Tuesday, May 30, 2017

The Aadhaar legal framework is broken

The regulations are weak on grievance redressal and completely absent in the case of authentication and data security

Co-authored with Vrinda Bhandari
30 May 2017
LiveMint

Aadhaar has in recent times become an important tool in the government armoury. From welfare receipts to filing tax returns, an Aadhaar number is now an all-pervasive prerequisite. As Aadhaar becomes the core around which our relationship with the state revolves, we need to ask ourselves if the surrounding legal framework provides enough clarity on the enrolment, authentication, and storage processes. Are there adequate protections against misuse? Do citizens have access to an adequate grievance redressal mechanism? We think the answers to these questions are a resounding no.

Before explaining further, it is important to understand the authority that runs and regulates Aadhaar. The Unique Identification Authority of India (UIDAI) is the agency responsible for Aadhaar enrolment and authentication, ensuring the security of individuals’ identity information, and managing the grievance redressal mechanism. Two legal instruments shape UIDAI’s behaviour: the Aadhaar Act, 2016, and the Aadhaar Regulations, 2016, on enrolment, authentication, data security, and sharing of information. We need these to be precise, and to provide for adequate checks and balances to hold UIDAI accountable.

Herein lies the problem. There is not enough clarity on important aspects pertaining to the Aadhaar scheme. The Aadhaar Act left several aspects, such as the information required for enrolment and verification, the procedure of sharing identity information, and the security protocols, to be specified “by regulations”. So we have a law that has decided to not specify these core issues, in the expectation that they would be fleshed out in future regulations.

However, even the regulations issued by UIDAI left key aspects to be specified by it at a future undetermined date. For instance, the “standards” for collecting biometric and demographic information, and the procedure for updating biometric information of children are to be “specified by the Authority”. Similarly, UIDAI shall generate the Aadhaar number after de-duplication and “other checks as specified by the Authority”. Throughout the regulations, the phrase “specified by Authority” has been used 51 times. So, today, seven years after the first Aadhaar number was issued, we still do not have clarity on several issues that are key to Aadhaar’s functioning.

It may sometimes be justified, as in the case of technical information, for UIDAI to leave things unspecified. But when issues that determine how sensitive, personal information is collected, authenticated, stored, used, and shared with third parties are left unspecified, it becomes cause for concern. Moreover, we do not even know if, and when, UIDAI will specify these issues, as there seems to be no obligation on it to do so.

The regulations are also weak on grievance redressal, and the Aadhaar Regulations on authentication and data security contain no grievance redressal provisions at all. There is little information about the actual process of redress, how it will work, the composition of the “contact centres”, the performance standards and timelines on which their work will be evaluated, the binding nature of the resolution mechanism, the identity of the final decision-maker, and the possibility of appealing/challenging UIDAI’s decision.

Even when it comes to the omission or deactivation of an Aadhaar number, the regulations provide little remedy. First, there is no requirement for UIDAI to hear the person whose Aadhaar number is sought to be omitted or deactivated, and thus no requirement to follow principles of natural justice. Second, UIDAI’s decision (based on a report submitted by its nominated “agency” after following procedures “to be specified” in the future) is final, and no appellate remedy has been provided for. Finally, the Aadhaar number holder will simply be informed about this decision by text message, and his/her only remedy will be to use the completely inadequate grievance redressal mechanism (“contact centres”). When you consider the consequences of deactivation, such that a person may be excluded from benefit receipts, or may not be able to file tax returns, the lack of substance in the grievance redressal process becomes hugely problematic.

The Aadhaar Act and regulations also say little on enforcement. The Act has a specific chapter on offences and penalties, where it criminalizes certain actions such as unauthorized access or disclosure of identity information. However, unlike most other statutes, only UIDAI can file a criminal complaint for violations of the Act, and not the person aggrieved. Thus, if UIDAI thinks that a complaint is not worth pursuing, then the Aadhaar number holder has no remedy and no means of holding UIDAI to account. Further, the Aadhaar Act does not talk about damages to the affected person. There are also no clear procedures for imposing liabilities on enrolment or authentication service agencies, thus reducing the incentives of these service providers to comply with the legal framework.

Aadhaar is the centrepiece of the government’s agenda. However, the enrolment and authentication processes are still operating in a sort of legal vacuum. In the absence of a privacy law in India, the need for an effective accountability and enforcement mechanism in the Act becomes even more important. There is thus an urgent need to introduce amendments to the Aadhaar Act and regulations to address these problems.

Sunday, May 7, 2017

Grievance redress and enforcement problems in the Aadhaar legal framework


Over the last few weeks, there has been a furore over the divulging of Aadhaar details, ranging from the information of pensioners in Jharkhand to that of a famous cricketer (M. S. Dhoni), being made available publicly. The UIDAI has responded swiftly by filing FIRs against 8 websites, and also shutting down several others to prevent the misuse of data. Other complaints about Aadhaar have included instances of failure of biometric authentication, server and connectivity problems, cryptic error messages, and identity theft.

