MANU/SC/1054/2018

Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors.

Decided On: 26.09.2018

Judges: Dipak Misra, C.J.I., A.M. Khanwilkar, A.K. Sikri, Ashok Bhushan and Dr. D.Y. Chandrachud, JJ.

Facts:

The challenge in this batch of cases can be divided in two parts. Firstly, the challenge to Executive's Scheme dated 28.01.2009 notified by the Government of India, by which the Unique Identification Authority of India (hereinafter, 'UIDAI') was constituted to implement the UIDAI Scheme. Secondly, challenge to the constitutional vires of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (hereinafter, 'Aadhaar Act').

Issues:

(i) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

  1. What is the magnitude of protection that needs to be accorded to collection, storage and usage of biometric data?
  2. Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

(ii) Whether the Aadhaar Act violates right to privacy and is unconstitutional on this ground?

(iii) Whether children can be brought within the sweep of Sections 7 and 8 of the Aadhaar Act?

(iv) Whether the following provisions of the Aadhaar Act and Regulations suffer from the vice of unconstitutionality -

  1. Sections 2(c) and 2(d) read with Section 32 
  2. Section 2(h) read with Section 10 of CIDR 
  3. Section 2(l) read with Regulation 23
  4. Section 2(v) 
  5. Section 3 
  6. Section 5 
  7. Section 6 
  8. Section 8 
  9. Section 9
  10. Sections 11 to 23 
  11. Sections 23 and 54
  12. Section 23(2)(g) read with Chapter VI & VII - Regulations 27 to 32 
  13. Section 29
  14. Section 33 
  15. Section 47 
  16. Section 48 
  17. Section 57 
  18. Section 59

(v) Whether the Aadhaar Act defies the concept of Limited Government, Good Governance and Constitutional Trust?

(vi) Whether the Aadhaar Act could be passed as 'Money Bill' within the meaning of Article 110 of the Constitution?

(vii) Whether Section 139AA of the Income Tax Act, 1961 is violative of right to privacy and is, therefore, unconstitutional?

(viii) Whether Rule 9(a)(17) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and the notifications issued thereunder, which mandate linking of Aadhaar with bank accounts, are unconstitutional?

(ix) Whether Circular dated March 23, 2017 issued by the Department of Telecommunications mandating linking of mobile number with Aadhaar is illegal and unconstitutional?

(x) Whether certain actions of the Respondents are in contravention of the interim orders passed by the Court, if so, the effect thereof?

Law:

Constitution of India, 1950 - Article 14 - Right to equality and equal protection of the laws.

Constitution of India, 1950 - Article 21 - Right to life and personal liberty which includes within its ambit 'right to privacy'.

Constitution of India, 1950 - Article 110 - Defines 'Money Bills'.

Contentions:

Petitioners

(i) Aadhaar Act, which was passed as a money bill, should be struck down since many of its provisions such as Section 57 have no relation to the nature of a Money Bill and bear no nexus to the Consolidated Fund of India.

(ii) Aadhaar project and the Act violate the fundamental right to privacy. Architecture of the Aadhaar project enables pervasive surveillance by the State.

(iii) Fundamental constitutional feature of a 'limited government', which is the sovereignty of the people and limited government authority, is changed completely post Aadhaar and reverses the relationship between the citizen and the State.

(iv) Due to the unreliability of biometric technology, there are authentication failures which lead to the exclusion of individuals from welfare schemes.

(v) A citizen or resident in a democratic society has a choice to identify herself through different modes in the course of her interactions generally in society, as well as in her interactions with the State. Mandating identification by only one mode is highly intrusive, excessive and disproportionate and violates Articles 14, 19 and 21 of Constitution. Aadhaar project conditions the grant of essential benefits upon the surrender of individual rights.

(vi) Procedure adopted by the State before and after the enactment of the law is violative of Articles 14 and 21 of Constitution because -

  1. There is no informed consent at the time of enrolment;
  2. UIDAI does not have control over the enrolling agencies and requesting entities that collect sensitive personal information which facilitates capture, storage and misuse of information; and
  3. Data collected and uploaded into the CIDR is not verified by any government official designated by UIDAI.

(vii) The aggregation and concentration of sensitive personal information under the Aadhaar Act is impermissible because it is capable of being used to affect every aspect of an individual's personal, professional, religious and social life. It is therefore violative of the individual freedoms guaranteed under Articles 19(1)(a) to 19(1)(g), 21 and 25 of the Constitution. Such aggregation of information is also an infringement of informational privacy, which has been recognised in Puttaswamy case.

(viii) Rule 9 of the PMLA (Second Amendment) Rules, 2017 which requires mandatory linking of Aadhaar with bank accounts is unconstitutional and violates Articles 14, 19(1)(g), 21 and 300A of the Constitution, Sections 3, 7 and 51 of the Aadhaar Act, and is also ultra vires of the provisions of the PMLA Act, 2002.

