Implications Of The Aadhaar Judgment

It is likely that the UIDAI will issue guidelines/instructions setting out how the Aadhaar Judgment will be operationalized and will also hopefully clarify some of the key questions that have arisen...

This note discusses some of the key implications of the decision of the Supreme Court of India (SC) in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India on September 26, 2018 (Aadhaar Judgment) that examined the constitutional validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act).

The majority comprising Justice A.K. Sikri, former Chief Justice of India Dipak Misra, Justice A.M. Khanwilkar and Justice Ashok Bhushan (who wrote a concurring opinion) upheld the constitutionality of the provisions of the Aadhaar Act, with certain exceptions. Justice D.Y.Chandrachud issued the sole dissenting opinion.

Implications on Aadhaar-based e-KYC Authentication

• Legal framework for e-KYC authentication: Section 57 of the Aadhaar Act permitted the use of the Aadhaar number of a person to establish the identity of an individual by the State, body corporate or any person pursuant to either a legal requirement or a contractual arrangement. Under Section 57, private entities (banks, NBFCs, financial services entities, telecom operators) used Aadhaar as a means to onboard customers and undertake e-KYC authentication.
• Constitutionality of Section 57 of the Aadhaar Act: The SC has found Section 57 to be unconstitutional on the ground that it allows private entities to use Aadhaar authentication to establish the identity of an individual for any purpose which was held to be too broad. The SC read down the meaning of for any purpose to mean a purpose backed by law and struck down the provision permitting use of Aadhaar authentication by private entities pursuant to a contract.
• Constitutionality of Rule 9 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Records Rules): The judgment also considered Rule 9 of the PML Records Rules, which mandated the submission of Aadhaar numbers to reporting

  entities under the Prevention of Money Laundering Act, 2002, for the purposes of KYC authentication. The majority opinion of the SC has held the mandatory requirement of providing Aadhaar details under the PML Record Rules to be violative of the doctrine of proportionality and of the right to privacy of a person and has held Rule 9 of the PML Records Rules to be unconstitutional in its entirety.

• Will e-KYC authentication still be permitted?: Private entities (banks, NBFCs, payment system operators, mobile wallets or any other private bodies) can no longer undertake e-KYC authentication of individuals using Aadhaar, even if done under a contract where

  consent of the individual is obtained. Given that Rule 9 of the PML Records Rules has also been struck down,

  there exists no law that can be used as a basis to require such e-KYC authentication.

Can an Aadhaar holder grant voluntary access to his/her Aadhaar number or data?

The SC has read down Section 57 of the Aadhaar Act as follows: the Aadhaar number may be used for establishing the identity of an individual for any purpose whether by the State or by any body corporate or person, pursuant to any law. In the context of use of Aadhaar by a body corporate, there must be enabling legislation that permits such entity from using the Aadhaar number. Private contractual

arrangements (where consent of the data provider has been obtained) are no longer permitted. Consequently,

in the absence of an enabling legislation, even where an individual grants a private body access to his/her Aadhaar number under a contractual arrangement or otherwise, the Aadhaar number cannot be used to establish identity.

What does this mean for Global AUAs and Local AUAs?

The Aadhaar Judgment does not affect the validity of the Global AUA and Local AUA classification by UIDAI.

However, following the reading down of Section 57 of the Aadhaar Act by the SC, neither a Global AUA nor a

Local AUA can undertake Aadhaarbased e-KYC authentication going forward.

