The debate over the security of data collected and stored under the Aadhaar project is heating up. While the Unique Identification Project has always had strong supporters and equally strong detractors, the latest controversy has been sparked off by an alleged breach of biometric data.

On February 25, Mint reported that the Unique Identification Authority of India (UIDAI) had detected a breach of biometric data and filed a police complaint on February 15 against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra with the allegation of impersonation using illegally stored biometric information.

These entities deny storage of any data and claim that the business correspondent was merely testing the platform, which accidentally sent authentication requests to the live server instead of the testing one. Still, the incident has sparked concerns about the security of data in the possession of the UIDAI and also the redressal mechanism in the case of a breach like this.

Interestingly, it turns out that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act is silent on making the UIDAI liable for reporting any breaches.

Legal experts that BloombergQuint spoke to point out that while the international principles of data collection require that any breach or abnormal activity be revealed to the users and authorities quickly, the Aadhaar regulations give no such assurance.

Delhi-based lawyer Apar Gupta said that a user may never really get to know if there was a data breach in the Aadhaar database which compromised their personal data, unless the authority chooses to voluntarily disclose it.

“There is no provision under the act for notification to the public that there’s been a breach of their data. The breach includes both hacking of identity data and unauthorised authentication carried out by someone impersonating a citizen,” Gupta said, adding that the authority is “whole and sole” and it isn’t liable to even disclose it under the Right To Information Act or to the parliament.

A broad comparison can be drawn to the system breach in the banking system last year which led to 32 lakh debit cards being compromised. While banks are not required to disclose details of the breach to the public, they are required to report it to regulators immediately. Customer protection provisions also ensure deposit protection to some extent.

In contrast, there is no regulatory oversight of the UIDAI which keeps it away from scrutiny, Gupta said. “There is an absence of a breach notification requirement under the Act,” he added.

Rahul Matthan, partner at law firm Trilegal, said that all technological systems are likely to be breached at one point or the other and the Aadhaar Act has strong provisions against nefarious elements wronging the system.

“There is a clear violation of the law in this case no matter who has done it,” Matthan said, while adding that it is not clear where the violation has happened.

If a bank employee steals your money, there is nothing you can do since the bank expects all employees to behave properly. It’s the same thing here as all participants in the process are expected to keep information safe.

Rahul Matthan, Partner, Trilegal

Matthan said that storing of biometrics is wrong and illegal and the concern stems from the potentiality of people using this information left, right and centre.

He also added that protective provisions of the IT Act will apply to Aadhaar as well.

“Any data breach is required to be disclosed under the IT Act but whether that is followed or not is a separate question,” he said. Every authentication under the system is reported to the citizens through an SMS which is effectively informing them of unusual activity, he added.

However, there remains a loophole here for those who do not have their correct phone numbers updated in the Aadhaar system.

Gupta also said that even if one gets to know about their Aadhaar being misused, there is no guarantee under the Act that a redressal will be provided.

In chapter 7 of the Aadhaar regulations, there is a provision for a grievance redressal mechanism whereby a person can approach a call centre through phone or email which will provide residents with a tracking number till the matter is closed.

Gupta believes that this is not enough.

“Even the IT Act has the same absence of reporting principles as the Aadhaar Act so it is substantively insufficient,” he said. “There is no requirement for the call centre to give you a reasoned order like a public authority does. There is no specification to give you a reason if they don’t agree with you and why they can’t help you. The process doesn’t ensure that people’s dispute will be determined by the principles of natural justice.”

Additionally, Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, told BloombergQuint that a privacy law was promised when the Aadhaar Act was being passed in the parliament. That never happened, so the system remains deficient on redressal.

I don’t think there is a data breach provision in the act. They said don’t worry, a privacy bill is coming which never happened. But whether we have privacy bill or not, as long as there is centralised biometric data, we are in constant danger.

Sunil Abraham, Executive Director, Centre for Internet and Society