“As automation takes hold, it becomes obvious that information is the crucial commodity, and that solid products are merely incidental to information movement.”
- Marshall McLuhan in Understanding Media (1964)
“The authentication process is not exposed to the Internet world.”
- Union Government’s claim recorded in the judgement in justice KS Puttaswamy vs Union of India (2018)
“If a company says that they will maintain their data on an offline computer or on ledger, is there a law that says that they cannot. Is there a law that states that one must only use digital tech to store data and records? No.”
- Justice (Retd) BN Srikrishna, ex-judge of Supreme Court of India
Since 1927, Time magazine has published the Man of the Year issue at the end of each year. But at the end of 1982, its 1983 issue did not do so; its cover read “Machine of the Year: The Computer Moves In.”
Referring to automatic data processing (ADP) machine, Section 2 (1) (i) of the 36-page long Information Technology Act, 2000 states that ‘computer’ means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network.
Its Section 2 (1) (j) states that computer network means the inter-connection of one or more computers or computer systems or communication device through–(i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the inter-connection is continuously maintained.
Its Section 2 (1) (t) states that electronic record means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer-generated micro fiche.
Section 2 (41) of the Income Tax Act, 2025 states that ‘document’ includes an electronic record as defined in Section 2(1)(t) of the Information Technology Act, 2000. The significance of Time’s cover story lies in the fact that it captured the moment of the end of the pre-ADP era and the arrival of the ADP era.
The 36-page-long Information Technology Act, 2000 is based on the United Nations Commission on International Trade Law (UNCITRAL)’s Model Law on Electronic Commerce. Notably, UNCITRAL Model Law drew on the 31-page-long report of the UNCITRAL Secretariat entitled "Legal value of computer records" published in December 1985 pursuant to UNCITRAL’s consideration of a report of the UN secretary general containing a discussion of certain legal problems arising in electronic funds transfers at its session in 1982.
With regard to legal value of computer records, the report concluded: “The problem, while of particular importance to international electronic funds transfers, is one of general concern for all aspects of international trade. Generalised solutions would, therefore, be desirable.” The report noted that a more serious legal obstacle to the use of computers and computer-to-computer telecommunications in international trade arose out of requirements that documents had to be signed or be in paper form.
The Information Technology Act mentions ‘computer’ on 184 occasions, ‘computer system’ on 33 occasions, ‘cyber’ on 29 occasions and ‘Information Technology Act, on seven occasions. The 572-page long Income Tax Act, 2025 explicitly mentions ‘computer’ on 82 occasions, ‘computer system’ on 54 occasions and ‘information technology’ on 18 occasions.
In the interpretation of Section 261 (j) of the Income Tax Act, 2015 ‘virtual digital space’ is interpreted. It means “an environment, area or realm, that is constructed and experienced through computer technology and not the physical, tangible world which encompasses any digital realm that allows users to interact, communicate and perform activities using computer systems, computer networks, computer resources, communication devices, cyberspace, internet, worldwide web and emerging technologies, using data and information in the electronic form for creation or storage or exchange and includes––(i) email servers; (ii) social media account; (iii) online investment account, trading account, banking account, etc.; (iv) any website used for storing details of ownership of any asset; (v) remote server or cloud servers; (vi) digital application platforms; and (vii) any other space of similar nature.”
It is evident from this provision that the new income-tax law is inherently linked to Section 2 (k) of the Information Technology Act which states that ‘computer resource’ means ‘computer, computer system, computer network, data, computer data base or software’ and its Section 2 (l) states that ‘computer system’ means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programs, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions. It emerges that ‘virtual digital space’ is part of the computer system and the new income-tax law extends to it.
Over the past 16 years, states’ fiscal sovereignty has been taken away by the Central identities data repository (CIDR), the Aadhaar number database, goods & services tax (GST) and goods services tax network (GSTN) at the behest of the unaccountable and ungovernable international financial institutions and like World Bank group and big data firms.
These state and non-state partners and their eTransform initiative are converging the private sector, government sector and citizens sector with the aim to pave the way for automatic digital colonisation. In his book, World Order: Reflections on the Character of Nations and the Course of History, Henry Kissinger writes: “Cyberspace has colonised the physical space and, at least in major urban centres, is beginning to merge with it.”
