Aadhaar Authentication Data Not To Be Kept Beyond 6 Months, Bring Out Robust Data Protection Regime: SC Directs UIDAI/GOI

Although the Supreme Court has upheld the Aadhaar programme and many provisions of the Aadhaar Act, the reading of the judgment delivered by Justice AK Sikri would show that all is not well with the Aadhaar.

The court, in order to address the apprehensions expressed in the petitions challenging the Aadhaar Act, has issued the following directives to UIDAI and Central Government:

• Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law. (Authentication Record is the record of the time of authentication and identity of the requesting entity and the response provided by the Authority.)


• Metabase relating to the transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment. (The judgment also holds that under Section 2(d) which pertains to authentication records, such records would not include metadata as mentioned in Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016.)


• Section 33 of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.


• Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.


• That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.


• Bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

The petitioners had contended before the court that the Act enables data collection indiscriminately regarding all aspects of a person (biometrics, demographic details, authentication records, meta-data related to transaction) even though such data has no nexus to the purported object of subsidies, thus violating the principle of data minimization. They had also expressed apprehensions about Regulation 26 of the Authentication Regulations requires the UIDAI to store “authentication transaction data” consisting of: (a) authentication request data received including PID block; (b) authentication response data sent; (c) metadata related to the transaction; and (d) any authentication server side configurations as necessary. The authentication record affords access to information that can be used and analyzed to systematically track or profile an individual and her activities, it was argued by the petitioners.