2018 (9) TMI 1733 - SC - Indian Laws

Aadhaar project and Act upheld as valid, no surveillance state created through purpose-blind minimal data collection

SC upheld the validity of the Aadhaar project and Aadhaar Act against privacy challenges. The court held that Aadhaar's architecture does not create a ... Right to privacy as a fundamental right - three-fold proportionality test - legitimate State interest in targeted delivery of subsidies - data collection, storage and retention safeguards - restrictions on sharing and disclosure of biometric information - judicial oversight of disclosure for court order and national security - penal and cognizance provisions limiting complainant to the Authority - saving/validating retrospective deeming provision - parental consent for minor enrolment - use of Aadhaar for non-State purposes and contractual use - Aadhaar linkage for financial due diligence and anti-money laundering - administrative directions versus 'law' under Part III - Money Bill certification and judicial reviewRight to privacy as a fundamental right - three-fold proportionality test - Constitutionality of requirement to provide demographic and core biometric information for Aadhaar enrolment - HELD THAT: - The Court held that requiring demographic and biometric information for enrolment is lawful and does not violate the fundamental right to privacy. The enactment and regulatory regime satisfy the three-fold test (existence of law, legitimate State aim and proportionality) articulated in K.S. Puttaswamy, and biometric data as envisaged (photograph, fingerprints, iris) is not disproportionate to the legislative objective of unique identification for targeted delivery of benefits.Requirement to provide demographic and biometric information for Aadhaar enrolment is constitutional.Data collection, storage and retention safeguards - restrictions on sharing and disclosure of biometric information - Validity of statutory scheme governing collection, storage, retention, use and sharing of Aadhaar data - HELD THAT: - The Act and the Regulations create a statutory architecture with specific safeguards (security obligations, prohibition on sharing core biometric data, regulated sharing of other identity information, limits on retention and audit/log requirements). Applying proportionality and examining technical and organisational safeguards, the Court found these provisions adequate to protect privacy rights and rejected the contention that the scheme creates pervasive surveillance.Provisions governing collection, storage, retention, use and sharing of Aadhaar data are constitutional.Aadhaar Act does not create architecture for pervasive surveillance - meta-data and purpose blindness - Whether Aadhaar architecture enables pervasive state surveillance - HELD THAT: - Having considered the form and content of authentication records, logs and regulatory restrictions (including prohibition on purpose-storage and the expressed inability to store purpose of authentication), the Court concluded that the statutory and regulatory design does not amount to an architecture for pervasive surveillance and that meta-data retained is technical and not purpose-tracking in the manner alleged.Aadhaar Act does not create an architecture for pervasive surveillance.Restriction on sharing information - consent and regulated disclosure - Constitutionality of Section 29 (restriction on sharing information) - HELD THAT: - Section 29 prohibits sharing of core biometric information and permits sharing of other identity information only as provided by the Act and Regulations; it further restricts requesting entities from using or disclosing identity information except as specified or with consent. The Court held that Section 29 is regulatory, protective of privacy, and proportionate to legitimate aims; it is not liable to be struck down.Section 29 is constitutional.Disclosure of information pursuant to court order and national security - Article 20(3) and testimonial compulsion - Constitutionality of Section 33 (exceptions for disclosure to courts and in national security) - HELD THAT: - Section 33 permits disclosure only pursuant to a court order not inferior to that of a District Judge or under specified senior executive directions in national security with oversight and time limits. The Court found these safeguards reasonable; disclosure under Section 33 does not engage Article 20(3) protection against self-incrimination in a manner that renders the provision unconstitutional.Section 33 is constitutional and does not violate Article 20(3).Penalties and cognizance by Authority - special Acts limiting private complaints - Constitutionality of Section 47 (cognizance only on complaint by Authority) - HELD THAT: - Section 47 restricts cognizance of Aadhaar Act offences to complaints made by the Authority or authorised officers. The Court observed that similar provisions exist in many statutory schemes, that the limitation serves legitimate enforcement and anti-frivolity aims, and that other criminal remedies under general statutes (including IT Act offences) remain available; therefore Section 47 is not unconstitutional.Section 47 is constitutional.Use of Aadhaar for other purposes - limits of contractual authorization - Validity of Section 57 insofar as it permits use of Aadhaar 'pursuant to any contract' - HELD THAT: - Section 57 permits Aadhaar use pursuant to law, or