a. Clauses 2(k), 2(g) & 2(j) which define "biometric information, "core biometric information" and "demographic information" should be strictly defined in the Bill itself and nothing should be left to be specified further by way of regulations. Therefore, the relevant portion in each of these provisions which contains the expression, "may be specified by regulations" should be deleted.[1]
b. Clause 3 r/w 23(2)(g): - A further sub-clause should be added in Clause 3 of the Bill to allow an individual to "opt out" of the Aadhaar Scheme, if he has already enrolled and if he no longer wishes to be part of the Aadhaar system and all data including authentication records as well as demographic and biometric information pertaining to such individual should be destroyed forthwith and a certificate to such effect must be issued to such individual by the Authority. The existing provision relating to omitting and deactivating of an Aadhaar number contained in Clause 23(2)(g) may also be amended in the same manner. This is a critical aspect of the right to privacy.
c. Clause 7 gives the impression that the Government can insist on Aadhaar as a condition for availing government subsidies, benefits or services. However, as per orders passed by the Supreme Court that Aadhaar will be purely voluntary, this proviso to the clause should be modified to state as follows:-
"Provided that if an Aadhar number is not assigned to or if an individual chooses not to opt for enrolment, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service".
d. Clause 8(4): Clause 8(4) empowers the UID Authority to respond to an authentication query with a "positive, negative or any other appropriate response sharing such identity information excluding any core biometric information". This can lead to sale of databases of people based on certain demographic information. The Clause should be amended to say "The Authority shall respond to an authentication query with a positive, negative or non-existent record as the only responses. There shall be no sharing of demographic or biometric information of individuals".
e. Clause 28 deals with security and confidentiality of information and as per sub clause (3) of Clause 28, the Authority shall protect such information against access, use or disclosure not permitted under the Act or regulations made thereunder. In order to avoid sensitive private information of the individual from being disclosed or accessed on the whim of the Executive, the expression "or regulations made thereunder" should be deleted and the disclosure should be strictly in accordance with the Act.
f. Clause 29 which contains a restriction on sharing core biometric information of the individual with anyone for any reason whatsoever should, by way of caution, start with a non-obstante clause which states: "Notwithstanding anything contained in this Act or any other law".
g. Clause 32:- provides for the UID authority to maintain authentication records of individuals. This raises serious privacy concerns and should be deleted since no public purpose is being served by maintaining authentication records at the cost of privacy of the individual.
h. Clause 33 (2): Clause 33(2) deals with disclosure of identity information and authentication records in the interests of national security. National security is too sweeping and loose a term. "National Security" should be changed to "public emergency or in the interest of public safety" as contained in the Indian Telegraph Act, 1885 and as mentioned in Chapter VIII, Clause 48(c) of the Aadhar Bill itself. The conditions for disclosure should strictly follow the 1996 directives of the Supreme Court with regard to the state being allowed to tap telephones. Moreover, the Oversight Committee as mentioned in Clause 33(2) should comprise of an independent member like the CVC or CAG.
i. Clause 47(1): Clause 47(1) states that Courts cannot take cognizance of any offence punishable under the Act unless a complaint is made by the UID Authority or a person authorized by it. This will present a conflict of interest as under the Bill the UID Authority is itself responsible for the security and confidentiality of identity information and authentication records. This Clause should be dropped.
j. Clause 48 which contains emergency provisions giving power to the Central Government to supersede the Authority and replace it with person or persons appointed by the President should be deleted since the Authority is accountable under the Act and the private individual data should be not divulged to any other person even under the directions of the Central Government. Therefore, Clause 48 should be dropped.
k. Clause 57: - At the time of introduction of the Bill, the Government categorically stated that "the Bill confines itself only to governmental expenditure". But Clause 57 which allows private persons to use Aadhar as proof of identity is contrary to the avowed object of the Bill. Thus, Clause 57 should be dropped.