Initial analysis of Indian Supreme Court decision on Aadhaar
Image attribution: By Legaleagle86 at en.wikipedia, CC BY-SA 3.0.
In a long-anticipated judgment, the Indian Supreme Court has ruled that India's controversial identification system Aadhaar is Constitutional. They based their conclusion on notes that there are sufficient measures in place to protect data, and that it is difficult to undertake surveillance of citizens on the basis of Aadhaar.
But there is some good in this ruling. The court has demanded that the Government introduce a 'strong data protection law' as soon as possible. It also requires that Aadhaar not be required for some services, including for people applying to get a SIM card for their mobile phone, for opening a bank account, for government grants, and schools. The court also seems to state that use by the private sector must be limited.
The court also established a hard retention period -- previously the government kept authentication transaction logs for five years, and the court believes that six months is sufficient. This log of transactions within an identity system becomes a map of a human's life: whenever they use an identity and it is verified, a note in the log is generated. In modern life this would be a list of all bank accounts, all uses of a health care system, all benefits at point of use.
The judgment (coming in at a whopping 1448 pages) is not the one we wanted but there are some opportunities for action.
It will be interesting to see how the Government responds to this ruling -- many of the purported benefits of Aadhaar will be limited. Equally, the claims of security seem to be at the core of the court's rationale that Aadhaar is consistent with security and rights safeguards, even though there have been repeated problems (see this timeline).
The dissenting opinion from Justice Chandrachud was scathing on privacy grounds. Highlighting concerns around profiling, the weak legal framework sanctioning the system, and potentials for misuse, the Justice also raises concerns about how the system still gives rise to exclusion.
We are seeing similar identification schemes being deployed around the world from Argentina, Morocco, Kenya, Lebanon, Pakistan and the Philippines with the same flaws and vulnerabilities, and with little or no consideration to the security, privacy and other human rights implications of deploying such broad, unregulated mass identification databases.
Now is the time for civil society in India to redouble their efforts - to push for a strong data protection law, to push for a system that protects people and their data, and doesn't exclude the most vulnerable. By not giving people the ability to make and prove claims about themselves and the identity they self-identify as also threatens other fundamental rights including the right not to be discriminated against, to be treated fairly, and to equal protection of the law. Identity systems should only be created within a context that protects fundamental rights, and identity systems should be designed to protect and enhance rights.
Find out more about PI's work on identity, please see our Topic page.
India's Unique Identity is the world's largest identification number scheme, with the details of over a billion people stored in the databse. It was first implemented in 2010, and Aadhaar enrollment reached 1 billion in April 2016. However, it only received a firm basis in law with the passing of the Aadhaar Act in 2016, pushed through the legislative process as a "money act", that by design receives little scrutiny compared to a regular piece of legislation. The scheme seeks to issue every resident of India a 12-digit identity number based on their biometric information (including all 10 fingerprints, iris scans, and a facial photograph) and demographic data (including address, name, family name, and date of birth.). It is available to any Indian citizen or anyone resident in India. The scheme is run by the Unique Identification Authority of India (UIDAI).
Aadhaar is increasingly widely used. It is mandatory for much of India's benefits system, used for the distribution of food rations and fuel subsidies to India's poor. However, the breadth of ways that Aadhaar has been used has increased, including its use in getting a SIM card and opening a bank account. In January 2018, the Supreme Court of India began hearing the long-awaited petition against the constitutionality of Aadhaar. The case covers a broad range of aspects of Aadhaar, particularly in light of the Supreme Court's landmark right to privacy judgment of August 2017 in the Puttaswamy case, and the mandatory linking of Aadhaar with services such as mobile phones and bank accounts.
About today's court ruling
The Supreme Court explored different issues over the course of the legal proceedings which they summarised in the form of questions in paragraph 447. Below are the key summaries/extracts of their answers for some of these questions (as we quote below):
"Key question on surveillance: Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground? (page 540-545)
The architecture of Aadhaar as well as the provisions of the Aadhaar Act do not tend to create a surveillance state. This is ensured by the manner in which the Aadhaar project operates.
Key question with regards to privacy: Whether the Aadhaar Act violates right to privacy and is unconstitutional on this ground? (page 546-555)
After detailed discussion, it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21. This can be discerned from the reading of Paras 297 to 307 of the ruling judgment.