A recent paper by CIS reported that around 130-135 million Aadhaar numbers and 100 million bank account numbers were estimated to have leaked from four government portals. It is unclear whether these Aadhaar numbers had been inadvertently published by the government portals (without realising the consequences of their actions) or had been displayed as a measure of transparency. Either way, while Dhoni may be famous enough to reach out to the UIDAI, other ordinary citizens have not been so fortunate.


A key component of a system, especially one that interfaces with individuals, is its ability to provide protection to its intended users from being harassed, misled, or deceived. One way of ensuring this is to provide access to a reasonable mechanism of grievance redress, where citizens can complain and seek remedies. In this post, we focus on the lacunae in the grievance redress mechanisms and the enforcement concerns that arise in the context of Aadhaar. This is especially important, since, in the absence of an over-arching privacy or data protection law, an effective grievance redress mechanism, through the Aadhaar legal framework, remains the only remedy available to Aadhaar holders.


Inadequate details about the procedure for grievance redress

When things go wrong, customers need to have access to a proper complaints mechanism. This can be a call centre, a web portal, or physical offices. In the case of Aadhaar, such access is to be provided through the establishment of "contact centres" (Regulation 32 of the Aadhaar (Enrolment and Update) Regulations).

The Regulations envisage that a contact centre shall provide a mechanism to log queries, ensure safety of the information received, and comply with the procedures and processes as may be specified by the Authority for this purpose. Residents are also permitted to raise grievances by visiting the UIDAI's regional offices, or through any other officers or channels as may be specified by the Authority for this purpose.

To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI. In a previous article, Is Aadhaar grounded in adequate law and regulations?, we criticised such delegation of power by the UIDAI to its future self. The same criticism applies equally in the case of grievance redress. If the process of grievance redress has not been specified in the Regulations, there remains an unjustifiable ambiguity on the remedial measures available to an Aadhaar number holder. This is worsened by the ambiguity on how the UIDAI will ensure safety of the information received.

The handling of grievance redress in the Aadhaar Regulations suffers from the following problems:
The regulations leave unspecified the actual processes of redress, including the procedure for raising a grievance, the composition of the grievance redress/contact centre, and the timelines envisaged for resolving a query. They are silent on the identity/qualifications of the final decision maker, on whether the inquiry process will be administrative or quasi-judicial in nature, and on whether an appellate remedy is provided for. The regulations are also silent on the binding nature of the resolution mechanism, and on its relationship with the penalties and liabilities prescribed under the Act. In fact, even after reading the regulations, one is left confused about whether the grievance redress mechanism is a simple contact centre or an actual authority with some powers.

Regulation 32(3) of the Enrolment and Update Regulations states that residents may raise grievances by visiting the regional offices of the UIDAI or through any other offices or channels as may be specified by the Authority. Notably, there are only 8 regional offices, namely Bangalore, Chandigarh, Delhi, Guwahati, Hyderabad, Lucknow, Mumbai, and Ranchi, which are primarily Tier I cities. Further, these regional offices are not spread out evenly across India: for instance, Western India has only one regional office, in Mumbai, whereas North India has three offices, in Delhi, Chandigarh, and Lucknow. The other channels remain unspecified.
The efficacy and performance of these contact/call centres is hard to assess, since the regulations do not prescribe any minimum standards, or even a Code of Conduct (as in the case of Registrars, Enrolling Agencies, and other service providers) that would govern the behaviour of these centres. The Regulations are also silent on the performance standards of the grievance redress system as a whole, so that the UIDAI can be held accountable.

In the case of the Aadhaar (Authentication) Regulations and the Aadhaar (Data Security) Regulations, no grievance redress mechanism has been specified, and no reference has been made to the grievance redress mechanism provided for in the Aadhaar (Enrolment and Update) and (Sharing of Information) Regulations. This suggests that there is in effect, no mechanism for redress in these two regulations at all.

These issues become particularly important when we consider that Regulation 30(2) of the Enrolment Regulations envisages the use of this grievance redress mechanism to resolve complaints relating to the omission or deactivation of an Aadhaar number. Between September 2010 and August 2016, the UIDAI had deactivated over 85.6 lakh Aadhaar numbers. The consequences of such deactivation can be huge, including the exclusion from receiving various government subsidies, and now potentially, for filing income tax returns. In this context, the silence on substantive matters of grievance redress in the regulations is disconcerting.


No power to file criminal complaints

While the Regulations provide for a contact centre, Section 47 of the Aadhaar Act stipulates that only the UIDAI or its authorised officer can file a criminal complaint for violations of the Aadhaar Act. The Aadhaar Act criminalises, among other things, the disclosure and dissemination of the identity information of an Aadhaar number holder (Section 37), unauthorised access to the Central Identities Data Repository (Section 38), and the unauthorised use of the identity information of an Aadhaar number holder by a requesting entity (Section 40). Consequently, the UIDAI has been given complete discretion in determining if, and when, to file a criminal complaint for violations of the Act, and an individual aggrieved by the actions of a third person is left to rely upon the bona fide actions of the UIDAI.


