Data is secure, some info isn’t private: SC
NEW DELHI: On data security and privacy, the Supreme Court on Wednesday sided with the Unique Identification Authority of India (UIDAI), rejecting the petitioners’ concerns that Aadhaar could lead to the establishment of a surveillance regime and the lack of adequate provisions for data protection . At the same time, the court empowered citizens to control their data.
The UIDAI collects demographic and biometric data of an individual during enrolment. The major concern raised by the petitioners, the court noted, was the “storage and retention of this data whenever authentication takes place” and not collection of data for enrolment or authentication process.
The court addressed four major issues in its verdict on the constitutional validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.
DATA SECURITY
The court expressed trust in UIDAI systems and said the Central Identities Data Repository (CIDR) — central database where biometrics and demographics are stored — is secure.
On technical questions concerning data security, the judges extensively referred to UIDAI CEO Ajay Bhushan Pandey’s presentation on Aadhaar’s architecture that he made before the court. “There are sufficient authentication security measures taken,” the court noted, quoting specific slide numbers from Pandey’s presentation, adding that UIDAI “has sufficient defence mechanism”.
The court mentioned newspaper reports that suggested that “some people could hack the website of CIDR”— which the UIDAI denies. But those reports were not taken into consideration as they appeared “after the conclusion of hearing in these cases” and the judges left that matter with “a hope that CIDR would find out the ways and means to curb any such tendency”.
Critics, however, take a more expansive view of Aadhaar data security, looking towards the entities on the periphery — such as a ration shop in a remote village — interacting with the central database. This ecosystem challenge was not the focus of Supreme Court judgment.
PRIVACY
Privacy concerns are a serious issue in the age of information, the judgment said.
The term “reasonable expectation of privacy” found repeated mention in the ruling, referring to court’s interpretation that an individual can’t expect privacy for all kinds of data. “Data such as medical information would be a category to which a reasonable expectation of privacy attaches,” the court said. But information collected during Aadhaar enrolment — demographics, face photos and biometrics — doesn’t meet that criterion, meaning such data won’t be protected by privacy, unless under special circumstances.
Demographic information “is readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities”; “face photographs are given by people for driving license, passport, voter id, school admissions”; fingerprint and iris scan do not deal “with the intimate or private sphere of the individual but are used solely for authentication”, the court said.
SURVEILLANCE
“We are of the view that it is very difficult to create the profile of a person simply on the basis of biometric and demographic information stored in CIDR,” the court said. While seeking Aadhaar authentication, neither the location of the person nor the purpose for which authentication is recorded, the court noted, concluding that “the threat to realtime surveillance and profiling may be far-fetched”.
The State Resident Data Hubs (SRDH) — databases maintained by state governments that are seeded with Aadhaar numbers by consolidating information from multiple government databases to create citizen profiles— did not find a mention in the judgment. The existence of SRDH had been one of the major criticisms of the identity project, that showcase the possibilities of Aadhaar-related profiling.
In his dissenting judgment, justice DY Chandrachud sided with the petitioners, and said Aadhaar was against the right to privacy as it enabled potential surveillance.
EMPOWERING CITIZENS
The court put in place judicial safeguards against misuse of individual data. It struck down Section 57, used by private companies to seek Aadhaar identification. It also struck down Section 33 (2), under which data could be requested for national security.
To obtain access to an individual’s Aadhaar data on grounds of national security, the court suggested an executive above jointsecretary rank (in the Centre) and a judge (preferably from a high court) must process such requests. A citizen whose Aadhaar-related information is sought by the government shall be afforded the opportunity of a proper hearing.
The court suggested that the act “needs a suitable amendment” to include the provision that a citizen can file complaints in case of a data breach or a rights violation. In the existing version, only the UIDAI had the authority do so.
The UIDAI could store authentication transaction data for a period of five years, but the court said “retention of this data for a period of six months is more than sufficient after which it needs to be deleted”, except in cases where its required to be maintained by a court or in connection with any pending dispute.