It is not a coincidence that all the proponents and supporters of UID/ Aadhaar, GST and GSTN are city folk. Is it a coincidence that India’s national data wealth is being shifted to cyberspace and virtual digital space by enacting laws without adequate dialogue about their lethal ramifications?
Nicholas Negroponte, author of Being Digital, has pointed out that world trade had traditionally consisted of exchanging atoms, not bits. Bits form the basis of the cyber world. He predicted that “Like a mothball, which goes from solid to gas directly, I expect the nation State to evaporate without first going into a gooey, inoperative mess, before some global cyber State commands the cyber ether.” He added: ‘‘Without question, the role of the nation state will change dramatically and there will be no room for nationalism than there is for smallpox.”
Both Negroponte and Kissinger imply that national law is becoming irrelevant for the cyber world given the fact that cyber law is essentially global law. The possibility of the country getting colonised yet again by the asymmetry of information created through information, communication, identification, artificial intelligence (AI) and surveillance technologies has become real. By now, it has been realised that all empires have been information and communication-based regimes.
Notably, it has been accepted that Aadhaar number data is entered in various applications. In order to enter quality data of Aadhaar numbers, UIDAI felt the need to validate the entered Aadhaar number. Therefore, “UIDAI has recommended the Verhoeff algorithm for validating the same. Based on the same, a component has been developed to validate the Aadhaar number entered in an application.”
AI-based machine learning algorithms, in which computers learn through trial and error, has been deemed to be a new form of 'alchemy' by AI researchers who admittedly 'do not know why some algorithms work and others don't, nor do they have rigorous criteria for choosing one AI architecture over another'.
It has been admitted in the Supreme Court that 'UIDAI is using matching algorithm'. It is also a fact that the Aadhaar database is stored in the computing cloud, an euphemism for the computer system of someone else which is beyond Indian jurisdiction.
The February 2014 report on the subject 'Cyber Crime, Cyber Security and Right to Privacy' by the parliamentary standing committee on information technology took note of the risk from blind adoption of cloud.
Even the report of the Confederation of Indian Industry (CII) entitled The Indian Cloud Revolution recognised “the jurisdictional problems associated with a lack of harmonised regulations are compounded by the global, physically unfettered nature of Cloud computing. Data storage and processing tend to be fragmented and may even be spread across multiple Clouds in different locations. This creates serious difficulties in terms of tracing problems as well as determining which regulations govern that data.”
The report underlines “the dynamic nature of Cloud computing means that data is more often in transit, both within and away from the Cloud provider, resulting in multiple jurisdictional claims on the same information. The response of some countries has been to exploit the advantages posed by data storage, or, lacking those benefits, to attempt to force network traffic or storage within their countries."
The PATRIOT Act in the US allows federal security agencies to directly utilise Cloud provider’s infrastructure for wiretapping and surveillance purposes.” The report concluded that the “Government needs to work on dual goals of protecting interests of Indian entities in relation to risks from Cloud adoption.”
The parliamentary standing committee on information technology, in its July 2023 report on ‘Cyber Security and Rising Incidence of Cyber/White Collar Crimes’, observed that “Criminals are getting more and more innovative and difficult to track since they can now utilise powerful new technologies and operate in lightly policed or hostile jurisdictions. These new and threatening technologies include generative artificial intelligence (AI), chatbots, and quantum computing, which raises the threat level exponentially.”
Instead of securing data the way China and Russia do, lack of vulnerability mapping of India’s repository of data has ended up compromising the national security of the country in general and our armed forces in particular because their entire data has been handed over to foreign agencies and firms.
Against this backdrop, subsequent to the assent of the president on 21 August 2025, the 572-page-long Income Tax Act, 2025 is all set to be made effective from 1 April 2026. Prior to this, the Income Tax Act, 1961 had replaced the earlier 1922 legislation, based on recommendations from the law commission of India (1958) and the direct tax administration enquiry committee.
India’s Income Tax Act, 1961 was amended nearly 65 times with more than 4,000 amendments over a period of six decades through annual Finance Acts and 19 separate Taxation Laws Amendment Bills.
In July 2024, the finance minister had announced that the Income Tax Act, 1961 would be overhauled. An internal departmental committee of central board of direct taxes (CBDT) undertook a comprehensive review of this law. Like the Income Tax Bill, 2025, the Aadhaar Bill too was introduced by the minister of finance.