(ix) Section 139AA of the Income Tax Act, 1961 is liable to be struck down as violative of Articles 14, 21 and 19(g) of the Constitution.

(x) There is no compelling state interest to mandate Aadhaar for children. The fundamental right of a child to education cannot be made subject to production of Aadhaar.

Respondents

(i) For the period prior to coming into force of the Aadhaar Act, because of the interim orders passed by the SC, obtaining an Aadhaar number or enrolment number was voluntary, and hence there was no violation of any right.

(ii) Section 59 of the Aadhaar Act protects all actions taken from the period between 2010 till the passage of the Aadhaar Act in 2016.

(iii) Subsequent to the Aadhaar Act, the Petitioners would have to establish that one or more of the tests laid down by the nine judge bench in Puttaswamy render the invasion of privacy resulting from the Aadhaar Act unconstitutional. The tests laid down in Puttaswamy have been satisfied and hence the Aadhaar Act is not unconstitutional.

(iv) The Aadhaar Act was validly passed as a Money Bill.

(v) The demographic information that is required for Aadhaar enrolment is already submitted while obtaining a PAN card and therefore individuals do not have a legitimate interest in withholding information. Linking Aadhaar to PAN is in public interest. Section 139AA of the Income Tax Act qualifies test of manifest arbitrariness.

(vi) Fundamental rights are not absolute and can be restricted if permitted specifically. Article 21 expressly envisages deprivation by laws which seek to carry out legitimate objectives and are reasonable and proportionate.

(vii) Aadhaar Act does not cause exclusion because if authentication fails after multiple attempts, then the subsidies, benefits and services, can be availed of by proving the possession of an Aadhaar number, either by producing the Aadhaar card or by producing the receipt of the application for enrolment and producing the enrolment ID number.

(viii) Even if there is a conflict between the right to privacy and the right to food and shelter, the Aadhaar Act strikes a fair balance.

(ix) The enrolment and authentication processes under the Aadhaar Act are strongly regulated so that the data is secure. The security of the CIDR is also ensured through adequate measures and safeguards.

(x) Aadhaar Act ensures that UIDAI has control over the requesting entity during the authentication process. Enrolment Regulations ensure that the requirement of informed consent of individuals is fulfilled while securing the Aadhaar card.

(xi) Rule 9(14) of the PMLA Rules provides that the Regulator-the RBI in this case, lay down guidelines incorporating the requirements of sub-rules 9(1)-(13), which would include enhanced or simplified measures to verify identity.

Analysis:

Architecture of the Aadhaar project - Whether enables State to create a regime of surveillance

(i) The architecture of Aadhaar as well as the provisions of the Aadhaar Act does not tend to create a surveillance state. This is ensured by the manner in which the Aadhaar project operates.

Law on Data Protection - Legislation in India

(i) The only existing legislation covering data protection related to biometric information is Section 43A and Section 72A of the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

(ii) While the IT Act and Rules do not determine the constitutionality of use of biometric data and information by the Aadhaar Act and Rules, they are instructive in determining the safeguards that must be taken to collect biometric information.

(iii) Section 43A of the IT Act attaches liability to a body corporate, which is possessing, handling and dealing with any 'sensitive personal information or data' and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person.

(iv) 'Sensitive personal information or data' is defined under Rule 3 of the Sensitive Personal Data Rules to include information relating to biometric data. Similarly, Section 72A of the IT Act makes intentional disclosure of 'personal information' obtained under a contract, without consent of the parties concerned and in breach of a lawful contract, punishable with imprisonment and fine.

(v) Rule 2(i) of the Sensitive Personal Data Rules defines "personal information" to mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Thus, biometrics will form a part of "personal information".

(vi) Sensitive Personal Data Rules provide for additional requirements on commercial and business entities (body corporates as defined under Section 43A of the IT Act) relating to the collection and disclosure of sensitive personal data (including biometric information).

Data Protection - Position in other countries

(i) EUGDPR (European Union General Data Protection Regulation)

EUGDPR which was enacted by the EU in 2016 is a comprehensive legal framework aimed at protection of natural persons from the processing of personal data and their right to informational privacy. It deals with all kinds of processing of personal data while delineating rights of data subjects and obligations of data processors in detail.

(ii) Biometric Privacy Act in the United States of America

In the US context, there is no comprehensive data protection regime. This is because of the federal system of American government; there are multiple levels of law enforcement viz., federal, state, and local. Different states have differing standards for informational privacy. Thus, importance to data protection in processing the data of the citizens is an accepted norm.

