Recently, the Unique Identification Authority of India (UIDAI) filed a first information report (FIR) against a reporter of The Tribune
for unauthorized access of Aadhaar data (for a story that exposed the
vulnerability of the Aadhaar database), and for allegedly violating the
provisions of the Aadhaar Act. Last year, the UIDAI filed an FIR against
a CNN-News 18 journalist for a report on how it was possible to obtain
two separate Aadhaar enrolment numbers. In contrast, the UIDAI did not
initiate criminal prosecution against any of the 210 government websites
that displayed the details of Aadhaar number holder, nor did it file an
FIR against Airtel, when it was found out that Airtel used the
Aadhaar-eKYC-based verification process to open payments bank accounts
of its subscribers without their consent. These instances are
interesting for two reasons.
First, it seems that over the last
seven years since Aadhaar has been operational, we have heard of only
the UIDAI filing FIRs. Second, it seems that some cases are pursued,
while others are not. Why might this be?
The answer lies in
Section 47 of the Aadhaar Act. This section only permits the UIDAI to
initiate criminal prosecution for any violations of the Aadhaar Act,
while eliminating the involvement of the Aadhaar number holder entirely.
Suppose you were a victim of fraud by an enrolment agency or your
personal data had been stolen from the centralized Aadhaar database.
What are the choices you have? Unfortunately, under the current
framework of the Aadhaar Act, you have only one choice. Let the UIDAI
know, and hope that the UIDAI files a case on your behalf.
Such a
provision is unique, since Indian law rarely, if ever, empowers a third
party to file a criminal complaint on behalf of an aggrieved individual,
to the exclusion of that individual. It is almost as if when there is a
theft in your house, the best you can do is to tell your local
residents welfare association, and hope that they file a case on your
behalf. Parliament had obviously intended that, notwithstanding the
provisions of the Indian Penal Code, certain actions should be
specifically penalized under the Aadhaar Act. Nevertheless,
having designated certain actions as criminal offences, the Act deprives
aggrieved individuals from accessing the criminal justice system.
Some
may argue that there is a good reason for giving all the power to the
UIDAI—despite the inherent conflict of interest in the UIDAI being
responsible for ensuring the confidentiality of identity information of
individuals, while also having the sole prerogative to initiate criminal
prosecution in case of a security breach or violation of the Act.
Perhaps as an administrative and regulatory body, it has the wherewithal
to deal with our broken criminal justice system that we as individuals
will find hard to navigate. But this is pure speculation, since we have
no explanation from the drafters of the law, nor any parliamentary
debates, to help explain why such a contrarian position was taken.
If
the law takes away the power from you to file a complaint, and gives it
to a third party, namely the UIDAI, you might expect that it imposes
concomitant obligations on the UIDAI qua you. After all, the UIDAI is
meant to be acting on your behalf. Unsurprisingly, perhaps, this is not
the case. There is nothing in the Aadhaar Act, or the accompanying
regulations that require the UIDAI to give details about the number of
FIRs filed by it annually, or to explain why it chose to drop one
complaint, or pursue another. Nor does the Act provide the aggrieved
individual with any remedy if the UIDAI decides that their complaint is
not worth pursuing. In contrast, even the Code of Criminal Procedure
(CrPC) provides judicial recourse to an individual if the police fails
to register an FIR.
Notably, as revealed by Right to Information
(RTI) queries, between September 2010 (when the first Aadhaar number was
issued) and October 2016, the UIDAI received 1,390 complaints about
enrolment agencies, but registered FIRs in only three cases, with the
other cases being “resolved”, “dropped”, or “closed”. In fact, the UIDAI
has only filed 30 FIRs till date.
This is only one of the many serious flaws in the existing Aadhaar legal framework, but it is illustrative of the weak accountability mechanism embedded in the Aadhaar Act for the UIDAI.
The
UIDAI is responsible for the enrolment and authentication process, data
quality, security and confidentiality of data, and grievance redress.
However, apart from a financial audit, the Aadhaar Act fails to
prescribe any ex-ante or ex-post accountability mechanisms. In fact, the
Aadhaar Act does not even require the UIDAI to inform the Aadhaar
number holder if their data has been compromised.
Some have
argued that a data protection authority (DPA) will solve these
problems. A data protection framework and a DPA will certainly be a step
forward in addressing some of these concerns, but no such law exists
yet. In any event, a DPA will be burdened with far more than Aadhaar,
and it seems strange to wait for the setting up of a new agency, instead
of fixing the problems in the agency designed specifically to deal with
Aadhaar.
Till then, we will be left with a situation where an
agency that is holding our data in public trust and is supposed to work
in our best interest, is choosing to go after those individuals who are
exposing the vulnerabilities in the Aadhaar framework, rather than those
responsible for exploiting the vulnerabilities. Unfortunately, there is
nothing that we can do about it.
(This article is co-authored with Vrinda Bhandari. It first appeared in the Mint, 12 January, 2018)
No comments:
Post a Comment