The TRAI chairman, RS Sharma’s controversial Aadhaar challenge has now been followed by a UIDAI warning against the disclosure of Aadhaar numbers, terming it as an act that is ‘not in accordance with the law’. The challenge led to others also similarly posting their Aadhaar numbers online and issuing similar challenges. While the point the TRAI chief was trying to prove, that the knowing Aadhaar number can do him no harm, remains unproven, his act has triggered a serious law and order problem.
The first question that arises is whether the TRAI chief himself violated the law by disclosing his own number. The second is on how to deal with people who have come to believe that disclosing their sensitive personal data can do them no harm.
What the Aadhaar Act says
To answer these questions, the relevant provisions under the Aadhaar Act itself need to be looked at. The most relevant provision is Section 29(2), which states that identity information (which includes Aadhaar numbers) may be shared ‘only in accordance with the provisions of this Act and in such manner as may be specified by regulations’. This is supplemented by Section 29(4), which further states that no Aadhaar number/core biometric information collected or created under the Aadhaar Act can be ‘published, displayed or posted publicly, except for the purposes as may be specified by regulations’.
Violation of these provision attracts a penalty of 1-year imprisonment or a fine of Rs 25,000 under Section 42. Section 37, further punishes the intentional dissemination of any identity information that was collected in the course of enrolment or authentication with 3 years or a fine of Rs 10,000.
Does the Aadhaar Act punish publishing your own data?
Technically, the sharing of the TRAI chief’s own Aadhaar numbers is not ‘in accordance with the provisions of the Aadhaar Act’, nor has it been shared for the ‘purposes as may be specified in the regulations’. However, traditionally, no privacy law puts a bar on what information people choose to disclose about themselves. This is a choice that the people are allowed to make and forms the basis of the use of consent in data protection laws.
To read into these provisions that the Aadhaar Act prohibits a person from publishing his own Aadhaar number is thus a bit of a stretch. In fact, to place a bar on a person revealing his own sensitive personal information, could well include a bar on that person publishing his own photographs. Consider Section 29 of the Aadhaar Act above, which places a bar on the sharing of core biometric information as well. A person sharing a picture which reveals his fingerprints, or which allows the generation of face recognition data on par with, could similarly be considered to be a violation of the law.
Aadhaar regulations don’t discuss publishing your own data
There is further support to this from the Aadhaar (Sharing of Information) Regulations, 2016, which does not discuss persons publishing their own data. The only reference is to publication by persons/entities other than the Aadhaar number holders. Regulation 6(1) specifically states that ‘The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency’. This makes it clear that the reference is to the publishing of the Aadhaar number of an individual by (another) person, and not the individual himself.
Implications for others sharing the TRAI chief’s number
Thus, while interpreting these provisions, the normal interpretation is that if one person were to publish the Aadhaar number of another person, then he is violating the law. Thus, on this basis, every person who retweeted the TRAI chief’s Aadhaar number, or every news agency that published it, or anyone who otherwise shared it, has violated the law.
This is, in fact, yet another law and order problem that the TRAI chief created since it can well be argued that all such persons had the implicit consent of the TRAI chief, who gave this out when he put his number in the public domain and posed a challenge to the world at large. However, by the same line of thought, if a hacker tomorrow uses this to empty out the TRAI chief’s bank accounts, he could similarly claim to have the TRAI chief’s consent to do so. The Aadhaar Act itself makes no mention of publication of the Aadhaar number with the person’s consent. Sharing his Aadhaar number is thus a huge risk, and ‘doing him harm’ will be a violation of the law. People thus must refrain from both these acts.
UIDAI’s contribution to normalising the sharing of Aadhaar numbers
A major part of the problem is the UIDAI’s own conflicting stands over the years on the disclosure of the Aadhaar number.
These have ranged from making a call to keep Aadhaar discreet to recommending that these should be freely shared. The UIDAI has, in fact, dismissed the threat caused by Aadhaar number leaks multiple times.
Recall the UIDAI’s response to French researcher Elliot Alderson’s find of 20,000 Aadhaar cards within 3 hours, in March this year. The UIDAI’s response included that the Aadhaar number can be freely shared, the Aadhaar card is never to be treated as a confidential document, and that the disclosure of Aadhaar numbers, PAN numbers and the like, cannot harm the security of banking and other systems. Such statements, having no regard for the dangers revealing such sensitive information can actually lead to (discussed in detail here), have definitely played a role in creating the present situation.
Dealing with the law and order problem generated
The TRAI chief’s disclosure and challenge certainly generated a major law and order problem. The UIDAI describes this disclosure by a person of their own Aadhaar numbers as an act that is ‘not in accordance with the law’. This is, in fact, the only way to describe the situation triggered by the TRAI chief’s act.
If disclosure of sensitive information is normalised this way, this could well necessitate an interpretation of Section 29 to make persons disclosing their own Aadhaar numbers punishable under the law.
If anything good has come from the TRAI chairman’s challenge it is this — the UIDAI has finally admitted to the cruciality of keeping an Aadhaar number confidential. The officials need to put more thought into the consequences of their statements and actions. Whether they admit or not, putting out crucial personal information, including the Aadhaar number, in the public domain can only spell trouble.
The author is a lawyer specialising in technology, privacy and cyber laws