Collection, storage and usage of biometric data - Magnitude of protection that need to be accorded to

(i) During the enrolment process, minimal biometric data in the form of iris and fingerprints is collected. The Authority does not collect purpose, location or details of transaction. Thus, it is purpose blind. The information collected, as aforesaid, remains in silos. Merging of silos is prohibited. The requesting agency is provided answer only in 'Yes' or 'No' about the authentication of the person concerned. The authentication process is not exposed to the Internet world. Security measures, as per the provisions of Section 29(3) read with Section 38(g) as well as Regulation 17(1)(d) of the Authentication Regulations, are strictly followed and adhered to.

(ii) There are sufficient authentication security measures taken, and the Authority has sufficient defence mechanism.

(iii) There is an oversight by Technology and Architecture Review Board (TARB) and Security Review Committee.

(iv) During authentication no information about the nature of transaction etc., is obtained.

(v) The Authority has mandated use of Registered Devices (RD) for all authentication requests. With these, biometric data is signed within the device/RD service using the provider key to ensure it is indeed captured live. The device provider RD service encrypts the PID block before returning to the host application. This RD service encapsulates the biometric capture, signing and encryption of biometrics all within it. Therefore, introduction of RD in Aadhaar authentication system rules out any possibility of use of stored biometric and replay of biometrics captured from other source. Requesting entities are not legally allowed to store biometrics captured for Aadhaar authentication under Regulation 17(1)(a) of the Authentication Regulations.

(vi) Authority gets the AUA code, ASA code, unique device code, registered device code used for authentication. It does not get any information related to the IP address or the GPS location from where authentication is performed as these parameters are not part of authentication (v2.0) and e-KYC (v2.1) API. The Authority would only know from which device the authentication has happened, through which AUA/ASA etc. It does not receive any information about at what location the authentication device is deployed, its IP address and its operator and the purpose of authentication. Further, the authority or any entity under its control is statutorily barred from collecting, keeping or maintaining any information about the purpose of authentication under Section 32(3) of the Aadhaar Act.

Data Protection and Security

(i) Regulation 3(i) & (j) of Aadhaar (Data Security) Regulation 2016 enables partitioning of CIDR network into zones based on risk and trust and other security measures. CIDR being a computer resource is notified to be a "Protected System" under Section 70 of the IT Act, 2000 by the Central Government on 11.12.2015. Anyone trying to unlawfully gain access into this system is liable to be punished with 10 years imprisonment and fine. The storage involves end to end encryption, logical partitioning, firewalling and anonymisation of decrypted biometric data. Breaches of penalty are made punitive by Chapter VII of the Act.

(ii) From the Aadhaar structure and the machinery which the Authority has created for data protection, it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR.

(iii) Insofar as authentication is concerned, there are sufficient safeguard mechanisms. There are security technologies in place, 24/7 security monitoring, data leak prevention, vulnerability management programme, independent audits as well as the Authority's defence mechanism. Authority has taken appropriate pro-active protection measures, which included disaster recovery plan, data backup, availability and media response plan.

(iv) All security principles are followed inasmuch as -

  1. there is PKI-2048 encryption from the time of capture, meaning thereby, as soon as data is given at the time of enrolment, there is an end to end encryption thereof and it is transmitted to the Authority in encrypted form. The said encryption is almost foolproof and it is virtually impossible to decipher the same;
  2. adoption of best-in-class security standards and practices; and
  3. strong audit and traceability as well as fraud detection.

Above all, there is an oversight of Technology and Architecture Review Board (TARB) and Security Review Committee. This Board and Committee consist of very high profiled officers. Therefore, the Act has endeavoured to provide safeguards.

(v) Insofar as use and protection of data is concerned, having regard to the principles of data minimisation, purpose limitation, time period for data retention, data protection and security (qua CIDR, requisite entities, enrolment agencies and Registrars, authentication service agency, hacking, biometric solution providers, substantive procedural or judicial safeguards) following clarifications of some of the provisions were issued -

(vi) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.

(vii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.

(viii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.

(ix) Insofar as Section 33(2) of the Aadhaar Act in the present form is concerned, the same is struck down.

(x) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.

(xi) Respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

Aadhaar Act - Whether violates right to privacy

(i) All matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21 of Constitution.

(ii) As per Section 7 of the Aadhaar Act, in case, an individual wants to avail any subsidy benefit or services, she is required to produce the Aadhaar number and, therefore, it virtually becomes compulsory for such a person.

(iii) Even if enrolment in Aadhaar is voluntary, it assumes the character of compulsory enrolment for those who want to avail the benefits under Section 7.

(iv) Likewise, authentication, as mentioned in Section 8, also becomes imperative. The relevant question, therefore, is as to whether invasion into this privacy meets the triple requirements of right to privacy.

(i) Requirement of law

The Parliament has now passed Aadhaar Act, 2016. Therefore, law on the subject in the form of a statute very much governs the field and, thus, first requirement stands satisfied.

(ii) Whether Aadhaar Act serves legitimate State aim?

