Our review article examines the Aadhaar program, which is the largest biometric identification program in the world, and its impact on privacy in India.

Aadhaar is a unique 12-digit identification number that can be voluntarily obtained by Indian citizens or foreign residents who have resided in India for more than 182 days in the past year.

Data is collected by the Unique Identification Authority of India (UIDAI), which was established in 2009 by the Government of India under the Ministry of Electronics and Information Technology. The data collected includes iris and facial photographs, fingerprints, name, gender, date and place of birth. The Indian government has encouraged citizens to link their numbers to various services, such as mobile SIM cards, some social welfare schemes and bank accounts.

Creating this large database has simplified access to services that require verification, but has also created a significant security risk because it contains sensitive personal information. The processing and confidentiality of this data requires special security measures, and the creation of these databases has also attracted the attention of criminals and companies alike. The database also suffered a security breach, which exposed the personal information of millions of people. For example, in May 2017, the Bangalore-based Center for Internet and Society (CIS) obtained the details of 130 million Aadhaar cards by breaking into government websites. These details include the names, religion, caste, addresses, telephone numbers and even bank account numbers of 100 million people.

In January 2018, The Tribune newspaper pointed out how access to data collected in the Aadhaar database was particularly vulnerable due to its technical structure, unclear governance and inadequate security controls. The newspaper’s survey showed that for as little as 500 rupees (about 5.90 euros) it was possible to buy a digital identity, and the survey also highlighted the ease of access to the entire data database for financial gain.

Many in India have called for Aadhaar to be shut down, citing its use as unconstitutional. The scheme, which was initially introduced through an Executive Notice, was first challenged in the Supreme Court in 2012. In 2016, the Aadhaar Act (for the targeted provision of subsidies, benefits and services) was adopted. The Aadhaar Act has been the target of much criticism and India’s Supreme Court issued two landmark decisions in 2017 and 2018 regarding its constitutionality.

On August 24, 2017, a panel of nine judges at India’s Supreme Court unanimously ruled that “the right to privacy is intrinsic to Section 21 (of the Constitution), which protects life and liberty”.

Until then, the Indian Constitution (1950) did not explicitly mention the inalienable right to privacy of individuals, but it was implicit in the fundamental charter. The Government of India argues that this right can be conditional on access to resources deemed necessary to improve the lives of the majority.

In its September 2018 ruling, five judges in India’s Supreme Court ruled that India’s Parliament has the power to pass the Aadhaar Act 2016 as a money bill under Article 110 of the Constitution. Several motions for review were filed against this decision in December 2018.

In November 2019, five other judges of India’s Supreme Court upheld the constitutional validity of Aadhaar but overturned certain provisions, including the obligation to link Aadhaar to bank accounts, SIM cards and school admissions.

The court also clarified that the use of Aadhaar is voluntary and no one can be refused service for not having an Aadhaar card. However, the Aadhaar program remains active and the Indian government continues to link it with various services.

In conclusion, Aadhaar is a controversial program that sparked debates about privacy and government surveillance in India.

Marc-Olivier Boisset (EHESS) and Jean Langlois-Berthelot