Aadhaar project and Act upheld as valid, no surveillance state created through purpose-blind minimal data collection

SC upheld the validity of the Aadhaar project and Aadhaar Act against privacy challenges. The court held that Aadhaar's architecture does not create a surveillance state as it operates in a purpose-blind manner, collecting only minimal biometric data without transaction details, purpose, or location information. The system includes sufficient security measures making it difficult to create individual profiles from stored biometric and demographic data in CIDR.

---

---

Issues: (i) Whether the Aadhaar Act and its requirements for collection of demographic and biometric information violate the fundamental right to privacy; (ii) Whether collection, storage, retention, use and sharing of Aadhaar data and the authentication architecture effectuate impermissible mass surveillance; (iii) Whether Section 7 (proof of Aadhaar for receipt of subsidies/benefits/services) is constitutional and whether socio-economic entitlements can override privacy; (iv) Whether provisions restricting sharing (Section 29), disclosure (Section 33), penalties and cognizance (Section 47) are constitutional; (v) Whether Section 57 permitting use of Aadhaar beyond the Act is constitutional; (vi) Whether Section 59 validating prior executive acts is valid; (vii) Whether regulations concerning children, PMLA Rule 9 (as amended), Telecom circular (23.03.2017), Money Bill certification, and Section 139-AA of Income-tax Act are constitutionally valid.

Issue (i): Whether the Aadhaar Act and its requirement to furnish demographic and biometric information violates the right to privacy.

Analysis: The statutory scheme authorises enrolment, storage and authentication of specified demographic and biometric data; contains provisions on security, confidentiality, restrictions on sharing and criminal penalties; and is subject to regulations. Application of the three-fold Puttaswamy test (lawfulness, legitimate state aim, proportionality) requires assessment of the enacted provisions and regulatory safeguards against arbitrariness and disproportionate intrusion.

Conclusion: Requirement to provide demographic and biometric information under the Aadhaar Act does not violate the fundamental right to privacy; the provisions and regulations satisfy the three-fold test and are constitutional.

Issue (ii): Whether collection, storage, retention, use and sharing of Aadhaar data and authentication architecture create an impermissible surveillance regime.

Analysis: The statute and regulations limit collection items, prohibit sharing of core biometric data, restrict storage of purpose, mandate security measures, prescribe limited retention of authentication logs and criminalise unauthorised disclosure; meta-data retained is technical and purpose-storage is prohibited. International precedents on data retention and surveillance inform proportionality analysis but do not control statutory design here.

Conclusion: The Act and Regulations, as constituted, do not create an architecture for pervasive surveillance; collection, storage and retention as provided do not breach the right to privacy.

Issue (iii): Whether Section 7 (conditioning receipt of subsidies/benefits/services on Aadhaar authentication) is unconstitutional or overrides socio-economic rights.

Analysis: Section 7 is an enabling statutory power limited to schemes funded from the Consolidated Fund and includes provisos requiring alternate/viable means where Aadhaar is not assigned. The legislative objective of targeted delivery and prevention of leakage in welfare disbursement is a legitimate State aim. Implementation shortcomings and instances of exclusion require administrative remedy but do not render the provision inherently arbitrary.

Conclusion: Section 7 is constitutional; provisioning of welfare entitlements does not take precedence so as to nullify privacy protections and the provision satisfies proportionality.

Issue (iv): Whether Sections restricting sharing (Section 29), permitting disclosure on judicial/national security orders (Section 33), and Section 47 (cognizance limited to Authority) are unconstitutional.

Analysis: Section 29 prohibits sharing of core biometric data and conditions other sharing on Act/Regulations and consent; Section 33 allows disclosure only on court order not inferior to District Judge or by specified high-level national security direction with oversight; Section 47 confines cognizance of Aadhaar offences to complaints by the Authority or authorised officers, comparable to provisions in other special statutes and balanced by general criminal remedies under other laws (e.g., IT Act).

Conclusion: Sections 29 and 33 are constitutional and proportionate; Section 47 is not unconstitutional and falls within legislative design for specialised enforcement and prevention of frivolous prosecutions.

