The Centre has stated that Shamnad Basheer’s Delhi HC petition seeking damages due to Aadhaar data leaks is non-maintainable given that the Supreme Court has already passed its judgment on the Aadhaar matter. Basheer is the founder of SpicyIP and a lawyer.

However, Basheer pointed out that the SC had specifically stated that it was not dealing with the issues raised in his petition. In the KS Puttaswamy judgment, the SC had noted that, “Section 43A of the IT Act attaches liability to a body corporate, which is possessing, handling and dealing with any 68A challenge to the Aadhaar project for violation of IT Act and Rules has been filed in the Delhi High Court in the matter of Shamnad Basheer v UIDAI and Ors. Therefore, we are not dealing with this aspect, nor does it arise for consideration in these proceedings.”

Apart from claiming that the petition was non-maintainable, the Centre argued that the petition was misplaced and based on unverified reports. The Centre said:

  • The petition is based on “unsubstantiated” alleged facts and “grossly misreported and interpolated” information relating to Aadhaar
  • It denied allegations of any security breach of the UIDAI’s or the CIDR’s biometric database, stating that Basheer’s allegations that his privacy was impacted were based on press reports “without even verifying as to whether his data was at all compromised”.
  • “It is strongly denied that any data breach has occurred in the CIDR or that the petitioner’s right had been affected in any manner whatsoever,” the Centre’s affidavit said.

Demanded the rejection of the PIL

  • The Centre further went on to assert the importance and utility of Aadhaar for delivery of services, and demanded that Basheer present “the strictest proof” in evidence that his personal information was compromised or is under risk, or being made unsecure.
  • It demanded that the petition be rejected, claiming that its existing controls and protocols are equipped to counter any attacks.

Basheer filed his petition in May 2018 in the Delhi HC, alleging a violation of privacy as guaranteed by the KS Puttaswamy judgment. He sought action against the UIDAI and the Union government for being negligent in securing citizens’ Aadhaar data. Basheer demanded exemplary damages for the Aadhaar data breaches, the provision to opt out of Aadhaar, and that all existing Aadhaar data be deleted via a writ of mandamus.

In November 2018, the Delhi HC granted the UIDAI four weeks’ time to file a response to the petition, and posted the next hearing for February 14. Earlier in August, the court had given more time to the UIDAI and other government bodies, given that the final judgment in the Aadhaar matter was looming at the time.

The PIL

In his PIL, Basheer elaborates that he signed up for an Aadhaar Card in 2015, believing the project to be safe, secure, and consent based. He later also linked his bank account with Aadhaar for fear of his account being suspended.

  • However, his petition notes that he learnt via news reports that the security of the Aadhaar database had been compromised multiple times.
  • “The Petitioner fears that his valuable data (as also that of countless other Aadhaaris) is in the illegal possession of unauthorized third parties, who can, at any time, misuse it for their own personal gain. This fear is not just a theoretical one, but one which has played out in the past.”
  • The PIL claimed that the security breaches were due to the “negligence/willful recklessness” of the UIDAI in the absence of adequate security measures, and caused breaches and/or compromise of the data of Aadhaar holders.
  • The petition asserts that such conduct violates the Aadhaar Act and the IT Act, 2000 and Rules, violating Basheer’s right to privacy under the Constitution
  • The petition argues that the UIDAI and Centre are liable to compensate Aadhaar holders for security breaches under Section 43A of the IT Act, since their negligence in handling personal information and data has caused “wrongful loss or wrongful gain to individuals.”

Basheer in his petition further demands:

  • Information on the number of data breaches of Aadhaar, seeking details of the scope and specific ways in which data was compromised
  • An independent investigative/audit committee to investigate all Aadhaar breaches, and the adequacy of the existing security architecture

(all emphasis ours)
