Any Vulnerability In Aadhaar Database Can Lead To Misuse Of Personal & Financial Info, Strengthening Security Framework Need Of Hour: Orissa HC

The Orissa High Court has flagged the issue of misuse of Aadhaar details due to inadequate cybersecurity measures and has called for strengthening its security framework by implementing state-of-the-art encryption, multi-layered authentication protocols and stringent access controls.

The Single Bench of Dr. Justice Sanjeeb Kumar Panigrahi made the observations while hearing a challenge made by Ex-Member of Parliament Tathagata Satapathy to mandatory requirement of linking Aadhaar with PAN for operating demat accounts.

The ex-parliamentarian had taken shelter of the Court since he was prevented from operating his demat account linked to his HDFC bank's savings account. It was made dormant by citing non-linkage of Aadhaar with his PAN. He challenged this mandatory usage of Aadhaar and contended that it militates against Supreme Court rulings, which kept its usage in banking activities optional.

However, citing the provision under Section 139AA of the Income Tax Act and the judgments of the Apex Court in Justice (Retd.) K.S. Puttaswamy v. Union of India (2018) and Binoy Viswam v. Union of India & Ors. (2017), the Court held the aforesaid linkage requirement to be constitutional as it emanates from the objective to cut-down tax/financial frauds.

Nonetheless, Justice Panigrahi acknowledged that the concerns raised by the petitioner regarding infringement of privacy are not irrelevant. As more people invest their hard-earned money in financial markets, he said, concerns about privacy and security also surface.

“With increased digital transactions and mandatory KYC (Know Your Customer) norms, people rightfully demand transparency and accountability regarding their financial privacy. It is no longer acceptable for regulators, banks, or the government to turn a deaf ear to these concerns. If investment is to be encouraged, the trust of the people must be earned by ensuring stringent data protection laws, secure investment channels, and a commitment to safeguarding investor rights in a rapidly evolving financial landscape,” he added.

The Court underlined that since Aadhaar is mandatorily required to be linked with PAN and demat accounts, the potential risk of financial fraud and identity theft has become a significant concern for investors and account holders.

“While the Aadhaar framework was introduced as a robust and unique identification system to streamline financial transactions and curb fraud, concerns regarding its security persist. Reports of Aadhaar data leaks and unauthorized access have surfaced repeatedly, raising serious questions about the safety of sensitive personal information. Incidents where Aadhaar details, including biometric data, have been exposed due to inadequate cybersecurity measures have fuelled public apprehension.”

It further acknowledged that the system which was designed to prevent tax evasion and money laundering may inadvertently expose people to new risks, if adequate safeguards are not in place.

“The fear among individuals mandated to link their Aadhaar with PAN and Demat accounts is not unfounded. Any vulnerability in the Aadhaar database can lead to misuse of personal and financial information, with grave consequences such as unauthorized access to bank accounts, cloning of identities, and financial fraud,” it said.

The Bench, thus, urged the government to prioritize cyber security measures, conduct regular audits and ensure rigorous enforcement of data protection laws. It also asked the concerned stakeholders to strengthen the Aadhaar regime by implementing proper encryption and stringent access controls.

“Transparency in addressing data breaches, along with proactive steps to fortify the Aadhaar infrastructure, is essential to instil confidence in the system. Without these measures, the very objective of Aadhaar-PAN linkage i.e. to ensure financial transparency and curb fraud, may be undermined by the risk of data breaches and privacy violations.”

Case Title: Tathagata Satapathy v. HDFC Bank Ltd., Mumbai & Ors.

Case No: W.P.(C) No. 875 of 2024

Date of Judgment: February 14, 2025

Counsel for the Petitioner: Mr. Yasobanta Dash, Senior Advocate along with Mr. N.C. Mohanty, Advocate

Counsel for the Respondents: Mr. Gautam Mukherjee, Senior Advocate along with Mr. D.N. Mishra; Mr. Rajeet Roy, Advocate along with Mr. S. Sourav, Advocate; Mr. Tapesh Roy, Advocate along with Mr. S. Roy, Advocate

Citation: 2025 LiveLaw (Ori) 33

Click Here To Read/Download Order