A comparative reading of the old income-tax law and the new income-tax law shows that the provisions regarding Aadhaar number has been incorporated in the new law without factoring in the fact that the constitutionality of the Aadhaar Act is pending before a seven-judge Constitution Bench of the Supreme Court of India.
Like the old income-tax law, the new law also has provision which requires quoting of unique identity (UID)/ Aadhaar number, an identification number of a ‘resident’ of India who is ‘entitled’ to have it, with permanent account number (PAN) for filing income-tax returns.
A joint reading of the relevant provisions of Income Tax Act, 2025, Income Tax Act, 1961 and Aadhaar Act, 2016 reveals that it is only relevant for a 'resident' who has exercised her/ his entitlement and has enrolled as “an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment”, under Section 2 (v) of the Aadhaar Act, 2016.
It is made clearly manifest from Section 3 (1) of the Aadhaar Act, which reads: “Every resident shall be entitled to obtain an Aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment: Provided that the Central government may, from time to time, notify such other category of individuals who may be entitled to obtain an Aadhaar number.”
It is quite clear that the emphasis of the provision is on the word 'entitled', making it applicable solely to those residents of India who have undertaken 'enrolment' as an entitlement. All entitlements are voluntary.
Section 139AA (1) of Income Tax Act, 1961 states that “Every person who is eligible to obtain Aadhaar number shall, on or after the 1st day of July, 2017, quote Aadhaar number—(i) in the application form for allotment of permanent account number; (ii) in the return of income: Provided that where the person does not possess the Aadhaar number, the enrolment ID of Aadhaar application form issued to him at the time of enrolment shall be quoted in the application for permanent account number or, as the case may be, in the return of income furnished by him.” It is quite clear that this provision regarding 'quoting Aadhaar number' does not automatically mean it is mandatory to have Aadhaar number.
Section 262 (5)-(9) of the Income Tax Act, 2025 reads: “5. Every person who is eligible to obtain Aadhaar number shall quote such number in the application form for allotment of permanent account number and in the return of income. (6)(a) For the cases other than sub-section (5), every person who has been allotted permanent account number and who is eligible to obtain Aadhaar number, shall intimate his Aadhaar number to the prescribed income tax authority in such form and manner, as may be prescribed;(b) if a person fails to intimate his Aadhaar number as per clause (a), the permanent account number allotted to that person shall be made inoperative in such manner as may be prescribed. (7) Every person who is required to furnish or intimate or quote his permanent account number under this Act, and who—(a) has not been allotted a permanent account number but possesses the Aadhaar number, may furnish or intimate or quote his Aadhaar number in lieu of the permanent account number, and such person shall be allotted a permanent account number in the manner, as may be prescribed;(b) has been allotted a permanent account number, and who has intimated his Aadhaar number as per sub-section (6) may furnish or intimate or quote his Aadhaar number in lieu of the permanent account number. (8) A person who has already been allotted a permanent account number cannot apply, obtain or possess another permanent account number. (9)(a) Every person entering into such transaction, as may be prescribed, shall quote his permanent account number or Aadhaar number, in the documents pertaining to such transactions and also authenticate such permanent account number or Aadhaar number, in the manner, as may be prescribed; (b) every person receiving any document relating to the transactions referred to in clause (a), shall ensure that permanent account number or Aadhaar number, has been duly quoted in such document and that such permanent account number or Aadhaar number is authenticated as may be prescribed.”
In this provision, the emphasis is on the word 'eligible'. Being 'eligible to obtain Aadhaar number' does not and cannot imply that an individual is under compulsion to exercise one’s eligibility. Nowhere does the provision under Section 139AA of the old law and the provision under Section 262 of the new law, or any other instrumentality of the State have said that 'enrolment' is mandatory; in fact, the opposite is emphasised. The fact is that a person who has not enrolled, will not and cannot have any enrolment ID of Aadhaar application form 'issued to him'. Section 139AA of the old law and section 262 of the new law simply undertakes an exercise in behavioural engineering, to nudge an individual to believe that “it means that she/ he has to “enrol” because she/he is eligible. The legal maxim Nemo dat quod non habet (No man can give what he does not possess) is germane here. No government limited by the Constitution of India can force anyone to indulge in any act that puts individuals to risk including civil death.
Section 262 (10) (2) of the new law states that the central board of direct taxes constituted under the Central Boards of Revenue Act, 1963 may make rules providing for the manner of authentication of permanent account number or Aadhaar number. Can the manner of authentication under the new IT Act be different from the manner provided under the Aadhaar Act?