The Court is also of the opinion that the triple test laid down in order to adjudge the reasonableness of the invasion to privacy has been made."
(i) Requirement of law
Answer in judgment:
"The Parliament has now passed Aadhaar Act, 2016. Therefore, law on the subject in the form of a statute very much governs the field and, thus, first requirement stands satisfied. We may point out at this stage that insofar as period from 2009 (when the Aadhaar scheme was launched with the creation of Authority vide notification No. A-43011/02/2009- Admin. I dated January 28, 2009 till the date Aadhaar Act came into force i.e. March 26, 2016, it is the argument of the petitioners that insofar as this period is concerned, it is not backed by any law and, therefore, notification dated January 28, 2009 should be struck down on this ground itself and all acts done including enrolment under the Aadhaar scheme from 2009 to 2016 should be invalidated. This aspect we propose to deal at a later stage. At this juncture, we are looking into the vires of Aadhaar Act. In that context, the first requirement stands fulfilled." paragraph 261, page 331 of 567)
(ii) Whether Aadhaar Act serves legitimate State aim?
Answer in judgment:
"By no stretch of imagination, therefore, it can be said that there is no defined State aim in legislating Aadhaar Act. We may place on record that even the petitioners did not seriously question the purpose bona fides of the legislature in enacting this law. In a welfare State, where measures are taken to ameliorate the sufferings of the downtrodden, the aim of the Act is to ensure that these benefits actually reach the populace for whom they are meant. This is naturally a legitimate State aim." - paragraph 266 (page 341 of 567)
(iii) Whether Aadhaar Act meets the test of proportionality?
This discussion brings out that following four sub-components of proportionality need to be satisfied (as we quote below):
Answer in judgement:
(a) A measure restricting a right must have a legitimate goal (legitimate goal stage).
There is a minimal intrusion into the privacy and the law is narrowly framed to achieve the objective. Here the Act is to be tested on the ground that whether it is found on a balancing test that the social or public interest and the reasonableness of the restrictions outweigh the particular (page 550 of 567)
(b) It must be a suitable means of furthering this goal (suitability or rationale connection stage).
We are also of the opinion that the measures which are enumerated and been taken as per the provisions of Section 7 read with Section 5 of the Aadhaar Act are rationally connected with the fulfillment of the objectives contained in the Aadhaar Act.
(c) There must not be any less restrictive but equally effective alternative (necessity stage).
Insofar as third component is concerned, most of it stands answered while in the discussion that has ensued in respect of component No. 1 and 2. The manner in which malpractices have been committed in the past leaves us to hold that apart from the system of unique identity in Aadhaar and authentication of the real beneficiaries, there is no alternative measure with lesser degree of limitation which can achieve the same purpose. In fact, on repeated query by this Court, even the petitioners could not suggest any such method. (paragraph 280, page 351 of 567)
(d) The measure must not have a disproportionate impact on the right holder (balancing stage).
i) Whether, ‘legitimate state interest’ ensures ‘reasonable tailoring’?
The Court finds that as the information collected at the time of enrolment as well as authentication is minimal, balancing at the first level is met.
ii) There needs to be balancing of two competing fundamental rights, right to privacy on the one hand and right to food, shelter and employment on the other hand.
Insofar as second level, namely, balancing of two competing fundamental rights is concerned, namely, dignity in the form of autonomy (informational privacy) and dignity in the form of assuring better living standards of the same individual, the Court has arrived at the conclusion that balancing at the second level is also met. The detailed discussion in this behalf amply demonstrates that enrolment in Aadhaar of the unprivileged and marginalised section of the society, in order to avail the fruits of welfare schemes of the Government, actually amounts to empowering these persons. On the one hand, it gives such individuals their unique identity and, on the other hand, it also enables such individuals to avail the fruits of welfare schemes of the Government which are floated as socio-economic welfare measures to uplift such classes. In that sense, the scheme ensures dignity to such individuals. This facet of dignity cannot be lost sight of and needs to be acknowledged. We are, by no means, accepting that when dignity in the form of economic welfare is given, the State is entitled to rob that person of his liberty. That can never be allowed. We are concerned with the balancing of the two facets of dignity. Here we find that the inroads into the privacy rights where these individuals are made to part with their biometric information, is minimal. It is coupled with the fact that there is no data collection on the movements of such individuals, when they avail benefits under Section 7 of the Act thereby ruling out the possibility of creating their profiles. In fact, this technology becomes a vital tool of ensuring good governance in a social welfare state. We, therefore, are of the opinion that the Aadhaar Act meets the test of balancing as well.
