Written By Anwesha Sen
On January 31, the Ministry of Electronics and Information Technology (MeitY) notified the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Amendment Rules, 2025, an amendment to the 2020 rules. This change permits private entities to use Aadhaar authentication for service delivery, a move that MeitY claims will ease access to services for users. However, while the intention behind this amendment may seem to be to streamline service delivery, it opens the door to more concerning issues — threats to privacy and inclusion. Due to the lack of clarity and transparency around the system and its processes, the extent to which this move may impact surveillance and privacy is unclear.
The Aadhaar and Digital Public Infrastructure (DPI) ecosystem in India has already faced significant challenges, particularly in terms of data security and privacy. Some of the largest data breaches in India’s history have involved Aadhaar-related data, including the 2023 breach of the CoWIN portal and the ICMR database, the latter of which exposed personally identifiable information of at least 815 million Indians. The centralisation of this data — linking a single Aadhaar number to each individual — makes the system especially vulnerable to cyber-attacks. With this latest amendment, the potential for such breaches grows exponentially as the scope of Aadhaar’s usage expands, leaving even more sensitive data susceptible to misuse.
Aadhaar was initially intended as a voluntary identity verification system. However, in practice, it is increasingly becoming a requirement for accessing public services. By 2021, access to 312 government schemes had been made conditional on possessing a biometric-linked Aadhaar number. With this amendment, Aadhaar is set to become equally essential for accessing private services, making it functionally mandatory. This contradicts the Supreme Court’s 2018 ruling, which declared that Aadhaar should remain voluntary. Furthermore, the same ruling struck down Section 57 of the Aadhaar Act, which had allowed private entities to use Aadhaar for identity verification, primarily to prevent commercial profiteering from demographic and biometric information, as well as profiling. This amendment, therefore, not only undermines the Court’s decision but also brings us closer to a system where Aadhaar is no longer voluntary but instead de facto compulsory for accessing both public and private services.
Aadhaar is based on an exclusionary principle — its primary goal was to curb welfare fraud. However, this has resulted in the exclusion of many marginalised groups from accessing public services. In a 2021 survey in Delhi, 40 per cent of individuals faced exclusion due to authentication errors. This problem is especially severe for people who, due to their circumstances, have never been able to obtain an official identity card. Migrant labourers and construction workers, for instance, often lack the required address proof, making it nearly impossible for them to apply for an Aadhaar card. As more services, both public and private, become contingent on Aadhaar, these vulnerable groups face even greater barriers to receiving the support they need.
Furthermore, this exclusionary aspect of Aadhaar extends beyond just service access. By tying essential services like healthcare, education, and social welfare to a single identification system, the government and private sector are further expanding the existing digital divide that disproportionately impacts those who are already marginalised. For these individuals, Aadhaar is not a tool for inclusion but a barrier to participation in society and access to their state-assured rights.
The expansion of Aadhaar’s use raises significant concerns for privacy and inclusion. As the system moves from a voluntary identity verification method to an essential requirement for accessing both public and private services, the risk of widespread surveillance becomes more pronounced. Considering the opacity around this system and its processes, the extent of these risks is unknown. If data is collected, linked, and stored in Aadhaar’s database, it can be used to track individuals in ways that threaten personal privacy. Given the massive data breaches and security flaws already present in the system, there is no guarantee that sensitive information, if collected, will be safe.
The government must take a step back and consider the broader implications of expanding Aadhaar’s use. Moreover, policymakers need to ensure that the use of Aadhaar does not go beyond its intended purpose, respecting the Supreme Court’s 2018 ruling and preventing the erosion of individuals’ rights to privacy and dignity. This amendment implicitly leads to Aadhaar becoming the foundational identification for Indians and such a step should necessarily involve more transparency about the system and its processes, as well as a public consultation, not just a gazette notification.
The writer is assistant programme manager, The Takshashila Institution
