Since a large quantum of data, including biometric data of individuals is stored with Central Identities Data Repository, the possibility of data theft is palpable with Aadhaar.
By Supratim Chakraborty & Sneh Lata
The public consultation meetings on the white paper, framed by the committee of experts headed by Justice BN Srikrishna, in relation to data protection framework for India has been an eye opener in many respect.
The consultation sessions held in cities like New Delhi, Hyderabad and Bangalore have often meandered towards venting of grievances against Aadhaar by the public.
So much so, that the committee members had to intervene at times to clarify that the consultation meet was not to discuss the Aadhaar related issues but was for a larger goal of determining the data protection framework for India.
It became apparent from these sessions that amidst the controversies and questions surrounding data privacy and protection, Aadhaar has taken the centre stage today.
Whilst the hearing on the need and validity of Aadhaar in India has resumed in the Hon’ble Supreme Court, it is important to discuss some of the critical issues of Aadhaar and its implementation in India.
Taking a cue from some of the rather emotional discussions at the white paper consultation meets, one can state with conviction that there are several gaps in the implementation of the Aadhaar scheme.
These issues are certainly acting as roadblocks for the Government’s ambitious project to take a quantum leap and have a uniform digital identity proof in India.
Critical Hurdles for Aadhaar
One important roadblock in relation to Aadhaar is the lack of clear understanding about the various facets and legal framework associated with Aadhaar.
It is being observed that subsidies, benefits and services are being refused on the ground that individuals do not possess a valid Aadhaar.
The aggrieved individuals are often left with no recourse as there is a lack of understanding and clarity amongst the general public as well as the officials entrusted with the implementation of Aadhaar.
People are unaware that authentication of an individual by the Aadhaar number is not the only mode of authentication of identity of an individual and that the Aadhaar Act itself contains provision that allows for alternate and viable means of identification.
However, it is also a fact that the government is increasingly implementing measures that would ensure that obtaining of Aadhaar becomes mandatory, in effect.
This aspect has been flagged out in the white paper which states that Aadhaar is being viewed by many as coercive collection of personal data by the State.
It has also been frightfully argued before the Hon’ble Supreme Court recently that Aadhaar has empowered the State with a switch with which it can cause civil death of a person.
Aadhaar implementation has also been facing serious hurdles in relation to data security issues.
One such issue is that no authentication procedure has been provided for verifying the identity of the Aadhaar number provider for checking the bank details associated with a particular Aadhaar number.
Any person who knows an individual’s Aadhaar number can find out the name of the last bank linked to such Aadhaar number.
Since a large quantum of data, including biometric data of individuals is stored with Central Identities Data Repository (CIDR), the possibility of data theft is palpable.
Though it may be argued that the superior encryption used for such data would make it impregnable, however, in light of the rapid strides towards quantum computing, this premise could easily be negated and rendered redundant in future.
Whereas UIDAI is attempting to continuously boost security measures for authentication of individuals under Aadhaar by using technologies such as dummy numbers, facial recognition, etc, it is true that despite such attempts there is a possibility of breach, as counter to such technological security attempts are also continuously evolving. Also, the apprehension is - whether it is too little, too late!
The white paper in this regard points out that despite adequate security safeguards, no database is one hundred percent secure. Such enormous amount of valuable personal data acts as a significant motivation for miscreants to hack and, therefore, this concern has to be given due regard.
A Solution in the Making?
In light of all these, it would be important to set up a robust grievance redressal mechanism that would promptly address the issues.
Currently, as per the Aadhaar Act, the courts are to take cognizance of complaints for breach provisions of the Aadhaar Act, only when Unique Identification Authority of India (UIDAI) files a complaint.
It is the need of the hour to devise a framework that allows hassle-free functioning of Aadhaar whereunder one does not have to rely on the integrity or whims of human functionaries implementing the Aadhaar or on the advancement of technology.
This can be achieved through the new data protection law that is in the offing. If the new law, which is equally applicable to both private parties and the government, provides adequate safeguards to maintain confidentiality of individual’s information, holds wrongdoers strictly accountable and provides for adequate grievance redressal mechanism, then some of the important lacunae highlighted in relation to Aadhaar may stand effectively redressed.
If the larger concern of data protection of individual is adequately addressed, the concerns relating to Aadhaar, being a subset of the larger issue, will automatically stand resolved.(Authored by Supratim Chakraborty (Associate Partner) and Sneh Lata (Associate) at Khaitan & Co LLP. Views are personal)