Neha Roy



From the beginning of June 17, the Aadhaar and Other Laws (Amendment) Bill, 2019 has been introduced in the ensuing session of Parliament.


As per the new Aadhaar Amendment Act, you can now use your Aadhaar number on a voluntary basis to comply with the regulator's Know-Your-Customer (KYC) norms. The Reserve Bank of India introduced important amendments to the Master Direction on KYC, along with updating its list of documents eligible for identification of individuals.

KYC details fundamentally enable banks and other regulated entities, including financial institutions, payment system providers, NBFCs, prepayment instrument issuers and agents of the Money Transfer Service Scheme, to understand their customers and their financial dealings better. This eventually helps them manage their risks better.

At the end of February, the Union Cabinet had approved the promulgation of the Aadhaar and Other Laws (Amendment) Ordinance, 2019, to push through the above amendments. The Ordinance, which allows 'offline verification' of an individual's identity, without authentication, through modes specified by the Unique Identification Authority of India (UIDAI), among others, got the presidential nod in March. It further allows the voluntary use of the 12-digit unique number as identity proof for opening a bank account or procuring a mobile phone connection, and gives minors an option to exit from the Aadhaar programme on attaining 18 years of age.



The RBI notification states that banks have now been permitted to carry out Aadhaar authentication/offline verification of an individual who voluntarily uses the Aadhaar number for identification purposes. However, that is subject to the condition that this is submitted as issued by the Unique Identification Authority of India (UIDAI), the Aadhaar-issuing body.

A further change to the KYC norms is that all non-individual customers, such as partnership firms and companies, have to compulsorily submit the Permanent Account Number (PAN) besides the other entity-related documents. The notification also states that the PAN/Form No. 60 of the authorised signatories shall also be obtained, adding: “For existing bank account holders, PAN or Form No 60 is to be submitted within such timelines as notified by the Government, failing to which account shall be subjected to temporary ceasing till PAN or Form No 60 is submitted”. Moreover, the regulated entities have to give the customer an accessible notice and a reasonable opportunity to be heard before blocking an account.

However, in any case, unauthorised use of identity information by a requesting entity or an offline verification seeking entity would be punishable with imprisonment of up to three years or a fine which may extend to Rs 10,000 or, in the case of a company, a fine which may extend to Rs 1 lakh. The penalty for unauthorised access to the Central Identities Data Repository, and also for data tampering, is proposed to be extended to 10 years each from the present three years.



The Supreme Court delivered its much-awaited judgment in the Aadhaar case in September 2018. The majority (comprising Dipak Misra ex-CJI, AK Sikri J., AM Khanwilkar J. and Ashok Bhushan J.) upheld the constitutionality of the Aadhaar Act, 2016 and the Aadhaar project. They list a few provisions of the Aadhaar Act, such as those on the disclosure of personal information, cognizance of offences and use of Aadhaar by private entities. A dissenting opinion invalidating the entire Aadhaar scheme along with the Act was delivered by DY Chandrachud J.

Section 33(1) of the Aadhaar Act prohibits the disclosure of information, including identity information or authentication records, except pursuant to an order of a court not inferior to that of a District Judge. The majority opinion read down this provision, stating that an individual whose information is sought to be released shall be afforded an opportunity of hearing and the right to challenge such an order by approaching a higher court. The impacted individual would also be able to object to the disclosure of information on accepted grounds in law, including Article 20(3) and Article 21 of the Constitution.

Section 47 of the Aadhaar Act notoriously provided for the cognizance of offences under the Act only on a complaint made by the UIDAI or any officer or person authorised by it. The majority opinion made it clear that it needs to be amended to include within its scope the filing of such a complaint by an individual whose rights have been violated under the Aadhaar Act.

Section 57 permitted the use of the Aadhaar ecosystem for establishing the identity of an individual ‘for any purpose’. All such provisions were read down to mean that such a purpose has to be backed by law. Moreover, any such law, if ever made, would be subject to judicial scrutiny.

Further, to minimize any potential misuse of stored data, the court struck down section 27(1) of the Aadhaar Act which allowed storage of authentication data for five years. Now the court has mandated the deletion of such data after six months. It also urged the government to bring in a robust data protection law along the lines of the recommendations made by the Justice BN Srikrishna Committee report.


Aadhaar increasingly resembles a good idea marred by terrible execution. The rush to expand enrolment had led to all sorts of franchisees being roped in to enroll people and indiscriminate authorization of agencies to collect data and authenticate identity by using the Unique Identification Authority of India (UIDAI) database — that would certainly be the most charitable explanation for the incidents of deviations from ideal Aadhaar-related practice that generally get reported. 

UIDAI says that Aadhaar data, which includes biometrics, is safe. The reality, however, is that it is just the biometric data that can be described as not having been breached. Does the authority intend to say that accessing other details relating to name, gender, address, date of birth and phone number from the Aadhaar database is proof of Aadhaar security?

Last year, an incident came to light of local storage of the biometric data accessed from the Aadhaar database for the purpose of identification. Data security is not just a question of the technical soundness of the electronic fortification built around a database. It is also, and for practical purposes primarily, a question of the protocols surrounding usage of the database and human usage of those protocols. The authority appears to suffer from serious lapses on the latter count. Moreover, the absence of a stringent data protection law further raises the suspicion of misuse of citizens’ data. This translates to largely unchecked collection of data, which further emboldens groups who have their prying eyes on this massive database.


