The President promulgated Aadhaar and Other Laws (Amendment) Ordinance, 2019 ("Ordinance") on March 2, 2019. The Ordinance amends certain provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("Aadhaar Act"), the Prevention of Money Laundering Act, 2005 ("PMLA") and the Indian Telegraph Act 1885 ("Telegraph Act") as discussed in this article.
Purpose of the Ordinance
On July 27, 2018, a Committee of Experts chaired by Justice (Retd.) B. N. Srikrishna submitted its report regarding various issues related to data protection along with a draft Personal Data Protection Bill and suggested certain amendments to the Aadhaar Act for, inter alia, protecting confidential data of Aadhaar holders. Thereafter, a Constitution Bench of the Supreme Court, in the case of Justice K.S. Puttaswamy (Retd.) and another vs UOI and others (dated August 24, 2017, W.P. 494 of 2012) ("Privacy Judgement") declared privacy as a fundamental right under Article 21 of the Constitution. Further, the Supreme Court vide its judgment in the matter of Justice K.S. Puttaswamy (Retd.) and another vs UOI and others (dated September 26, 2018, W.P. 494 of 2012) ("Aadhaar Judgement") upheld the constitutional validity of the Aadhaar Act, with certain restrictions and changes to safeguard, inter alia, right to privacy of individuals.
As a result of the foregoing events, the Aadhaar and Other Laws (Amendment) Bill, 2018 ("Bill") was introduced for synchronizing the Aadhaar Act with the findings of the Committee of Experts and the Supreme Court's verdict in the Privacy Judgement and the Aadhaar Judgement. The Bill was passed in the Lok Sabha, however, lapsed in the Rajya Sabha. In view of the important amendments introduced in the Bill, the Ordinance has been promulgated by the President, which became effective on March 2, 2019.
Voluntary use of Aadhaar by authentication or offline verification with the consent of Aadhaar number holder ("Individual")
The Ordinance has introduced the concept of informed consent. An individual is empowered to give his consent to verify his identity through Aadhaar 'authentication'. As per the Aadhaar Act, authentication is a process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for verification.
In order to ensure that an individual is not compelled to use Aadhaar and is aware of alternative means of identification, any entity requesting an individual to provide his Aadhaar for identity verification is required to inform such individual of alternate and viable means of identification. Further, an entity cannot deny service to an individual who refuses or is unable to undergo verification by authentication prescribed by the Aadhaar Act.
The Ordinance has also introduced a new concept of 'offline verification'. Offline verification is defined as a process of verifying the identity of an individual through offline modes. The modes for offline verification have not been specified and left upon Unique Identification Authority of India ("UIDAI") to specify, by means of regulations.
Alternative Virtual Identity
The Ordinance empowers UIDAI to decide whether an entity is permitted to use the actual Aadhaar number or only an 'alternative virtual identity'. The alternative virtual identity is envisaged as a means to conceal the actual Aadhaar number of an individual. The manner of generating the alternative virtual identity has not been specified and left upon UIDAI to introduce, by means of regulations.
Compliance with standards of privacy and security
An entity is permitted to perform authentication only if UIDAI is satisfied that the entity is compliant with the standards of privacy and security specified by UIDAI. The standards have not yet been specified.
Amendments to other acts
Amendments to the Telegraph Act have paved way for telecom companies to verify the identity of its customers by authentication or offline verification under the Aadhaar Act in addition to use of any other officially valid documents or modes of identification.
A new section has been introduced in the PMLA which provides for various ways for verifying identity of clients and beneficial owners of regulated entities in India. Verification of identity of clients and beneficial owners by authentication process prescribed by the Aadhaar Act is exclusively provided to banking companies. All other regulated entities have the option to use the offline verification process proposed by the Ordinance.
Certain provisions of the PMLA have been deleted by the Ordinance. The deleted provisions, to the extent that they formed the basis of the Reserve Bank of India's Know Your Customer (KYC) Directions of 2016 ("KYC directions"), may result in partly or wholly rendering the KYC directions redundant. Reserve Bank of India (RBI) has not come out with any clarifications or modifications to the KYC directions, post promulgation of the Ordinance, resulting in confusion in the minds of regulated entities, especially regulated entities that are not banking companies, with respect to the mode of conducting KYC for the time being.
The Ordinance has introduced a new framework for regulated entities to conduct KYC on clients under the Aadhaar Act while balancing that to protect sensitive private information of individuals by way of offline verification, alternative virtual identity and informed consent of individuals. However, implementation of the new framework contemplates various regulatory authorities (such as UIDAI and RBI) to device regulations to give effect to the new framework for KYC under the Ordinance. The crafting and subsequent implementation of the regulations would ultimately decide the effectiveness of the new framework.
Rashi Dhir, Senior Partner; and
Divya Sharma, Senior Associate
DISCLAIMER: The views and opinions expressed in this article are those of the author and does not constitute a legal opinion/advice by DMD Advocates. The information provided through this article is not intended to create any attorney-client relationship between DMD Advocates and the reader and, is not meant for advertising the services of DMD Advocates or for soliciting work by DMD Advocates. DMD Advocates does not warrant the accuracy and completeness of this article and, the readers are requested to seek formal legal advice prior to acting upon any information provided in this article. Further, applicable laws and regulations are dynamic and subject to change, clarification and amendment by the relevant authorities, which may impact the contents of this article. This article is the exclusive copyright of DMD Advocates and may not be circulated, reproduced or otherwise used by the intended recipient without our prior permission.