This article is written by Pragati Trivedi, NIMS University Rajasthan, Jaipur. This paper is a critical analysis of Aadhaar breaches of data on the constitutional jurisprudence, statutory mechanism, proportionality doctrine, and the impending data protection reforms in the Digital Personal Data Protection Act, 2023.
The Aadhaar project is one of the most ambitious biometric identification systems in the world and one of the biometric identification systems implemented under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. Aadhaar, which means identity, was created to simplify the welfare-giving process, remove redundancy, and improve the efficiency of the administering impersonations by allocating a 12-digit identity number with biometric and demographic data attached to residents. Though the programme has largely transformed direct benefit transfers and digital governance, it has also created a major controversy on the issue of informational privacy, cybersecurity threats, as well as constitutional responsibility.
Aadhaar reports of data leakages, information disclosed by third parties without authorisation and demographic data being exposed on government portals have fuelled worries on the dangers of centralised biometric databases. Despite the fact that the Unique Identification Authority of India (UIDAI) asserts that core biometric information is encrypted and secure, there have been recurring cases of data disclosure and this has brought about burning issues of adherence to constitutional protections.
The case has gained a constitutional depth when the Supreme Court handed a landmark verdict on Justice K.S. Puttaswamy (Retd.). v. Union of India, which declared the Right to Privacy as a fundamental right in the Article 21. The next case of five-judge ruling in Justice K.S. Puttaswamy (Aadhaar-5J.) v. Union of India also explored the constitutionality of the Aadhaar system.
Evolution of the Right to Privacy in India
In India, the jurisprudence of privacy was before 2017 dispersed. Previous courts like the M.P. Sharma v. Satish Chandra and Kharak Singh v. State of Uttar Pradesh had repudiated or restricted the constitutional status of privacy. Nonetheless, the nine judge court in Puttaswamy (2017) made it clear that privacy is inherent to life and individual freedom as provided under Article 21 and is part of the freedoms provided by Part III of the Constitution.
The Court acknowledged informational privacy as a key factor to the autonomy of an individual. It noticed that the contemporary digitalized state stores immense amounts of personal information and that the person must have a right to control the publication and the usage of this information.
Most importantly, the Court created the proportionality standard, whereby any intrusion of privacy must meet:
- Legality (existence of law),
- Legitimate state aim,
- Rational correlation and need,
- Procedural protection against abuse.
This framework has taken the constitutional validity of any system of data collection including Aadhaar.
Judicial Review of Aadhaar
The Supreme Court ruled in favour of the Aadhaar Act in Puttaswamy (Aadhaar-5J.) (2018), giving it heavy restrictions. Most of them appreciated that the goal of making sure targeted welfare delivery was a legitimate state interest. However, it struck down:
- Mandatory connection of Aadhaar and bank accounts,
- Linkage of mobile numbers compulsory,
- Section 57 that permits the use of Aadhaar authentication by private entities.
The Court stressed that the biometric data is sensitive and immutable. In contrast to passwords, biometric identifiers like fingerprints and iris scans cannot be edited in case of being compromised. Thus, any violation will leave a permanent damage.
The dissenting opinion of Justice D.Y. Chandrachud did not stop here and stated that the Act was unconstitutional because of the procedural anomalies and the possible architecture of surveillance. The dissent, though not a majority opinion, still has an impact on privacy debate.
Nature and Implications of Aadhaar Data Breaches
The major issues surrounding Aadhaar data breach are associated with:
- Posting of the Aadhaar numbers on government platforms,
- Beneficiary list leakages that have demographics,
- Illegal access by enrolment agencies,
- Scraping of data by miscellaneous parties.
Although UIDAI claims that demographic data is not compromised, it can be used to commit identity theft, phishing, and fraudulent activities since core biometric information is not compromised. Additionally, the use of Aadhaar numbers to connect with other databases enhances chances of profiling.
The constitutional issue is not only the possibility of misuse per se, but the risk of structure of the centralised databases. Aggregation of information improves the potential of surveillance and creeping functions where the information obtained to fulfil a specific objective is slowly reused to accomplish a different task.
Statutory Safeguards under the Aadhaar Framework
The Aadhaar Act contains protective provisions:
- Section 28 ensures confidentiality of information,
- Section 29 prohibits sharing of core biometric data,
- Section 30 classifies biometric information as sensitive personal data,
- Sections 37–42 prescribe penalties for unauthorised access.
