India Supreme Court Narrows Use of Aadhaar Data
Telcos, Banks and Other Private Firms No Longer Can Insist on Aadhaar Data
Because the court struck down Section 57 of the Act, private companies, including banks, telecom companies, ecommerce firms and others, can no longer insist on biometric data and other Aadhaar data from consumers. The Reserve Bank of India had mandated that banks use Aadhaar for authentication (see: Critics Question RBI's Aadhaar Mandate).
Aadhaar use is still mandated for certain government-related transactions, such as filing income tax returns or extending social grants.
The court, which upheld the constitutionality of Aadhaar, also asked the government to draft a privacy law soon to help ensure the security of Aadhaar data is maintained by the highest standards.
Some privacy experts immediately praised the court's decision (see: India's Proposed Data Protection Bill: Compliance Issues).
"It does address aspects of privacy at least within the limited ambit of private companies," says Shivangi Nadkarni, CEO at Arrka Consulting, a consulting firm that specializes in data privacy. "The fact that I cannot be compelled to give my Aadhaar details to a private entity means I can exercise choice. This is empowering. If I exercise this choice, it means my Aadhaar data will not be with the private entity, reducing my own personal data risk exposure."
Meanwhile, politicians who opposed widespread use of Aadhaar data in the private sector also praised the court's decision.
"By striking down Section 57 of Aadhaar Act, the Supreme Court has firmly put an end to the mass surveillance exercise being carried out under the guise of Aadhaar by the central government," says Kapil Sibal, senior leader of Congress, the opposition party.
Critics alleged that the widespread use of Aadhaar data gave the government a free hand to look at each and every activity of an individual, invading their privacy.
Sections Struck Down
The sections of the Aadhaar Act that have been struck down by the Supreme Court are:
Section 57: This allowed the use of the Aadhaar number for establishing the identity of an individual for any purpose by any entity.
The striking down of this section is expected to have a big impact on payment firms that had been authenticating customers using Aadhaar. Many banks have been relying on Aadhaar-based KYC, or know your customer, for authentication. RBI had mandated that banks use Aadhaar.
Section 33 (2): This section permitted disclosure of information, including identity and authentication information, made in the interest of national security in pursuance of a direction of an officer by an order of the central government. The court said that the level at which the approvals were required was not adequate.
"The situation has changed since the Aadhaar Act was enacted," says Na. Vijayashankar, a cyber law expert. "Now we have a personal data protection act, which is presently in the draft bill stage, that can address the requirements of privacy and exemptions required in the context of national security. This [court ruling] puts a greater responsibility on the personal data protection bill and the need for it to become a law without delay."
Section 33 (1): This allowed disclosure of information, including identity and authentication records, if ordered by a court. In its ruling, the Supreme Court determined that individuals must be given an opportunity to put forth their views and arguments before a court orders disclosure of their data.
Section 47: Under this section, only the government of India could issue a complaint about the theft of Aadhaar data. The Supreme Court ruled that individuals should also be allowed to file complaints.
Section 2(d): This section had required Aadhaar metadata to be stored for five years. The court ruled that metadata records collected through Aadhaar cannot be kept beyond six months.
What Experts Say
Reacting to the ruling, Rahul Sharma, co-founder of The Perspective, a firm which designs cyber policies, notes: "I am happy that the court has taken a balanced view and has decided not to strike down Aadhaar completely. That would have been a waste of national resources and effort."
Cyber law expert Vijayashankar adds: "I am happy with the judgment, since it has not fully given in to the demand from the opponents that it should be struck down as 'unconstitutional' on fears that it would lead to surveillance by the state."
Some security practitioners are particularly pleased with the court's directive of limiting storage of metadata collected through Aadhaar to six months.
"This is the best part of the judgement. This reduces risk of exposure to data compromises significantly," Nadkarni says.
But the draft personal data protection bill, to be considered by Parliament soon, must have provisions to make the government liable in case Aadhaar data gets compromised or misused, he argues. "What worries me is the fact that government entities can continue collecting data and they are not subjected to any privacy law until this Act comes out."
The Supreme Court has put responsibility for Aadhaar security on the government, which raises concerns among some security professionals.
"I am not sure how much we can trust the government when it comes to securing Aadhaar. To this date, it hasn't taken the responsibility for any breach happening on their websites," says Dinesh O. Bareja, COO at the Open Security Alliance.