In his dissenting judgment, Justice Chandrachud examined whether the Aadhar Act fulfils the test of proportionality - that the nature and extent of the State’s interference with the exercise of a right (in this case, the rights to privacy, dignity, choice, and access to basic entitlements) must be proportionate to the goal it seeks to achieve (in this case, purported plugging of welfare leakage and better targeting of subsidies, benefits and services). His judgment includes consideration of the following:
- Lack of accountability and redress: UIDAI lacks institutional accountability mechanisms and that Aadhaar Act failed to establish an independent monitoring authority, redress mechanisms and principles for data protection.
- Facilitates commecial data exploitation and profiling: Allowing private entities to use Aadhaar numbers (under section 57) will lead to commercial exploitation of an individual’s personal data. This will result in a violation of privacy and profiling of citizens. Profiling can impact individuals and their behaviour. Since data collection records the preferences of an individual based on the entities which requested for proof of identity, any such pattern in itself is crucial data that could be used to predict the emergence of future choices and preferences of individuals. These preferences could also be used to influence the decision making of the electorate in choosing candidates for electoral offices.
- Security concerns: It is vital that the State ascertain security vulnerabilities when developing an ID system, yet security concerns relating to the data of 1.2 billion citizens were not addressed.
- Overbreadth & function creep: Whilst Aadhaar is 'voluntary' as a form of identification, it is mandatory for State subsidies, benefits and services (252 schemes and exapanding), therefore "From delivery to deliverance, almost every aspect of the cycle of life would be governed by the logic of Aadhaar." and "If the requirement of Aadhaar is made mandatory for every benefit or service which the government provides, it is impossible to live in contemporary India without Aadhaar"
For these reasons and others, Justice Chandrachaud found that the legitimate aim of the State can be fulfilled by adopting less intrusive measures as opposed to the mandatory enforcement of the Aadhaar scheme as the sole repository of identification.The State has failed to justify its actions and to demonstrate why facilitating the targeted delivery of subsidies, which promote several rights such as the right to food for citizens, automatically entails a sacrifice of the right to privacy when both these rights are protected by the Constitution. One right cannot be taken away at the behest of the other especially when the State has been unable to satisfy this Court that the two rights are mutually exclusive.
Key question on validity of Aadhhar Act: Whether the Aadhaar Act could be passed as ‘Money Bill’ within the meaning of Article 110 of the Constitution? (page 561-564)
We, thus, hold that the Aadhaar Act is validly passed as a ‘Money Bill’.
Question on PAN: Whether Section 139AA of the Income Tax Act, 1961 is violative of right to privacy and is, therefore, unconstitutional? (page 565)
Even after judging the matter in the context of permissible limits for invasion of privacy, namely: (i) the existence of a law; (ii) a ‘legitimate State interest’; and (iii) such law should pass the ‘test of proportionality’, we come to the conclusion that all these tests are satisfied.
The dissenting judgment, Justice Chandrachud said that the seeding of Aadhaar in PAN cards depends on the constitutional validity of the Aadhaar legislation itself and does not stand independently as the Act is unconstituional as a Money Bill.
Question on linking Aadhaar to bank accounts: Whether Rule 9 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and the notifications issued thereunder which mandates linking of Aadhaar with bank accounts is unconstitutional? (page 565-567)
We hold that the provision in the present form does not meet the test of proportionality and, therefore, violates the right to privacy of a person which extends to banking details.
Question on making Aadhaar mandatory for SIM card registration: Whether Circular dated March 23, 2017 issued by the Department of Telecommunications mandating linking of mobile number with Aadhaar is illegal and unconstitutional? (page 566-567)
Circular dated March 23, 2017 mandating linking of mobile number with Aadhaar is held to be illegal and unconstitutional as it is not backed by any law and is hereby quashed.
Below we identify some of the aspects of the ruling that we believe are more promising, and indicate that India will see many new privacy protections in the foreseeable future.
No mobile company can ask for Aadhaar card
The Supreme Court had earlier this year clarified that Aadhaar is not mandatory for getting a SIM card and its judgement today confirms that. This is an important decision to minimise potential concerns of unfair disconnections of devices in instances where people who cannot identify themselves, the sharing of SIM users' information with government departments and matched with other private and public databases, and enabling the State to create comprehensive profiles of individual citizens.
