The five-judge Constitutional bench headed by Chief Justice Dipak Misra, comprising Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan on Thursday resumed hearing in the Aadhaar case.

Additional Solicitor General (ASG) Tushar Mehta, appearing for the Unique Identification Authority of India (UIDAI), contended that Rules can prescribe penalties under Prevention of Money-laundering (Maintenance of Records) Rules (PMLA Rules) for not providing or linking Aadhaar number for a bank account. However, the Bench raised several questions on this logic. Chief Justice Misra even asked Mr Mehta to show legal authority to show Rules may prescribe consequences of non-compliance as drastic like freezing bank account when the Act does not provide for it.
The ASG was submitting requirement for linking Aadhaar with bank account, and how failing to which can lead to account being frozen. He said, “There is plenary legislation of a valid statute Section 12 and 15 give the statutory status to the PMLA Rules under challenge.”


ASG: only plenary law is considered with respect to “procedure established by law” is wrong. The rules can also be considered.
Freezing of bank account is not a penalty but just a consequence.
J. Sikri: It is a penalty. You’re depriving someone of their property.


ASG says the point of such a consequence ( freezing of bank accounts) is so that money launderers render their account non operational.
CJI: Our only question is whether the consequence is mandated under law or is it an overreach.

Chief Justice Misra and Justice Bhushan pointed out that those provisions under the Act cannot give sanction to render a new account inoperative after six months. This is violation under Section 300A as alleged by Senior Counsel Arvind Datar in his submission.
“Conditions, limitations, consequences are all different under law,” the Chief Justice pointed out. Senior Advocate Rakesh Dwivedi, who is the representing Gujarat Government, contended that Aadhaar is mere a condition for opening a continuance of account.
Justice Bhushan pointed out that the condition mentioned in 12(c) only applies to verification and not about continuance of accounts.
Referring to existing accounts, Justice Sikri asked, “How you can freeze those accounts under the Act…even those validly opened accounts.”
Justice Chandrachud also opined that by any stretch Section 12 and Section 15 cannot sanction prescribing penalties by Rule making power.


J. Chandrachud:Is the penal consequence authorized by the Act or rules itself?The Act only talks about verification of bank accounts.
Asg: The rules are part of the Act.Penal consequence is just an ancillary provision and can be provided by the rules.J. Chandrachud does not agree

However, ASG Mehta continued to contend that consequences of non-compliance can be prescribed by Rules.
Both Justice Sikri and Justice Chandrachud did not agree with the contention of the ASG. Justice Sikri says, “When someone cannot withdraw his property, it is a deprivation under Section 300A.”
Earlier, Justice Sikri had asked about status of a pensioner who can be deprived from receiving pension and operating own account. “A pensioner who is known to be a pensioner for so many years…what is the need to trouble him and harass him by not allowing him to withdraw on just the ground of no Aadhaar?”

Prasanna S@prasanna_s

Sikri J and DYC J roar at TM when he says this is only a consequence of non compliance and not penal.

Sikri J says when someone cannot withdraw his property, it is a 300A deprivation.

Sikri j earlier also asked about what about a pensioner who has been known to be a pensioner..

Prasanna S@prasanna_s

…who is known to be a pensioner for so many years…what is the need to trouble him and harrass him by not allowing him to withdraw on just the ground of no aadhaar.

The ASG contended that the power under PMLA Act of the law being able to reach the right beneficial owner of any entity is not under challenge.
Interjecting, Justice Sikri pointed out that Rule 9 (4) is challenged on proportionality where there are several other officially valid documents. He said, “What is the need to make Aadhaar compulsory when there are other officially valid documents available?”
Mr Mehta, however said that Aadhaar is the most robust and most fraud proof identity and other IDs do not have biometric.
While the ASG was reading the Rules under PMLA, Justice Chandrachud asked him to respond to contentions from Mr Datar.
Mr Datar had contended that “That the Rules are just subordinate legislation and that it is ultra vires Act. There is no provision under PMLA  to render a validly opened account in-operational and how is life insurance or health insurance included under the Rules?”
Senior Counsel Shyam Divan also raised the question of one time verification versus continuous verification.

Prasanna S@prasanna_s

TM says that is the very mischief sought to be remedied.

DYC J says the overall purpose is clear but that we are into the nitty gritty legalities.

Prasanna S@prasanna_s

Sikri J raises a question about “Designated Business” under the definition of Reporting Entity under PMLA.

TM says may be there are no notifications.

Shyam Divan points out that it is defined under 2 (sa).

TM now defends that (!) saying these are about prize schemes etc.

Senior Counsel Rakesh Dwivedi contended that nobody has been forced to get an Aadhaar and everyone has voluntarily gone and obtained an Aadhaar number!

Gautam Bhatia@gautambhatia88

RD says that he has never felt that he is under surveillance.

RD says that nobody has been forced to get an Aadhaar. In no city or village or any part of India has anyone been forced. He says that we all have voluntarily gone and gotten an Aadhaar card.

Gautam Bhatia@gautambhatia88

RD says that we have all gotten an Aadhaar card because we think it’s a useful thing.

RD says that if the government wants to surveil me, it has ample means. It doesn’t need Aadhaar. For example, it can monitor bank accounts for unusual activity under a master circular.

