India’s Aadhaar Needs Checks and Balances

Over the last ten years, India has rapidly adopted Aadhaar, the world’s largest national identification system. But critics increasingly raise concerns over how Aadhaar operates.

In a recent paper, for example, Vrinda Bhandari, a lawyer, and Renuka Sane, a professor with the National Institute of Public Finance and Policy, argue that the legal framework surrounding Aadhaar suffers from several weaknesses in “accountability, delegation, and grievance redressal and enforcement” and needs to be changed.

The Indian government created the Unique Identification Authority of India (UIDAI) agency to administer Aadhaar via a 2009 executive notification and later the Aadhaar Act of 2016. Aadhaar now assigns a unique 12-digit number to over 1.2 billion people.

For each person, UIDAI collects certain biometric information like fingerprints, iris scans, and photographs, as well as demographic data like addresses and date of birth. The authority then stores these records in the Central Identities Data Repository (CIDR). When people seek services like welfare, other agencies turn to UIDAI to verify applicants’ identities.

The Indian government believes that Aadhaar improves its public welfare system and prevents burdensome duplicate claims. Previously, many Indians lacked an appropriate government-issued identification and faced difficulty obtaining banking and aid services that require such identification. With over 90% of the population now included in the government’s records, Aadhaar allows Indian residents to establish their identities and facilitates the provision of government services.

Prior to Aadhaar, fraud and corruption had been seen as weakening welfare programs. For instance, in 2008 more than half the grain from a government food distribution program failed to reach the intended recipients. Aadhaar proponents argue that the national identity system now enables more efficient distribution of welfare resources by reducing diversion and identifying beneficiaries more easily. Others, like economist Reetika Khera, fear that Aadhaar is not as effective as claimed and that it may become “a tool of exclusion.”

Over time, the government has attempted to expand Aadhaar’s scope by linking IDs to voter registration, bank accounts, and other previously siloed datasets. A 2015 Supreme Court of India order ostensibly prohibits mandatory uses of Aadhaar for some functions like banking, but in practice many services turn away users who lack Aadhaar.

Bhandari and Sane claim that a 2016 law authorizing the Aadhaar system delegates functions excessively and inappropriately to UIDAI. That the Aadhaar Act leaves basic policy decisions like identity data collection, storage, and use to the UIDAI is a “central problem,” according to Bhandari and Sane. They acknowledge that delegation has a role to play in a complex world but assert that the Indian legislature failed to provide appropriate guidelines alongside delegated authority to prevent potential future capricious rule-making by UIDAI.

For example, the Aadhaar Act allows UIDAI to define what constitutes biometric and demographic information by regulation. Although UIDAI has not yet exercised that authority, Bhandari and Sane argue that such definitions should be legislative functions rather than executive.

Such a delegation violates separation-of-powers theory, in which different branches of government should not perform other branches’ core functions, Bhandari and Sane claim. In their opinion, UIDAI’s performance of what should be the legislature’s tasks creates undesirable ambiguity over Aadhaar’s scope and could allow the executive to expand data collection without the safeguards that are inherently built into a democratic legislative process.

Bhandari and Sane also assert that UIDAI requires greater accountability in its administration of Aadhaar. Legislatures may delegate duties to agencies, but agencies should remain accountable to legislatures, they argue. In this case, the Indian legislature failed to provide an adequate accountability framework for Aadhaar, charge Bhandari and Sane.

The Organization for Economic Cooperation and Development recommends building accountability, performance evaluation, and role clarity into the governance of regulators such as UIDAI. The agency functionally serves as a data administrator, by maintaining, authenticating, and verifying Indians’ biometric information. It also serves, however, as a regulator, through its licensing of other Aadhaar-related entities and ability to issue them binding directions. Bhandari and Sane argue that this dual role creates conflicting responsibilities.

For instance, UIDAI maintains the security of the CIDR database but is also the only agency allowed to bring a criminal action against tampering with CIDR. Bhandari and Sane argue that “UIDAI faces a clear conflict of interest in reporting an offense, which would expose its own inadequacies as an administrator.” They call for the legislature to provide UIDAI with additional guidance and to distinguish its various roles clearly.

The current Aadhaar Act also lacks statutorily mandated accountability mechanisms like performance standards and audits, Bhandari and Sane say. The collection of such a large database of identity information creates an attractive target for criminals, they worry. Furthermore, computer scientists raise doubts over Aadhaar’s security, and indeed UIDAI has suffered several data breaches.

Despite discussion of data security policies for UIDAI leading up to the enactment of the Aadhaar Act, the Act’s final language did not provide any mechanism for ensuring policy implementation. The Act also lacks a data breach notification principle, which would require informing victims when their data are compromised. Individuals who are unaware their data have been compromised cannot effectively hold UIDAI accountable.

Bhandari and Sane argue that the government should also revise grievance mechanisms for Aadhaar failures and violations. Scholars have suggested that regulators need timely complaint processing through easily accessible and clear mechanisms, but UIDAI lacks such processes, Bhandari and Sane say. Aadhaar regulations do not specify how to raise grievances or provide timelines for resolving issues. In addition, although users are directed to seek remedies at UIDAI regional offices, their ability to do so successfully is further hindered by the limited distribution of these offices to only eight major cities.

The Aadhaar Act also neither sets minimum standards for regional offices’ behavior nor does it establish performance standards to measure how effectively UIDAI addresses grievances. Bhandari and Sane argue that new regulations should be adopted that provide specific procedures for complaint handling and for more effective resolution of errors in the government’s data.

Over the last decade, Aadhaar has become “almost de facto mandatory” for Indian residents, conclude Bhandari and Sane. To prevent such a pervasive system from operating “in a legal vacuum,” the Aadhaar regulatory framework should be updated to provide more specific guidance for, and checks and balances on, the implementation of the system by UIDAI, they urge.