SC verdict opens UIDAI licensed entities to legal suits
In its verdict on Wednesday, the Supreme Court (SC) scrapped Section 47 of the Aadhaar Act, which means individual Aadhaar cardholders or citizens can file criminal complaints against the Unique Identification Authority of India (UIDAI) and its licensed entities, if a suitable amendment is effected by Parliament, say legal experts. Section 47 of the Aadhaar Act stated that only the UIDAI or a person/officer authorised by it could register and file criminal complaints against individuals and companies for offences. “This was a contentious part, as people were worried how they could get legal recourse for breaches of Aadhaar security, especially when the UIDAI was unwilling to accept that data breaches are a reality. You can look at the Airtel Payments Bank scam where bank accounts were created for people without their knowledge. This was a subversion of the principle of natural justice,” says Raghu Godavar, member of advocacy group RethinkAadhaar. In its order, the court held: “There could be several circumstances where UIDAI itself or some third-party is guilty of having committed offences under the Act. By restricting the initiation of the criminal process, the Aadhaar Act renders the penal machinery ineffective and sterile.” Ajay Kumar, Associate at MZM Legal, said: “Now that Section 47 is struck down, any person who is aggrieved can file a criminal complaint and set the legal machinery in motion. Under the earlier situation, only the authority could decide whom to prosecute. The law now empowers citizens to seek punishment of those who violate their right to privacy by misusing data.” Petitioners to the case had argued that since personal and biometric information collected and stored by the UIDAI in the Central Identities Data Repository (CIDR) is the property of the individual, this clause in the Act violated the individuals’ right to judicial intervention. There are various offences listed in the Act, under which the UIDAI could file criminal complaints and take cognisable action against individuals and companies. These include unauthorised access to CIDR, impersonation of an Aadhaar holder, unlawful or nonconsensual disclosure and transmission of Aadhaar details, mis-use of information in the CIDR, and theft of identity information, amongst others. Further, Section 43 also makes companies and their management liable for offences committed under the Aadhaar Act. This means that firms can be taken to court if individuals or a group of individuals find clear violations of personal or biometric data by employees or the company itself.