contracts; the Court held that use pursuant to valid law is permissible subject to Section 8 and Chapter VI safeguards. However, permitting use merely pursuant to private contracts (the phrase 'or any contract to this effect') lacks the requisite backing of law and proportional safeguards and is therefore unconstitutional to that extent. The offending contractual clause was struck down while leaving the remainder of Section 57 operative for uses pursuant to statute.Section 57 is constitutional except insofar as it allows use of Aadhaar 'pursuant to any contract', which is struck down.Retrospective validation / deeming provision - Section 59 savings - Validity and effect of Section 59 (deeming past executive actions valid under the Act) - HELD THAT: - Section 59 retrospectively deems actions taken under earlier executive notifications to have been validly done under the Act. The Court applied established principles on legislative validating or curative statutes and held that Parliament may create such a legal fiction to validate prior executive acts; Section 59 validly saves actions taken under the cited notifications.Section 59 is valid and deems prior actions under the cited notifications to be valid under the Aadhaar Act.Parental consent for minor enrolment - consent in enrolment regulations - Constitutionality of collecting identity information of children aged 5-18 years - HELD THAT: - Regulations already provide special measures for children below five; the Court read parental/guardian consent into the enrolment regime for children aged 5-18 to safeguard minors and to maintain constitutionality of the Enrolment and Update Regulations in relation to that age-group.Parental/guardian consent is required for enrolment of children aged 5-18; Regulations are to be read accordingly.PMLA customer identification and Aadhaar e-KYC - Aadhaar for anti-money-laundering - Validity of Rule 9 as amended by Prevention of Money-Laundering (Second Amendment) Rules, 2017 - HELD THAT: - Amendments require specified identity proofs (including Aadhaar where eligible) for reporting entities and impose transitional/time-bound compliance requirements; the Court found the amendments to pursue legitimate AML and fiscal objectives, to be proportionate and within rule-making power, and not violative of Articles 14, 19(1)(g), 21 or 300A or of the Aadhaar Act or PMLA.Rule 9 as amended by the PMLA (Second Amendment) Rules, 2017 is constitutional.Administrative circulars versus 'law' - e-KYC re-verification of existing subscribers - Validity of Department of Telecommunications circular dated 23.03.2017 mandating Aadhaar-based e-KYC re-verification of all existing mobile subscribers - HELD THAT: - The circular was an executive instruction implementing an administrative plan and relied on a Court disposition describing an undertaking; it was not a statute or rule backed by the Aadhaar Act or some other statutory authorisation; the Court held that the circular is not 'law' under Part III and cannot compel Aadhaar re-verification of existing subscribers absent valid legislative authority and therefore set aside the circular.The 23.03.2017 DoT circular is unconstitutional and is set aside.Money Bill certification - judicial review of Speaker's certification - Whether Aadhaar Act was properly enacted as a Money Bill and whether Speaker's certification is immune from judicial review - HELD THAT: - The Court held that the Aadhaar Act's core object - enabling identity-based conditioning of subsidies/benefits drawn from the Consolidated Fund - falls within Article 110(1)(c) and (e); incidental provisions fall within clause (g). Importantly, the Court rejected the notion that Speaker's certification is absolutely immune: certification is amenable to judicial review where constitutionally relevant illegality is alleged. On merits, the Aadhaar Bill could be validly treated as a Money Bill.Aadhaar Act was validly certified as a Money Bill; certification is subject to judicial review but here the certification did not infringe constitutional limits.Linking Aadhaar and PAN (Section 139-AA) - proportionality and legitimate aim in fiscal regulation - Constitutionality of Section 139 AA of the Income tax Act requiring Aadhaar linkage for PAN and related obligations - HELD THAT: - Section 139 AA pursues legitimate fiscal and anti-evasion objectives (eliminating duplicate PANs, curbing black money and tax evasion). Applying the Puttaswamy proportionality framework and related precedent, the Court found Section 139 AA to be a lawful measure that does not, on its face, violate the right to privacy.Section 139 AA does not violate the right to privacy and is constitutional.Interim judicial orders and subsequent legislation - voluntariness of Aadhaar enrolment - Whether the Aadhaar Act violates interim orders previously issued in these proceedings (e.g., that Aadhaar enrolment/use be voluntary) - HELD THAT: - Interim directions earlier issued dealt with an administrative scheme predating the Act; Parliament subsequently enacted a statutory regime that provides legal sanction and safeguards. The Court held that enactment of the Aadhaar Act does not offend those interim orders such that the Act must be struck down, and that legislation may supersede or regularise earlier executive practices.The Aadhaar Act does not contravene earlier interim orders in the petitions; it regularises the