Why does UIDAI need to collect metadata of citizens, asks SC
Advocate appearing for UIDAI and the Gujarat government said UIDAI collected “limited technical metadata” to have control over the requesting entities which seek Aadhaar authentication for granting services and benefits.
The Supreme Court on Tuesday asked the Unique Identification Authority of India (UIDAI) why it needed to collect ‘metadata’ of personal transactions of citizens which go for Aadhaar authentication to avail services and benefits.
A five-judge Constitution bench headed by Chief Justice Dipak Misra, hearing a clutch of petitions challenging Aadhaar and its enabling 2016 law, was responding to the submission of UIDAI that it collected only “limited technical meta data.”
“Why do you (UIDAI) have to retain meta data of personal transactions of persons entered through Aadhaar authentication,” the bench, also comprising Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan, asked. Metadata is a set of data that describes and gives information about other data.
Senior advocate Rakesh Dwivedi, appearing for UIDAI and the Gujarat government, said the petitioners, opposing the Aadhaar scheme, have completely “misunderstood the concept of metadata” and the UIDAI collected “limited technical metadata” to have control over the requesting entities (REs) which seek Aadhaar authentication for granting services and benefits.
He said that on one hand, the petitioners were saying that UIDAI had no control over requesting entities, but simultaneously, they were also alleging that UIDAI will have so much control over the metadata that may lead to surveillance.
While it was important to exercise control over the REs, there was no data about the location or purpose of transaction or authentication which was being collected by UIDAI, he said.
The bench then asked him “So you are not collecting metadata about the person but only about the machine,” to which Dwivedi replied in affirmative.
The senior lawyer referred to foreign judgments and said there was reasonable and legitimate expectation of privacy, but the context was “very important”.
“A criminal might not have any expectation of personal autonomy whereas a common man will,” he said, adding that there will be different levels of privacy rights when a person was inside home and when he ventured out in “relational world”.
“Individuals live in communities and their personality is shaped by imbibing cultural and social values of the society. Regulations are designed to protect objective principles that define reasonable expectation of privacy,” he said.
He said the possibility of data breaches cannot be a ground to strike down the Aadhaar law and efforts should be to make it work and not to strike it off.
He then referred to the example of doctors trying to save a patient and asked the court to adopt the same approach in saving the Aadhaar law and suggest it measures to strengthen the statute.
The bench said there was one area which required consideration was the provision of remedies for the breaches.
The lawyer said the Information Technology Act provided for penalties and recently, UIDAI had imposed penalties on Airtel and Axix Bank for the breaches.
Dwivedi will conclude his submissions on Wednesday.
Earlier, the bench had said it was not sure whether bringing people “face to face” with the authorities through Aadhaar was the best model as the State should reach them to accord the benefits of the welfare schemes.
“We are not sure if that is the best model. The individual should not be a supplicant. The State should go to him and give him benefits,” the bench had said.
The bench had also said that if biometric authentication is attached to every transaction entered into by a person, it would “form a wealth of information” necessitating the need for data protection.