Retaining the authentication data of citizens who have enrolled for Aadhaar beyond six months is “impermissible”, the Supreme Court held on Wednesday while asking the Centre to bring in a robust data protection regime.
Authentication data relate to details of financial transactions, movement and the like and are distinct from basic data such as biometric and demographic (name, address, phone number, photograph, etc) details.
The apex court, which declared the Aadhaar scheme constitutionally valid but struck down some of its contentious provisions, allayed fears of data misuse and said “ample safeguards” for security and data privacy were in place.
Justice A.K. Sikri — writing the verdict for himself, Chief Justice Dipak Misra and Justice A.M. Khanwilkar — held that the provision that permits data and records to be archived for a period of five years was “bad in law”.
“Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision, which permits records to be archived for a period of five years, is held to be bad in law,” Justice Sikri said.
Justice Ashok Bhushan, who penned a separate judgment concurring with Justice Sikri, noted that after the constitution bench had reserved its verdict on a batch of pleas challenging the constitutional validity of Aadhaar and its enabling 2016 law, the Justice B.N. Srikrishna committee had submitted a report containing a draft Personal Data Protection Bill, 2018.
“The report having been submitted, we hope that law pertaining to personal data protection shall be in place very soon taking care of several apprehensions expressed by (the) petitioners,” he said. “(The) Aadhaar Act does not create an architecture for pervasive surveillance.”
Justice Sikri said: “We have also impressed upon the respondents (Centre, UIDAI and others), to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (retd) committee report.”
Justice D.Y. Chandrachud, who wrote the lone dissenting judgement, said loss of data was “irretrievable” and in a digital society, an individual had the right to protect himself by maintaining control over personal information.
“To enable the government to initiate steps for ensuring conformity with this judgment, it is directed under Article 142 that the existing data which has been collected shall not be destroyed for a period of one year,” he said.
“During this period, the data shall not be used for any purpose whatsoever. At the end of one year, if no fresh legislation has been enacted by the Union government in conformity with the principles which have been enunciated in this judgment, the data shall be destroyed,” Justice Chandrachud said.