"Having due regard to the test of proportionality which has been propounded in Puttaswamy and as elaborated in this judgment, we do not find that the decision to link Aadhaar numbers with mobile SIM cards is valid or constitutional. The mere existence of a legitimate state aim will not justify the means which are adopted. Ends do not justify means, at least as a matter of constitutional principle. For the means to be valid, they must be carefully tailored to achieve a legitimate state aim and should not be either disproportionate or excessive in their encroachment on individual liberties." - Paragraph 284
"Mobile technology has become a ubiquitous feature of our age. Mobile phones are not just instruments to facilitate a telephone conversation. They are a storehouse of data reflecting upon personal preferences, lifestyles and individual choices. They bear upon family life, the workplace and personal intimacies. The conflation of biometric data with SIM cards is replete with grave dangers to personal autonomy. A constitution based on liberal values cannot countenance an encroachment of this nature. The decision to link Aadhaar numbers to SIM cards and to enforce a regime of e-KYC authentication clearly does not pass constitutional muster and must stand invalidated. All TSPs shall be directed by the Union government and by TRAI to forthwith delete the biometric data and Aadhaar details of all subscribers within two weeks. The above data and Aadhaar details shall not be used or purveyed by any TSP or any other person or agency on their behalf for any purpose whatsoever." - Paragraph 285
Not mandatory for opening of bank account
In 2017, the Indian government had announced amendments to the Prevention of Money Laundering Rules making both Aadhaar and PAN mandatory which would make Aadhaar mandatory for opening a bank account starting on 1 June 2017. The judgement of the Supreme Court has now said that this should not be the case.
"This linking is made compulsory not only for opening a new bank account but even for existing bank accounts with a stipulation that if the same is not done then the account would be deactivated, with the result that the holder of the account would not be entitled to operate the bank account till the time seeding of the bank account with Aadhaar is done. This amounts to depriving a person of his property. We find that this move of mandatory linking of Aadhaar with bank account does not satisfy the test of proportionality. To recapitulate, the test of proportionality requires that a limitation of the fundamental rights must satisfy the following to be proportionate: (i) it is designated for a proper purpose; (ii) measures are undertaken to effectuate the limitation are rationally connected to the fulfilment of the purpose; (iii) there are no alternative less invasive measures; and (iv) there is a proper relation between the importance of achieving the aim and the importance of limiting the right." - Paragraph 432
The dissenting judgment, Justice Chandrachud said the decision to link Aadhaar numbers to SIM cards and to enforce a regime of e-KYC authentication clearly does not pass constitutional muster and must stand invalidated. He added that imposing a uniform requirement of linking Aadhaar numbers with all account based relationships is clearly disproportionate and excessive. It fails to meet the test of proportionality and suffers from manifest arbitrariness.
Not compulsory for EGC, NEET and CBSE
The Supreme Court ruled that Aadhaar should not be compulsory for the University Grants Commission (UGC), the National Eligibility and Entrance Test (NEET) and the Central Board of Secondary Education (CBSE) exams and school admissions. This element is key as concerns had been expressed with Aadhaar being mandatory that children would be denied admission to primary and secondary education and others to tertiary education. There were also concerns that Aadhaar was also preventing young people from applying for scholarships and sitting examinations.
"...CBSE, NEET, JEE, UGC etc. cannot make the requirement of Aadhaar mandatory as they are outside the purview of Section 7 and are not backed by any law." - Paragraph 322 (c)
Reviewing retention of authentification data
The Supreme Court ruled that the mandatory retention policies were too broad and had to be reviewed. Regulation 27 of the Authentication Regulations currently requires the UIDAI to retain the “authentication transaction data” (which includes the meta data) for a period of 6 months and to archive the same for a period of 5 years thereafter. It was argued that this was an unreasonable amount of time.
"We do not find any reason for archiving the authentication transaction data for a period of five years. Retention of this data for a period of six months is more than sufficient after which it needs to be deleted except when such authentication transaction data are required to be maintained by a Court or in connection with any pending dispute." - Paragraph 205
"Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law." - Paragraph 219 (a)
Limit use by private sector
Section 57 of the Act prmitted any corporate actor to use the Aadhaar numbers to establish the identity of an individual just like any other proof of identity. This raised concerns that private actors would have access to very sensitive information about individuals which they could potentially misuse and abuse for corporate purposes. The Supreme Court expressed concern on the use of Aadhaar by private entities and noted that provision in the Aadhaar Act on this matter was weak.
