Data is secure, some information not private: Supreme Court
On data security and privacy, the Supreme Court on Wednesday sided with the Unique Identification Authority of India (UIDAI), rejecting petitioners’ concerns regarding the establishment of a surveillance regime and the lack of adequate data protection provisions. At the same time, the court empowered citizens to control their data.
The UIDAI collects demographic and biometric data of an individual during enrolment. The major concern raised by the petitioners, the court noted, was the “storage and retention of this data whenever authentication takes place” and not collection of data for enrolment or authentication process.
The SC addressed five major issues in its verdict on the constitutional validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.
The court expressed trust in UIDAI’s systems and said that the Central Identities Data Repository (CIDR) — the central database where biometric and demographic data are stored — is secure.
On technical questions concerning data security, the judges extensively referred to UIDAI CEO Abhay Bhushan Pandey’s presentation on Aadhaar’s architecture that he made before the court.
“There are sufficient authentication security measures taken,” the court noted, quoting specific slide numbers from Pandey’s presentation, adding that UIDAI “has sufficient defence mechanism”.
The court mentioned newspaper reports that suggested that “some people could hack the website of CIDR”—which the UIDAI denies. But those reports were not taken into consideration as they appeared “after the conclusion of hearing in these cases” and the judges left that matter with “a hope that CIDR would find out the ways and means to curb any such tendency”.
Critics, however, take a more expansive view of Aadhaar data security, looking towards the entities on the periphery — such as a ration shop in a remote village — interacting with the central database. This ecosystem challenge was not the focus of SC judgement.
Privacy concerns are a serious issue in the age of information, the judgement said.
The term “reasonable expectation of privacy” found repeated mention in the ruling, referring to court’s interpretation that an individual can’t expect privacy for all kinds of data.
“Data such as medical information would be a category to which a reasonable expectation of privacy attaches,” the court said. But information collected during Aadhaar enrolment — demographics, face photos and biometrics — does not meet that criterion, meaning such data won’t be protected by privacy, unless under special circumstances.
Demographic information “is readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities”; “face-photographs are given by people for driving license, passport, voter id, school admissions”; fingerprint and iris scan do not deal “with the intimate or private sphere of the individual but are used solely for authentication”, the SC said.
“We are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR,” the court said. While seeking Aadhaar authentication, neither the location of the person nor the purpose for which authentication is recorded, the court noted, concluding that “the threat to real time surveillance and profiling may be far-fetched.”
The State Resident Data Hubs (SRDH) — databases maintained by state governments that are seeded with Aadhaar numbers by consolidating information from multiple government databases to create citizen profiles— did not find a mention in the judgement. The existence of SRDH had been one of the major criticisms of the identity project, that showcase the possibilities of Aadhaar-related profiling.
In his dissenting judgement, Justice Chandrachud sided with the petitioners, and said Aadhaar is against the right to privacy as it enables potential surveillance.
The court put in place judicial safeguards against misuse of individual data. It struck down Section 57, used by private companies to seek Aadhaar identification. It also struck down Section 33 (2). To obtain access to an individual’s Aadhaar data on grounds of national security, the court said an executive of Secretary position and a judge alone can process such requests. A citizen whose Aadhaar-related information is sought by the government shall be afforded an opportunity of a proper hearing.
The court suggested that the act “needs a suitable amendment” to include the provision that a citizen can file complaints in case of a data breach or rights violation. In the existing version, only the UIDAI had the authority do so.
The UIDAI could store authentication transaction data for a period of five years, but the court said “retention of this data for a period of six months is more than sufficient after which it needs to be deleted”, except in cases where its required to be maintained by a Court or in connection with any pending dispute.