Many Indians who have an Aadhaar number are eager to break up with it, or at least minimise its presence in their digital lives. But that’s easier said than done.
The trigger is yesterday’s (Sept. 26) Indian supreme court ruling, which said the biometric identity programme was constitutionally valid but must be curtailed. Among the points struck down by the court was section 57 of the Aadhaar Act, which permitted private companies to ask customers for their unique ID number.
So customers can now reach out to banks, telecom companies, online wallets and any other private entity that had previously asked for an Aadhaar, and request for “delinking.” The process, though, is currently mired in confusion, as is the fate of the data already collated by these companies.
Consider Paytm. The online payments firm claimed last month that 100 million of its around 280 million users had completed the know your customer (KYC) process, mandated by the Reserve Bank of India. Although Aadhaar was only one among the options for completing a KYC, Paytm agents reportedly insisted that the biometric ID was mandatory.
Now, the company’s process of delinking Aadhaar seems cumbersome. The Business Standard newspaper reported that customers would have to call up Paytm’s customer-care hotline, ask the representative to send them an email to delink their Aadhaar, and then reply to that message with a “clear picture of your updated Aadhaar card.”
This process is problematic. One reason why people may wish to delink their Aadhaar from private services is to protect their privacy. So, asking customers to send a digital copy of their Aadhaar, which wasn’t even meant to be used as a photo ID, seems to defeat the entire purpose.
Paytm did not respond to questions sent by Quartz.
The process to delink Aadhaar from telecom providers also remains unclear. Some 500 million people, comprising around half of India’s total mobile customer base, have already linked their Aadhaar to mobile subscriptions. In a statement on Sept. 26, the Cellular Operators Association of India (COAI), which represents all major telecom companies, said it is reviewing the judgment and its implications. “We shall await further orders and instructions from DoT (Department of telecom),” said COAI director general Rajan S Mathews.
Questions sent to Airtel, Vodafone and Reliance Jio remained unanswered.
How to opt out?
Then there are banks, which put their back into collecting Aadhaar details of customers.
The rules for delinking are still unclear, bankers told Quartz, but expected clarity in a couple of weeks.
“We are waiting for some communication from the UIDAI or the RBI on how to go about it and then things will become clearer,” said Rishi Gupta, managing director and CEO of FINO payments bank. The UIDAI is the Unique Identification Authority of India, which runs the Aadhaar platform.
“We don’t know if they may ask us to advertise in the papers, or send e-mails, or mention every time we communicate to the customers, so a lot will depend on that,” Gupta added.
R Baskar Babu, CEO of Suryoday Small Finance Bank, a new lender that leveraged Aadhaar in recent months to drive customer acquisition, explained that the process could be streamlined. “If you want to opt-out, a call from the registered number should suffice. It is possible that we will also send push messages or emails that the customers can reply to and get out of it,” he said.
The process may differ from one bank to another, but some bankers believe that few customers are likely to opt out now. “About 95% to 96% of the people are happy to share their Aadhaar details because of the convenience that it provides, so we don’t expect a real rush for delinking,” said Rahul Johri, head of retail banking at Bandhan Bank.
For banks, there is the added conundrum of the personal account number (PAN), which is used by millions of Indians to file their income tax returns. An individual’s bank account is often linked to a PAN card, which in turn is linked to an Aadhaar. In its ruling on Sept. 26, the supreme court upheld this PAN-Aadhaar linkage.
“Therefore, will there be an overlap of data because then indirectly bank account and Aadhaar also get interlinked?” explained Gupta.
“The paper has already travelled”
And what happens to the data after Aadhaar is delinked?
The UIDAI’s Authentication Regulations (pdf) state that an Aadhaar holder “may, at any time, revoke consent given to a KUA for storing his or her e-KYC data or for sharing it with third parties, and upon such revocation, the KUA shall delete the e-KYC data and cease any further sharing.” A KUA, or a KYC User Agency, is one that has performed e-KYC Aadhaar authentication, which is what many private firms used the platform for.
But enforcing this regulation will likely be a whole different story, especially considering the fact that private firms are also in possession of digital copies of customers’ Aadhaar cards.
“There’s no way you can go and be sure that this will be deleted, because anyway, through the chain it went through a series of intermediaries who took on the paper Aadhaar,” said Srikanth Lakshmanan, founder of Cashless Consumer, an education initiative on digital payments. “So the paper has already travelled. And wherever that paper went, people needed to put that into Excel sheets and create their own databases.”
Samir Kelekar, a cybersecurity professional who submitted an affidavit to the supreme court for the Aadhaar case, was unsure how much customers could trust that delinking would protect their sensitive personal data. “Nobody deletes anything nowadays. They could have just archived it. They may not use it, but they may wait for a later day when it could be useful,” he said.
“There has to be a mechanism by which some independent audit has to be done,” Kelekar added, “but it’s tough to check all these things.”