"That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional." - Paragraph 219 (e)
"Section 57 of the Aadhaar Act allows the use of an Aadhaar number for establishing the identity of an individual “for any purpose” by the state, privateentities and persons. Allowing private entities to use Aadhaar numbers will lead to commercial exploitation of an individual’s personal data without his/herconsent and could lead to individual profiling. The contention is that Section 57 fails to meet the requirements set out in the Puttaswamy judgment." - Paragraph 241
National security grounds revisited slightly
Section 33(1) of the Aadhaar Act was about how a court order could give access to the demographic data in CIDR, but not the biometrics. Section 33(2) of the Aadhaar Act allowed, for the purpose of national security, access to the Aadhaar databse (including biometrics) if authorised by an intelligence officer of Joint Seretary or above. That has been declared unconstitutional. That means that, on a national security justification, access would require authorisation by a court. The details of the judgment are a little unclear about this process however (see paragraphs 214-219).
c) Section 33 of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing. d) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down. - Paragraph 219 (c) and (d)
Demand that data protection law be passed immediately
The Supreme Court has noted the urgency for the Indian government to adopt and enforce a robust data protection law.
"We have also impressed upon the respondents, as the discussion hereinafter would reveal, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate." - Paragraph 219 (f)
This demand was echoed in dissenting judgment from Justice Chandrachud who said: The invisible threads of a society networked on biometric data have grave portents for the future. Unless the law mandates an effective data protection framework, the quest for liberty and dignity would be as ephemeral as the wind." (Paragraph 244, page 337)
Much more problematic components to the judgment are identified in this section.
Upheld validity of Aadhaar Act
In 2016, the Aadhaar Act was adopted as a Money Bill meaning that it bypassing a more inclusive legislative process. The Aadhaar Act was discussed only in Lok Sabha (the Lower House), and the amendments suggested by the Rakya Sabha (The Upper House) were rejected and it was passed unilaterally by the Lower House.
The ruling judgment said that the Aadhaar Act was not valid despite having been passed as a Money Bill.
The Dissenting judgment from Justice Chandrachud opined that the Aadhar Act did not qualify as a Money Bill and should not have been qualified as such by the Speaker. This meant that the Act bypassed the constitutional authority of the Rajya Sabha, damaging the delicate balance of bicameralism which is part of the basic structure of the Indian Constitution. A Money Bill is legislation that only deals with certain (limited) provisions and thus has a specific legislative procedure with limited scope for amendment by the Rajya Sabha.
Sufficient security safeguards in place
It is deeply troubling that the Supreme Court has deemed there were sufficient security safeguards in place to protect data and that it would difficult to launch surveillance on citizens on basis of Aadhaar. Since the establishment of Aadhaar numerous cases have emerged demonstrating the weaknesses and vulnerabilities of Aadhaar. Securing identity systems is particularly challenging, as the number of data breaches across the world continue to mount. Identity data, in the modern world, and particularly as governments come to require it so much more often, becomes the key to perpretrate fraud and undertake surveillance.
This is why it is so concerning that given the available evidence illustrating the vulnerabilities of the system are being downplayed in the ruling judgement, such as in the context of hacking:
"It may, however, be mentioned that of late certain reports have appeared in newspapers to the effect that some people could hack the website of CIDR, though it is emphatically denied by the UIDAI. Since there are only newspapers reports to this effect which appeared after the conclusion of hearing in these cases and, therefore, parties could not be heard on this aspect, we leave this aspect of the matter at that with a hope that CIDR would find out the ways and means to curb any such tendency." - Paragraph 212, page 289 of 567)
The dissenting judgmenet from Justice Chandrachud recognised that once a biometric system is compromised, it is compromised forever. Therefore, it is imperative that concerns about protecting privacy must be addressed while developing a biometric system. Adequate norms must be laid down for each step from the collection to retention of biometric data. He flagged that biometric technology technology can lead to human rights violations - citing Privacy International's work which flags that when adopted in the absence of strong legal frameworks and strict safeguards, biometric technologies pose grave threats to privacy and personal security.