scheme under statute.Criminal disclosure orders and Section 33 - limits on disclosure by subordinate magistrates - Validity of lower court order (Judicial Magistrate First Class) directing UIDAI to disclose biometric data to investigating agency - HELD THAT: - Section 33(1) permits disclosure only pursuant to an order of a court not inferior to that of a District Judge; an order by a Judicial Magistrate First Class therefore exceeded the statutory threshold. The Court set aside the Magistrate's order and related High Court order that sustained it.Order of Judicial Magistrate First Class directing disclosure to investigating agency is set aside; Section 33 requires higher-court order for disclosure.Contempt applications - Whether contempt proceedings arising in these matters should be pursued - HELD THAT: - Having examined the record and the reliefs granted, the Court found no basis to proceed with contempt prosecutions arising in relation to these matters and dismissed the contempt petitions.All contempt petitions are dismissed/closed.Final Conclusion: The Constitution Bench upholds the Aadhaar enactment and its principal regulatory framework as constitutional subject to specific read downs and directions: demographic and biometric enrolment requirements, data security, retention and restricted sharing provisions survive constitutional challenge; Section 57 is severed to the extent it permitted use of Aadhaar merely 'pursuant to any contract'; Section 59 validly saves prior executive actions; parental consent must be read into enrolment of minors aged 5-18; Rule 9 under PMLA (2017) stands; the DoT circular of 23.03.2017 is set aside; certification of the Aadhaar Bill as a Money Bill is amenable to judicial review but, on merits, held valid; orders below requiring disclosure by subordinate magistrates are set aside; and related contempt proceedings are dismissed. Issues: (i) Whether the Aadhaar Act and its requirements for collection of demographic and biometric information violate the fundamental right to privacy; (ii) Whether collection, storage, retention, use and sharing of Aadhaar data and the authentication architecture effectuate impermissible mass surveillance; (iii) Whether Section 7 (proof of Aadhaar for receipt of subsidies/benefits/services) is constitutional and whether socio-economic entitlements can override privacy; (iv) Whether provisions restricting sharing (Section 29), disclosure (Section 33), penalties and cognizance (Section 47) are constitutional; (v) Whether Section 57 permitting use of Aadhaar beyond the Act is constitutional; (vi) Whether Section 59 validating prior executive acts is valid; (vii) Whether regulations concerning children, PMLA Rule 9 (as amended), Telecom circular (23.03.2017), Money Bill certification, and Section 139-AA of Income-tax Act are constitutionally valid.Issue (i): Whether the Aadhaar Act and its requirement to furnish demographic and biometric information violates the right to privacy.Analysis: The statutory scheme authorises enrolment, storage and authentication of specified demographic and biometric data; contains provisions on security, confidentiality, restrictions on sharing and criminal penalties; and is subject to regulations. Application of the three-fold Puttaswamy test (lawfulness, legitimate state aim, proportionality) requires assessment of the enacted provisions and regulatory safeguards against arbitrariness and disproportionate intrusion.Conclusion: Requirement to provide demographic and biometric information under the Aadhaar Act does not violate the fundamental right to privacy; the provisions and regulations satisfy the three-fold test and are constitutional.Issue (ii): Whether collection, storage, retention, use and sharing of Aadhaar data and authentication architecture create an impermissible surveillance regime.Analysis: The statute and regulations limit collection items, prohibit sharing of core biometric data, restrict storage of purpose, mandate security measures, prescribe limited retention of authentication logs and criminalise unauthorised disclosure; meta-data retained is technical and purpose-storage is prohibited. International precedents on data retention and surveillance inform proportionality analysis but do not control statutory design here.Conclusion: The Act and Regulations, as constituted, do not create an architecture for pervasive surveillance; collection, storage and retention as provided do not breach the right to privacy.Issue (iii): Whether Section 7 (conditioning receipt of subsidies/benefits/services on Aadhaar authentication) is unconstitutional or overrides socio-economic rights.Analysis: Section 7 is an enabling statutory power limited to schemes funded from the Consolidated Fund and includes provisos requiring alternate/viable means where Aadhaar is not assigned. The legislative objective of targeted delivery and prevention of leakage in welfare disbursement is a legitimate State aim. Implementation shortcomings and instances of exclusion require administrative remedy but do not render the provision inherently arbitrary.Conclusion: Section 7 is constitutional; provisioning of welfare entitlements does not take precedence so as to nullify privacy protections and the provision satisfies proportionality.Issue (iv): Whether Sections restricting sharing (Section 29), permitting disclosure on judicial/national security orders (Section 33), and