Section 262 (13) (c) also states that for the purposes of this section, 'authentication' means the process by which the permanent account number or Aadhaar number along with demographic information or biometric information of an individual is submitted to the income-tax authority or such other authority or agency as may be prescribed for its verification and such authority or agency verifies the correctness, or the lack thereof, on the basis of information available with it.
Notably, the term 'authentication' is mentioned on 975 occasions in the 1448-page-long judgement. The judgement records the claim of the government to the effect that “The authentication process is not exposed to the Internet world.”
The majority judgement in this regard reads: ‘We are of the view that apprehensions of the petitioners stand assuaged with the striking down or reading down or clarification of some of the provisions, namely: (i) Authentication records are not to be kept beyond a period of six months, as stipulated in regulation 27(1) of the authentication regulations. This provision which permits records to be archived for a period of five years is held to be bad in law. (ii) Metabase relating to transaction, as provided in regulation 26 of the aforesaid regulations in the present form, is held to be impermissible, which needs suitable amendment. (iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing. (iv) Insofar as section 33(2) of the Act in the present form is concerned, the same is struck down. (v) That portion of section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional. (vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of justice BN Srikrishna (Retd.) committee report with necessary modifications thereto as may be deemed appropriate.”
It is evident that the Union government has been proven wrong and several provisions of the Aadhaar Act have been deemed impermissible even by the majority judgement. By now, it is conclusively established that “despite the report by justice BN Srikrishna led committee and in spite of the fact that the Union government has been assuring the court about the enactment of the privacy law since 2011, as of today there is no data protection and privacy law in the country."
Significantly, the Supreme Court’s unanimous judgement by the nine-judge Constitution Bench mentions “the Privacy Bill” thrice. The judgement reads: “The enactment of a law on the subject is still awaited. This was preceded by the Privacy Bill of the year of 2005 but there appears to have been little progress. It was only in the course of the hearing that we were presented with an office memorandum of the ministry of electronics and information technology dated 31.7.2017, through which a committee of experts had been constituted to deliberate on a data protection framework for India, under the chairmanship of Mr. justice BN Srikrishna, former judge of the Supreme Court of India, in order to identify key data protection issues in India and recommend methods of addressing them. So there is hope! 76. The aforesaid aspect has been referred to for purposes that the concerns about privacy have been left unattended for quite some time and thus an infringement of the right of privacy cannot be left to be formulated by the legislature. It is a primal natural right which is only being recognised as a fundamental right falling in part III of the Constitution of India.”
By now, it is crystal clear that the setting up of the justice Srikrishna-led committee was an exercise in sophistry; it was set up merely to save the Aadhaar Act from being declared totally unconstitutional. A joint study of the justice Srikrishna committee report, the report of the joint parliamentary committee (JPC) and the Digital Personal Data Protection (DPDP) Act, 2023 reveals that DPDP law isn’t sensitive enough towards individual rights and more concerned with the impact of the regulation on the government.
For instance, the Srikrishna report had provided for a data protection authority (DPA) which was independent of executive control. In the DPDP law, the Union government is the sole authority to determine the composition of the DPA, despite the fact that the DPA will regulate government agencies. It reveals that the law is not complying with the unanimous judgement of the Supreme Court in the Puttswamy case.
Significantly, justice Srikrishna has noted that the recommendations of his committee have been thrown away. There is no distinction between sensitive personal data and critical personal data. Citizens’ data is going to be accessed without their consent. The data stored in the physical format is not included under its purview. It is inexplicable as to why it is applicable only to digital data.
The justice Srikrishna committee had proposed that data, irrespective of the format it is stored, will be subject to the Act. Is it surprising that easing of rules on data storage has been welcomed by corporates/ big tech solution providers because the individual is not the focus, protections of their privacy and their rights is not the focus.
What is being demanded of an individual under section 139AA of the old law and Section 262 of the new law is to 'quote Aadhaar number' in the return of income. But this is only possible in the case of those who have already enrolled voluntarily. This demand is addressed to those who have UID/ Aadhaar number, not to those who do not have it. Those who have not enrolled cannot do the impossible, which is, to provide what they are not bound by law to possess.
