What are the key privacy concerns surrounding Aadhaar's use as digital identity?

Conceptual
~ 6 min read

Direct Answer

The key privacy concerns surrounding Aadhaar's use as a digital identity revolve around the potential for state surveillance, data security breaches, and the infringement of the fundamental right to privacy. The centralised collection of biometric and demographic data in the Central Identities Data Repository (CIDR) creates a "honeypot" for attackers and enables the state to track an individual's activities by linking various services to a single unique ID, a process known as "profiling." This challenges the principles of data minimisation and purpose limitation, which are central to privacy protection.

Background

Aadhaar was introduced in 2009 by the Unique Identification Authority of India (UIDAI), initially as an executive initiative to provide a unique identity to every resident. Its primary goal was to improve the delivery of welfare services and reduce leakages. However, its legal framework was established much later with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. This Act was controversially passed as a Money Bill, a move that was challenged but ultimately upheld by the Supreme Court. The journey of Aadhaar has been marked by a constant tussle between the state's objective of efficient governance and the individual's fundamental rights.

A brief timeline highlights this evolution:

  1. 28 January 2009: The Unique Identification Authority of India (UIDAI) is established via an executive notification.
  2. 26 November 2012: The Supreme Court, in a series of interim orders, states that Aadhaar cannot be made mandatory for accessing essential services.
  3. 25 March 2016: The Aadhaar Act, 2016 is passed by Parliament as a Money Bill.
  4. 24 August 2017: In the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), a nine-judge bench of the Supreme Court unanimously declares the Right to Privacy a fundamental right under Article 21 (Right to Life and Personal Liberty) of the Constitution of India.
  5. 26 September 2018: A five-judge bench in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2019) upholds the constitutional validity of the Aadhaar Act but strikes down certain provisions, such as Section 57, which allowed private entities to use Aadhaar for verification.

Core Explanation

The privacy concerns stem from the architecture and implementation of the Aadhaar system itself:

  1. Centralisation and Surveillance: Aadhaar links multiple databases (bank accounts, mobile numbers, PAN, welfare schemes) to a single unique number. This creates a 360-degree profile of an individual, enabling the state to track their movements, financial transactions, and personal associations. This is a direct threat to informational privacy and personal autonomy.

  2. Data Security and Breaches: The Central Identities Data Repository (CIDR), which stores the biometric and demographic data of over a billion people, is a high-value target for cyberattacks. While the UIDAI claims the data is secure, numerous reports of data leaks and unauthorised access have raised serious questions about the robustness of its security infrastructure.

  3. Biometric Reliability and Exclusion: Biometrics (fingerprints and iris scans) are not infallible. They can change due to age, injury, or manual labour, leading to authentication failures. This can result in the exclusion of genuine beneficiaries from essential services like PDS rations or MGNREGA wages, violating their right to life under Article 21.

  4. Purpose Limitation: The principle of purpose limitation requires that data collected for one purpose should not be used for another. Aadhaar was initially introduced for welfare delivery, but its use was expanded to income tax filings, bank accounts, and SIM card verification, leading to "function creep" and a violation of this core data protection principle.

FeatureAadhaar (Centralised ID)Decentralised ID Models
Data StorageCentralised in the CIDR, controlled by UIDAI.User-controlled, stored on personal devices or distributed ledgers.
ControlGovernment/UIDAI controls the identity and its verification.Individual has sovereign control over their own identity data.
PrivacyProne to mass surveillance and single-point-of-failure breaches.Privacy-preserving by design; data is shared on a need-to-know basis.
ConsentConsent is often bundled and not granular.Requires explicit, granular consent for each data-sharing transaction.

Why It Matters

The debate over Aadhaar is a microcosm of the larger conflict between state security/efficiency and individual liberty in the digital age. It directly impacts the interpretation and enforcement of the fundamental right to privacy, guaranteed under Article 21. The Supreme Court's judgment in the Puttaswamy cases established a three-part test for any state intrusion into privacy:

  1. Legality: The action must be sanctioned by law.
  2. Legitimate State Aim: The action must pursue a legitimate state interest.
  3. Proportionality: There must be a rational nexus between the intrusion and the aim, and the extent of intrusion must be the least restrictive means to achieve the objective.

The mandatory linking of Aadhaar to various services was scrutinised against this proportionality test. While the Court upheld its use for welfare schemes and PAN linking (a legitimate state aim to curb black money), it struck down its use by private companies as disproportionate. This judicial scrutiny is vital for preventing the creation of a surveillance state and protecting the democratic fabric of the nation.

Related Concepts

  • Right to Privacy (Article 21): As established in K.S. Puttaswamy (2017), this is the constitutional bedrock for challenging Aadhaar's intrusive aspects.
  • Money Bill (Article 110): The classification of the Aadhaar Act as a Money Bill bypassed the Rajya Sabha's power to amend or reject it, raising questions about parliamentary procedure and federal balance.
  • Data Protection Legislation: The Aadhaar debate highlighted the urgent need for a comprehensive data protection law. The Digital Personal Data Protection Act, 2023 is the legislative response, aiming to regulate the processing of digital personal data.
  • Doctrine of Proportionality: A key legal principle used by the judiciary to balance fundamental rights with state interests. It was central to the Supreme Court's Aadhaar verdict.

UPSC Angle

Examiners will look for a nuanced understanding that goes beyond a simple pro- or anti-Aadhaar stance. They expect candidates to:

  1. Link to Constitutional Principles: Connect the privacy concerns directly to Article 21 and the principles laid down in the Puttaswamy judgment.
  2. Understand the Judicial Scrutiny: Clearly explain the Supreme Court's reasoning in upholding parts of the Aadhaar Act while striking down others, using the proportionality test.
  3. Distinguish Statutory vs. Constitutional: Differentiate between the Aadhaar Act, 2016 (a statute) and the Right to Privacy (a constitutional right).
  4. Analyse Governance Implications: Discuss the tension between welfare delivery efficiency, national security, and individual liberty.
  5. Show Awareness of Legislative Developments: Mention the role of the Aadhaar Act and the subsequent need for and enactment of the Digital Personal Data Protection Act, 2023.

A

polity governance policy e governance digital india aadhaar upi
Was this helpful?

Study Companion

Scholarly Layers

What are the key privacy concerns surrounding…

Topic
Governance and Public PolicyE-Governance and Digital IndiaDigital Identity (Aadhaar) and Payments (UPI)