It also serves legitimate State aim, which can be discerned from the Introduction to the Aadhaar Act as well as the Statement of Objects and Reasons which reflect that the aim in passing the Act was to ensure that social benefit schemes reach the deserving community.

Failure to establish identity of an individual has proved to be a major hindrance for successful implementation of those programmes as it was becoming difficult to ensure that subsidies, benefits and services reach the intended beneficiaries in the absence of a credible system to authenticate identity of beneficiaries.

Section 7 of the Aadhaar Act is aimed at offering subsidies, benefits or services to the marginalised section of the society for whom such welfare schemes have been formulated from time to time. That also becomes an aspect of social justice, which is the obligation of the State stipulated in Part IV of the Constitution. The rationale behind Section 7 lies in ensuring targeted delivery of services, benefits and subsidies which are funded from the Consolidated Fund of India. These schemes involve 3% of the GDP and involve a huge amount of public money. Right to receive these benefits, from the point of view of those who deserve the same, has now attained the status of fundamental right based on the same concept of human dignity.

The Statement of Objects and Reasons also discloses that over a period of time, the use of Aadhaar number has been increased manifold and, therefore, it is also necessary to take measures relating to ensuring security of the information provided by the individuals while enrolling for Aadhaar card.

(iii) Whether Aadhaar Act meets the test of proportionality?

In order to meet the test of proportionality, four subcomponents of proportionality need to be satisfied -

(a) Legitimate Goal Stage: The purpose of Aadhaar Act, as captured in the Statement of Objects and Reasons and sought to be implemented by Section 7 of the Aadhaar Act, is to achieve the stated objectives.

(b) Suitability or rational connection stage: The measures which are enumerated and have been taken as per the provisions of Section 7 read with Section 5 of the Aadhaar Act are rationally connected with the fulfillment of the objectives contained in the Aadhaar Act. The scheme for enrolling under the Aadhaar Act and obtaining the Aadhaar number is optional and voluntary. It is given the nomenclature of unique identity. A person with Aadhaar number gets an identity. By providing that the benefits for various welfare schemes shall be given to those who possess Aadhaar number and after undergoing the authentication as provided in Section 8 of the Aadhaar Act, the purpose is to ensure that only rightful persons receive these benefits. It becomes the duty of the Government to ensure that it goes to deserving persons. Therefore, second component also stands fulfilled.

(c) Necessity stage: The manner in which malpractices have been committed in the past leads one to hold that apart from the system of unique identity in Aadhaar and authentication of the real beneficiaries, there is no alternative measure with lesser degree of limitation which can achieve the same purpose.

(d) Balancing stage: Balancing has to be done at two levels, rights to privacy on one hand and right to food, shelter and employment on the other hand.

(v) Aadhaar Act truly seeks to secure to the poor and deprived persons an opportunity to live their life and exercise their liberty. By ensuring targeted delivery through digital identification, it not only provides them a nationally recognized identity but also attempts to ensure the delivery of benefits, service and subsidies with the aid of public exchequer/ Consolidated Fund of India.

(vi) The inroads into the privacy rights where these individuals are made to part with their biometric information, is minimal. It is coupled with the fact that there is no data collection on the movements of such individuals, when they avail benefits under Section 7 of the Act thereby ruling out the possibility of creating their profiles. In fact, this technology becomes a vital tool of ensuring good governance in a social welfare state. Therefore, the Aadhaar Act meets the test of balancing as well.

Right to education - Whether children can be brought within the sweep of Sections 7 and 8 of Aadhaar Act

(i) For the enrolment of children under the Aadhaar Act, it would be essential to have the consent of their parents/guardian.

(ii) On attaining the age of majority, such children who are enrolled under Aadhaar with the consent of their parents, shall be given the option to exit from the Aadhaar project if they so choose in case they do not intend to avail the benefits of the scheme.

(iii) Insofar as the school admission of children is concerned, requirement of Aadhaar would not be compulsory as it is neither a service nor subsidy. Further, having regard to the fact that a child between the age of 6 to 14 years has the fundamental right to education under Article 21A of the Constitution, school admission cannot be treated as 'benefit' as well.

(iv) Benefits to children between 6 to 14 years under Sarv Shiksha Abhiyan, likewise, shall not require mandatory Aadhaar enrolment.

(v) For availing the benefits of other welfare schemes which are covered by Section 7 of the Aadhaar Act, though enrolment number can be insisted, it would be subject to the consent of the parents.

(vi) No child shall be denied benefit of any of these schemes if, for some reasons, she is not able to produce the Aadhaar number and the benefit shall be given by verifying the identity on the basis of any other documents.

Other provisions of Aadhaar Act - Validity of

(i) Section 2(d) of Aadhaar Act which pertains to authentication records, would not include metadata as mentioned in Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016. Therefore, this provision in the present form is struck down. Liberty, however, was given to reframe the Regulation, keeping in view the parameters stated by the Court.

