The TRAI chairman, RS Sharma’s controversial Aadhaar challenge has now been followed by a UIDAI warning against the disclosure of Aadhaar numbers, terming it as an act that is ‘not in accordance with the law’. The challenge led to others also similarly posting their Aadhaar numbers online and issuing similar challenges. While the point the TRAI chief was trying to prove, that the knowing Aadhaar number can do him no harm, remains unproven, his act has triggered a serious law and order problem.
The first question that arises is whether the TRAI chief himself violated the law by disclosing his own number. The second is on how to deal with people who have come to believe that disclosing their sensitive personal data can do them no harm.
What the Aadhaar Act says
To answer these questions, the relevant provisions under the Aadhaar Act itself need to be looked at. The most relevant provision is Section 29(2), which states that identity information (which includes Aadhaar numbers) may be shared ‘only in accordance with the provisions of this Act and in such manner as may be specified by regulations’. This is supplemented by Section 29(4), which further states that no Aadhaar number/core biometric information collected or created under the Aadhaar Act can be ‘published, displayed or posted publicly, except for the purposes as may be specified by regulations’.
Violation of these provision attracts a penalty of 1-year imprisonment or a fine of Rs 25,000 under Section 42. Section 37, further punishes the intentional dissemination of any identity information that was collected in the course of enrolment or authentication with 3 years or a fine of Rs 10,000.
Does the Aadhaar Act punish publishing your own data?
Technically, the sharing of the TRAI chief’s own Aadhaar numbers is not ‘in accordance with the provisions of the Aadhaar Act’, nor has it been shared for the ‘purposes as may be specified in the regulations’. However, traditionally, no privacy law puts a bar on what information people choose to disclose about themselves. This is a choice that the people are allowed to make and forms the basis of the use of consent in data protection laws.
To read into these provisions that the Aadhaar Act prohibits a person from publishing his own Aadhaar number is thus a bit of a stretch. In fact, to place a bar on a person revealing his own sensitive personal information, could well include a bar on that person publishing his own photographs. Consider Section 29 of the Aadhaar Act above, which places a bar on the sharing of core biometric information as well. A person sharing a picture which reveals his fingerprints, or which allows the generation of face recognition data on par with, could similarly be considered to be a violation of the law.
Aadhaar regulations don’t discuss publishing your own data
There is further support to this from the Aadhaar (Sharing of Information) Regulations, 2016, which does not discuss persons publishing their own data. The only reference is to publication by persons/entities other than the Aadhaar number holders. Regulation 6(1) specifically states that ‘The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency’. This makes it clear that the reference is to the publishing of the Aadhaar number of an individual by (another) person, and not the individual himself.