Section 430 of the new income tax law reads: “430. Without prejudice to the provisions of this Act, where a person is required to intimate his Aadhaar number under Section 262(6) and such person fails to do so on or before such date as may be prescribed, he shall be liable to pay such fee, as may be prescribed, not exceeding Rs1,000, at the time of making intimation under the said section after the said date.” This fine is arbitrary and irrational. Can the chief justice of India and other judges, our fellow citizens, be made to pay this fee as fine even before the seven-judge Constitution Bench led by him adjudicates on the constitutionality of the Aadhaar Act?
Section 467 (2)-(4) reads: “(2) If a person, required to quote or intimate his permanent account number or Aadhaar number in any document as referred to in Section 262(9)(a), provides or quotes or intimates a number which is false, knowing or believing it to be false, the assessing officer may impose a penalty of Rs10,000 on him for each such default. (3) If a person fails to quote or authenticate his permanent account number or Aadhaar number in any document referred to in Section 262( 9)(a), the assessing officer may impose a penalty of Rs10,000 on him for each such default. 4. If a person referred to in Section 262(9)(b) responsible for ensuring the correct quoting or authentication of permanent account number or Aadhaar number, in documents relating to transactions prescribed under Section 262(9)(a) fails to do so, the assessing officer may impose a penalty of Rs10,000 on him for each such default.” Can the chief election commissioner and other election commissioners who have recently been granted immunity under the law be made to pay this penalty if they do not provide Aadhaar number?
In the light of the verdict of the nine-judge Constitution Bench of the Supreme Court dated 24 August 2017 in justice KS Puttaswamy vs Union of India, the verdict on Aadhaar Act by the five-judge Constitution Bench of the court dated 26 September 2018 in the justice KS Puttaswamy vs Union Of India and the verdict of the five-judge Constitution Bench dated 13 November 2019 in Roger Mathew vs. South India Bank Ltd, there is a compelling constitutional and legal logic for the income-tax (I-T) department, ministry of finance to put a stay on the execution of the requirement of linking UID/ Aadhaar number with PAN for filing income-tax returns and facilitate filing the same by quoting PAN alone. Unmindful of the most recent judgement of the court, the website of the I-T department does not allow filing without merging/quoting UID/Aadhaar number. In this regard, the following legal propositions merit attention:
(1) On 13 November 2019, the five-judge Constitution Bench of Hon'ble Court observed, “Given the various challenges made to the scope of judicial review and interpretative principles (or lack thereof) as adumbrated by the majority in KS Puttaswamy (Aadhaar-5) and the substantial precedential impact of its analysis of the Aadhaar Act, 2016, it becomes essential to determine its correctness. Being a Bench of equal strength as that in KS Puttaswamy (Aadhaar-5), we accordingly direct that this batch of matters be placed before Hon’ble the Chief Justice of India, on the administrative side, for consideration by a larger Bench.” It asserted unequivocally that “It is clear to us that the majority dictum in KS Puttaswamy (Aadhaar-5) did not substantially discuss the effect of the word ‘only’ in article 110(1) and offers little guidance on the repercussions of a finding when some of the provisions of an enactment passed as a “Money Bill” do not conform to article 110(1) (a) to (g).”
(2) A joint reading of Article 110 (1) of the Constitution of India, Aadhaar Act, 2016, verdict of Supreme Court dated 24 August 2017 in justice KS Puttaswamy vs Union of India on fundamental right to privacy, the verdict on Aadhaar Act by the five-judge Constitution Bench of court dated 26 September 2018 that declared section 57 of Aadhaar Act, 20016 to be unconstitutional in justice KS Puttaswamy vs Union of India and the verdict of the five-judge Constitution Bench of court dated 13 November 2019 in Roger Mathew vs South India Bank Ltd, makes it crystal clear that “the Money Bill must deal with the declaration of any expenditure to be charged on the consolidated fund of India (or increasing the amount of expenditure) and, therefore, Section 7 of the Aadhaar Act did not have the effect of making the bill a Money Bill as it did not declare the expenditure incurred on services, benefits or subsidies to be a charge on the consolidated fund of India.” The Aadhaar Act does not do so. Besides this, when the Hon’ble speaker of Lok Sabha certified the Aadhaar Bill as a “Money Bill”, she did so with respect to a bill which contained section 57 which has now been declared unconstitutional by the Constitution Bench of the court. The constitutionally indefensible provision under section 57 of the Aadhaar Act could not have been part of the bill which was deemed a Money Bill. This makes the Money Bill certification of the Aadhaar Bill constitutionally questionable. When the illegitimacy, illegality, impropriety and immorality of this provision of a “Money Bill” has been conclusively established through Aadhaar Amendment Act 2019, Aadhaar Act enacted as “Money Bill” itself is established as illegitimate.
