Aadhaar: Need robust law to protect data of citizens, says SC

In last seven years, not a single breach of biometric details has taken place, said UIDAI CEO

The Supreme Court on Tuesday said there was a need for a "robust" law to protect sensitive information of citizens and asked the UIDAI about the safeguards to restrain private entities, involved in Aadhaar authentication, from parting with it.

A five-judge Constitution bench headed by Chief Justice Dipak Misra asked Ajay Bhushan Pandey, the CEO of UIDAI, about the safeguards employed to restrain private entities from parting with sensitive information of citizens for commercial gains while conducting the authentication of Aadhaar.

"There are two ends of authentication. You say that you do not know the purpose of authentication and the data at your (UIDAI) end is safe. AUA may be a private entity, what are the safeguards, if AUA parts with the sensitive information," the bench asked the UIDAI CEO.

"Let us have a robust law to protect the data of citizens. There is no such law in India," the bench, comprising justices A K Sikri, A M Khanwilkar, D Y Chandrachud and Ashok Bhushan, said.

Authentication User Agency (AUA) is an entity, engaged by the Unique Identification Authority of India (UIDAI), to provide Aadhaar enabled services to Aadhaar number holders by using the authentication.

Justice Chandrachud, during the hearing, gave an illustration and said if, he orders pizza from a pizza chain on regular basis and if that chain shares the information with his health insurance firm, then it will have some bearing because, the lifestyle is one of the key factors.

"This is a commercially sensitive information," the judge said and added that there was no "enforceable protection against others" even if the CIDR (data repository of UIDAI) was fully secure.

Such sharing is prohibited under the Aadhaar Act, the CEO said, adding that however, there was no control over such sharing of information by private entities, working as AUAs.

The bench asked the CEO not to bother the court with operational aspects, but to satisfy it as to whether any breach of data as possible.

The CEO said that breaches, if any, might take place from others' end as the UIDAI's CIDR was safe and not connected to the Internet.

"In last seven years, not a single breach of biometric details has taken place," he said, adding that now it has been directed that only the last 4 digits of Aadhaar number would be put in public domain.

"Aadhaar biometrics is shared only for 'national security' reasons. The consent is required at the level of the Cabinet secretary and so far, not a single request has so far come to us," he said.

He said that UIDAI gets a lot of requests from IT department seeking Aadhaar data, he said, adding, "We tell them we don't have 'a lot of data'."

Sharing of information, except core biometrics, would require permission of the district court concerned, the UIDAI CEO said.

He said the possibility of surveillance with Aadhaar was not there, because the UIDAI did not keep any data that can be misused.

The UIDAI CEO referred to the point raised by the apex court that why the government could not think of giving ID cards as done in Singapore to ensure that the authorities do not aggregate the data of citizens.

In Singapore, there is a smart card with online authentication to enhance security, he said, adding that even they had authentication records.

Moreover, Singapore was also planning to move to biometrics, he said, adding that having too much information on the smart card was risky.

"It's frozen in time. If a new technology develops, you will have to be replace all cards," he said.