1 week Ago
New Delhi: As India’s data privacy law approaches notification, another law that is behind a unique identification number for citizens is being prepped for overhaul to bring it in sync with the new privacy law, a move industry experts said is overdue but needs wider consultation. Bhuvnesh Kumar, the new chief executive of Uidai (Unique Identification Authority of India), the governing body behind Aadhaar identification, said in a conversation with that discussions “will now begin and take its due course of lawmaking" for a new law to replace the near-decade-old Aadhaar Act, 2016. “Just an amendment won’t be sufficient—we need a new law to bring Aadhaar up to speed with the Digital Personal Data Protection Act (DPDP Act), 2023," Kumar said in his first media interview since taking charge of Uidai on 3 January.
Pointing out that the DPDP Act was not there when the Aadhaar law was made, Kumar, who is also the additional secretary at the ministry of electronics and information technology (Meity), said the current Aadhaar law is quite restrictive and needs to be changed. | “Aadhaar’s usage has been limited by legal restrictions and the requirement for authentication. It is linked to benefits and subsidies, but has far more potential than that," he added.
To be sure, the current Aadhaar Act was enacted nearly a decade ago and, thus, does not comply with the rules under the DPDP Act. This includes data sharing, data transfer and a host of other regulations. At stake is not just a legal revamp of Aadhaar, which has over 1.
4 billion registered individuals in the government’s database, but also a potential widening of its scope of use. “In line with the law, we are also expanding the scope of usage of Aadhaar at businesses, while minimizing the risk of the identity document being misused by entities," Kumar added. Uidai is also making a new Aadhaar app that eases on-the-move verification of an individual’s identity without the need for an active internet connection.
| “It’s not just for benefits—Aadhaar’s QR-scan feature, for instance, can be used to verify the authenticity of a person in line with government laws by a business without third parties getting involved," said Kumar. He added that other areas where Aadhaar can be integrated in line with the new law and Aadhaar app include verifying parental consent on social media platforms as mandated by the DPDP Act’s soon-to-be-notified rules, if technology platforms so desire. For perspective, technology platforms can decide how they want to comply with verifiable parental consent for underage users of online platforms, and Aadhaar is not mandatory for it.
For example, companies can accept a voluntary age disclosure form to onboard underage users. Security of the crucial document is on the radar as well. “Uidai is also setting up a data sharing instrument that businesses can buy from us.
This will help businesses automate identity verification without human intervention or people taking photos of your document that can later be misused," Kumar said. On 9 April, Union IT minister Ashwini Vaishnaw mentioned the need for “a new law" for Aadhaar for the first time—calling for India’s most-issued government identification document to be “harmonized vis-à-vis the DPDP Act keeping human interest at the centre". The 12-digit identification document is the most widely used government identity today, for which Uidai attracts 75,000 applications per day for new Aadhaar issuance.
As per Kumar, 99.5% of adults in India are already under Aadhaar’s ambit, covering 1.41 billion entries in the Aadhaar database.
Timely move Policy consultants and stakeholders believe the move is necessary, but certain safeguards need to be considered. Isha Suri, research lead for technology policy and data privacy at think-tank, Centre for Internet and Society (CIS), sought an extensive public consultation process to understand gaps that a new Aadhaar law should address. On his part, Kumar said public consultation will be a part of the lawmaking process, which will “take its due course and time".
Suri added, “Instead of retrospectively looking at which areas of the law would need to be filled in as technology and private sector’s tech adoption evolves, a robust consultation with civil society and private entities alike can help frame a law that better addresses user privacy and the efficacy of Aadhaar." The new Aadhaar Act will look to make Aadhaar data verification more seamless through new sharing mechanisms, reduce the number of people in the middle with access to a person’s own data, and more. | Kumar, a career bureaucrat who joined public services with the 1995 Uttar Pradesh cadre, is keen to showcase Aadhaar as a seamless identification document that can help authenticate identity and transaction, while minimizing the number of hands through which data transfers take place.
“The only time we share data with entities is in requests for e-know your customer (KYC). Aadhaar is the only document that can be verified through a mobile phone itself—without needing internet connectivity or a specialized device. This increases the scope of usage of the document," Kumar said, adding that all of this is expected to widen Aadhaar’s scope in fields such as hospitality, financial services, .
At stake is also a question around minimizing the amount of data shared with entities and reducing the number of intermediaries in the data sharing process. Underlining that data storage and retention, as defined by the DPDP Act, is “principle-based", Kumar said that for Aadhaar, any individual challenging the tenure of data retention will have the power to first request the business holding the data. In case of no resolution, the Data Protection Board—an empowered entity under India’s privacy law—can intervene and rule on a per-case basis.
| However, identity scammers have doubled down on attempts to breach data security by generating Aadhaar identification lookalikes through artificial intelligence platforms, such as OpenAI’s ChatGPT. Such identification, privacy advocates have underlined, pose a key challenge to information sanctity when presented to businesses. Kumar underlined that it is “impossible" to generate an Aadhaar from any AI engine.
“What it is generating is a look-alike image of something, which is replicated," he said, adding that this won’t work as there is no supporting biometric..
