Millennium Post

Panel recommends changes in Aadhaar Act; moots new safeguards for data protection


NEW DELHI: The Justice Srikrishna panel on data protection has recommended that the Aadhaar Act be amended "significantly" to bolster privacy safeguards and mooted that only public authorities approved by the UIDAI or entities mandated by law be given the right to request identity authentication.

The panel – whose views on Aadhaar are captured in its 213-page report, but are not part of the draft Personal Data Protection Bill, also submitted by it to the government on Friday – seeks greater autonomy, both functional and financial, for the Aadhaar-issuing body.

The panel asserted that the Unique Identification Authority of India (UIDAI) should not only be autonomous in its decision-making, functioning independently of the user agencies in the government, but also be vested with powers akin to a traditional regulator for enforcement actions.

It has prescribed that UIDAI should be granted powers to impose civil penalties on various errant entities and be armed with power to give directions, issue cease and desist orders to state and private contractors in cases involving statutory violations or non-compliance, and for actual or impending privacy breach. "The Aadhaar Act needs to be amended significantly to bolster privacy protections and ensure autonomy of the UIDAI," said the report by the panel, a telling statement given the numerous reports of personal information being allegedly compromised with increasing use of biometric identifier Aadhaar in an array of services.

The recommendations of the committee also assume significance as the Supreme Court has reserved its judgement on a clutch of petitions challenging the constitutional validity of the Aadhaar Act.

"...it is salient that the data protection regime proposed by the Committee will require close introspection by the Government on various aspects pertaining to the existing functioning of the UIDAI (Unique Identification Authority of India). Currently the Aadhaar Act is silent on the powers of the UIDAI to take enforcement action against errant companies in the Aadhaar ecosystem," the report said.

Citing "several instances" in the recent past of companies wrongly insisting on Aadhaar numbers, those using the numbers for unauthorised purposes and those leaking the numbers, the report said these episodes can affect informational privacy and "requires urgent redressal".

The much-touted virtual ID feature and offline verification models rolled out by the UIDAI also came under the panel's lens, as it noted that while the twin measures have the potential to ensure safeguards like collection limitation and data minimisation, they do not come armed with a statutory backing.

"However, there is no statutory backing for such announcements as on date and it is unclear as to how they are to be effectively implemented," it said.

Significantly, on the entities that are entitled to request authentication, the panel made it clear that this should be "restricted" to outfits that "perform a public function and require verifiable identification for the purpose of performing such public function".

It listed two situations in which entities can request authentication: one where it is mandated by a law made by Parliament, and the second where the entity is a public authority performing a public function that is approved by the UIDAI.

"In granting such approval, the UIDAI should take into account security standards employed by the entity as well as the steps it has taken to incorporate privacy protections for Aadhaar number holders," it said.
