No, the Aadhaar case was about whether the platform, in its present form, passes three tests: legality, necessity and proportionality. Proportionality ensures that an individual does not give up too much in relation to the need. Changes in technology can fundamentally alter that. For example, the biometric lock (which the judgement took into account) was not a feature of Aadhaar when it was launched, but became one. Similarly, virtual Aadhaar—which the judgement doesn't talk about—addresses some of the privacy concerns. A virtual Aadhaar ID is a 16-digit number mapped to the Aadhaar number. It is temporary and revocable, but can be used for authentication in much the same way as the Aadhaar number itself. It is also a random number, and one cannot guess one’s Aadhaar number based on it. It is fair to assume that the judges did not want to decide on what technology would do tomorrow—and only wanted to put in enough safeguards, checks and balances so that it doesn’t impinge on the privacy of individuals.
In the end, the Supreme Court verdict has left many in the private sector confused. Some believe that regulators—such as the Reserve Bank of India, the Telecom Regulatory Authority of India and others—would bring some clarity. No one is sure how. The judgement has been very clear about the linkage of Aadhaar with bank accounts and telecom connections. However, it has not been clear about the use of Aadhaar by the private sector, and on an issue as polarised as Aadhaar, it is only natural that the two opposing sides have two dramatically opposing interpretations.
Both have good reasons to do so. The court has indeed recognised the serious risks that come from using Aadhaar—especially in the absence of good laws open to judicial scrutiny, a legitimate state need, and most importantly, proportionality. Establishing proportionality—especially when it comes to digital technologies that come with unintended consequences—is hard. In such circumstances, it is best to take a precautionary approach, and not let anyone push the country into a situation where no one has any control. If the private sector is not allowed to use Aadhaar, will it guarantee privacy? The answer is no. If the private sector is not allowed to use Aadhaar, will it reduce the risk of privacy violations? The answer is yes.
But those who are in favour of the private sector say the same argument could be used against automobiles too. We could avoid all road accidents if there were no automobiles. However, we haven’t banned automobiles. Instead, we weigh their costs against the benefits to society. Private sector use of Aadhaar should be looked at in a similar fashion, they argue.
The last few years have clearly given us enough examples of what can go wrong. The risks of security breaches, fraud, and loss of privacy are real. India does not even have a data protection law. Digital risk literacy, even among the educated, is rather low, and there are strong reasons to distrust the idea of ‘informed consent’. That India hasn’t invested much in cybersecurity is definitely true of government, but it’s also true of the private sector.
Fixing these will help not only the applications that are built on or around Aadhaar, but also all digital technologies. To fix them, the government, regulators, technologists, businesses, social sector organisations and citizens should look away from the polarising debates, and focus on what needs to be done for the country—irrespective of what happens to Aadhaar.