Aadhaar Act, 2016 Should be Amended to Improve Cybersecurity


The year 2017 has seen a number of Aadhaar data leaks. 1.4 million names, addresses, bank account details and Aadhaar numbers of pensioners who had given their details for Direct Benefit Transfers into their accounts were leaked on a website run by the Jharkhand Directorate of Social Security.

This assumes more significance since the said breach involves senior citizens, who are beneficiaries of the state's old-age pension scheme.

Everyone in society is increasingly feeling the heat of Aadhaar breaches. The only difference is that if you are a prominent personality, your complaint is responded to immediately, while for more than 1.4 million pensioners there is no effective redressal mechanism.

It has been reported that the UIDAI has filed an FIR against 8 websites which have been misleading people on the pretext of providing Aadhaar-related services.

It was also reported earlier in 2017 that the UIDAI had shut down various websites available on Google Play Store for illegally charging people money.

Clearly, the aforesaid events have indicated an urgent need to deal with the various legal and other challenges concerning the Aadhaar ecosystem. There is a crying need for India to come up with detailed legal frameworks, which can effectively address cyber security and other policy and regulatory concerns regarding Aadhaar.

No Effective Provisions for Cybersecurity

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (hereinafter referred to as the Aadhaar Act, 2016) was passed to grant legality to Aadhaar. However, the Aadhaar Act, 2016 did not address all relevant and imperative issues concerning Aadhaar in a comprehensive manner.

We need to appreciate that security is critical for the further success of the Aadhaar ecosystem. Yet when one looks at the Aadhaar Act, 2016, one finds that it incorporates no effective and comprehensive provisions pertaining to the cyber security of the Aadhaar ecosystem.

The Aadhaar Act, 2016 has itself been drafted keeping in mind just the security of identity information and authentication records of individuals stored on the Central Identities Data Repository.

The very fact that the Aadhaar Act, 2016 has not done enough for cyber security has ensured that the breaches will continue.

Given the resolve of the government to make Aadhaar mandatory, it needs to look at a broader vision of trying to make the Aadhaar ecosystem more cyber secure, rather than just the narrow vision of protecting security of the Central Identities Data Repository.

Citizens Can’t Report Crimes Related to Aadhaar

A major concern is that the Aadhaar Act, 2016 strips legitimate citizens of their right to report criminal activities and breaches concerning Aadhaar.

Section 47 of the Aadhaar Act, 2016 effectively locks out any effective remedy for the affected person whose privacy has been impacted by a breach of Aadhaar numbers and other details. This Section provides that a Court can take cognisance of any offence punishable under the Aadhaar Act, 2016 only on a complaint made by the UIDAI or any person authorised by it. This effectively means that legitimate people, who are victims of breaches of their Aadhaar numbers or details, have no effective remedy.

It is high time that the biggest democracy of the world took cognisance of the intrinsic legal, policy and regulatory deficiencies in the Aadhaar ecosystem.

There is a need for further strengthening the ecosystem, not just from the perspective of protecting Indian sovereign interests, but also for the purposes of adequately safeguarding privacy and other related civil liberties/rights of Aadhaar number holders.

We need to wake up quickly to the fact that the Aadhaar ecosystem concerns live human beings and their biometric information. Hence, far more action needs to be taken to protect intrinsic data concerning citizens' demographic and biometric information on the Aadhaar ecosystem. This becomes more important given that India does not have in place a dedicated data protection law.

Time for India to Wake Up

At a time when the entire world is watching how India deals with Aadhaar, it is imperative that the country not only amend the Aadhaar Act, 2016, to incorporate various new provisions to deal with legal challenges but also put in place adequate cyber security-related provisions.

Existing legal frameworks on Aadhaar are sketchy and inadequate, and require specific amendments. We further need to ensure that Aadhaar does not become a tool for misuse of people’s information. Numerous checks and balances need to be put in place to ensure the security and stability of the Aadhaar ecosystem.

India needs to act in a determined and decisive manner. Let’s not act in a hurry and repent at leisure. A lot of work needs to be done in this regard.

(The author, Pavan Duggal, Advocate, Supreme Court of India, is Asia’s & India’s leading expert and authority on Cyberlaw, Cyber Security Law & Mobile Law and has been acknowledged as one of the top four cyber-lawyers in the world. He can be contacted at his email addresses pavan@pavanduggal.com and pavanduggal@yahoo.com. The views expressed above are the author’s own and The Quint neither endorses nor is responsible for the same.)