(ii) For Section 2(b) of Aadhaar Act, which defines 'resident', Respondent was directed to take suitable measures to ensure that illegal immigrants are not able to take benefits enduring from the Aadhaar Act.

(iii) Retention of data beyond the period of six months is impermissible. Therefore, Regulation 27 of Aadhaar (Authentication) Regulations, 2016 which provides for archiving of data for a period of five years was struck down.

(iv) Section 29 of Aadhaar Act imposes a restriction on sharing information and is, therefore, valid as it protects the interests of Aadhaar number holders. Aadhaar (Sharing of Information) Regulations, 2016, as of now, do not contain any provision which entitles Government to share the information 'for the purposes of as may be specified by Regulations'. If a provision is made in the Regulations which impinges upon the privacy rights of the Aadhaar card holders that can always be challenged.

(v) Section 33(1) of Aadhaar Act prohibits disclosure of information, including identity information or authentication records, except when it is by an order of a court not inferior to that of a District Judge. This provision is to be read down with the clarification that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing. If such an order is passed, in that eventuality, he shall also have right to challenge such an order passed by approaching the higher court.

(vi) For Section 33(2) of Aadhaar Act, disclosure of information in the interest of national security cannot be faulted with. However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be associated with. Section 33(2) of the Act in the present form was struck down with liberty to enact a suitable provision on the lines suggested above.

(vii) Section 47 of Aadhaar Act provides for the cognizance of offence only on a complaint made by the Authority or any officer or person authorised by it. It needs a suitable amendment to include the provision for filing of such a complaint by an individual/victim as well whose right is violated.

(viii) Section 57 of Aadhaar Act in the present form is susceptible to misuse inasmuch as -

  1. It can be used for establishing the identity of an individual 'for any purpose'. This provision is read down to mean that such a purpose has to be backed by law. Further, whenever any such "law" is made, it would be subject to judicial scrutiny.
  2. Such purpose is not limited pursuant to any law alone but can be done pursuant to 'any contract to this effect' as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.
  3. Apart from authorising the State, even 'any body corporate or person' is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate / person. The impact of the aforesaid features would be to enable commercial exploitation of individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section was declared unconstitutional.

(ix) Other provisions of Aadhaar Act are held to be valid, including Section 59 of the Act which saves the pre-enactment period of Aadhaar project, i.e. from 2009-2016.

Aadhaar Act - Whether validly enacted law having been passed as a Money Bill

(i) Section 23(2)(h) of Aadhaar Act enables the Authority to specify the manner of use of Aadhaar with specific purpose in mind, namely, for providing or availing of various subsidies, benefits and services. These are relatable to Section 7. However, it uses the expression 'other purposes' as well. The expression 'other purposes' can be read ejusdem generis which would have its relation to subsidies, benefits and services as mentioned in Section 7 and it can be confined only to that purpose i.e. scheme of targeted delivery for giving any grant, relief etc. when it is chargeable to Consolidated Fund of India. Therefore, this provision, can be read as incidental to the main provision and would be covered by Article 110(g) of the Constitution.

(ii) Section 54 of Aadhaar Act confers power upon the Authority to make regulations consistent with the Act and rules made thereunder, for carrying out the provisions of the Act. The interpretation given to Section 23(2)(h) would apply to Section 54(2)(m) as well and, therefore, there is no problem with this provision also. Now Section 57 of the Aadhaar Act mentions that Aadhaar Act would not prevent use of Aadhaar number for other purposes under the law. It is only an enabling provision as it permits the use of Aadhaar number for other purposes as well. This provision is to be viewed in the backdrop that Section 7 is the core provision. It has substantial nexus with the appropriation of funds from the Consolidated Fund of India and is directly connected with Article 110 of the Constitution. To facilitate this, UIDAI is established as Authority under the Act which performs various functions including that of a regulator needing funds for staff salary and its own expenses. The Authority is the performer in chief, the predominant dramatis personae. It appoints Registrars, enrollers, REs and ASAs; it lays down device and software specifications, and develops software too; it enrols; it de-duplicates; it establishes CIDR and manages it; it authenticates; it inspects; it prosecutes; it imposes disincentives; etc. And all this, it does based on funds obtained by appropriations from Consolidated Fund of India (Section 24).

(iii) Section 57 of Aadhaar Act only enables holder of Aadhaar number to use the said number for other purposes as well. That would not take away or dilute the sheen of Section 7, for which purposes the Bill was introduced as Money Bill. In any case, a part of Section 57 has already been declared unconstitutional whereby even a body corporate in private sector or person may seek authentication from the Authority for establishing the identity of an individual.

(iv) For all the said reasons, Bill was rightly introduced as Money Bill. Main provision is a part of Money Bill and others are only incidental and, therefore, covered by Article 110(g) of the Constitution.

