Safeguarding Aadhaar
Experts say the government should expedite proposed data protection legislation
The public consultations by the Srikrishna Committee, drafting the legal framework for data protection, could not have come at a more opportune time. The committee, headed by retired Supreme Court (SC) judge B N Srikrishna, currently on a month-long tour of cities, including Delhi, Hyderabad, Bengaluru and Mumbai, is seeking suggestions on what should be the underlying principles for the country's proposed data protection law.
The brouhaha over recent unauthorised access to the Aadhaar database has put the spotlight on the ability of the Aadhaar Act, 2016, to protect and secure an individual’s personal data. This comes at a time when the SC will begin final hearing from on Wednesday on the petitions challenging the Aadhaar scheme.
Legal experts note that the implementation of the Aadhaar Act has accentuated the gaps in various data security and privacy laws in the country. “The current Aadhaar Act is outdated as the government moves to make Aadhaar mandatory,” says Pavan Duggal, advocate, Supreme Court. The Act does not adequately deal with parameters for cyber security and privacy protection of the Aadhaar system, he adds.
The Act is specific to the Aadhaar enrolment and use, points out Tejas Karia, partner, Shardul Amarchand Mangaldas & Co. What galls legal experts is that in case of any breach or misuse of data, all remedial powers are concentrated with the Unique Identification Authority of India (UIDAI). “Only the UIDAI can take action against any such breach,” says Vaibhav Parikh, partner, Nishith Desai Associates. What does not help matters is that the UIDAI is essentially a technology company, not an enforcement agency, experts point out.
Duggal is in favour of amending the Aadhaar Act and make it topical to current ground realities. The Act needs to specifically define the roles, duties and responsibilities of various stakeholders in the Aadhaar ecosystem, he adds.
However, many legal experts believe amendments to the Act need not be necessary. A data protection law, currently being framed by the Srikrishna committee, could be the answer to the data security issues faced by the UIDAI.
“A data protection law will address the data security-related issues facing Aadhaar, as it will provide a framework for collecting, processing and transferring personal data,” says Karia. Most legal experts want the government to expedite the framing of such legislation.
The proposed data protection law needs to be umbrella legislation, something on the lines
of the Indian Penal Code, feels Supratim Chakraborty, associate partner, Khaitan & Co. However, the challenge for the country's data protection law will be to strike a balance between innovation and privacy. This is more so with technologies such as Big Data, the Internet
of Things and Artificial Intelligence going mainstream in the coming years.
The White Paper on Data Protection Framework, released by the Srikrishna Committee in November clearly spells out the challenges ahead in framing a data security
law: “Despite an obligation to adopt adequate security safeguards, no database is 100 per cent secure. In the light of this, the interplay between any proposed data protection framework and the existing Aadhaar framework will have to be analysed”.