A case to keep Aadhaar as a voluntary KYC document

In the last 15 years, ever since the first Aadhaar number was issued in 2010, ‘Aadhaar’ and the Unique Identification Authority of India (UIDAI) that governs it have come a long way. The number of Aadhaar card holders are more than 142 crore (as of Aug 2025); the UIDAI has an independent status under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (“Aadhaar Act”); Aadhaar is the centre piece of the JAM trinity as well as the government’s poster child for digital public infrastructure. These are all signs of growth and stability.

However, Aadhaar’s position as a mandatory / non mandatory document for identification has remained turbulent - mostly by practice and sometimes by law – despite the Supreme Court unambiguously settling the position in 2018 in the landmark Justice KS Puttaswamy (Retd.) v. Union of India (“Puttaswamy II”) judgment. 

With recent instances like Aadhaar becoming mandatory for booking Tatkal tickets online, linkage with the APAAR ID and countless other instances at the state and union level, it is necessary to enquire the reasons for this divergence, and more importantly, analyse the pitfalls of making Aadhaar – a hotbed of personal data (such as photograph, biometrics, name, address, date of birth) – a mandatory KYC document for any identification purpose that is not backed by Puttaswamy II.

On January 28, 2009, the UIDAI was notified and given the mandate to build a national unique identification scheme for Indian residents (i.e., the ‘Aadhaar project’). At its origin, Aadhaar was envisaged as a portable identification document that the poor and marginalised sections could use to prove their identity and avail direct benefits from government schemes. The utility of Aadhaar soon spread like wildfire and it was accepted and later mandated for school admissions, bank accounts, mobile connections, you name it. Petitioners in Puttaswamy II had submitted that as on November 30, 2017, approximately 252 government schemes were demanding Aadhaar as a mandatory document! Then came the Supreme Court’s unanimous verdict in Justice KS Puttaswamy (Retd.) v. Union of India in 2017 (“Puttaswamy I”), upholding ‘right to privacy’ as part of the fundamental right to life and personal liberty under Article 21 of the Constitution of India 1950, followed by Puttaswamy II on the Aadhaar Act.

Among other things, the Puttaswamy II judgement upheld Section 7 of the Aadhaar Act that made Aadhaar mandatory for availing State “subsidies, benefits and services” – which were read to mean resources drawn from the Consolidated Fund of India. Benefits earned by an individual (like pensions) or a child’s fundamental right to education were specifically said to not be within the ambit of ‘benefits’ under Section 7. Accordingly, the majority judgement disallowed mandatory Aadhaar requirement for education and examination purposes (specifically CBSE, NEET, JEE, UGC, Sarva Shiksha Abhiyan). Mandatory linking of Aadhaar with bank accounts and SIM cards was struck down since they failed to meet the ‘triple test’, that is, the presence of a central law, legitimate State interest, and proportionality. Thus, Puttaswamy II permitted Aadhaar to be made mandatory for availing “subsidies, benefits and services” drawn from the Consolidated Fund of India (by extension, the Consolidated Fund of State too) and for purposes which can satisfy the stringent ‘triple test’.

Even the Aadhaar Act makes Aadhaar mandatory only for availing government benefits or under a Parliament-made law. It otherwise stipulates that Aadhaar “may be voluntarily used”, can be used only with the “informed consent of the Aadhaar number holder”, and that the Aadhaar number holder “must be informed of alternate and viable means of identification.” In many instances, the UIDAI as well as union ministries have clarified that Aadhaar is not mandatory for a wide range of services.

Despite Puttaswamy II and the Aadhaar Act, the government, both at the State and Union level have pushed to make Aadhaar mandatory. These instances include making Aadhaar mandatory for land registration or digital land survey in Kerala; school admissions in Bihar, Delhi, and West Bengal; examinations in Karnataka and Uttar Pradesh; nomination of EPFO accounts, or slyly requiring Aadhaar ‘linkage’ with Electoral Photo Identity Cards (EPIC). Some bizarre propositions like making Aadhaar mandatory for Sabarimala darshan and garba and dandiya events have also come about.

