The Supreme Court of India, in its much-awaited verdict on Aadhaar delivered this week, has held the Aadhaar Scheme constitutionally valid. However, it has invalidated Section 57 of the Aadhaar Act to the extent that it enabled the contractual use of Aadhaar Data by the State, Body Corporates or any Person. This single observation, holding Section 57 partially invalid, has virtually killed the e-KYC facility enabled by Aadhaar, which Banks, Mobile Wallets, NBFCs, Fintech, Lending Companies, Insurance Companies and Telecom Companies used to onboard customers. Henceforth, they can’t access authentication facilities from UIDAI servers anymore.
This particular decision of the SC has hit the IndiaStack project, which was appreciated around the world, including by Bill Gates, who on his India visit observed and understood the IndiaStack Project and said, “India is on the cusp of leapfrogging!”
IndiaStack and the e-KYC model
IndiaStack is a set of Application Programming Interfaces (APIs) that allows governments, businesses, startups and developers to utilize a unique digital infrastructure to solve India’s hard problems towards presence-less, paperless, and cashless service delivery. This allows people to store and share personal data, and to authenticate using digital signing for documents. IndiaStack is based on Aadhaar, which allows paperless identification, authentication, cashless payment in the form of UPI, and sharing of e-KYC with Banks, Telecom Companies etc. The author has explained IndiaStack in detail in this article.
The e-KYC facility helps service providers in the Public and Private sectors fulfill ‘Know Your Customer’ (KYC) requirements online, paperless, quickly and hassle-free, on the basis of Aadhaar-based authentication. The Beneficiary (Customer) provides his Aadhaar number to prove his identity and then provides his thumb impression to authenticate the genuineness of that identity; the Service Provider then authenticates the identity against UIDAI servers. The e-KYC facility is a subset of IndiaStack.
Section 57 is the mother provision, which has given birth to the IndiaStack and e-KYC. Private Players in Finance, Insurance and Telecom Sectors were using the e-KYC facility, and after the verdict of the SC, Private Players will not be able to access the UIDAI server anymore.
How does it affect Aam Aadmi
Imagine it is the year 2010, and you wish to open a Savings Bank Account. You had to walk into the Bank and submit a photo, proof of Identity and proof of address along with other forms and requisite docs; despite all this formality, it used to take more than 2-3 days for the bank to open your account. To get a SIM card back in 2010, you had to submit a similar set of proof of identity, proof of address and photo to the Telecom Operator, and even then you had to wait 1-2 days for the connection to be activated. In the meanwhile, you were supposed to receive a call in which you had to prove your identity by answering security questions like DOB and Mother’s Maiden Name to the tele-caller.
Compare this with the scenario in 2018, before the Aadhaar verdict. To open a bank account, all you had to do was walk into the bank with no documents whatsoever and provide your Aadhaar Number and thumb impression; you could get the account opened within hours or less, and within the next few hours the bank activated your Savings Account. For buying a SIM card, you just had to walk into the store with no ID card whatsoever, quote your Aadhaar number and provide your thumb impression. This whole procedure took less than 5 minutes, including the time taken for filling up the form and gathering relevant information. After completion of this activity, your SIM card was ready for usage within the next 10 minutes.
With Aadhaar and e-KYC, it became easy for every Indian to get services, not only from Govt. Agencies but also from Private Service Providers. The daily problem of proving your identity to avail any service was solved, and the lives of millions of Indians were made easier. Consider the case of an Indian Citizen who has just shifted to Mumbai from his home state Bihar. With Aadhaar it was easy for him to get a local SIM card or open a Bank account, because changing the address on an Aadhaar Card is very easy and faster than with any other available proof of address. Aadhaar has solved the basic problems of aspiring Indian youth, for whom the whole Nation is one, and who need just one identification to avail any service from Government or Private Service Providers. With the Supreme Court judgement, we are back to square one, and all the hassles of the physical KYC procedure will become a reality.
Blow to Fintech and Startup India
It is the e-KYC facility that has allowed fintech companies like Paytm, Jio and Zerodha to reach new heights in customer acquisition and to deliver services hassle-free to consumers on their mobile devices at home. Reliance Jio would not have been able to acquire 20 million customers in less than 2 years if there was no e-KYC facility. This facility alone has helped Reliance Jio, in a miraculous way, to become the fastest growing and most popular Telecom Company across the World. Paytm would not have been what it is today if there was no e-KYC.
With e-KYC, the cost of acquiring customers and providing various services came down drastically. It has helped service providers to rapidly tap India’s big market and provide services at lesser cost and with much ease. e-KYC provided ease of authentication and did away with the hassles of paperwork, all at a much lower cost.