In the Dhoni case, for example, the UIDAI seems to have decided not to file a criminal complaint against the enrolment agency, even though it reportedly tweeted a photo of his application form. In fact, RTI replies of the UIDAI reveal that in the six years from September 2010 to 31st October 2016, it received 1390 complaints about enrolment. However, only three FIRs were filed against the enrolling agencies, and that too only by the UIDAI's regional Bangalore office. The remaining complaints were either 'resolved', 'dropped', or 'closed' without initiation of any criminal action. Conversely, the UIDAI's Delhi office was quick to register its first FIR in over six years when a CNN-18 journalist ran a sting operation on security lapses in Aadhaar enrolment centres.

Indian law rarely, if ever, permits a third party to file a criminal complaint on behalf of an aggrieved individual to the exclusion of that individual. Given that we have no access to any explanatory memorandum or notes on clauses, it is difficult to ascertain the reason for introducing such a provision in the Act. Not only does the Aadhaar Act introduce a new framework, it does so without specifying any accountability mechanism between the UIDAI and the aggrieved Aadhaar number holder. The scheme of the Aadhaar Act does not envisage any remedy for an aggrieved Aadhaar number holder if the UIDAI decides that her complaint is not worth pursuing. The UIDAI thus has unchecked discretion. It is worth noting that even the CrPC provides judicial recourse to an individual if the police fail to register an FIR.

Low clarity and emphasis on enforcement

Regulations have force only when enforcement mechanisms leave no ambiguity about the costs of violation. The Aadhaar Regulations are largely silent on enforcement. In fact, as stated above, even the enforceability of any decision of a "contact centre", as part of the Grievance Redress Mechanism, is suspect. This is a result of the lack of power to enforce penalties in the Aadhaar Act itself.

The Regulations suggest, for example, that enrolment activities are to be monitored by the UIDAI, and that any violations may result in immediate suspension and eventual cancellation of the service providers' or the concerned persons' credentials and permissions under the Act. However, apart from this penalty, there is no other prescribed liability, in terms of a monetary fine or imprisonment as the case may warrant, for failure to comply with the code of conduct or any of the other Regulations. Even the application of this penalty is unclear, and left to the complete discretion of the UIDAI, inasmuch as Regulation 26(3) of the Enrolment Regulations only states that such cancellation will take place after 'holding due inquiry as deemed fit by the Authority'.

Similarly, Regulation 25 of the Authentication Regulation only provides that a requesting entity or authentication service agency may be burdened with 'disincentives' by the UIDAI, including suspension of their activities, in case of any contravention of the Act or the regulations. The regulations do not provide for gradation of offences and consequent punishments in terms of monetary penalties to imprisonment depending on the offence. It is also unclear whether, and which, provisions of the Act will apply.

There exists a Code of Conduct (specified in Schedule V of the Enrolment Regulations) which requires service providers to make 'best efforts' to protect the interests of the residents (Rule 1); to not divulge any confidential information about the residents, except when required by law (Rule 5); to ensure 'timely' redress of grievances (Rule 7); to abide by the Act and the regulations thereunder (Rule 9); to inform the Aadhaar number holder in case of any breach or non-compliance (Rule 11); and to follow confidentiality, privacy, and security protocols 'as may be specified by the authority' (Rule 23). However, it is completely silent on the consequences of non-compliance. Thus, without proportionate penalties and clear procedures for imposing liabilities, the incentives to comply with the provisions of the Act and the regulations fall.

Inadequate power to conduct grievance redress

Finally, there is even some doubt about the UIDAI's power to regulate issues of grievance redress itself. Section 23(2)(s) of the Aadhaar Act empowers the UIDAI to set up "facilitation centers and grievance redress mechanism for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers". However, Section 54 of the Act, which enumerates the UIDAI's power to make regulations, does not refer to this sub-section, despite referring to other sub-sections of Section 23. This assumes importance because all the Aadhaar Regulations derive their power from Section 54. The source of the UIDAI's power to write regulations on grievance redress is thus unclear.

Way forward

In this new world, where Aadhaar is the centerpiece of the government's agenda and is becoming a necessity to avail multiple government services and benefits, an effective accountability and enforcement mechanism is paramount. Unfortunately, the Aadhaar Act and the Regulations are inadequate and vague.

Enrollment and use is not accompanied by any adequate redress mechanism, leaving us with the problem of a legal vacuum. Seven years, and a law later, there is still no clarity on the accountability and redress frameworks in the Aadhaar Act. A large part of the problem comes from the structure and governance mechanisms of the UIDAI itself, with no separation between the regulatory functions at UIDAI and its operational functions.

These issues are ultimately derived from the poor intellectual capacity in the drafting of law in India. There is an urgent need to introduce amendments in the Aadhaar Act to address these problems. A new data protection framework is reportedly being drafted. Many elements of our research program on Aadhaar have important implications for both these strands of work.


This post is co-authored with Vrinda Bhandari. It first appeared on Ajay Shah's blog on 5 May, 2017.
