A public interest litigation has been filed before the High Court Of Kerala against permitting private telecom operators to use biometric data collected under Aadhaar programme for authenticating customer identity while issuing SIM cards.
The PIL, filed by one Shyam KJ, who claims to be an “avid user of Information Technology, and a staunch advocate of enhanced transparency, personal freedom and individual privacy in internet and telecommunications”, contended that there is no law specifically enabling private entities to use biometric data for authentication purposes.
According to the petitioner, Section 57 of the Aadhaar Act 2016 permits private entities to use only the Aadhaar number for establishing the identity of a person. Therefore, use of biometric data for such purposes by private entities is not contemplated by the Act.
However, the Aadhaar (authentication) regulations framed by the Unique Identification Authority of India (UIDAI) enable private entities to make use of biometric data for authentication. The regulations permit private entities to be registered as ‘e-KYC user agencies’ that can make use of biometric and demographic data for authentication purposes. Therefore, it is contended that the regulations are ultra-vires the Aadhaar Act.
Also, a circular dated 16.08.2016 issued by the Department of Telecommunications, Ministry of Communications, Govt of India, was also stated to be repugnant to the Aadhaar Act, as it directs telecom licensees to make use of Aadhaar e-KYC for customer authentication.
It was alleged in the writ petition that the agents and retailers of mobile operators were not following the procedure laid down in the regulations while using biometrics of customers.
It was also alleged that the informed consent of the customer is not taken before using his biometric data, and that no proper record of authentication transactions is maintained in the manner mandated by the Act. In this context, it is relevant to note that LiveLaw had earlier published an article that raised concerns about the use of biometric data by private operators.
The petition raised apprehensions about the safety and confidentiality of biometric data.
According to the petitioner, use of biometric data for authentication was grossly unreasonable, unwise and dangerous, as any compromise in data safety could lead to irreversible damage. The petition, therefore, sought a declaration that private entities cannot use biometric data, in view of the language of Section 57. The petition also sought to quash the provisions of the regulations that permit the private operators to use biometric data, and also the circular dated 16.08.2016, to the extent that it is repugnant to the Aadhaar Act.
The court issued notices to the respondents and posted the matter for their response.