Over the last few weeks, there has been a furore over the divulging of Aadhaar details, with information ranging from that of pensioners in Jharkhand to that of a famous cricket player (M. S. Dhoni) being made publicly available. The UIDAI has responded swiftly by filing FIRs against 8 websites, and also shutting down several others to prevent the misuse of data. Other complaints about the Aadhaar have included instances of failure of biometric authentication, server and connectivity problems, cryptic error messages, and identity theft.
A recent paper by CIS reported that around 130-135 million Aadhaar numbers and 100 million bank account numbers were estimated to have leaked from four government portals. It is unclear whether these Aadhaar numbers had been inadvertently published by the government portals (without realising the consequences of their actions) or had been displayed as a measure of transparency. Either way, while Dhoni may be famous enough to reach out to the UIDAI, other ordinary citizens have not been so fortunate.
A key component of a system, especially one that interfaces with individuals, is its ability to provide protection to its intended users from being harassed, misled, or deceived. One way of ensuring this is to provide access to a reasonable mechanism of grievance redress, where citizens can complain and seek remedies. In this post, we focus on the lacunae in the grievance redress mechanisms and the enforcement concerns that arise in the context of Aadhaar. This is especially important, since, in the absence of an over-arching privacy or data protection law, an effective grievance redress mechanism, through the Aadhaar legal framework, remains the only remedy to Aadhaar holders.
Inadequate details about the procedure for grievance redress
When things go wrong, customers need to have access to a proper complaints mechanism. This can be a call center, a web portal, or physical offices. In the case of Aadhaar, such access is to be provided through the establishment of "contact centers" (Regulation 32 of the Aadhaar (Enrolment and Update) Regulations).
The Regulations envisage that a contact centre shall provide a mechanism to log queries, ensure safety of the information received, and comply with the procedures and processes as may be specified by the Authority for this purpose. Residents are also permitted to raise grievances by visiting the UIDAI's regional offices, or through any other officers or channels as may be specified by the Authority for this purpose.
To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI. In a previous article, Is Aadhaar grounded in adequate law and regulations?, we criticised such delegation of power by the UIDAI to its future self. The same criticism applies equally in the case of grievance redress. If the process of grievance redress has not been specified in the Regulations, there remains an unjustifiable ambiguity on the remedial measures available to an Aadhaar number holder. This is worsened by the ambiguity on how the UIDAI will ensure safety of the information received.
The handling of grievance redress in the Aadhaar Regulations suffers from the following problems:
The regulations leave the actual processes of redress, including the procedure for raising a grievance, the composition of the grievance redress/contact centre, and the timelines envisaged for resolving a query unspecified. They are silent on the identity/qualifications of the final decision maker, on whether the inquiry process will be administrative or quasi-judicial in nature, and whether an appellate remedy is provided for. The regulations are also silent on the binding nature of the resolution mechanism, and their relationship with the penalties and liabilities prescribed under the Act. In fact, even after reading the regulations, one is confused about whether the grievance redress mechanism is a simple contact centre or an actual authority, with some powers.
Regulation 32(3) of the Enrolment and Update Regulations states that residents may raise grievances by visiting the regional offices of the UIDAI or through any other offices or channels as may be specified by the Authority. Notably, there are only 8 regional offices, namely Bangalore, Chandigarh, Delhi, Guwahati, Hyderabad, Lucknow, Mumbai, and Ranchi, which are primarily all Tier I cities. Further, these regional offices are not spread out throughout India - for instance, Western India only has one regional office in Mumbai, whereas North India has three offices in Delhi, Chandigarh, and Lucknow. The other channels remain unspecified.
The efficacy and performance of these contact/call centres is hard to assess, since the regulations do not prescribe any minimum standards, or even a Code of Conduct (as in the case of Registrars, Enrolling Agencies, and other service providers) that would govern the behaviour of these centres. The Regulations are also silent on the performance standards of the grievance redress system as a whole, so that the UIDAI can be held accountable.
In the case of the Aadhaar (Authentication) Regulations and the Aadhaar (Data Security) Regulations, no grievance redress mechanism has been specified, and no reference has been made to the grievance redress mechanism provided for in the Aadhaar (Enrolment and Update) and (Sharing of Information) Regulations. This suggests that there is in effect, no mechanism for redress in these two regulations at all.
These issues become particularly important when we consider that Regulation 30(2) of the Enrolment Regulations envisages the use of this grievance redress mechanism to resolve complaints relating to the omission or deactivation of an Aadhaar number. Between September 2010 and August 2016, the UIDAI had deactivated over 85.6 lakh Aadhaar numbers. The consequences of such deactivation can be huge, including the exclusion from receiving various government subsidies, and now potentially, for filing income tax returns. In this context, the silence on substantive matters of grievance redress in the regulations is disconcerting.
No power to file criminal complaints
While the Regulations provide for a contact center, Section 47 of the Aadhaar Act stipulates that only the UIDAI or its authorised officer can file a criminal complaint for violations of the Aadhaar Act. The Aadhaar Act criminalises, among other things, the disclosure and dissemination of the identity information of an Aadhaar number holder (Section 37), unauthorised access to the Central Identities Data Repository (Section 38), and the unauthorised use of the identity information of an Aadhaar number holder by a requesting entity (Section 40). Consequently, the UIDAI has been given complete discretion in determining if, and when, to file a criminal complaint for violations of the Act, and an individual aggrieved by the actions of a third person is left to rely upon the bona fide actions of the UIDAI.