Issue (v): Whether Section 57 permitting use of Aadhaar "for any purpose" including by private parties or pursuant to contracts is constitutional.

Analysis: Section 57 permits use of Aadhaar for establishing identity "pursuant to any law" or contract but makes such use subject to Section 8 and Chapter VI safeguards. Use "pursuant to any law" presupposes a valid legislative basis subject to privacy scrutiny. Use by contract alone (i.e., without a legislative mandate) would permit unregulated private adoption and lacks the necessary statutory safeguards and proportionality review.

Conclusion: Section 57 is constitutional only insofar as use is pursuant to law and subject to statutory safeguards; the phrase "or any contract to this effect" is struck down as unconstitutional.

Issue (vi): Whether Section 59 (deeming prior executive actions valid under the Act) is void.

Analysis: Section 59 is a legislative deeming provision validating actions taken under earlier executive notifications by treating them as done under the Act; legislative bodies may enact retrospective validating provisions when within constitutional competence, subject to limits of constitutionality.

Conclusion: Section 59 validly validates prior actions under the stated notifications and is constitutional within the scope of legislative power and statutory interpretation.

Issue (vii): Whether consent and parental-protection requirements and specific subordinate instruments are constitutional: (a) enrolment of children 518; (b) Rule 9 (PMLA Second Amendment, 2017); (c) DoT circular 23.03.2017; (d) Money Bill certification; (e) Section 139-AA Income-tax Act.

Analysis: (a) Regulations require parental/guardian consent for minors; reading parental consent into the enrolment scheme preserves constitutionality for ages 518. (b) Amended Rule 9 imposes identity/verification obligations on reporting entities (including Aadhaar authentication) to prevent money-laundering and shell/ghost accounts; measures are targeted, time-limited for account verification, and permit limited exceptions; proportionality and legitimate State aims (anti-money-laundering, financial integrity) are satisfied. (c) The DoT circular mandated mass re-verification of existing mobile subscribers by Aadhaar e-KYC; executive circulars are not legislative "law" under Part III and the circular lacked independent statutory backing for compulsory re-verification; absent statutory authorisation the circular is unconstitutional and set aside. (d) The Aadhaar Act's core objective relates to delivery of subsidies/services from the Consolidated Fund; provisions fall within Article 110(1)(c)/(e) and incidental matters in (g); certification as a Money Bill was sustainabled on merits, but certification by the Speaker is amenable to judicial review for substantive illegality; here the certification was upheld. (e) Section 139-AA (linking Aadhaar with PAN) pursues legitimate fiscal and anti-evasion aims and, subject to privacy proportionality, is constitutionally valid.

Conclusion: (a) Parental consent must apply for enrolment of children 518; (b) Rule 9 as amended is constitutional and not ultra vires PMLA; (c) DoT circular dated 23.03.2017 is unconstitutional and set aside; (d) Aadhaar Act properly fits within Money Bill parameters and certification is judicially reviewable but here is upheld on substance; (e) Section 139-AA does not violate the right to privacy.

Final Conclusion: The Aadhaar Act and the framed Regulations (with the reading-in for parental consent) are, in their operative parts, constitutionally valid under the three-fold privacy test and proportionality analysis; targeted uses for welfare delivery, financial integrity and law enforcement are legitimate and proportionate when subject to the statutory safeguards and oversight specified in the Act and Regulations. The contract-based authorization in Section 57 is severed; the DoT circular of 23.03.2017 is quashed; prior executive actions are validated by Section 59; subordinate instruments and rules are otherwise sustained where consistent with statutory safeguards.

Ratio Decidendi: A statutory scheme authorising collection and authentication of limited biometric and demographic identifiers for legitimate State aims (targeted welfare delivery, financial integrity and crime prevention) is constitutional if enacted lawfully, pursues legitimate aims, and employs proportionate, statutory safeguards (including limits on sharing, retention, security obligations, oversight for disclosures and remedies); absent statutory mandate, executive instruments imposing compulsory biometric-based re-verification are invalid.

---