Section 139AA of Income Tax Act, 1961 - Linking PAN number with Aadhaar number

(i) Section 139AA is enacted to link PAN number with Aadhaar number which is issued under the Act for the purpose of eliminating duplicate PANs from the system with the help of robust technology solution. Therefore, those who have PAN number and have already provided the information required to get PAN number cannot claim to have any legitimate expectation of withholding any data required for Aadhaar under the ground of privacy.

(ii) Also, there was justifiable reason with the State for collection and storage of data in the form of Aadhaar and linking it with PAN insofar as Section 139AA of the 1961 Act is concerned. The provisions of Section 139AA of the Income Tax Act, 1961 meet the triple test of right to privacy, contained in K.S. Puttaswamy.

Prevention of Money Laundering Rules - Validity of amendments in

(i) Rule 9 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and the notifications issued thereunder which mandates linking of Aadhaar with bank accounts in the present form does not meet the test of proportionality and, therefore, violates the right to privacy of a person which extends to banking details.

(ii) This linking is made compulsory not only for opening a new bank account but even for existing bank accounts with a stipulation that if the same is not done then the account would be deactivated, with the result that the holder of the account would not be entitled to operate the bank account till the time seeding of the bank account with Aadhaar is done. This amounts to depriving a person of his property.

(iii) This move of mandatory linking of Aadhaar with bank account does not satisfy the test of proportionality.

Linking of Mobile Number with Aadhaar

(i) By a Circular dated March 23, 2017, the Department of Telecommunications has directed that all licensees shall reverify the existing mobile subscribers (pre-paid and post-paid) through Aadhaar based e-KYC process.

(ii) It amounts to mandatory linking of mobile connections with Aadhaar, which requirement is not only in respect of those individuals who would be becoming mobile subscribers, but applies to existing subscribers as well. Not only does such a circular lack the backing of a law, it also fails to meet the requirement of proportionality. It does not meet 'necessity stage' and 'balancing stage' tests to check the primary menace which is in the mind of the respondent authorities.

(iii) For the misuse of such SIM cards by a handful of persons, the entire population cannot be subjected to intrusion into their private lives. It also impinges upon the voluntary nature of the Aadhaar scheme. It is disproportionate and unreasonable state compulsion. Every individual/resident subscribing to a SIM card does not enjoy the subsidy benefit or services mentioned in Section 7 of the Act. The Circular dated March 23, 2017 was declared as unconstitutional.

Ashok Bhushan, J.

(i) Requirement under Aadhaar Act to give one's demographic and biometric information does not violate fundamental right of privacy.

(ii) Provisions of Aadhaar Act requiring demographic and biometric information from a resident for Aadhaar Number pass three-fold test as laid down in Puttaswamy case, hence cannot be said to be unconstitutional.

(iii) Collection of data, its storage and use does not violate fundamental right of privacy.

(iv) Aadhaar Act does not create architecture for pervasive surveillance.

(v) Aadhaar Act and Regulations provide protection and safety of the data received from individuals.

(vi) Section 7 of the Aadhaar Act is constitutional. The provision does not deserve to be struck down on account of denial in some cases of right to claim on account of failure of authentication.

(vii) State while enlivening right to food, right to shelter etc. envisaged under Article 21 of Constitution cannot encroach upon the right of privacy of beneficiaries.

(viii) Provisions of Section 29 of Aadhaar Act are constitutional.

(ix) Section 33 of Aadhaar Act is not unconstitutional as it provides for the use of Aadhaar database for police investigation nor can it be said to violate protection granted under Article 20(3) of Constitution.

(x) Section 47 of the Aadhaar Act is not unconstitutional on the ground that it does not allow an individual who finds that there is a violation of Aadhaar Act to initiate any criminal process.

(xi) Section 57 of Aadhaar Act, to the extent that it permits use of Aadhaar by the State or any body corporate or person pursuant to any contract to this effect, is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. "or any contract to this effect" is struck down.

(xii) Section 59 of Aadhaar Act has validated all actions taken by the Central Government under the notifications dated 28.01.2009 and 12.09.2009 and all actions shall be deemed to have been taken under the Aadhaar Act.

(xiii) Parental consent for providing biometric information under Regulation 3 and demographic information under Regulation 4 has to be read for enrolment of children between 5 to 18 years to uphold the constitutionality of Regulations 3 & 4 of Aadhaar (Enrolment and Update) Regulations, 2016.

(xiv) Rule 9 as amended by PMLA (Second Amendment) Rules, 2017 is not unconstitutional and does not violate Articles 14, 19(1)(g), 21 and 300A of Constitution and Sections 3, 7 and 51 of the Aadhaar Act. Further, Rule 9 as amended is not ultra vires to PMLA Act, 2002.

(xv) Circular dated 23.03.2017 is unconstitutional.

