Prof. Shamnad Basheer has filed a Petition before the Delhi High Court seeking action against the UIDAI and NIC for not adhering to secure practices, exemplary damages for the data leaks and the provision to opt out of Aadhaar, LiveLaw reports. Premising his PIL on the data leaks causing a violation of the fundamental right to privacy that was upheld in the Puttaswamy Judgment, the petition alternatively seeks a Writ of Mandamus directing the Central government to delete all Aadhaar numbers.

The Aadhaaris

The petition refers to Aadhaar holders as “Aadhaaris” and begins with a poem:

Grass seemed greener on the Aadhaar side
Seduced by its spell, I got taken for a ride
Linking my card, not once but twice
Lulled by its lore and some lies

But soon I found
That Aadhaar was unsound
Privacy breaches and bunglings galore
Data pirates so desperate to score

My unique ID is now up in the air
Open to all, both foul and fair
Yet the “authority” insists that all is well
Link some more…and we’ll all be swell!

To our courts therefore, I now do turn
For privacy, justice, and a little less burn

The petition then traces the history of Aadhaar and its change from a voluntary scheme into its now near-mandatory form, with ubiquitous linkages to essential services, including banking, filing taxes and mobile phones, magnifying the privacy concerns caused by the data breaches. The petition explicitly clarifies that it does not challenge the constitutional validity of the Aadhaar Act but seeks to “establish that the Respondents continue to compromise the security of Aadhaar data through their negligent acts/omissions and consequently violate the fundamental privacy rights of the Petitioner and that of the public at large”.

Lack of data security

In the petition, Prof. Basheer states that he obtained an Aadhaar in 2015 believing the project to be safe and consent based. He later linked his Aadhaar with his bank account for fear of his account being deactivated. He then recalls discovering that the confidentiality of Aadhaar had been compromised and cites several reports of Aadhaar data being compromised, including unauthorized access to the Aadhaar database being available for sale on WhatsApp, as reported by the Tribune.

Prof. Basheer also articulates apprehensions of being due to the data. “Being a Muslim and a member of a minority community, the threat of potential harms to the Petitioner are even more accentuated. For one, given that in today’s post truth world, almost all Muslims are seen as terrorists and interrogated as such at various international airports and the like, the risk of harms from a data breach and consequent identity theft or the tampering with personal data is significantly more magnified. Secondly, given the present political climate in the country for minorities and the growing patriotic fervor of those committed to purging the country of its plural ethos, the Petitioner fears that unrestrained access to his data could have potentially fatal implications.”

Potential for misuse by third parties

Stating that most of the breaches pertained to the Aadhaar data maintained with the CIDR (Central Identities Data Repository), the petition states the apprehension that “… his valuable data (as also that of countless other Aadhaaris) is in the illegal possession of unauthorized third parties, who can, at any time, misuse it for their own personal gain. This fear is not just a theoretical one, but one which has played out in the past.”

Actionable and Compensable as a common law tort

The petition argues that the lack of reasonable security measures on the part of the UIDAI is “negligence/wilful recklessness” and asserts that the UIDAI’s conduct violates the Aadhaar Act and associated regulations, the Information Technology Act (2000) and associated rules and violates the petitioner’s fundamental right to privacy, thus being actionable and compensable as a common law tort.

Specifically, the petition argues that the UIDAI violates the Aadhaar Act by not fulfilling its duty under Section 28 to “take all necessary measures” to secure the information held by it, in that it allows “grievance redressal” personnel to access the CIDR and effectuate changes at will, and allows such access to be multiplied and disseminated widely.

It also holds the UIDAI responsible for failing to systematically audit and track breaches or deploy a fraud analytics system. The petition argues that the UIDAI and the Centre are liable to compensate aggrieved Aadhaaris for the security breaches under Section 43A of the IT Act.

Data Security measures sought

The petition seeks a direction to the authorities for immediate compliance with the IT Rules (2011), including the publication of a privacy policy and laying down of a security policy for itself and its core operations.

With regard to breaches that have already taken place, the petition seeks that action be taken and exemplary damages be imposed against the UIDAI and other government agencies like the NIC for failure to adhere to security practices, as well as the option for Aadhaaris to opt out. As an alternative, the petition seeks a Writ of Mandamus directing the Centre to permanently delete all existing Aadhaar numbers.

The petition also seeks information on the number of data breaches that have taken place since the inception of the UIDAI and the Aadhaar scheme and the scope of the breach and manner in which the data has been compromised.

The petition recommends the appointment of an independent multistakeholder investigative/audit committee to investigate all Aadhaar breaches and the robustness of the existing systems, as well as the appointment of a neutral ombudsman/verification authority for addressing, at the first level, all concerns and complaints which may arise in the future in relation to violations of the Aadhaar Act and the IT Act, as well as any data breaches.

Current status of the Petition

The matter has been posted for the 21st of August, with Justice Sanjiv Khanna and Justice Chandrashekhar wanting to wait for the judgment in the constitutional challenge to Aadhaar in the Supreme Court. The Petitioners are free to approach a bench before then in the event of any emergency or urgency.

The Petitioners

Prof. Basheer is an IP lawyer who founded the Increasing Diversity by Increasing Access to Legal Education (IDIA) trust, which is a non-profit working on making legal education accessible to the underprivileged. The Promoting Public Interest Lawyering (P-PIL) initiative was started by IDIA to enable IDIA scholars and volunteers to advocate for public interest causes, whilst still in Law School, through practical experience. This petition is a part of the P-PIL initiative.

Advocate Siddharth Aggarwal, who specializes in Criminal Law, is representing Prof. Basheer pro bono. He was briefed by lawyers Rupali Samuel, Jhanvi Dubey and Siddharth Sajita. UIDAI was represented by Advocate Zoheb Hossain. IDIA fellow Balu Nair, volunteers Anmol Malhotra, Ankit Yadav, Shilpa Prasad and Vinoothna Vinjam, and IDIA scholar Donnie Ashok are assisting with the petition.