Deleting stored data will be a Herculean task, say experts
Private entities might now have to delete Aadhaar data they have collected, but ensuring they actually do so is going to be an uphill task, claim experts.
Without a data-protection law in India, there is no entity to audit whether or not private companies are actually deleting personal data of customers. “It is going to open a Pandora’s Box,” said Pavan Duggal, a Supreme Court (SC) lawyer.
He also said, “Even as we speak, much of the data could have already been migrated to other territories. So, who will conduct the audit to see the whole data is deleted within the time frame stipulated by the SC?”
Telecom companies such as Reliance Jio exclusively signed up users through the e-Know Your Customer process. Other telecom companies also pushed customers to link their Aadhaar numbers in order to continue to use their service, before the SC in an interim verdict said any such data collection should be put on hold.
Cyber experts said getting private firms to delete this data will certainly remove any chance of it being misused. They, however, added that with the lack of any data localisation or data privacy laws in India, there was no way to ensure this.
They also said the government and the regulators would face challenges in ascertaining that the SC’s judgment was actually followed as none of these firms were incentivised to delete this data. “We have seen instances of data breaches in the recent past. There were also reports suggesting data was easily available in the black market for a price,” added Duggal.
The SC also said that if Aadhaar data was collected for authentication, it could not be stored for more than six months. Earlier, it could be stored for five years.