In the Dhoni case for example, the UIDAI seems to have decided to not file a criminal complaint against the enrollment agency, even though they reportedly tweeted a photo of his application form. In fact, RTI replies of the UIDAI reveal that in the six years from September 2010 to 31st October 2016, it received 1390 complaints about enrollment. However, only three FIRs were filed against the enrolling agencies, and that too, only by UIDAI's regional Bangalore office. The remaining complaints were either 'resolved', 'dropped', or 'closed' without initiation of any criminal action. Conversely, the UIDAI's Delhi office was quick to register its first FIR in over six years, when a CNN-18 journalist ran a sting operation on security lapses in the Aadhaar enrollment centers.
Indian law rarely, if ever, permits a third party to file a criminal complaint on behalf of an aggrieved individual, to the exclusion of that individual. Given that we have no access to any explanatory memorandum or notes on clauses, it is difficult to ascertain the reason for introducing such a provision in the Act. Not only does the Aadhaar Act introduce a new framework, it does so without specifying any accountability mechanism between the UIDAI and the aggrieved Aadhaar number holder. The scheme of the Aadhaar Act does not envisage any remedy for an aggrieved Aadhaar number holder if the UIDAI decides that her complaint is not worth pursuing. The UIDAI, thus, has unchecked discretion. It is worth noting that even the CrPC provides judicial recourse to an individual if the police fail to register an FIR.
Low clarity and emphasis on enforcement
Regulations have force only when enforcement mechanisms leave no ambiguity about the costs of violation. The Aadhaar Regulations are largely silent on enforcement. In fact, as stated above, even the enforceability of any decision of a "contact centre", as part of the Grievance Redress Mechanism, is suspect. This is a result of the lack of power to enforce penalties in the Aadhaar Act itself.
The Regulations suggest, for example, that enrollment activities are to be monitored by the UIDAI, and any violations may result in immediate suspension and eventual cancellation of the service providers' or the concerned persons' credentials and permissions under the Act. However, apart from this penalty, there is no other prescribed liability - in terms of a monetary fine or imprisonment - as the case may warrant, for failure to comply with the code of conduct or any of the other Regulations. Even the application of this penalty is unclear, and left to the complete discretion of the UIDAI, inasmuch as Regulation 26(3) of the Enrolment Regulations only states that such cancellation will take place after 'holding due inquiry as deemed fit by the Authority'.
Similarly, Regulation 25 of the Authentication Regulation only provides that a requesting entity or authentication service agency may be burdened with 'disincentives' by the UIDAI, including suspension of their activities, in case of any contravention of the Act or the regulations. The regulations do not provide for gradation of offences and consequent punishments in terms of monetary penalties to imprisonment depending on the offence. It is also unclear whether, and which, provisions of the Act will apply.
There exists a Code of Conduct (specified in Schedule V of the Enrolment Regulations) which requires service providers to make 'best efforts' to protect the interests of the residents (Rule 1); to not divulge any confidential information about the residents, except when required by law (Rule 5); to ensure 'timely' redress of grievances (Rule 7); to abide by the Act and the regulations there-under (Rule 9); to inform the Aadhaar number holder in case of any breach or non-compliance (Rule 11); and to follow confidentiality, privacy, and security protocols 'as may be specified by the authority' (Rule 23). However, it is completely silent on the consequences of non-compliance. Thus, without proportionate penalties and clear procedures for imposing liabilities, the incentives to comply with the provisions of the Act and the regulations fall.
Inadequate power to conduct grievance redress
Finally, there is even some doubt on the UIDAI's power to regulate issues of grievance redress itself. Section 23(2)(s) of the Aadhaar Act empowers the UIDAI to set up "facilitation centers and grievance redress mechanism for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers". However, Section 54 of the Act, which enumerates the UIDAI's power to make regulations, does not refer to this sub-section, despite referring to other sub-sections of Section 23. This assumes importance because all the Aadhaar Regulations derive their power from Section 54. The source of the UIDAI's power to write regulations on grievance redress is thus unclear.
In this new world, where Aadhaar is the centerpiece of the government's agenda and is becoming a necessity to avail multiple government services and benefits, an effective accountability and enforcement mechanism is paramount. Unfortunately, the Aadhaar Act and the Regulations are inadequate and vague.
Enrollment and use are not accompanied by any adequate redress mechanism, leaving us with the problem of a legal vacuum. Seven years, and a law later, there is still no clarity on the accountability and redress frameworks in the Aadhaar Act. A large part of the problem comes from the structure and governance mechanisms of the UIDAI itself, with no separation between the regulatory functions at UIDAI and its operational functions.
These issues are ultimately derived from the poor intellectual capacity in the drafting of law in India. There is an urgent need to introduce amendments in the Aadhaar Act to address these problems. A new data protection framework is reportedly being drafted. Many elements of our research program on Aadhaar have important implications for both these strands of work.
This post is co-authored with Vrinda Bhandari. It first appeared on Ajay Shah's blog on 5 May, 2017.