Aadhaar: India's National Identification System and Consent-Based Privacy Rights.

• Author: Yalavarthy, Anuitha Sai

TABLE OF CONTENTS I. INTRODUCTION 620 II. BACKGROUND 623 A. What Is Aadhaar? 623 B. Aadhaar Data-Why Biometrics? 625 C. The Structure of the Aadhaar System and its Database 626 D. Aadhaar: The Legal Landscape 629 1. Constitutionality 629 2. Challenges of the Aadhaar System 629 3. The Aadhaar System Post-Puttaswamy II 638 E. Data Privacy and Security and the Aadhaar System 641 III. ANALYSIS 644 A. Principles of Data Protection and Privacy in the West 644 1. The European Union 645 2. The United States 649 B. Data Privacy Principles as Applied to the Aadhaar System 655 1. Necessity 655 2. Consent 657 C. Applicability and Effectiveness of the PDPB and the DPDPB 661 1. Effectiveness of the Consent Clauses 661 2. Effectiveness of the Right to Be Forgotten and Erasure Clauses 663 3. Applicability of the PDPB and DPDPB to the Aadhaar System as a Whole 665 IV. SOLUTION 668 A. The Future of Data Privacy in India 668 1. Embracing Privacy Principles 668 2. Accountability 670 V. CONCLUSION 670 I. INTRODUCTION

In 2021, Afghanistan fell to the Taliban. (1) It did not take long after the takeover was reported for questions to be raised about a myriad of issues; (2) what did the Taliban's takeover mean for the women of Afghanistan, for counterterrorism measures around the world, or for foreign policy in general, for example? (3) One of the most pressing issues presented, however, was that of data and information. (4)

Soon after Kabul fell, the New York Times reported that one of the Taliban's main targets was the headquarters of the National Security Directorate of Afghanistan and the Ministry of Communications. (5) Why? It wanted access to the files of Afghan officials and to be able to track Afghan citizens. (6) Not only did the Taliban manage to get its hands on top-secret files and payroll lists during its takeover of Kabul, but it also obtained biometric devices used by the US military in Afghanistan. (7) These devices, known as Handheld Interagency Identity Detection Equipment, contain both biometric data--such as iris scans and fingerprints--and biographical data on Afghan citizens. (8) The devices can be used to access large, centralized databases containing that information. (9) Such data could be used to identify those who worked with the US government or other forces opposing the Taliban. (10)

Afghan citizens seem to be doing everything they can to hide themselves, their identities, and their histories in the wake of the Taliban takeover. (11) Some have moved and changed their phone numbers, and some have gotten rid of their ID cards and diplomas for the sake of safety. (12) The problem is that while ID cards, names, and phone numbers can be destroyed or changed, biometric data cannot be: you cannot change your fingerprints or iris scans. (13) Once biometric data is collected, it is as close to a permanent form of identification as can be. (14) And once biometric data is linked to an individual's biographical history, there is not much that individual can do about it. (15)

These concerns surrounding data in the hands of the Taliban are troubling, but the collection and use of biometric data is not limited to Afghanistan, and neither are the privacy and security concerns that come with them. Countries across the world have different approaches to the collection and use of biometric data and the laws that surround it. (16) While countries like China rely heavily on biometric data and have excluded biometric and genetic data from their data protection laws, (17) countries like Portugal have forbidden the implementation of biometric databases altogether. (18) These countries mostly seem to have made up their minds on their approaches to biometric data collection and regulation, (19) while other countries and international organizations are still developing their approaches. India falls somewhere in the middle of that spectrum. India currently has one of the largest national biometric databases in the world but is still in the process of establishing a data privacy regime in the country. (20) Not having data privacy laws for such a database compromises the security, and risks the misuse, of the plethora of information that it contains. (21)