He examined the Aadhar legislation in two parts, first in the run up to the role of biometrics in the legislation and second the relevant provisions concernign the intersection of biometric technology and privacy, finding that consideration of risks and implementation of safeguards were lacking. Procedures for alternatives were also not provided, security concerns not addressed, core biometric and identify information, not given equal protection and the powers of the UDAI were overly wide. He concluded that "With this analysis of the measures taken by the Government of India prior to the enactment of the Aadhaar Act as well as a detailed analysis of the provisions under the Aadhaar Act, 2016 and supporting Regulations made under it, this judgment concludes that the Aadhaar programme violates essential norms pertaining to informational privacy, self-determination and data protection."
Mandatory for accessing welfare
The Supreme Court ruled that Aadhaar would continue to be mandatory for accessing and delivering welfare services. We are concerned by that Justice AK Sikri stated "Aadhaar empowers the marginalised section of the society and gives them an identity, Aadhaar is also different from other ID proofs as it can't be duplicated." Identity systems are too often framed as the silver bullet to marginalisation and exclusion, yet they may in fact increase exclusion and discrimination and targeting.
We are particularly concerned by the rationale developed by the ruling judgment in relations to the link made between accuracy and exclusion:
"(k) Insofar as the argument based on probabilistic system of Aadhaar, leading to ‘exclusion’ is concerned, the Authority has claimed that biometric accuracy is 99.76% and the petitioners have also proceeded on that basis. In this scenario, if the Aadhaar project is shelved, 99.76% beneficiaries are going to suffer. Would it not lead to their exclusion? It will amount to throwing the baby out of hot water along with the water. In the name of 0.232% failure (which can in any case be remedied) should be revert to the pre-Aadhaar stage with a system of leakages, pilferages and corruption in the implementation of welfare schemes meant for marginalised section of the society, the full fruits thereof were not reaching to such people?
(l) The entire aim behind launching this programme is the ‘inclusion’ of the deserving persons who need to get such benefits. When it is serving much larger purpose by reaching hundreds of millions of deserving persons, it cannot be crucified on the unproven plea of exclusion of some."- Paragraph 447, page 553 of 567)
Linking to PAN (tax) accounts
The PAN is the tax number that is required for people who are earning enough to pay income tax; for running a business above a certain size; or for the buying and selling of property or cars.
The judgment upheld that it was not in violation of the right to privacy and not unconstitutional. It noted that there was "a justifiable reason with the State for collection and storage of data in the form of Aadhaar and linking it with PAN insofar as Section 139AA of the Income Tax Act is concerned." - Paragraph 424, page 501 of 567)
A tool for managing migration
The court ruled that illegal migrants must be excluded from the identity system. This renders a system that was supposed to capture all people in India to empower them into a tool that will be used to exclude. This has to be seen in the context of Assam, where hundreds of thousands of people are being told that they are not Indian, and not legally in India. This exclusion will continue, and new ones may arise, and now be enforced using Aadhaar.
The judgment result is this: Aadhaar is now mandatory for a large proportion of India's population. That means, for anyone who is claiming their welfare entitlements, and for anyone who is eligible to pay income tax, they must surrender their biometrics to a scheme that is, at the moment, lightly regulated by law.
To put this into a larger context, the Supreme Court majority seems to imagine that Aadhaar is a sophisticated version of the US Social Security Number or the UK's National Insurance Number, where it is appropriate to be made mandatory for an individual's financial interactions with the state (e.g. tax, welfare) but not other things. But first, even if this was true, Aadhaar should have more safeguards on it akin to safeguards elsewhere in the world. And second, Aadhaar isn't a single numbering system alone, it is a giant centralised biometric database. Questions of constitutionality, proportionality, and necessity need to consider these realities in great detail, including interrogating claims of technical efficiency and technological capabilities.
This is exactly why this quotation from the dissenting opinion is so apt.
"The invisible threads of a society networked on biometric data have grave portents for the future. Unless the law mandates an effective data protection framework, the quest for liberty and dignity would be as ephemeral as the wind."
PI would argue that much more is required than a mere data protection law -- that law should have been on the books prior to the deployment of any government scheme involving personal data, and a data protection law has long been needed in India to regulate the private sector too. Much more is required, and we all need to watch India as it finds the necessary solutions. Sadly this court ruling will not be sufficient inspiration for deep thinking and reconsideration of plans that were entrenched without legal basis, without consideration of what's necessary in a democratic society.