Section 47 (cognizance limited to Authority) are unconstitutional.Analysis: Section 29 prohibits sharing of core biometric data and conditions other sharing on Act/Regulations and consent; Section 33 allows disclosure only on court order not inferior to District Judge or by specified high-level national security direction with oversight; Section 47 confines cognizance of Aadhaar offences to complaints by the Authority or authorised officers, comparable to provisions in other special statutes and balanced by general criminal remedies under other laws (e.g., IT Act).Conclusion: Sections 29 and 33 are constitutional and proportionate; Section 47 is not unconstitutional and falls within legislative design for specialised enforcement and prevention of frivolous prosecutions.Issue (v): Whether Section 57 permitting use of Aadhaar 'for any purpose' including by private parties or pursuant to contracts is constitutional.Analysis: Section 57 permits use of Aadhaar for establishing identity 'pursuant to any law' or contract but makes such use subject to Section 8 and Chapter VI safeguards. Use 'pursuant to any law' presupposes a valid legislative basis subject to privacy scrutiny. Use by contract alone (i.e., without a legislative mandate) would permit unregulated private adoption and lacks the necessary statutory safeguards and proportionality review.Conclusion: Section 57 is constitutional only insofar as use is pursuant to law and subject to statutory safeguards; the phrase 'or any contract to this effect' is struck down as unconstitutional.Issue (vi): Whether Section 59 (deeming prior executive actions valid under the Act) is void.Analysis: Section 59 is a legislative deeming provision validating actions taken under earlier executive notifications by treating them as done under the Act; legislative bodies may enact retrospective validating provisions when within constitutional competence, subject to limits of constitutionality.Conclusion: Section 59 validly validates prior actions under the stated notifications and is constitutional within the scope of legislative power and statutory interpretation.Issue (vii): Whether consent and parental-protection requirements and specific subordinate instruments are constitutional: (a) enrolment of children 518; (b) Rule 9 (PMLA Second Amendment, 2017); (c) DoT circular 23.03.2017; (d) Money Bill certification; (e) Section 139-AA Income-tax Act.Analysis: (a) Regulations require parental/guardian consent for minors; reading parental consent into the enrolment scheme preserves constitutionality for ages 518. (b) Amended Rule 9 imposes identity/verification obligations on reporting entities (including Aadhaar authentication) to prevent money-laundering and shell/ghost accounts; measures are targeted, time-limited for account verification, and permit limited exceptions; proportionality and legitimate State aims (anti-money-laundering, financial integrity) are satisfied. (c) The DoT circular mandated mass re-verification of existing mobile subscribers by Aadhaar e-KYC; executive circulars are not legislative 'law' under Part III and the circular lacked independent statutory backing for compulsory re-verification; absent statutory authorisation the circular is unconstitutional and set aside. (d) The Aadhaar Act's core objective relates to delivery of subsidies/services from the Consolidated Fund; provisions fall within Article 110(1)(c)/(e) and incidental matters in (g); certification as a Money Bill was sustainabled on merits, but certification by the Speaker is amenable to judicial review for substantive illegality; here the certification was upheld. (e) Section 139-AA (linking Aadhaar with PAN) pursues legitimate fiscal and anti-evasion aims and, subject to privacy proportionality, is constitutionally valid.Conclusion: (a) Parental consent must apply for enrolment of children 518; (b) Rule 9 as amended is constitutional and not ultra vires PMLA; (c) DoT circular dated 23.03.2017 is unconstitutional and set aside; (d) Aadhaar Act properly fits within Money Bill parameters and certification is judicially reviewable but here is upheld on substance; (e) Section 139-AA does not violate the right to privacy.Final Conclusion: The Aadhaar Act and the framed Regulations (with the reading-in for parental consent) are, in their operative parts, constitutionally valid under the three-fold privacy test and proportionality analysis; targeted uses for welfare delivery, financial integrity and law enforcement are legitimate and proportionate when subject to the statutory safeguards and oversight specified in the Act and Regulations. The contract-based authorization in Section 57 is severed; the DoT circular of 23.03.2017 is quashed; prior executive actions are validated by Section 59; subordinate instruments and rules are otherwise sustained where consistent with statutory safeguards.Ratio Decidendi: A statutory scheme authorising collection and authentication of limited biometric and demographic identifiers for legitimate State aims (targeted welfare delivery, financial integrity and crime prevention) is constitutional if enacted lawfully, pursues legitimate aims, and employs proportionate, statutory safeguards (including limits on sharing, retention, security obligations, oversight for disclosures and remedies); absent statutory mandate, executive instruments imposing compulsory biometric-based re-verification are invalid.