The Delhi High Court on 21 August issued notice to the UIDAI and the Centre on a petition alleging that the fundamental right to privacy of all Indians with an Aadhaar card has been violated because of numerous Aadhaar data breaches.
The petition, filed by social activist and academic Shamnad Basheer, asks the court to direct the UIDAI and the Centre to improve security for Aadhaar, allow for opting out and deletion of existing Aadhaar data, and, pay exemplary damages for all the breaches of data till now.
The bench of Justices Ravindra Bhat and Anu Malhotra have instructed the respondents – the UIDAI, Union of India, National Informatics Centre and Ministry of Communications and IT – to submit their response within the next six weeks. The next hearing in the case is scheduled for 19 November.
In this case, Professor Basheer is not trying to argue that Aadhaar is unconstitutional or illegal. The petition is instead about how the UIDAI, the Centre, the NIC and IT Ministry have been negligent in ensuring security of Aadhaar data, which he argues is a violation of the right to privacy.
To substantiate his claims, he has relied on a number of news articles including The Tribune’s expose in January 2018 that access to Aadhaar details could be acquired for Rs 500, as well as official press notes by the UIDAI about actions taken against contractors, and responses by the IT Ministry in the Rajya Sabha.
On the basis of these sources, Basheer is arguing that his data and that of other users of Aadhaar (‘Aadhaaris’) is “in the illegal possession of unauthorised third parties, who can at any time misuse it for their own personal gain.”
Since these breaches have occurred because of the negligence or recklessness of the UIDAI, Basheer argues that they have violated their own obligations under the Aadhaar Act 2016 to take “all necessary measures” to ensure security and confidentiality of all identity information (Section 28).
The UIDAI’s response to alleged data breaches is also under the scanner in the petition – there is no system in place to properly audit and track breaches, and no fraud analytics system. Section 43A of the Information Technology Act mandates compensation for breach of such data, and Basheer thinks the UIDAI and the Centre would be obliged to pay compensation to all Aadhaaris on this basis.
What Does the Petition Ask For?
Speaking to The Quint, Basheer said that the court’s decision today was a very welcome one, since the judges had rejected the UIDAI’s attempt to conflate this case with the challenge before the Supreme Court, recognising that redressal of security breaches is important.
“This is the first ever data privacy suit in India,” he said, “and the idea is to set standards in this country to make the UIDAI and others accountable for data security. By having an independent audit of Aadhaar data breaches, this will allow anybody whose data has been compromised to come forward. The UIDAI and others like them must understand that they have to keep our data secure, and they can’t keep pulling the wool over our eyes.”
The petition asks the Delhi High Court to do the following:
- Direct the authorities to reveal the number of data breaches since the inception of the Aadhaar programme, along with details of how Basheer’s own data has been compromised.
- Appoint an independent investigative/audit committee to investigate all breaches.
- Appoint a neutral ombudsman/verification authority for addressing complaints relating to Aadhaar or other data breaches as well.
- Direct the authorities to provide the option of opting out of the Aadhaar system.
- Award exemplary damages for the failure to adhere to security practices, so as to deter the government and authorities like the UIDAI from being negligent with the rights of citizens again.
- In the alternative, direct the Centre to delete all existing Aadhaar numbers.