In an unfortunate development, the Unique Identification Authority of India has filed a complaint against three companies for the unauthorised use of biometrics stored by it. Three companies—Axis Bank, Suvidhaa Infoserve and eMudhra—are under investigation for attempting illegal authentication and impersonation, reports the Times of India. There are suspicions that biometrics stored within the Aadhar systems were being used for unauthorised transactions. The government and its people are divided on the use of Aadhar by the government and the private sector. Individual activists have raised significant concerns on issues of security and data privacy. Last month, the apex court observed that such data collection by private agencies was not a good idea. In response, the Centre argued that the practice is commonplace and that it had placed enough safeguards to ensure that information was not misused.
Noted social scientist Pratap Bhanu Mehta refutes this contention in a recent column. “There is still no clear transparent consent architecture, no transparent information architecture (which agency or vendor shares what information with whom), no privacy architecture worth the name, and increasingly, no assurance about what exactly you could do if the state decides to mess with your identity. The project of force-feeding digitisation, now with the help of commercial players whom we can hold even less accountable, and giving short shrift to all concerns of dignity, autonomy and privacy, should cause worry,” he said. With the move to digital payments, these fears take greater precedence with citizens vulnerable to data misuse and without any rights to protect that information and data.
In the past, the government has indeed ridden roughshod over privacy concerns in allowing the wider use of a citizen’s personal Aadhar data by private bodies under clause 57 of the Aadhar Bill. “Any public or private person may use the Aadhaar number for establishing the identity of any individual for any purpose,” says clause 57. The opposition asked the government to drop the provision but to no avail. It is imperative to note that the legislation on Aadhar was passed as a Money Bill, avoiding all scrutiny of the Rajya Sabha. With inadequate safeguards for data protection, among other concerns, the government has avoided critical and detailed questions. In response, concerned citizens have petitioned the Supreme Court, and the question of whether privacy is a fundamental right is now under review. Clearly, the provisions enshrined in the IT Act are not enough, considering the limited scope provided for data protection and privacy-related requirements.
This 15-year-old piece of legislation does not foresee a comprehensive legal framework for privacy and data security. Critics have also raised concern over a clause in the Aadhar Bill, which allows the government to reveal information about UID holders under the guise of national security. Although Clause 28 of the bill ensures the security and confidentiality of identity information and authentication records, Clause 33 (2) allows for disclosure of identity information and authentication records kept with the National Data Repository “in the interest of national security”. Nowhere in the Bill is there a specific definition of national security. The government needs to define national security in the context of this law. Otherwise, it could well become an instrument of abuse in the hands of the government. These concerns must be addressed at the earliest.