The panel — whose views on Aadhaar are captured in its 213-page report, but are not part of the draft Personal Data Protection Bill — seeks greater autonomy, both functional and financial, for the Aadhaar-issuing body.
The Justice Srikrishna panel on data protection has recommended that the Aadhaar Act be amended "significantly" to bolster privacy safeguards and mooted that only public authorities approved by the UIDAI or entities mandated by law be given the right to request for identity authentication.
The panel — whose views on Aadhaar are captured in its 213-page report, but are not part of the draft Personal Data Protection Bill, also submitted by it to the government yesterday — seeks greater autonomy, both functional and financial, for the Aadhaar-issuing body.
The panel asserted that the Unique Identification Authority of India (UIDAI) should not only be autonomous in its decision-making, functioning independently of the user agencies in the government, but also be vested with powers akin to a traditional regulator for enforcement actions.
It has prescribed that UIDAI should be granted powers to impose civil penalties on various errant entities and be armed with power to give directions, issue cease and desist orders to state and private contractors in cases involving statutory violations or non-compliance, and for actual or impending privacy breach.
"The Aadhaar Act needs to be amended significantly to bolster privacy protections and ensure autonomy of the UIDAI," said the report by the panel, a telling statement given the numerous reports of personal information being allegedly compromised with increasing use of biometric identifier Aadhaar in an array of services.
The recommendations of the committee also assume significance as the Supreme Court has reserved its judgement on a clutch of petitions challenging the constitutional validity of the Aadhaar Act.
"...it is salient that the data protection regime proposed by the Committee will require close introspection by the Government on various aspects pertaining to the existing functioning of the UIDAI (Unique Identification Authority of India). Currently the Aadhaar Act is silent on the powers of the UIDAI to take enforcement action against errant companies in the Aadhaar ecosystem," the report said.
Citing "several instances" in the recent past of companies wrongly insisting on Aadhaar numbers, those using the numbers for unauthorised purposes and those leaking the numbers, the report said these episodes can affect informational privacy and "requires urgent redressal".
The much-touted virtual ID feature and offline verification models rolled out by the UIDAI also came under the panel's lens, as it noted that while the twin measures have the potential to ensure safeguards like collection limitation and data minimisation, they do not come armed with a statutory backing.
"However, there is no statutory backing for such announcements as on date and it is unclear as to how they are to be effectively implemented," it said.
Significantly, on the entities that are entitled to request for authentication, the panel made it clear that this should be "restricted" to outfits that "perform a public function and require verifiable identification for the purpose of performing such public function".
It listed out two situation under which the entities can request for authentication — one where it is mandated by law made by Parliament, and in second instance a public authority performing a public function that is approved by the UIDAI.
"In granting such approval, the UIDAI should take into account security standards employed by the entity as well as the steps it has taken to incorporate privacy protections for Aadhaar number holders," it said.
For entities which do not perform a public function, but where identification of individuals may still be required, the panel said that only offline verification of Aadhaar numbers with the consent of the Aadhaar holder should be used for identity verification of an individual.
"Currently, many such entities, as a matter of course, ask for the Aadhaar number of individuals. This represents a significant privacy concern," the report said.
The panel batted for greater autonomy for UIDAI, seeking amendments in this regard.
The changes it has favoured with regard to UIDAI are that the nodal body must enjoy autonomy in decision-making, functioning independently of the user agencies in the government and outside it, and that it must be equipped with powers similar to those vested with traditional regulators for enforcement actions.
The panel said following an examination of the powers and functions of existing statutory regulators such as TRAI, SEBI, CCI and the deficiencies in the existing framework for Aadhaar, it has come to a view that the UIDAI should be vested with the functions of ensuring effective enforcement, better compliance, consumer protection and prevention and redressal of privacy breaches.
"In cases involving statutory violations or non-compliance, or an actual or impending privacy breach, the UIDAI will be tasked with the power to issue directions, as well as cease and desist orders to state and private contractors, and other entities discharging functions under the Aadhaar Act," it said.
And even UIDAI in its role as data collector will be subject to the rigours and penalties of the data protection law -- currently in the draft stage."Finally, in its role as a data fiduciary under the proposed data protection framework, the UIDAI will, in the eyes of the data protection law, be viewed as any other entity processing personal data of individuals, and will be subject to the rigours and penalties of the law. It is thus critical that these changes be made hand-in-hand with a new data protection legislation," it said.