Since the judgment of the Supreme Court of India in Justice K.S. Puttaswamy & Ors. vs Union of India on September 26, 2018, there has been a policy push to make Aadhaar accessible again to private entities.

The Indian government first issued an ordinance in March 2019 to amend the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("Aadhaar Act"). After this, the Aadhaar and Other Laws (Amendment) Act, 2019, was notified on July 24, 2019 ("Aadhaar Amendment").

Despite this, there is still some lack of clarity on the use of Aadhaar by private entities. We have summarized the state of play here.

| | Central & State Government | Banks | Telecoms and ISPs | PMLA Reporting Entities | Other Private Companies |
|---|---|---|---|---|---|
| Aadhaar Requirement | Mandatory | Voluntary Only | Voluntary Only | Voluntary Only | Voluntary Only |
| Type of Authentication | Biometric/Demographic/OTP | Biometric/Demographic/OTP | Biometric/Demographic/OTP | Biometric/Demographic/OTP | Offline only |
| Permitted Uses | Direct benefit transfer | KYC, opening account, checking balance, cash withdrawal | KYC | KYC | None |
| e-KYC Authentication | Permitted | Permitted | Permitted | Permitted for notified entities | Not permitted |


What is the controversy around the use of Aadhaar by private entities?

Section 57 of the Aadhaar Act had allowed the use of Aadhaar numbers for establishing the identity of an individual for any purpose, including under a private contract. In 2018, the Indian Supreme Court held Section 57 of the Aadhaar Act to be unconstitutional.

Pre 2019 - Online Authentication:

Online Aadhaar 'Authentication' verifies an Aadhaar number held by an individual against the Unique Identification Authority of India ("UIDAI") database. The individual submitted their Aadhaar number along with demographic (name, date of birth, gender, etc.) or biometric (fingerprint or iris) information to a verifying entity (which could be a private company), which then used that information to access the Central Identities Data Repository of the UIDAI for verification. The UIDAI verified the information for that individual on the basis of the existing information available with it.

Post 2019 - The Aadhaar Amendment:

Online Aadhaar 'Authentication' works in the same manner after the Aadhaar Amendment, but the entities that can collect information have been clearly specified. Private entities can no longer carry out online authentication and may collect Aadhaar and Aadhaar-related data only in a very limited manner. The Aadhaar Amendment introduced 'offline verification' through 'Aadhaar Paperless Offline e-KYC'. In this mode, digitally signed Aadhaar details, the last 4 digits of the Aadhaar number and a time stamp are generated in a digitally signed XML. There is a lack of clarity on how private entities will be able to use this mode.

Who can use Aadhaar, and how?

  1. Mandatory vs. voluntary - eKYC is mandatory only for receipt of government schemes/ benefits. All other usage of Aadhaar as a mode of identification is voluntary and an individual can choose between Aadhaar and any other officially valid document.
  1. Banks - can use both online authentication and offline verification, depending on a customer's preference. Voluntary submission by the individual is essential. Basic banking functions like opening of bank account, cash withdrawal, checking of balance, can be carried out using Aadhaar details.
  1. Telecoms and ISPs - can use both online authentication and offline verification, depending on a customer's preference, to on-board new customers.
  1. Prevention of Money Laundering - Reporting entities (other than banks) under the PMLA can apply for use of Aadhaar eKYC authentication services, and if approved, be notified as such. Recently, in April 2020, both the Securities and Exchange Board of India and the Ministry of Finance notified some stock market entities (such as BSE, NSE and depositories) and insurance companies as 'reporting entities' who could undertake Aadhaar authentication.
  1. Aadhaar-enabled payment system and BHIM Aadhaar Pay - The National Payments Corporation of India introduced an 'Aadhaar-enabled payment system' which allows a customer to use his Aadhaar number/linked bank account to perform basic banking transactions such as cash deposit, withdrawal, balance enquiry and fund transfer (to another Aadhaar-linked bank account). BHIM Aadhaar Pay allows merchants to receive payments from customers (through their respective Aadhaar-linked bank accounts) via biometric authentication of the customer.

What's next, and what to look out for:

Private unregulated players are still waiting on clarity on what they can or cannot do with Aadhaar. This becomes crucial because the law prescribes fines and penal punishment for unauthorized collection of Aadhaar, and any lack of clarity will limit uptake. The picture is clearer for regulated fintech and telecom entities, who are allowed to access Aadhaar. Updated regulations post the Aadhaar Amendment are still awaited, which should clarify the impact and working of the Aadhaar Amendment in greater detail. In their absence, use of Aadhaar data by private entities to authenticate, even where the Aadhaar is voluntarily submitted, is not allowed.

A petition was filed in August 2019 before the Supreme Court against the Aadhaar Amendment and the Aadhaar (Pricing of Aadhaar Authentication Services) Regulations, 2019. The primary challenge is that the Aadhaar Amendment enables private entities to access the UIDAI database, thereby bypassing the Supreme Court judgment. The matter is still being heard by the Supreme Court.