(xvi) Aadhaar Act has been rightly passed as Money Bill. The decision of Speaker certifying the Aadhaar Bill, 2016 as Money Bill is not immune from judicial review.

(xvii) Section 139-AA of IT Act does not breach fundamental Right of Privacy as per Privacy judgment in Puttaswamy case.

Conclusions:

(i) Aadhaar Act is unconstitutional for failing to meet the necessary requirements to have been certified as a Money Bill under Article 110(1) of Constitution.

(ii) Doctrine of pith and substance cannot be invoked to declare whether a Bill satisfies the requirements set out in Article 110 of the Constitution to be certified as Money Bill.

(iii) Architecture of the Aadhaar Act seeks to create a unique identity for residents on the basis of their demographic and biometric information. There is a legitimate state aim in maintaining a system of identification to ensure that the welfare benefits provided by the State reach the beneficiaries who are entitled, without diversion.

(iv) Aadhaar Act and Regulations are bereft of the procedure through which an individual can access information related to his or her authentication record.

(v) Sections 29(1) and (2) of Aadhaar Act create a distinction between two classes of information (core biometric information and identity information), which are integral to individual identity and require equal protection. Section 29(4) suffers from overbreadth as it gives wide discretionary power to UIDAI to publish, display or post core biometric information of an individual for purposes specified by the Regulations.

(vi) Sections 2(g), (j), (k) and (t) suffer from overbreadth, as these can lead to an invasive collection of biological attributes. These provisions give discretionary power to UIDAI to define the scope of biometric and demographic information and empower it to expand on the nature of information already collected at the time of enrollment, to the extent of also collecting any "such other biological attributes" that it may deem fit.

(vii) No clarity on how an individual is supposed to update his/her biometric information, in case the biometric information mismatches with the data stored in CIDR. The proviso to Section 28(5) of the Aadhaar Act, which disallows an individual access to the biometric information that forms the core of his or her unique ID, is violative of a fundamental principle that ownership of an individual's data must at all times vest with the individual.

(viii) Aadhaar programme violates essential norms pertaining to informational privacy, self-determination and data protection.

(ix) Aadhaar project has failed to account for and remedy the flaws in its framework and design which has led to serious instances of exclusion of eligible beneficiaries. Dignity and the rights of individuals cannot be made to depend on algorithms or probabilities. Constitutional guarantees cannot be subject to the vicissitudes of technology. Denial of benefits arising out of any social security scheme which promotes socio-economic rights of citizens is violative of human dignity and impermissible under our constitutional scheme.

(x) Measures adopted by the Respondents fail to satisfy the test of necessity and proportionality for the following reasons -

  1. Storage of data in Aadhaar ecosystem is in violation of widely recognized data minimisation principles which mandate that data collectors and processors delete personal data records when the purpose for which it has been collected is fulfilled. Moreover, using the meta-data related to the transaction, the location of the authentication can easily be traced using the IP address, which impacts upon the privacy of the individual.
  2. From the verification log, it is possible to locate the places of transactions by an individual in the past five years. It is also possible through the Aadhaar database to track the current location of an individual, even without the verification log. Architecture of Aadhaar poses a risk of potential surveillance activities through the Aadhaar database. Any leakage in the verification log poses an additional risk of an individual's biometric data being vulnerable to unauthorised exploitation by third parties.
  3. The biometric database in the CIDR is accessible to third-party vendors providing biometric search and de-duplication algorithms, since neither the Central Government nor UIDAI have the source code for the de-duplication technology which is at the heart of the programme. The source code belongs to a foreign corporation. UIDAI is merely a licensee. The protection of the data of 1.2 billion citizens is a question of national security and cannot be subjected to the mere terms and conditions of a normal contract.
  4. Before the enactment of the Aadhaar Act, MOUs signed between UIDAI and Registrars were not contracts within the purview of Article 299 of the Constitution, and therefore, do not cover the acts done by the private entities engaged by the Registrars for enrolment. Since there is no privity of contract between UIDAI and the Enrolling agencies, the activities of the private parties engaged in the process of enrolment before the enactment of the Aadhaar Act have no statutory or legal backing.
  5. Under the Aadhaar architecture, UIDAI is the sole authority which carries out all administrative, adjudicatory, investigative, and monitoring functions of the project. While the Act confers these functions on UIDAI, it does not place any institutional accountability upon UIDAI to protect the database of citizens' personal information. UIDAI also takes no institutional responsibility for verifying whether the data entered and stored in the CIDR is correct and authentic. The task has been delegated to the enrolment agency or the Registrar.
  6. Section 47 of the Aadhaar Act violates citizens' right to seek remedies. Under Section 47(1), a court can take cognizance of an offence punishable under the Act only on a complaint made by UIDAI or any officer or person authorised by it. Section 47 is arbitrary as it fails to provide a mechanism to individuals to seek efficacious remedies for violation of their right to privacy. Further, Section 23(2)(s) of the Act requires UIDAI to establish a grievance redressal mechanism. Making the authority which is administering a project, also responsible for providing a grievance redressal mechanism for grievances arising from the project severely compromises the independence of the grievance redressal body.
  7. While the Aadhaar Act creates a regime of criminal offences and penalties, the absence of an independent regulatory framework renders the Act largely ineffective in dealing with data violations. Sans any independent regulatory and monitoring framework which provides robust safeguards for data protection, the Aadhaar Act cannot pass muster against a challenge on the ground of reasonableness under Article 14 of Constitution.
  8. No substantive provisions, such as those providing data minimization, have been laid down as guiding principles for the oversight mechanism provided under Section 33(2) of Aadhaar Act, which permits disclosure of identity information and authentication records in the interest of national security.
  9. Allowing private entities to use Aadhaar numbers, under Section 57, will lead to commercial exploitation of the personal data of individuals without consent and could also lead to individual profiling. This is contrary to privacy protection norms. Data cannot be used for any purpose other than those that have been approved. By failing to protect the constitutional rights of citizens, Section 57 violates Articles 14 and 21 of Constitution.
  10. Section 57 of Aadhaar Act is manifestly arbitrary, it suffers from overbreadth and violates Article 14.
  11. Section 7 suffers from overbreadth since the broad definitions of the expressions 'services' and 'benefits' enable the government to regulate almost every facet of its engagement with citizens under the Aadhaar platform. If the requirement of Aadhaar is made mandatory for every benefit or service which the government provides, it is impossible to live in contemporary India without Aadhaar. Section 7 is therefore arbitrary and violative of Article 14 of Constitution in relation to the inclusion of services and benefits as defined.
  12. State has failed to demonstrate that a less intrusive measure other than biometric authentication would not subserve its purposes.
  13. State has failed to satisfy this Court that the targeted delivery of subsidies which animate the right to life entails a necessary sacrifice of the right to individual autonomy, data protection and dignity when both these rights are protected by the Constitution.

