NEED ROBUST LAW TO PROTECT CITIZENS’ SENSITIVE INFO: SC
The Supreme Court said on Tuesday there was a need for a “robust” law to protect sensitive information of citizens.
A five-judge Constitution Bench, headed by Chief Justice Dipak Misra, asked Ajay Bhushan Pandey, the chief executive officer of the Unique Identification Authority of India (UIDAI), about the safeguards in place to restrain private entities from giving out sensitive information of citizens for commercial gain while conducting Aadhaar authentication.
“There are two ends of authentication. You say that you do not know the purpose of authentication and the data at your (UIDAI) end is safe. Authentication user agency (AUA) may be a private entity, what are the safeguards, if AUA parts with the sensitive information,” the Bench asked the UIDAI CEO.
“Let us have a robust law to protect the data of citizens. There is no such law in India,” the Bench, comprising judges A K Sikri, A M Khanwilkar, D Y Chandrachud and Ashok Bhushan, said.
An AUA is an entity engaged by the UIDAI to provide Aadhaar-enabled services to Aadhaar holders using authentication.
Justice Chandrachud, during the hearing, said that if he orders pizza from a pizza chain on a regular basis and that chain shares the information with his health insurance firm, it will have some bearing because lifestyle is one of the key factors.
“This is a commercially sensitive information,” the judge said, adding that there was no “enforceable protection against others” even if the Central Identities Data Repository (CIDR), the data repository of UIDAI, was fully secure.
Such sharing is prohibited under the Aadhaar Act, the CEO said, adding, however, that there was no control over such sharing of information by private entities working as AUAs.
The Bench asked the CEO not to bother the court with operational aspects, but to satisfy it as to whether any breach of data was possible.
The CEO said breaches might take place at others’ end, as the UIDAI’s CIDR was safe and not connected to the Internet.
“In last seven years, not a single breach of biometric details has taken place,” he said, adding that it has now been directed that only the last four digits of the Aadhaar number would be put in the public domain.