While government departments are generally infamous to push the envelope with settled case-laws, the Madras High Court’s June 2025 ruling in the Play Games 24x7 Pvt. Ltd. & Anr. vs. State of Tamil Nadu case (W.P. No. 6784 of 2025) is perhaps the first instance when a court has ruled in favour of mandatory Aadhaar in defiance of Puttaswamy II, a testament to the fact that there is limited understanding and appreciation of Aadhaar’s status as a mandatory / non mandatory document for identification.

So, why the general preference for Aadhaar as a mode of identification? The reasons could be technical: like Aadhaar being backed by fool-proof biometric de-duplication (making it impossible for a person to have multiple enrolments) or its ability to be authenticated through OTP on the holder’s registered mobile number. They could be political given the fervour with which the government and UIDAI advertise it. Or purely social where seeking Aadhaar is convenient and there is limited resistance from the holders. Regardless of the reasons, it is important to analyse why Aadhaar should not be made mandatory for every other identification purpose in India.

Apart from this practice being in direct conflict with the current jurisprudence on the subject (as we have articulated above), there are other principle-based and long-term repercussions of making Aadhaar mandatory for an increasing number of purposes.

Lack of data minimization: Data minimization is a key indicator of a robust privacy regime and is well-adopted in the European Union and Singapore and also present in principle in the to-be-enforced Digital Personal Data Protection Act 2023 (“DPDP Act”). Data minimization requires entities to limit their data collection to only those aspects that are absolutely necessary for the intended purpose. However, across different authentication/verification modes today, an entity has an ability to receive anywhere between four and seven data points while requesting Aadhaar. This is often more than what they need to achieve the purpose of seeking Aadhaar – for e.g.: entry to examination centers, checking-in to a hotel, etc. which ideally require no more than your name, age and residential address. Disregarding data minimization adds operational costs as well as increases compliance burden.

Increasing risk of data breach: Making Aadhaar mandatory leads to more entities and stakeholders being privy to its data. While ‘authentication’ processes are relatively stringent and cast more responsibilities on the ‘requesting entity’, the ‘offline verification’ process is relatively lax with limited restrictions on ‘offline verification seeking entities’ and frugal provisions to protect Aadhaar information from third parties. With data leak cases reportedly increasing every year, it is prudent to limit the number of entities that receive access to Aadhaar data as a consequence of making it mandatory.

Expectation mismatch: In many instances, Aadhaar does not achieve the intended purpose for which it is collected. For instance, Aadhaar is most commonly asked today as a proof of age/date of birth. However, not only a catena of judgments but also the UIDAI itself says that Aadhaar is not to be used as proof of date of birth. Courts have expressed dismay at numerous Aadhaar cards having 1^st January as the date of birth or having only the year of birth mentioned. Similarly, most entities collect paper-based Aadhaar without performing the accompanying UIDAI-prescribed actions to check its authenticity. This defeats the purpose of trusting Aadhaar in these instances.

Disregard to individual autonomy and privacy: The Supreme Court in Puttaswamy I held unequivocally that “informational privacy” is a facet of the fundamental right to privacy. Informational privacy includes giving individuals control over dissemination of material personal to them and disallowing its unauthorised use. This arguably extends to an individual having full autonomy to choose the identity document they want to use for a particular purpose. If an individual chooses to limit the use and dissemination of their biometrics-based, sensitive identity document to specific use-cases only, they should have the autonomy to do that – especially when the constitutional framework permits.

Aadhaar’s journey from a voluntary tool for socio-economic inclusion to a near-mandatory identification document highlights a growing gap between its intended purpose, the legal jurisprudence and current practices. With personal data becoming the cornerstone for every aspect of digital commerce today, minimising Aadhaar usage is imperative to avoid instances of data breach, misuse and identity fraud. Only by restoring its voluntary nature (except for a few legally permissible mandatory use-cases) can Aadhaar fulfill its promise as an instrument of empowerment, rather than becoming a tool of exclusion or an impending personal data risk.

About the authors: Ranjana Adhikari is a Partner, Sarthak Doshi is a Principal Associate, and Shashi Shekhar Misra is a Senior Associate at Shardul Amarchand Mangaldas & Co.

Views expressed are strictly personal to the authors and do not, in any way, reflect the views of the law firm.

Disclaimer: The opinions expressed in this article are those of the author. The opinions presented do not necessarily reflect the views of Bar & Bench.

If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.