Calling petitioners to be engaged with ‘rhetorics’, Mr Dwivedi contended, “Reality of India is that the top 1% have 73% of the wealth. And the petitioners are saying that the government is spending time in real time surveillance.”
Mr Dwivedi admitted that surveillance has been happening, but there is not need of Aadhaar for this. “No government needs Aadhaar to surveil anybody. Every time he made a speech, some person from the special branch was present. If the government wants to surveil, it will do so without Aadhaar.”
Justice Chandrachud said the point is that technology is a powerful enabler of surveillance and misuse of data is one of the most pressing problems.
Responding to this, Mr Dwivedi, asked “Which data? Merely saying ‘metadata’ does not lead us anywhere. Aadhaar data cannot be compared with Google and Facebook. UIDAI does not have those kinds of tools.”

Gautam Bhatia@gautambhatia88

RD says that we don’t have learning algorithms. He says that the petitioners have been trying to confuse the Court. He says that S 32 prohibits the UIDAI from knowing the purpose of a transaction.

Chandrachud J says that that’s only a prohibition on sharing.

Gautam Bhatia@gautambhatia88

RD says that it is for the petitioners to show that the Act allows such powers.

Chandrachud J says that the Act doesn’t preclude you from acquiring those powers.

RD says that if the Court finds there is such power, it can strike it down.

The Counsel for Gujarat contended that the only purpose of Aadhaar is authentication.
Justice Chandrachud asked, “Then why you store the metadata? When the CEO of UIDAI made his presentation, technical experts showed that they learnt a lot about him from that.”
Replying to this, Mr Dwivedi said, “I do not know about Pandey. But I challenge anyone to disclose what they know about me, on any media. I am issuing an open challenge to technical experts”
Justice Sikri pointed out that the metadata tells you a lot about the nature of transaction. Mr Dwivedi, said, “The UIDAI does not know this.”
Justice Sikri says, “You will know if the authentication request has come from a hospital, or a chemist, or…”
Mr Dwivedi argued that this does not work like that. “The authentication request will come from, say, I will not know if it comes from a hospital, or from anything else. Let us assume an authentication request comes from Apollo Hospital. I will not know which Apollo it is in the country – Chennai or Mumbai or Delhi. I will only know that it was Apollo. The only way in which surveillance can happen is if the government breaks the law and colludes with the UIDAI and sends the Central Bureau of Investigation (CBI) to find out if it was Apollo Delhi or Apollo Chennai. This is far fetched.”
Justice Chandrachud said, “The problem is not only at your end. We still do not have a data protection law. What about the requesting entity?”
Mr Dwivedi asked “What will the requesting entities surveil?”
Justice Chandrachud said, “Commercial surveillance is exactly what is happening. This will happen to your farmers as well.”


RD: The authentication request will show from where the authentication request came (for example from Apollo hospital) but there’s no way to know the location from where it came. Also the identity of the person who requested authentication is not revealed.


J. Chandrachud: the requesting entity can store the data, considering there is not even a robust data protection law. Commercial information about an individual is also a gold mine. Surveillance doesn’t have to be interpreted in the traditional sense.

The Counsel for Gujarat told that Bench that individual information about his is ‘trash’ and has no worth. “What use are my photographs to anyone. It is like molasses thrown out by factories. It later became a goldmine but at that time it was a nuisance. Mr Divan might be worried about privacy, but I am not. And I have spoken to hundreds of people and they are not either,” Mr Dwivedi said.
Justice Chandrachud, however, disagreed with this contention. He said, “It is not about whether 1.9 billion people care about privacy, but about information being unavailable.”
Mr Dwivedi contended, “Fingerprint information is only of interest to palmists and for the growth of palmistry.”
Justice Chandrachud said that, “The concern is not about fingerprints per se. The American cases are about the localised use of fingerprints such as entering some place. The issue is storage and then use for authentication.”


RD: Millions like me do not care about privacy.
J. Chandrachud: Giving fingerprints for a limited particular purpose is okay. Under Aadhaar, fingerprints are means for storing data in a central database for the purpose of authentication. Thats a problem.


RD says the biometrics are encrypted. Also the data is not shared with anyone. Even EU data protection law does not have the kind of protection that Aadhaar act has.
There is no reasonable expectation of privacy wrt demographic information

Ignoring this observation, Mr Dwivedi argued that the only pleading of petitioners is that the UIDAI can surveil and there is no pleading by them (petitioners) that the requesting entities can surveil and there is no challenge. “Petitioners are NGOs, they are better off suggesting improvements than picking at all the stitches,” he said.
Justice Chandrachud and Justice Sikri pointed out Section 29(3)(b) read with Section 57 allow for information to be shared with third parties even under contracts.
Mr Dwivedi, contended, “This is why you need a data protection law, to specify the terms of consent and an overseeing mechanism. In any case, you can never share core biometric information under Section 29(1).”

Gautam Bhatia@gautambhatia88

RD says that in any case you can never share core biometric information under Section 29(1).

Gautam Bhatia@gautambhatia88

Chandrachud J says that this Act is not just about Section 7 or the UIDAI, but goes much beyond, and must be interpreted very carefully.

RD says that the Court can interpret the Act to make it reasonable. The court should not be a crusader, but a medical man.

Justice Chandrachud pointed out that Section 29(3) makes it possible to share biometric information.
“It can be read down to exclude sharing of biometric information. The requesting entity cannot retain a copy of the PID block. So it must be read like that. The core biometric data is kept in the CIDR and cannot be shared,” Mr Dwivedi replied.
Justice Chandrachud pointed out that UIDAI can only control what it has control over.