Was it possible for a startup like Paytm to open offices everywhere in India to acquire customers, and that too on a physical KYC model? Imagine the cost of all this and, most importantly, ask whether the consumer, who adopted Paytm with all love and enthusiasm, would have gone through the physical KYC hassle unless it was an absolute necessity. Holding Section 57 partially invalid would have a far-reaching impact on Indian Startups and the Fintech space.
What did Supreme Court actually do?
To understand that, we need to understand Section 57 of The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016. The section reads:
“Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect: Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.”
This section enabled Government agencies and private players to use Aadhaar data and provide services to Indians on the basis of Aadhaar-based identity. Abuse of the Aadhaar data by Govt agencies and private players could not have been possible, as necessary safeguards were put in place: this use was restricted by Section 8 and Chapter VI.
Section 8 put in place the necessary safeguards on access to Aadhaar Data, so that it cannot be misused to violate the privacy of an individual. Section 8 mandated that, for accessing the Aadhaar Data, the requesting entity has to pay the necessary fee, obtain the necessary consent of the Individual who wished to be authenticated from Aadhaar Data, and ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication. Not only this, the requesting entity was mandated to inform the individual submitting his identity information for authentication of the nature of information that may be shared upon authentication, the uses to which the information received during authentication may be put by the requesting entity, and the alternatives to submission of identity information to the requesting entity. Furthermore, Chapter VI provided the necessary safeguards for Protection of Information and Aadhaar Data.
Hence, though Section 57 allowed Private Players to access Aadhaar data, it came with the necessary data protection and safety mechanisms, which safeguard the data from falling into the wrong hands.
The Supreme Court in its judgment has concluded that, “Section 57, to the extent, which permits use of Aadhaar by the State or any Body Corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. “or any contract to this effect” is struck down.”
The SC, in its Aadhaar verdict, has observed that Section 57 makes use of Aadhaar on two bases. Firstly, “pursuant to any law, for the time being in force” and secondly “any contract to this effect”. When the legislature uses the phrase “pursuant to any law, for the time being in force”, obviously the word law used in Section 57 is a law other than Section 57 of Aadhaar Act, 2016 and the Regulations framed thereunder. When any law permits user of Aadhaar, its validity is to be tested on the anvil of threefold test as laid down in Puttaswamy case (i.e. The Right to Privacy judgement), but permitting use of Aadhaar on any contract to this effect, is clearly in violation of Right of Privacy. A contract entered between two parties, even if one party is a State, cannot be said to be a law.
What is the way forward?
The SC has put Section 57 to the test in view of the Right to Privacy. Accordingly, the SC has not stopped the use of Aadhaar Data by Govt or Private Entities if that use is backed by the necessary law, which in turn has to be constitutionally valid. All that the SC has done is invalidate the use of Aadhaar data when it is backed by Contracts between UIDAI and other entities.
Responding to the Aadhaar verdict on Section 57 of the Aadhaar Act, FM Arun Jaitley has said, “There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing. So my answer in general, the generic answer will depend on what is the rationale… for instance on these private entities, it needs to be backed by law. That’s my understanding. I still have a detailed reading of the judgement to do”. He further added, “The prohibited areas do not assume are perpetually prohibited, they could be procedurally prohibited or they could be prohibited as such,” and “If it is backed by law, it is not unconstitutional”.
The SC should have raised concerns regarding the safety of the data; however, it has totally invalidated contractual use of Aadhaar data. It is for the Government to undo what has been done by providing legal backing to the use of Aadhaar data by private players; at the same time, the safety of the data needs to be further increased. The UIDAI should provide authorised, tamper-proof biometric devices for the use of third party agencies, and the protocol for communication of data between the Aadhaar server and the handheld device from which services are provided should be set in such a way that local storage of Aadhaar and biometric data on any device is impossible. As a further safeguard, the Government can mandate that no data travels from UIDAI servers to the service delivery device, except for what is required for authentication of the beneficiary. The current practice of Private players fetching Name, Address, DOB and Photo from the Aadhaar Server can be stopped, and only authentication of identity and Aadhaar number allowed.
The Government should come up with the necessary law to provide legal backing to the use of Aadhaar Data by Private Entities. There is a pressing need for such a law to enable private players to use Aadhaar Data within the constitutional framework, to keep the dream of Digital India alive. Gone are the days of the Nehruvian Socialist era, where the Growth of India would only include the Growth of Government. The India growth story is incomplete without the growth of its Industries, Businesses, Entrepreneurs, Startups and Public at large.