Data Retention Requirements

• Existing Framework: The Aadhaar Act, read with the Aadhaar

  (Authentication) Regulations, 2016 (Authentication Regulations), provides for the following data retention requirements:
  
  o For the UIDAI: Regulations 26 and 27 of the Authentication

  Regulations require the UIDAI to retain authentication transaction data for a period of 6 (six) months and

  subsequently archive the data for a period of 5 (five) years before deletion.
  
  o For requesting entities: Regulations 18(2) and 18(3) of the Authentication Regulations require entities that sought authentication via Aadhaar to maintain logs of authentication transactions for a period of 2 (two) years and archive them for a further 5 (five) years before deletion.
  
  o For Authentication Service Agencies (ASAs): Regulations 20(2) and 20(3) of the Authentication

  Regulations require ASAs to store logs of the authentication transactions processed by them for a period of 2 (two) years and subsequently archive them for a period of 5 (five) years before deletion.

• How has this changed with the Aadhaar Judgment: The SC has said that the retention of data beyond a period of 6 months is impermissible and has prohibited UIDAI from storing authentication transaction data beyond a period of 6 months. While the Supreme

  Court has not introduced similar restrictions re: archiving requirements for requesting entities or ASAs

  (pursuant to Regulations 18(2), 18(3), 20(2) and 20(3) of the Authentication Regulations), given that private

  companies and body corporates are no longer permitted to conduct Aadhaar-based e-KYC authentication, such

  entities will no longer have any access to such data. The SC has not commented on how the existing date

  that has already been collected and stored lawfully by requesting entities or ASAs should be treated. For

  now, in our view, such entities may continue to comply with the data retention requirements as provided in the

  Authentication Regulations, until such time further clarifications are issued by the UIDAI.

• Metadata storage: Under Regulation 26(1)(c) of the Authentication Regulations, the UIDAI was required to store metadata related to the authentication transaction. However, the SC has prohibited retention of business and technical metadata. Consequently, UIDAI is permitted to only retain process metadata. The Supreme Court has directed the government to reframe the Authentication Regulations accordingly.

Mandatory Linkage with PAN, bank accounts and mobile numbers

• Section 139AA of the Income Tax Act, 1961, which mandates the linking of Aadhaar numbers with PAN, has been found to be valid and constitutional. Consequently, all PAN holders must link their Aadhaar number with their PAN.
• The SC has struck down the requirement of mandatory linking of Aadhaar numbers with bank accounts.
• The circular issued by the Department of Telecommunications dated March 23,

  2017 which mandated linking of mobile numbers with Aadhaar has been stated to be unconstitutional and has

  been quashed.

What can we expect next?

• In its reading down of Section 57 of the Aadhaar Act, the SC has indicated that private players may be allowed access to Aadhaar-based authentication if backed by appropriate legislation. Press reports seem to indicate that the Central Government may be open to introducing

  required legislation to allow private players the ability to use Aadhaar numbers for purposes of establishing

  identity (essentially, in order to be able to undertake e-KYC authentication).

• There is no clarity on what private entities who have retained (in their records) lawfully obtained Aadhaarlinked data are required to do with such data going

  forward. Also, where such data was obtained in connection with completing KYC procedures, such data cannot be destroyed without completing an alternative KYC check. We hope that the RBI provides some clarity on

  this issue.

• The position of Global and Local AUAs (categorized by the UIDAI) going forward is unclear given that neither can undertake a Yes/No or an e-KYC authentication.
• There is also no clarity re: whether unregulated financial entities can accept and store copies of Aadhaar cards from individual users for purposes other than identity identification.
• It is likely that the UIDAI will issue guidelines /instructions setting out how the Aadhaar Judgment will be operationalized and will also hopefully clarify some of these issues.

Conclusions

The Aadhaar Judgment has delivered a blow to the payments and digital finance sector. The SC has completely

struck down the ability of non-State players to access Aadhaar data of private individuals (even where it is provided voluntarily). E-KYC provided the FinTech sector with an effective and low-cost means to onboard customers and complete KYC. Now that e-KYC authentication is no longer available, players will need to evaluate costs and revert to physical KYC checks.

The SC has indicated that with the backing of law, private players may still be able to use Aadhaar as a means of authentication and verifying identity. It remains to be seen whether such a law is in fact forthcoming, and if yes, how soon?

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.