INTRODUCTION-
These days biometrics are being used in varied spheres of life, from office work and maintaining daily records to the implementation of the government’s welfare schemes, among a host of other activities. This article is an attempt at understanding the privacy issues emerging from the use of biometrics by studying Aadhar, a central government administered large-scale biometric identification process meant to include 1.30 billion Indian citizens. The article aims to answer the following research questions in some detail-
1- What do you mean by biometrics? What are its features?
2- What is Aadhar? What are its features?
3- How does Aadhar possibly violate privacy?
4- What are the important case laws pertaining to Aadhar?
5- How can we overcome privacy issues emanating from Aadhar?
This article will also try to understand the position of the Indian judiciary with the help of appropriate case laws, and examine possible legal measures to overcome possible cases of infringement of privacy caused by biometric systems like Aadhar.
MEANING AND FEATURES OF BIOMETRICS-
Biometrics is essentially a process to allow access to data or store data based on human biology and its components like DNA, fingerprints, iris etc. Unlike passwords or personal identification numbers (PINs), which may be hijacked, biometric systems are relatively more secure as they require the physical presence of individuals and cannot be used by other individuals via forgery or theft[1].
Biometric systems have the following features[2]-
1- A sensor device to record physical information like fingerprint and convert it digitally. These devices could be in the form of scanners or microphones.
2- Biometric templates, which are devices meant to match physical data with the digitally encrypted data already stored in the device.
3- After checking the two sets of data- the physical data and the pre-stored encrypted physical data, the system may allow the person to access the system or allow the person to enter new data in case the two sets of data substantially match.
Biometric systems are of two types[3]-
1- ‘Identification’ systems- Its use is “one to many”, as it helps in identification of persons without their knowledge. For example- cameras in airports.
2- ‘Verification’ systems- Its use is “one to one”, i.e. it is meant to ascertain a person’s identity. For example- use of fingerprints to open bank vaults.
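The difference between the two modes, and the "substantially match" step described above, can be shown with a small sketch. This is an added example, not code from the article or from UIDAI; it assumes templates are fixed-length bit vectors compared by the fraction of differing bits, and the names, template size and threshold are all constructed for illustration.

```python
import random

TEMPLATE_BITS = 256      # constructed size, not a real Aadhar parameter
MATCH_THRESHOLD = 0.25   # assumed: max fraction of differing bits for a match


def make_template(seed):
    """Constructed stand-in for an enrolled template (random bit vector)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


def noisy_capture(template, flips, seed):
    """Simulate a fresh sensor reading: same person, a few bits differ."""
    rng = random.Random(seed)
    sample = list(template)
    for i in rng.sample(range(TEMPLATE_BITS), flips):
        sample[i] ^= 1
    return sample


def distance(a, b):
    """Fraction of bit positions where two templates disagree."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(gallery, claimed_id, sample):
    """One to one: compare the sample only with the claimed identity."""
    stored = gallery.get(claimed_id)
    return stored is not None and distance(stored, sample) <= MATCH_THRESHOLD


def identify(gallery, sample):
    """One to many: search every enrolled template, no claim needed."""
    best_id, best = None, 1.0
    for person_id, stored in gallery.items():
        d = distance(stored, sample)
        if d < best:
            best_id, best = person_id, d
    return best_id if best <= MATCH_THRESHOLD else None


# Constructed gallery of five enrolled people.
GALLERY = {f"person-{n}": make_template(n) for n in range(1, 6)}

if __name__ == "__main__":
    sample = noisy_capture(GALLERY["person-3"], flips=20, seed=99)
    print("verify as person-3:", verify(GALLERY, "person-3", sample))
    print("verify as person-1:", verify(GALLERY, "person-1", sample))
    print("identify:", identify(GALLERY, sample))
    print("identify stranger:", identify(GALLERY, make_template(1000)))
```

Verification touches one stored record and needs the person to make a claim, while identification reads the whole gallery for every query, which is why the one-to-many mode is the one that can operate without the subject's knowledge.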
AADHAR : HISTORY AND FEATURES-
Aadhar started out as National Identity Card- a pilot project to look into creation of a unique national identification system in 2003 in thirteen selected provinces. However, it was only in 2009, with the establishment of Unique Identification Authority of India (UIDAI) under the leadership of Nandan Nilekani, that Aadhar was systematically implemented. Today, it includes about 88 per cent of India’s total population and has created biometric records of those registered based on fingerprints, iris scan and facial photographs[4].
FEATURES OF AADHAR-
Aadhar has the following salient features[5]-
1- Unique- It follows a thorough process of de-duplication by comparing enrolled data with other databases. Any citizen has to register for Aadhar only a single time, post which de-duplication process will ensure that in cases of multiple enrollments the entry is rejected.
2- Portable- Aadhar has pan India authentication. This ensures that in cases of inter-state migration, enrolled users of Aadhar will not face any hassles.
3- Randomly generated number- Aadhar generates a number, which is randomly created to identify enrolled individuals with their biometric details. Aadhar is not allowed to record sensitive personal details like ethnicity, religious conformity etc.
4- Scaled technology architecture- Aadhar data can be authenticated and recorded in a central system via online means. This ensures that authentication and storage process is easy and accessible. Aadhar can authenticate and store 100 million new entries daily.
5- Open source of technology- Aadhar can be recorded using software system available outside and does not involve creation or usage of specialized and expensive customized software.
PRIVACY ISSUES WITH AADHAR-
Biometric systems are not fool-proof and can be wrongly utilized by parties for extra-legal and illegal purposes. They can invade the personal space of individuals without their knowledge- for example, cameras operating in public spaces can be used to track and stalk innocent individuals. Biometric data is stored via software in computer systems, which can be hacked, and thus the available data can be utilized for less than honest means. Governments can also sell this data to private corporations without the approval and knowledge of their citizenry. Biometric data is said to be commonly misused, resulting in theft of identity, terrorist activities and other fraudulent acts[6].
Since Aadhar is also a form of biometric system, albeit one that operates on a national level, it suffers from the following privacy concerns according to experts and rights activists[7]-
1- According to senior UIDAI officials, Aadhar data is secured in a Central Identities Data Repository. The officials claim that the central repository is fraud and hacking resistant as the encryption process involved is complex and intricate. But, since Aadhar has been used in Aadhaar-enabled Payments System (AePS), experts claim that it makes it relatively more vulnerable and can be possibly compromised.
2- Since Aadhar has been made compulsory for securing bank services, mobile connectivity etc., it means that individuals have to unwillingly share their private details with agencies in spite of having a high degree of mistrust.
3- Aadhar, according to some experts, also violates the integrity of a person’s body and completely overrules “purpose limitation” under Sections 57, 78 and 91 of the Registration Act, which sets up rules and conventions for recording and storage of biometric data.
4- Since Aadhar has been compulsory for having access to different essential services, it means that different sets of databases have been “integrated” and as a result important private data of individuals can be accessed by the government or commercial institutions for possibly nefarious purposes.
5- Aadhar can be misused by businessmen and other private entities with big commercial interests to analyse macro and micro level information and mine data to improve credit ratings and find and predict causes across different layers of the economy.
IMPORTANT CASES RELATING TO PRIVACY-
The following cases shaped privacy related laws in India since the post-independence period-
1- M P Sharma & Others vs Satish Chandra, District Magistrate, Delhi & Others (1954 AIR 300) - In 1953, several records of a company were seized and a case for indulging in malpractices was filed against that particular company. The company filed a case against the Delhi administration claiming that such an action violated Article 20 (3) which did not allow any person to be incriminated by himself/herself[8].
An unprecedented bench consisting of eight judges concluded that[9]-
“When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of the fundamental right to privacy, analogous to the American Fourth Amendment, there is no justification for importing into it, a totally different fundamental right by some process of strained construction.”
Thus, the court in essence declared that right to privacy in Indian context is completely different from American jurisprudence and therefore its application in India is highly circumstantial and on a case to case basis[10].
2- Kharak Singh vs The State of UP & others (1963 AIR 1295) - Kharak Singh was a suspected dacoit, who was marked under Regulation 236 of the Uttar Pradesh Police Regulations, which allowed the police to keep a check on suspects by organizing sudden raids, asking constables and other junior ranked police officials to keep a regular check on the person in question, asking the suspect to keep them intimated of his movements by filling in a report etc. Kharak Singh in a petition complained that Regulation 236 was against Article 19(1)(d), which ensured “right to freedom of movement”, and Article 21, which ensured “protection of life and personal liberty”, of the constitution[11].
Like the MP Sharma case, a huge bench of six judges declared almost the whole of Regulation 236 to be valid by stating[12]-
“the right of privacy is not a guaranteed right under our Constitution, and therefore the attempt to ascertain the movements of an individual is merely a manner in which privacy is invaded and is not an infringement of a fundamental right guaranteed in Part III”.
It can be argued that the court did not consider privacy rights to have been explicitly included as part of fundamental rights in part III of the constitution.
3- Govind v. State of M.P (1975 AIR 1378) - This case also centered around a particular infringing provision called Regulation 855 and Regulation 856 under the Madhya Pradesh Police Act. The said provision empowered police officials at the rank of Deputy Superintendent of Police to keep suspected criminals under police watch and be forced to sign a register. The court in this case declared that the right to privacy is very subjective and every case must be analysed on its own merits[13].
4- R. Rajagopal v. State of T.N (1995 AIR 264) - The case dealt with serial killer and death penalty convict Auto Shankar’s autobiography and its publication. The court declared that Article 21 of the constitution implicitly covered the right to privacy in order to ensure the right to life and therefore the release of the book could not be curtailed entirely. However, if the publication of the book caused any possible risk to public security and law and order, then its publication could be curtailed under Article 19(2) of the Indian constitution[14].
The court also added that[15]-
“The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a ‘right to be left alone’. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy”.
Thus, in this case, the courts were able to shake off the ratio as suggested in the cases of MP Sharma and Kharak Singh and came up with a set of criteria to define privacy.
5- Justice K.S. Puttaswamy (Retd.) v. Union of India (In the Supreme Court of India, Writ Petition (Civil) No. 494 of 2012)- The Supreme Court, with an unprecedented bench of nine judges decided that right to privacy emerged from right to life and liberty as ascribed in Article 21, with part III of the constitution dealing with fundamental rights also supporting the same. The bench also over-ruled the decisions taken by the court in M.P. Sharma v Satish Chandra, District Magistrate, Delhi (1954) and Kharak Singh v State of Uttar Pradesh (1962) where privacy as an implied right under Article 21 was not accepted, which were also decided upon by six to eight judges making up the bench [16].
The court also added that privacy will not be considered as an “absolute right” and any act that invaded private rights of an individual ought to[17]-
1- Violate any legally sanctioned privacy rights
2- Not be a legitimate action by the government
3- Proportional relationship between any action taken by the government and steps taken by the state to achieve it.
The court defined privacy as[18]-
“condition or state of being free from public attention to intrusion into or interference with one’s acts or decisions”
The court also commented on biometric systems and Aadhar[19]-
“In a social welfare state, the government embarks upon programmes which provide benefits to impoverished and marginalised sections of society. There is a vital state interest in ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients”
Thus, the court while recognizing the inherent importance of privacy, also upholds the need for having a biometric system like Aadhar. It tries to balance individual rights with national interests as it recognizes the conditions where privacy may be compromised and the situations where such a compromise may be justified[20].
It can be inferred that the Puttaswamy judgment is quite close in spirit to judgments like R Rajagopal, where privacy rights have been given a lot of importance. It can also be reasonably inferred that courts too have relaxed their approach to privacy being a right under Article 21 over the years and have come up with innovative ratios to help protect the unsuspecting citizenry from illegal snooping by the government or possible unethical activities by corporates.
NEED FOR A SPECIALISED LAW AND REGULATORY FRAMEWORK TO PROTECT PRIVACY FROM POSSIBLE BIOMETRIC INFRINGEMENT -
In the year 2010, the Department of Personnel and Training (DoPT), Government of India, came up with a Privacy Bill- a specialized enactment to ensure that no electronically or digitally recorded data of any individual be used without his/her approval and for extra-legal or business related reasons. But, for unknown reasons, the bill remained in limbo and was not enacted into a law. The DoPT’s efforts at securing privacy were succeeded by the Planning Commission coming up with a dedicated “Group of Experts”, who were directed to look at privacy rights in depth and give suggestions to secure the same better. The committee looked into domestic laws as well as international regulations and in 2012 gave a report that directed the government to come up with a single specialized act that covered state and other private entities in terms of regulating possible infringement into the privacy of individuals. The report also suggested that institutions like EU, OECD, and APEC which follow the concepts of “notice, choice and consent, collection and purpose limitation, disclosure of information, security and accountability”. It also suggested the creation of the post of “Privacy Commissioners”, with other self-regulated institutions to implement and enforce measures to protect privacy. As a result, the Privacy Bill of 2010 was significantly changed and improved, but the law and the rest of the measures are yet to be implemented[21].
CONCLUSION-
Thus, in conclusion, I would like to point out that biometric systems have become an integral part of our lives. They cannot be simply removed as there are not adequate replacements available. The need of the hour is to adapt them while also ensuring that innocent people don’t end up losing their privacy related rights as a bargain. As my analysis of Aadhar proves, social needs of citizens should be fulfilled while ensuring that their core fundamental rights are not ignored. The Indian judiciary has evolved- from cases like Kharak Singh v State of UP and MP Sharma v Satish Chandra, where the judiciary clearly refused to read the right to privacy under Article 21 of the constitution, to cases like R Rajagopal v State of Tamil Nadu and Puttaswamy v Union of India, where they broadly included it. There is also a need to introduce a specialized law in India to help implement privacy rights better, as pointed out by the Group of Experts appointed by the planning commission in 2010. The government must come up with a fool-proof law to ensure privacy of its citizenry is adequately protected.
[1] Techopedia, Biometrics, available at https://www.techopedia.com/definition/10239/biometrics (Last visited on February 28, 2018).
[2] Id., 1.
[3] CSE, IIT Kharagpur, What is biometrics, available at https://www.cse.iitk.ac.in/users/biometrics/pages/what_is_biom_more.htm (Last visited on February 28, 2018).
[4] India Today, The Indian identity: How Aadhaar came into being, August 11, 2017, available at https://www.indiatoday.in/magazine/cover-story/story/20170821-aadhaar-nda-uidai-world-largest-biometrics-based-identity-platform-1028855-2017-08-11 (Last visited on February 28, 2017).
[5] UNIQUE IDENTIFICATION AUTHORITY OF INDIA (UIDAI), Features of Aadhar, available at https://uidai.gov.in/your-aadhaar/about-aadhaar/feature-of-aadhaar.html (Last visited on February 28, 2018).
[6] Scientific American, Biometric Security Poses Huge Privacy Risks, January 1, 2014, available at https://www.scientificamerican.com/article/biometric-security-poses-huge-privacy-risks/ (Last visited on February 28, 2018).
[7] The Wire, The Different Ways in Which Aadhaar Infringes on Privacy, July 19, 2017, available at https://thewire.in/159092/privacy-aadhaar-supreme-court/ (Last visited on February 28, 2018).
[8] The Indian Express, M P Sharma and Kharak Singh: The cases in which SC ruled on privacy, July 19, 2017, available at http://indianexpress.com/article/explained/m-p-sharma-and-kharak-singh-the-cases-in-which-sc-ruled-on-privacy-4756964/ (Last visited on February 28, 2018).
[9] Id., 8.
[10] Id., 9.
[11] Id., 10.
[12] Id., 11.
[13] B D Agarwala, Right to Privacy: A Case-By-Case Development, (1996) 3 SCC (Jour) 9.
[14] Id., 13.
[15] Id., 14.
[16] The Wire, Key Highlights of Justice Chandrachud’s Judgment in the Right to Privacy Case, August 27, 2017, available at https://thewire.in/171325/justice-chandrachud-judgment-right-to-privacy/ (Last visited on February 28, 2018).
[17] IT IS THE LAW, Aadhaar: A Barter Of Rights With Benefits And Analysis Of The Puttuswamy Judgement, November 8, 2017, available at http://itisthelaw.in/articles/aadhaar-a-barter-of-rights-with-benefits-and-analysis-of-the-puttuswamy-judgement/ (Last visited on February 28, 2018).
[18] Id., 17.
[19] Id., 18.
[20] Id., 19.
[21] Firstpost, Supreme Court to decide on Aadhaar-privacy issue: Can your right over personal data be negotiated?, July 19, 2017, available at http://www.firstpost.com/india/supreme-court-to-decide-on-aadhaar-privacy-issue-today-can-your-right-over-personal-data-be-negotiated-3829139.html (Last visited on February 28, 2018).
About The Author
Saurabh Kumar is from 2013-2018 batch WBNUJS. He has keen interest in Family Law and Constitutional Law as well as Strategic affairs.