There Has Been No Aadhaar Data Security Breach: Centre Tells Delhi HC In Prof. Shamnad's PIL [Read The Counter]

In its response to the petition filed by IP Academic Prof. Shamnad Basheer in the Delhi High Court seeking damages for the losses due to Aadhaar data leak, the Centre has claimed that the petition is non-maintainable in view of the Supreme Court's Aadhaar judgment.Prof. Basheer, however, opined that this wasn't the case. He pointed out that the Supreme Court had, in its judgment, specifically stated that it was not dealing with the issues raised in his petition.A quick search would show that this was indeed the case. The Court had, in Justice KS Puttaswamy (Retd) v. Union of India, categorically observed, "Section 43A of the IT Act attaches liability to a body corporate, which is possessing, handling and dealing with any 68 A challenge to the Aadhaar project for violation of IT Act and Rules has been filed in the Delhi High Court in the matter of Shamnad Basheer v UIDAI and Ors. Therefore, we are not dealing with this aspect, nor does it arise for consideration in these proceedings."In addition to challenging the maintainability of the petition on the aforementioned ground, the Centre also claims that the alleged facts on the basis of which the petition has been filed are "unsubstantiated" and that the information relating to the Aadhaar scheme has been "grossly misreported and interpolated" to mislead the court.The counter affidavit then goes on to assert the importance and utility of Aadhaar for delivery of public services, relying on various reports and court decisions. It further demands Mr. Basheer to be put to strictest proof to show evidence of his personal information being compromised or rendered insecure.The Centre also denies allegations of there having been a security breach of UIDAI's biometric database or Central Identity Data Repository (CIDR). It submits, "It is quite curious that reading of press reports without actual verification of its impact on the petitioner affected his privacy, personhood and dignity and the petitioner felt to distressed without even verifying as to whether his data was at all compromised. It is strongly denied that any data breach has occurred in the CIDR or that the petitioners right has been affected in any manner whatsoever."It further assures the court that its existing security controls and protocols are robust and are capable of countering any such attacks, and elaborates on the legislative and technological measures taken by it. It, therefore, demands rejection of the petition.Fear of Aadhaar data being misused for personal gainIn his petition, Prof. Basheer recalls how he obtained an Aadhaar card back in 2015 believing the project to be safe, secure and consent based. Soon after, he also linked his bank account with Aadhaar for the fear of his account being deactivated.However, around the beginning of this year, he was devastated to learn through news reports that the confidentiality of Aadhaar data had been compromised, not once but several times over. For instance, he cites a news report by Tribune wherein Tribune claimed to have "purchased" a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.Listing down various other illustrative examples demonstrating such breach of Aadhaar data, he now submits, "He was particularly distressed to note that most of these breaches pertained to personal identity data maintained with the Central Identities Data Repository, a centralized database containing all information collected from Aadhaar applicants by Respondent No.1 and its various affiliates/partners, including sensitive personal information such as biometric data.The Petitioner fears that his valuable data (as also that of countless other Aadhaaris) is in the illegal possession of unauthorized third parties, who can, at any time, misuse it for their own personal gain. This fear is not just a theoretical one, but one which has played out in the past."Violation of statutory provisionsThe petition attributes the security breaches to "negligence/willful recklessness" on the part of the UIDAI due to the absence of reasonable security measures. It then asserts that UIDAI's conduct violates Aadhaar Act and associated regulations, as well as the Information Technology Act, 2000 and associated rules. UIDAI's conduct, it argues, violates the Petitioner's fundamental right to privacy; and is actionable and compensable as a common law tort.For instance, the Petition relies on Section 28 of the Aadhaar Act, which places a specific duty on the UIDAI to ensure the security and confidentiality of all identity information held by it, either directly or through its various partners/affiliates. In particular, the UIDAI is obligated to "take all necessary measures" to ensure that the information in its possession or control is secured and protected against any unauthorized access, use or disclosure.It then alleges violation of this provision, submitting,...

There Has Been No Aadhaar Data Security Breach: Centre Tells Delhi HC In Prof. Shamnad's PIL [Read The Counter]

Apoorva Mandhani

Prof. Basheer moved Delhi HC seeking exemplary damages for alleged Aadhaar data leak

Tags