RTI reveal of Aadhaar disclosure by govt websites highlights privacy risks with Aadhaar data collection

The recent reveal of Aadhaar data breaches by govt websites draws attention again to the inadequacy of actions taken by the UIDAI to protect privacy

An RTI inquiry to the UIDAI revealed disclosure of Aadhaar numbers and other personal data by over 210 government websites. The UIDAI states that it has had the data removed, and that none of the disclosures were by the UIDAI itself. While the report does not clarify whether these numbers refer to recent or former disclosures of Aadhaar data, it draws attention again to the inadequacy of actions taken by the UIDAI and the government to protect privacy, and to the safeguards against privacy violations by such websites.

Reports of Aadhaar number disclosures

Representational Image: Reuters

The RTI inquiry revealed that over 210 websites, including those of central and state government departments and educational institutions, have disclosed beneficiary lists containing names, addresses and other details, including Aadhaar numbers. Earlier reports of disclosures included the report on Google searches revealing Aadhaar-based databases, and the CIS report suggesting that 135 million Aadhaar numbers had been leaked.

Need to preserve confidentiality of the Aadhaar number

The present RTI inquiry is an acknowledgement of the privacy dangers of allowing the free collection, use and storage of Aadhaar and other personal data of the people. The UIDAI and the government have time and again stated that the protection of the Aadhaar number itself is crucial. Yet, it is normal today to share the Aadhaar number freely as a proof of identity. An example of this is the mandatory KYC requirements, such as those prescribed recently for m-wallets, which have led all m-wallet issuers, including private entities such as taxi aggregators, to ask for and collect Aadhaar numbers for eKYC. Sharing a signed Xerox of the Aadhaar card has become common, even for something as simple as a mobile number.

At every stage, the Aadhaar number is disclosed this way to multiple persons involved in the process. The Aadhaar number itself is displayed clearly on the Aadhaar card, with no effort made to conceal it. The government firstly needs to clarify to the people, as well as the numerous public and private entities being allowed to freely collect and store Aadhaar data, why it is so crucial to safeguard the confidentiality of the Aadhaar number. And if it is so crucial, why is the number being allowed to be shared so freely as an ID proof to everyone?

Meity notifications against govt department disclosures

The Aadhaar Act itself contains several provisions preventing the unauthorized use of Aadhaar data by such entities, but in the absence of suitable enforcement actions, these are ineffective. The RTI inquiry thus also raises questions on the action that can be taken against such websites.

The Ministry of Electronics and Information Technology had previously issued a notification in March 2017 following the disclosure reports, informing all websites that such publication violated the Aadhaar Act, 2016, and directing them to remove the data.

This was followed by the issue of the ‘General guidelines for securing Identity information and Sensitive personal data or information in compliance to Aadhaar Act, 2016 and Information Technology Act, 2000’ by Meity (the ‘Meity guidelines’) in June, 2017. These guidelines are quite broad in their scope, protecting any personal data, and not just data involving Aadhaar numbers, from disclosure by all government departments. However, in terms of action against violations, no new provisions were prescribed. Nor were people given any new right to raise inquiries against this negligence.

UIDAI authority to act against privacy violations

Actions against violations are thus restricted to those provided under the Aadhaar Act and the Information Technology Act, 2000. As has long been pointed out by privacy advocates, both these laws fall majorly short of the privacy protections that are required in the digital age.

The UIDAI has the authority to take action against such websites for violation of Section 29 of the Aadhaar Act. The departments in question are liable to pay a fine of up to Rs 1 lakh, or even imprisonment of three years, under Sections 37, 40 and 41 of the Aadhaar Act. The people’s only remedy under the Aadhaar Act, however, is to approach the UIDAI with their grievance through various means — through the Centralized Public Grievance Redress and Monitoring System, through a post or e-mail to the UIDAI, or through the UIDAI Contact Centre.

Alternatively, they can approach the grievance redressal centres, if any, set up by the government department in question. Beyond this, there is no right under the Aadhaar Act to take the government department in question to court for its negligence, demand to be informed of such data breaches or seek compensation for the privacy violation.

Proving ‘loss’ for actions under the IT Act

An alternative remedy is provided under the Information Technology Act, 2000, where if the victim has suffered a loss of some sort due to privacy violation, he can take the government department to court under Section 43A. The problem with this, however, is that this applies only when the government department amounts to a ‘body corporate’, and not every government department does so. Additionally, the loss from a privacy violation is often not immediately felt. It can be felt much later, in the form of a cybercrime against the victim, where it is often impossible to determine how and from where the cybercriminal in question discovered the data of the victim.

Remedy through the fundamental right to privacy

The right to privacy judgment does bring about a change to this situation. Most importantly, in the absence of an alternative remedy, people have the right to take action against the websites for violating their privacy. Being websites of government departments, these departments amount to a ‘State’, thus entitling people to a remedy against them. The judgment, in particular, recognized informational privacy as a facet of the right to privacy, imposing an obligation on the State to protect data, first and foremost through the enactment of a data protection law.

Next steps

The forthcoming data protection law, and the ongoing examination of the privacy aspects of Aadhaar before the Supreme Court, will hopefully bring about further changes to the privacy practices in the country. People, for their part, need to be alert to fresh disclosures and take action against websites and other entities disclosing their personal data. The government, for its part, in particular the UIDAI, needs to rethink the steps taken to preserve the confidentiality of the Aadhaar number. They must ensure that entities using Aadhaar data take privacy seriously, and that suitable action is taken against violators.

Asheeta Regidi is a lawyer and author specializing in technology laws. She is also a certified information privacy professional.