(3) The enrolment for an UID/ Aadhaar number is voluntary as per the Aadhaar Act, 2016. “Enrolment for Aadhaar is voluntary”, replied the Union minister of state for electronics and information technology in the Parliament in response to the unstarred question No. 687, dated 2 February 2019.
(4) It has escaped the attention of the ministry of finance and the income tax department that the Supreme Court has refrained from declaring that enrolment for an UID/ Aadhaar number is mandatory. There is no order stating that "enrolment for an Aadhaar number" is mandatory. No instrumentality of the State has done so. Disregarding the court’s verdict, the new IT Act, like the old IT Act, is stating that "quoting" one's Aadhaar number is mandatory. The fact is that mandatory quoting of one's Aadhaar number to one's PAN is meant only for a taxpayer who has an UID/ Aadhaar number, subject to the outcome of the verdict by the seven-judge Bench.
(5) The website of the IT department does not have the facility to file returns for those who have not enrolled and therefore do not have an UID/ Aadhaar number. The IT department is fully aware that to simply quote the Aadhaar number or link it to PAN while filing the IT returns, one must have an UID/ Aadhaar number in the first place. The income tax department is illegitimately coercing those citizens/ taxpayers who do not want to enrol for Aadhaar (since such enrolment is voluntary) by instilling fear of penalty for not filing their income tax returns in time and the threat to cancel PAN for not linking the same with the UID/ Aadhaar number. Such an act of coercion by the IT department amounts to transgression of taxpayers/ citizens’ fundamental rights. Further, as per paragraph (2) above this act also amounts to contempt of the Supreme Court.
(6) Unmindful of the verdict of the nine-judge Bench of the court dated 24 August 2017, there is no right to data protection and privacy law in force as yet. Notably, Jitin Prasada, the Union minister for electronics and information technology informed the Rajya Sabha on 25 July 2025 that the Draft Digital Personal Data Protection Rules, 2025, which aim to operationalise the Act, were published for public consultation. 6,915 feedback/ inputs have been received from citizens and stakeholders. This information demonstrates the gnawing concerns of the citizens regarding the vulnerability of their digital personal data. Although more than two years have passed since the Digital Personal Data Protection (DPDP) Act, 2023 received the assent of the president on 11 August 2023 amidst bitter criticism of the law, the rules under it are yet to see the light of day because of the tremendous undue influence of the tech tycoons. The legislation in this regard was introduced only after the court refused to accept the government’s questionable claim that right to data protection and privacy is not a fundamental right. A nine-judge Constitution Bench of the court has unanimously held that right to data protection and privacy is part of Article 21 of the Constitution and the right to data protection and privacy is considered part of right to life and personal liberty. The ministry of finance, the Income Tax Act and the income tax department still have no protection of data and privacy built into their law or process. In the absence of a law protecting data and privacy, the requirement for UID/ Aadhaar violates the court’s unanimous verdict of August 2017.
(7) UID/Aadhaar is an unverified ID, and therefore insecure, and capable of misuse, and fraught with unprecedented risk.
Therefore, the failure of the new Income Tax Act to modify the pre-existing illegitimate and questionable provisions regarding quoting of Aadhaar number and to modify the software code of its website to facilitate the filing of ITR for those who do not have an Aadhaar number, bars income-tax payers, including judges, legislators and editors from filing their ITR. After the Supreme Court concluded in its last judgement in the Roger Mathew case in November 13, 2019 that the Aadhaar Act is not a Money Bill, the requirement for Aadhaar Number constitutes unreasonableness, arbitrariness and blatant violation of the Supreme Court’s last reasoned judgement, which prevails over unreasoned observation of the previous judgment of September 26, 2018 with regard to Money Bill in particular given the fact that unjust law is no law and unreasoned law is unjust law. Now that after the publication of the 6-page long
Repealing and Amending Act, 2023 in the Gazette of India on December 18, 2023, its Section 2 has repealed the 10-page long
Aadhaar and Other Laws (Amendment) Act, 2019, which enacted as Money Bill and which was initially promulgated as the 12-page long
Aadhaar and Other Laws (Amendment) Ordinance, 2019 on March 2, 2019 ‘as per the directions of the Supreme Court and recommendations of Justice B.N.Srikrishna (Retd) Committee, it is not clear as to whether Unique Identification Authority of India (UIDAI) which was exempted from paying income-tax or any other tax in respect of its income, profits or gains under Income Tax Act, 1961 or any other enactment for the time being in force relating to tax on income, profits or gains”, remains exempt or not. The repeal implies that under Article 141 of the Constitution of India, the Supreme Court’s last reasoned judgement is the law of the land, which alone has the force of the law, which is binding.''
