As new data privacy regulations spring up around the globe with greater frequency, multinational companies face difficulties not only with complying with a patchwork of requirements, but also with the uncertainty of what these requirements will actually mean and how they will be applied. Sometimes, as is the case in India, it will be courts who eventually fill in the gaps—but even court decisions can create uncertainty.

In 2016, India amended its 2009 biometric identification system, known as Aadhaar,¹ to allow both the government and private entities to collect an individual’s ID number for any purpose, which human rights advocates have decried as a violation of privacy.² Despite the growing uncertainty surrounding this authorization, businesses in India continued to require ID numbers for certain services, as well as used the ID numbers for consumer profiling and targeted advertisements.

The Supreme Court of India, however, recently struck down the part of the 2016 Act that allowed private businesses to ask for ID numbers for any purpose.³ As a result, many businesses will be forced to quickly adjust how they conduct business in India, highlighting that for companies facing ambiguous privacy regulations, erring on the side of greater privacy protections may be the better risk-based course.

What was the ruling?

The Supreme Court of India, in a 4-1 decision, found that Section 57 of the Aadhaar Act—which allowed commercial collection and use of ID numbers—violated the right to privacy because it allowed third parties to obtain, and potentially misuse, consumer data without individual consent for “any purpose,” rather than having those purposes specifically authorized in law.⁴ As a result of the holding, the following private-sector-based economic activities cannot be contingent on customers providing their Aadhaar ID number:⁵

• Receiving employee pensions
• Re-verifying cell phone numbers
• Opening a bank account or a credit card
• Investing in a mutual fund
• Obtaining an insurance policy

In addition, companies selling air, train, and movie tickets cannot obtain ID numbers from their customers at all.⁶
  
What are the implications for businesses operating in India?

The fact that Aadhaar cannot be made mandatory for certain services could have a dramatic impact on e-commerce and fintech companies operating in India, especially because of how this ruling intersects with India’s Know Your Customer (KYC) law. India’s KYC law requires financial companies in India to verify the name and address of their customers.⁷ Traditionally, this was done by Indian customers providing proper residential documents at centralized locations. The use of Aadhaar allowed companies to bypass this system and verify customers online, saving both time and money. As a result of the holding, however, companies will be forced to provide a physical alternative to customers who do not wish to link their Aadhaar numbers. The time it takes to physically verify a customer is approximately 5-6 days and costs on average $1.36, while it takes minutes to verify someone online and costs approximately $.02.⁸ Yet, companies will have to provide an option for customers to physically be verified in order to comply with both this most recent Supreme Court ruling and India’s KYC law.

While companies will no longer be able to require customers to provide Aadhaar numbers going forward—unless specific authorizations are passed in law—the holding was unclear on what steps companies must take to delink the Aadhaar numbers they already have on file. Presumably, companies will be required to provide a streamlined process to allow customers to delink their Aadhaar numbers from services like their bank accounts and mobile phones. The Unique Identification Authority of India (UIDAI), the government agency responsible for administering Aadhaar, will likely provide guidelines in the coming weeks about what steps companies must take. We can also likely expect a flurry of legislative proposals to authorize the use of Aadhaar numbers in specific circumstances. In the meantime, businesses cannot require Aadhaar numbers. The UIDAI had already filed over 50 formal complaints against businesses for Aadhaar data violations before the Supreme Court’s recent holding⁹ and will likely be more aggressive in its enforcement after this ruling.

Conclusion

Risk-based decisions on how much privacy to provide need to be made against the backdrop of accelerating legal trend lines in favor of enhanced privacy protections. Particularly because global privacy regulations—like the GDPR and potentially this ruling in India—don’t allow for the grandfathering of legacy data, global companies may want to decide whether costs of waiting for certainty are greater than the cost of proactively applying—or preparing to apply—greater privacy rights.

_____

¹ THE AADHAAR (TARGETED DELIVERY OF FINANCIAL AND OTHER SUBSIDIES, BENEFITS AND SERVICES) ACT (2016), available at https://uidai.gov.in/images/targeted_delivery_of_financial_and_other_subsidies_benefits_and_services_13072016.pdf.

²See e.g., Reetika Khera, The Different Ways in Which Aadhaar Infringes on Privacy, The Wire, July 19, 2017, https://thewire.in/government/privacy-aadhaar-supreme-court.

³Writ Petition (Civil) No. 494 of 2012, Supreme Court of India (2018) available at https://www.supremecourtofindia.nic.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf. See also. Ananya Bhattacharya & Nupur Anand, Aadhaar is Voluntary—But Millions of Indians are Already Trapped, Quartz India, Sep. 26, 2018, https://qz.com/india/1351263/supreme-court-verdict-how-indias-aadhaar-id-became-mandatory/ (“In a much-anticipated ruling today (Sept. 26), a five-judge bench struck down section 57 of the Aadhaar Act, which allowed corporate entities or even individuals to demand an Aadhaar card in exchange for goods or services. As a result, now no school, office, or company can force anyone to reveal the unique 12-digit number. Neither is it mandatory for opening bank accounts or for mobile connections”).

⁴See Writ Petition (Civil) No. 494 of 2012, Supreme Court of India (2018), p. 560, available at https://www.supremecourtofindia.nic.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf. (“Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such ‘law’ is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities”).

⁵ Dezan Shira, Aadhaar Card Update: India’s Supreme Court Verdict Explained, India Briefing, October 3, 2018, https://www.india-briefing.com/news/aadhaar-card-update-india-supreme-court-verdict-explained-17767.html/.

⁶Id.

⁷See Deepa Kaushik, KYC Norms in India: Issues and Challenges, International Journal of Law, Vol. 4, Issue 2, p.1 (March 2018) (“KYC is a bank regulation which enforces financial institutions and regulated companies to perform all that they need to identify, document, and validate the authenticity of the customer prior to any engagement”).

⁸ Shira, supra note 5.

⁹ First Post, SC Strikes Down Section 57 of Aadhaar Act: Humongous task to Audit and Erase Data with Private Firms, Say Experts, Sep. 26, 2018, https://www.firstpost.com/india/sc-strikes-down-section-57-of-aadhaar-act-humongous-task-to-audit-and-erase-data-with-private-firms-say-experts-5267841.html.

[View source.]