such individuals.
The said legislation deals with enrolment and the grant of Aadhaar Numbers on the receipt of demographic information and biometric information from the applicant. The term “demographic information” has been defined to include information relating to name, date of birth, and other relevant information as may be specified for the purposes of issuing an Aadhaar Number. However, the definition of demographic information does not include race, religion, caste, tribe, language, records of entitlement, income or medical history. Further, since Aadhaar is based on biometric information, biometric information has been defined to mean photograph, fingerprint, iris scan, or such other biological attributes of an individual as may be specified by regulations.
The legislation has provided for the establishment, operation and maintenance of the Central Identities Data Repository for all the biometric and demographic information of Aadhaar Number holders. Further, the Unique Identification Authority of India (UIDAI) has been given the responsibility of authenticating the Aadhaar Number of an Aadhaar Number holder in relation to his or her biometric or demographic information, on a request made to the said Authority by any requesting party.
Given that Aadhaar deals with biometric information, the same is sensitive personal data within the meaning of the law, as defined under the Information Technology Act, 2000 and the rules and regulations made thereunder. In the context of the Aadhaar ecosystem, the security of identity information thus becomes critical.
The Unique Identification Authority of India (UIDAI) has been saddled with the primary responsibility of ensuring the security of identity information and authentication records of individuals. Further, the Authority has been mandated to take all necessary steps to ensure that information in its possession or control is secured and protected against access, use or disclosure not permitted under the law, and against loss, destruction or damage.
A perusal of a number of offences under Chapter VII of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, including unauthorized access to the Central Identities Data Repository, shows that they have not been given the kind of deterrent effect that matches the expectations of people.
In this regard, the cyber security protection elements pertaining to Aadhaar assume tremendous significance. Under Section 28 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the Authority has been mandated to adopt and implement appropriate technical and organisational security measures for the information in question. However, what the said appropriate technical and security measures will be has not been defined.
The Indian Cyberlaw mandates that reasonable security practices and procedures must be undertaken by a legal entity dealing with, handling or processing sensitive personal data. Further, the Indian Cyberlaw has made ISO 27001 an embodiment of reasonable security practices and procedures. In this context, we find that the cyber security parameters in respect of the Aadhaar ecosystem have not been so prescribed, thereby leading to potential confusion.
The issues pertaining to cyber security as defined under the Information Technology Act, 2000, in my opinion, are equally applicable in the context of the Aadhaar ecosystem. The Aadhaar legislation has not really gone much deeper into the issue of protection and preservation of cyber security pertaining to the Aadhaar ecosystem. It is important to appreciate that the Aadhaar ecosystem is a Critical Information Infrastructure of India and as such, there is a need for specific provisions to enhance the cyber security of the said Critical Information Infrastructure.
Further, it is pertinent to note that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 itself does not have any specific provisions for protection and preservation of cyber security in the context of the Aadhaar ecosystem. However, it is pertinent to note that the Central Government has been given the discretion to make rules to carry out the provisions of this Act. The Central Government can come up with specific cyber security parameters for protecting and preserving not just the Aadhaar Numbers, but also the connected biometric and demographic information and also all contents pertaining to the Central Identities Data Repository.
Issues pertaining to cyber security of the Aadhaar ecosystem need to be very well examined and analyzed. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 not only symbolizes the biometric identity of individuals, but also symbolizes the biometric and demographic face of the biggest democracy in the world. As such, it is reasonable to expect that, with the passage of time, the Aadhaar ecosystem could potentially be targeted by various state and non-state actors. An unauthorized breach of its cyber security could prejudicially impact not only its own security but also the preservation and protection of India’s cyber security, sovereignty and integrity. If this aspect is not given the requisite focus and emphasis, this could lead to potential cyber security breaches which could impact not just the Aadhaar ecosystem as a whole, but also people’s confidence and trust in the Aadhaar ecosystem as the identity system.
All stakeholders are looking to the Government to come up with appropriate cyber security mechanisms, processes and procedures which can help make the Aadhaar ecosystem far more protected from unauthorized intrusion by state and non-state actors. This is a matter of urgent and immediate concern. It is common knowledge that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 was passed very quickly. In this context, the responsibility lies on the Central Government to ensure that it puts in place adequate norms, procedures and mechanisms, in addition to the norms already stipulated under the Information Technology Act, 2000, to deal with the cyber security aspects of the biometric information of Aadhaar in the Central Identities Data Repository, so as to make the Aadhaar ecosystem far safer and more secure.
The author, Pavan Duggal, is an Advocate, Supreme Court of India, and a leading expert and authority on Cyberlaw, Cybersecurity Law & Mobile Law. The author is also President of Cyberlaws.net and Head of Pavan Duggal Associates, Advocate.