The majority judgement delivered as part of the 1448-page-long Aadhaar judgement dated 26 September 2018 outlawed section 57 of the Aadhaar Act which allowed for use of Aadhaar authentication and e-KYC by private companies.
The pre-existing Section 57 of the Act reads: “Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect: Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and chapter VI.”
At page No. 560 of the judgement, the majority judgement on Section 57 reads: “(a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.” (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.” “(c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.”
This implies that there cannot be any use of Aadhaar authentication unless it is for a service, subsidy or benefit and a notification has been duly issued under section 7 of the Aadhaar Act. There cannot be any use of Aadhaar authentication or e-KYC for any purpose unless such purpose has been validly legislatively provided for. There cannot be any use of Aadhaar authentication or e-KYC by private companies for any purpose. The private companies cannot be requesting entities to use Aadhaar authentication services under any situation. No private company can allow for voluntary e-KYC. Had voluntary use been permitted, the portion relating to 'contract' would not have been struck down. It is settled law that contract is by definition a voluntary creation.
Unmindful of the fact that the Aadhaar Act does not have any provision for an Aadhaar card, in Association for Democratic Reforms (ADR) & Ors. vs Election Commission of India (2025), the Supreme Court’s division bench of justices Surya Kant and Joymalya Bagchi passed an order dated 8 August 2025 referring to the unsigned receipt of Aadhaar number as an Aadhaar card. The relevant part of the order reads: “There is no quarrel that as per the statutory status assigned to Aadhaar card under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, it is not a proof of citizenship and therefore shall not be accepted as proof of citizenship. However, keeping in view Section 23(4) of the Representation of People Act, 1950, the Aadhaar card is one of the documents enumerated for the purpose of establishing the identity of a person. Accordingly, we direct the election commission of India and its authorities to accept Aadhaar card as a proof of identity for the purpose of inclusion or exclusion in the revised voter list of the state of Bihar. Aadhaar card, for this purpose, shall be treated as the 12th document by the authorities. It is, however, made clear that the authorities shall be entitled to verify the authenticity and genuinity of the Aadhaar card, like any of the other enumerated documents, by seeking further proof/documents.”
Will someone educate the division bench that the Aadhaar Act does not mention Aadhaar card? Aadhaar number can neither authenticate voters nor taxpayers, by any stretch of imagination.
The current legal status is that the constitutionality of the Aadhaar Act is pending before a seven-judge Constitution bench and, therefore, there was/ is a compelling Constitutional logic for the framers of the new income-tax law to await the outcome of the Supreme Court’s adjudication.
You may also want to read…
(Dr Gopal Krishna is a lawyer and a researcher of philosophy and law. His current work is focused on the philosophy of digital totalitarianism and the monetisation of nature. He has appeared before the Supreme Court's Committees, Parliamentary Committees of Europe, Germany and India and UN agencies on the subject of national and international legislation. He is the co-founder of the East India Research Council (EIRC). He is the convener of the Citizens Forum for Civil Liberties (CFCL) which has been campaigning for freedom from UID/Aadhaar/NPR and DNA profiling through criminal identification procedures since 2010. He had appeared before the Parliamentary Standing Committee on Finance that questioned and trashed the biometric identification of Indians through UID/Aadhaar Number. He is an ex-Fellow, Berlin-based International Research Group on Authoritarianism and Counter Strategies (IRGAC). He is also the editor of www.toxicswatch.org.)
The dangerous facts described in this article should be taken into cognisance by the Supreme Court suo motu, and declare that all first-time income taxpayers, who refuse to succumb to the unconstitutional demand for an Aadhaar number under the Income Tax Act, are not liable for any penalty after the lapse of the due date.