Allowing Private Access to Aadhaar Infrastructure

It is believed that this move will improve access to efficient Aadhaar-enabled services, foster the development of innovative digital solutions leveraging Aadhaar authentication, and strengthen government partnerships with other entities for enhanced governance solutions. Further, the new amendments will enable individuals to seamlessly avail themselves of services provided by non-governmental entities in sectors such as e-commerce, travel, tourism, hospitality and health.[2]

Background

Following the judgment of the Supreme Court in Justice K S Puttaswamy (retd) & Anr. v. Union of India & Ors. [WP(C) No.494 of 2012], the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, was amended in 2019 to ensure that entities could be allowed to perform authentication subject to the requesting entity’s compliance with standards of privacy and security as prescribed by regulations. Another requirement introduced by the 2019 amendment was that the requesting entity sought authentication for only such purposes as prescribed by the Central Government.

Accordingly, the 2020 Rules were notified, permitting Aadhaar authentication on a voluntary basis for the following purposes:

  • usage of digital platforms to ensure good governance;
  • prevention of dissipation of social welfare benefits; and
  • enablement of innovation and the spread of knowledge.

The 2020 Rules envisaged submission of proposals by the Department or Ministry of Government of India or a State Government desirous of using Aadhaar authentication for the purposes mentioned above.

MeitY’s Notification

The latest notification makes changes to Rules 3, 4 and 5 of the 2020 Rules. Here is an overview of the amendments:

  • Purposes for Aadhaar authentication extended to include, “promoting ease of living of residents and enabling better access to services for them”. Consequently, the purposes for which Aadhaar authentication may be allowed under the amended Rules are as follows:
    • usage of digital platforms to ensure good governance;
    • promoting ease of living of residents and enabling better access to services for them;
    • prevention of dissipation of social welfare benefits; and
    • enablement of innovation and the spread of knowledge.
  • Entities other than the Ministry or the Department of the Central Government or a State Government desirous of using Aadhaar authentication may also prepare proposals, to be submitted to the concerned Ministry or Department, which will forward the proposal if a) it fulfils a purpose specified in Rule 3, and b) is in the interest of the State.

It follows that the amended Rules envisage the submission of proposals by:

    • the Ministry or the Department of the Central Government or a State Government desirous of utilising Aadhaar authentication for a purpose specified in Rule 3; and
    • entities other than the Ministry or Department of the Central Government or a State Government desirous of utilising Aadhaar authentication for a purpose specified in Rule 3 and in the interest of the State.
  • If the Unique Identification Authority of India (UIDAI) is satisfied that the proposal is in order, it will inform MeitY accordingly. Based on MeitY’s approval and confirmation, the Ministry or Department will notify the entity for Aadhaar usage.

Shift in Approach

The challenges to the Aadhaar project before the Supreme Court prompted the government to opt for a guarded stance, restricting private access to the Aadhaar infrastructure. However, such a restriction is not envisaged under the provisions of the Aadhaar Act. Specifically, the term ‘requesting entity’, as defined under Section 2(u) of the Act, is quite broad and encompasses not only government organisations but also private entities. Section 8 of the Act read with Section 2(u) envisages the performance of authentication by UIDAI of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity, i.e., including private entities, in relation to his biometric information or demographic information.

Moreover, in the Puttaswamy judgment, the Supreme Court did not narrow the definition of the term ‘requesting entity’ under Section 2(u) to exclude private entities. This suggests that neither the Parliament nor the Supreme Court intended to prevent private access to the Aadhaar infrastructure.

MeitY’s recent notification signals a shift in the government’s approach by allowing even private entities to use Aadhaar authentication and extending the purposes for which such authentication can be used to include “promoting ease of living of residents and enabling better access to services for them”.

Striking a Balance

The recent amendments to the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020, significantly expand the scope of Aadhaar authentication by allowing private entities to use it for purposes beyond social welfare. While the government aims to enhance ease of living and foster innovation, this raises serious legal and privacy concerns. The Supreme Court in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. had emphasised that Aadhaar authentication should be limited to necessary and proportionate uses, ensuring privacy and security. The expansion to sectors like e-commerce, tourism, and hospitality risks function creep, where Aadhaar could become a de facto digital identity system without sufficient safeguards. Additionally, compliance with data protection laws, potential breaches, and the lack of clear guidelines on data retention and sharing pose significant risks.

From a practical standpoint, the implementation of these amendments could face challenges such as bureaucratic delays, unfair advantages for large corporations, and technical failures in authentication. The multi-step approval process—where private entities must route proposals through government departments before obtaining MeitY and UIDAI’s approval—could hinder efficiency. Furthermore, user consent and data security remain major concerns, especially in the absence of robust regulatory oversight. To ensure that Aadhaar authentication remains a tool for innovation without compromising privacy, the government must establish clear data-sharing rules, sector-specific implementation strategies, and stronger user control mechanisms. While the move may unlock new digital opportunities, its success depends on striking the right balance between innovation and fundamental rights.

Key Legal Considerations and Practical Implications

  • Constitutional & Privacy Concerns

Aadhaar authentication should be used only for purposes backed by law, and the requesting entity must comply with privacy and security standards.

The authentication process should not be coercive. While the amended Rules do not directly violate these principles, they introduce new risks.

Initially, Aadhaar authentication was permitted for digital governance and welfare programs. The new amendments extend it to private entities under the broad justification of ease of living. This raises questions about whether such an expansion aligns with the necessity and proportionality test set by the Supreme Court.

  • Compliance & Data Protection Risks

With private entities accessing Aadhaar authentication, there is an increased risk of data breaches and unauthorised use. The amendments do not specify whether private entities can store authentication logs, whether UIDAI will conduct audits, or what penalties exist for misuse.

  • Practical Challenges in Implementation

Private entities must submit proposals via a government ministry or department, which will then forward them to UIDAI and MeitY for approval; this multi-step process could lead to delays and inefficiencies, making Aadhaar authentication less attractive for businesses. Larger corporations with government influence may secure approvals more easily than startups or SMEs, creating an uneven playing field.

Moreover, many individuals may not be fully aware of where and how their Aadhaar data is used.

Conclusion

The amendments represent a major step toward digital innovation but come with significant legal and practical risks. For effective implementation:

  1. UIDAI must establish clear guidelines on authentication data usage, retention, and security.
  2. Individuals should have better control over when and how their Aadhaar data is used, with easy opt-out mechanisms.
  3. Aadhaar authentication should be introduced selectively in sectors where it is necessary and proportionate.

While private-sector Aadhaar authentication could drive digital transformation, the government must ensure that it does not compromise user privacy, create monopolistic advantages, or lead to unintended exclusions. The success of this policy will depend on striking the right balance between innovation and fundamental rights.