(xi) Section 59 of the Aadhaar Act seeks to retrospectively validate the actions of the Central Government done prior to the Aadhaar Act pursuant to Notifications dated 28 January 2009 and 12 September 2015. The absence of a legislative framework for the Aadhaar project between 2009 and 2016 left the biometric data of millions of Indian citizens bereft of the kind of protection which must be provided to comprehensively protect and enforce the right to privacy. Section 59 therefore fails to meet the test of a validating law since the complete absence of a regulatory framework and safeguards cannot be cured merely by validating what was done under the notifications of 2009 and 2016.

(xii) Since the Aadhaar Act itself is now held to be unconstitutional for having been enacted as a Money Bill and on the touchstone of proportionality, the seeding of Aadhaar to PAN under Section 139AA of IT Act does not stand independently.

(xiii) The 2017 amendments to the PMLA Rules fail to satisfy the test of proportionality. The imposition of a uniform requirement of linking Aadhaar numbers with all account based relationships proceeds on the presumption that all existing account holders as well as every individual who seeks to open an account in future is a potential money-launderer. No distinction has been made in the degree of imposition based on the client, the nature of the business relationship, the nature and value of the transactions or the actual possibility of terrorism and money-laundering. The Rules also fail to make a distinction between opening an account and operating an account. Moreover, the consequences of the failure to submit an Aadhaar number are draconian. In their present form, the Rules are clearly disproportionate and excessive.

(xiv) Decision to link Aadhaar numbers with mobile SIM cards is neither valid nor constitutional. The biometric information and Aadhaar details collected by Telecom Service Providers shall be deleted forthwith and no use of the said information or details shall be made by TSPs or any agency or person on their behalf.

(xv) Technology deployed in the Aadhaar scheme reduces different constitutional identities into a single identity of a 12-digit number and infringes the right of an individual to identify herself/himself through a chosen means. It must not be allowed to obliterate constitutional identity.

(xvi) The entire Aadhaar programme, since 2009, suffers from constitutional infirmities and violations of fundamental rights. The enactment of the Aadhaar Act does not save the Aadhaar project. The Aadhaar Act, the Rules and Regulations framed under it, and the framework prior to the enactment of the Act are unconstitutional.

(xvii) To enable the government to initiate steps for ensuring conformity with this judgment, it is directed under Article 142 that the existing data which has been collected shall not be destroyed for a period of one year. During this period, the data shall not be used for any purpose whatsoever. At the end of one year, if no fresh legislation has been enacted by the Union government in conformity with the principles which have been enunciated in this judgment, the data shall be destroyed.

Important Precedents:

(i) Justice K.S. Puttaswamy and Anr. v. Union of India and Ors. MANU/SC/1044/2017

(ii) Yogendra Kumar Jaiswal and Ors. v. State of Bihar and Ors. MANU/SC/1441/2015
