The UIDAI action should serve as a warning to all entities which have access to Aadhaar data.
The Unique Identification Authority of India (UIDAI) took exemplary action against Bharti Airtel and Airtel Payments Bank by barring them from Aadhaar-based SIM verification of mobile customers using the eKYC process. The telecom operator and its payments bank had opened accounts of 31 lakh mobile phone subscribers without their informed consent using data accessed from the Aadhaar cards which were linked to mobile phone SIM cards. A fine of Rs 2.5 crore was also imposed on the operator. UIDAI later decided to conditionally allow Bharti Airtel to resume Aadhaar-based eKYC verification till January 10, but has not revoked the suspension imposed on the payments bank. UIDAI has also asked Reserve Bank of India, the Department of Telecom and a consultancy firm to audit Bharti Airtel’s processes. The mobile phone service provider brought these actions upon itself by violating the regulations relating to the use of Aadhaar and the trust of its customers.
When Aadhaar was linked to mobile phones, the data contained in the card was to be used only for verification. But Airtel used this to open payments bank accounts for the subscribers without their knowledge. Its mobile app had a pre-checked box, and if the customer did not uncheck it her consent for creating a payments bank wallet using mobile KYC was assumed. It was an easy method of customer acquisition but amounted to fraud and showed the danger of misuse of personal data when it falls into private hands. Many direct benefit transfer (DBT) scheme payments like LPG subsidies go into the accounts to which Aadhaar was last linked, rather than to beneficiaries’ regular accounts. Subsidy amounting to about Rs 138 crore under the DBT mode was deposited in these accounts and many customers were inconvenienced. The amounts have now been credited back to the original accounts, but there are lessons to learn from the episode.
The UIDAI action should serve as a warning to all entities which have access to Aadhaar data. Indiscriminate linking of Aadhaar to everything and for various purposes creates such situations. The government has now amended the rules on payment of subsidies, and they will no longer be transferred to the latest Aadhaar-linked bank account. It has also set up a committee to prepare a report on data privacy. There are certainly other dangers arising from possible misuse of personal data. When Aadhaar data is not safe even with the government and its agencies, the case for entrusting personal data to private players, as is being done now, is weak. It is unlikely that the regulations and safeguards will always be followed. The government should rethink its policy of linking Aadhaar to everything.