India's "Aadhaar" system provides individuals with a unique identification number that links biographical and biometric information including name, birthday, fingerprints, iris scans, and facial identification, along with information about family members. (22) As a country with one of the largest national biometric databases in the world to hold all this information, and one where privacy has been declared a constitutional and fundamental right, (23) India is in need of a comprehensive legal framework for data protection and privacy. This need has been recognized by the Supreme Court of India and has been acknowledged by the legislature, as it introduced the Personal Data Protection Bill (PDPB) in 2019. (24) However, the PDPB was withdrawn in August of 2022, because the government believed it had gotten too complicated as it was amended over the past few years. (25) In November of 2022, the Ministry of Electronics and Information Technology released a draft of a new bill, the Digital Personal Data Protection Bill (DPDPB), and invited public feedback on the draft. (26)

This Note will provide an overview of the Aadhaar system and how it works, in theory and in practice, and discuss the legal landscape surrounding it, its constitutionality, and the challenges it faces today. (27) It will discuss the principles of data privacy that have emerged in the European Union and how those principles have been applied in the United States as well. The Note will then discuss the Personal Data Protection Bill of 2019 and the Digital Personal Data Protection Bill of 2022, (28) in the context of the EU's data privacy principles, and what the bill got right and where it fell short. (29) It will then continue to provide some insight into how embracing these principles in future legislation can support a more robust data privacy regime in India and bolster protections for the highly sensitive biographical and biometric data that is collected for the Aadhaar system.

2. BACKGROUND

   1. What Is Aadhaar?

      "'Aadhaar" is the name given to the unique identification number assigned to individuals in India, similar to the Social Security number in the United States, (30) by a government agency called the Unique Identification Authority of India (the Authority). The Authority was officially launched in 2009 and the first Aadhaar number was issued in 2010. (31) However, it was only after the Aadhaar program was challenged in court in 2012 for not having a legislative basis for its implementation that the Indian Parliament enacted the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act in 2016 (the Aadhaar Act), (32) thus giving the Authority statutory powers. By its own description, the Aadhaar Act is meant to

      provide for. as a good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals and for matters connected therewith or incidental thereto. (33) Under the Aadhaar Act, the Authority has the power to collect biographical and biometric data on Indian residents who want to access these benefits and services, which is then linked to a unique Aadhaar number issued to individuals in the country. (34) Aadhaar numbers have been used extensively over the years for identification by both governmental and nongovernmental organizations and have become a de facto necessity for Indian residents for day-to-day activities as well. (35)

   2. Aadhaar Data--Why Biometrics?

      To issue an Aadhaar number, the Authority collects a wide range of biographical information from an individual, including their name, birthday, gender, age, contact information, and even details of family members and proof of those relationships. (36) Additionally, the Authority collects biometric information like fingerprints, iris scans, and a photograph. (37)

      The Aadhaar Act distinguishes between "biometric information" and "core biometric information." (38) "Core biometric information" includes fingerprints, iris scans, and "other biological information," and "biometric information" includes core biometric information, plus photographs. (39)

      The Aadhaar program collects this biometric information for what is called the "de-duplication" process. (40) One of the most important features of the Aadhaar number, as stated by the Authority as well as the Supreme Court, is the "uniqueness" of the identification number--each individual can have only one Aadhaar number without any chance of duplication. (41) When data is initially collected for the issuance of an Aadhaar number, the individual's biometrics are essentially run through the centralized Aadhaar database to ensure there is no match. (42) This is the de-duplication process. It is meant to ensure an accurate national database as well as to ensure that no one can apply or register for two Aadhaar numbers; biometrics are used in this process because they are inherently unique to an individual and cannot be faked, changed, or erased. (43)

      When the Aadhaar Act and the Aadhaar system were challenged in court, as will be discussed further below, the de-duplication process was important to the Supreme Court's analysis. (44) Specifically, the Court considered the need for the biometric data to serve the government's purpose of providing unique identification to Indian residents for access to government benefits and services and how de-duplication aids that purpose. (45)

   3. The Structure of the Aadhaar System and its Database

      The data collected through and for the Aadhaar system can move through a range of entities and people as it makes its way from collection to...