Nevertheless, one of the most important critiques is that the design of the procedure renders prosecution of offences contingent on a complaint filed by UIDAI, thus depriving a person of direct access to legal services. This casts doubt on the issue of individual enforcement and compensation of the victim.
In addition, the Act also allows disclosure in national security interest as a response to executive authorisation under specific conditions. This lack of judicial review in the past has been faulted as being incompatible with strong privacy protection.
Impact of the Digital Personal Data Protection Act, 2023
The introduction of the Digital Personal Data Protection Act, 2023 has become a new step in the data governance policy of India. The Act introduces:
- Informed processing of data,
- Data Fiduciary Obligations,
- Retaliatory punishments in terms of hefty fines in case of violations,
- Creation of a Data Protection Board.
Theoretically, the processing of Aadhaar related data is now under a wider accountability model. Breach redress may be sought by individuals (Data Principals).
Nevertheless, the Act allows the government agencies exemptions as well, in favour of sovereignty and nation order. Critics are of the view that these exemptions will weaken constitutional safeguards unless strictly construed.
Proportionality and Mass Surveillance Concerns
The proportionality doctrine calls on the constant review of the question whether the level of bio-metric information gathering is still justified and minimalistic.
Arguments in favour of Aadhaar highlight:
- Elimination of ghost beneficiaries,
- Improved effectiveness in welfare provision,
- Success in the Direct Benefit Transfer.
Arguments against raise concerns regarding:
- Biometric centralised repository,
- Potential service-wide tracking,
- Possibility of lock out because of authentication failures.
The Supreme Court tried to strike a balance between these interests, yet the changing technological ability might need a new judicial examination.
Comparative Perspective
Big data protection laws and regulations including the General Data Protection Regulation (GDPR) of the EU are strict liability laws with an independent supervisory authority worldwide. Although the mechanism of penalties is quite similar in the DPDP Act of India, the governmental exemptions are still wider.
The constitutional system of India, however, offers a special protection, namely, judicial protection of basic rights. Articles 32 and 226 provide that citizens can directly address constitutional courts.
State Liability and Remedies
When there are Aadhaar data breaches, the potential solutions would be:
- Covered by constitutional writ petitions,
- Compensation by the principles of the public law,
- Criminal complaints under the Data Protection Board.
- Criminal prosecution under the provisions of Aadhaar Act.
Yet, procedural complexity and awareness barriers limit effective redress.
To strengthen accountability, reforms could include:
- Mandatory breach notification,
- Independent audits,
- Transparent reporting mechanisms,
- National security disclosures: judicial review.
Balancing Welfare Governance and Privacy
Aadhaar is an example of the dilemma of the modern digital state: on one hand, it is possible to use technology to benefit the populace, and on the other hand, it is possible to eliminate civil liberties.
In Puttaswamy (2017), the Supreme Court highlighted the importance of the dignity at the centre of privacy. Individual autonomy should thus be taken into consideration by data governance.
The data centralisation cannot be justified by welfare efficiency. Following the progress of India toward digital governance, the constitutional morality necessitates the constant review of the risks of surveillance, cyberspace security demands, and data minimisation practices.
Conclusion
The fact that Aadhaar information is leaking highlights the precarious nature of the balance between technological custodianship and constitutional freedom. Although the Supreme Court concluded that the Aadhaar Act was valid, it also provided privacy protection using the proportionality doctrine.
The acknowledgement of privacy as an essential right in Justice K.S. Puttaswamy (2017) comes with a constant constitutional burden on the State concerning strong cybersecurity, open accountability, and minimal data intrusion. Digital Personal Data Protection Act, 2023 has reinforced the statutory framework but its effectiveness is partially reliant on unbiased enforcement and limited interpretation of exemptions.
Conclusively, legitimacy of Aadhaar is not just in the efficiency of the administration, but the Aadhaar obedience to constitutional values. Biometric identity protection should stay grounded on dignity, autonomy, and rule of law.
Frequently Asked Questions
Does Aadhaar have a constitutional mandate?
The Supreme Court affirmed its validity with some limitations in 2018.
Is the violation of Aadhaar information unlawful?
The illegitimate disclosure is punishable by Aadhaar Act and DPDP Act.
Is it possible to share biometric data with third parties?
In 2018, the Supreme Court overturned the private mandatory use.
What is the constitutional guideline of Aadhaar data collection?
The proportionality doctrine that was instituted in Puttaswamy (2017).
What are the solutions to the victims of Aadhaar data leakages?
Constitutional writ remedies, statutory complaints and criminal penalties.
References
I. Constitutional Provisions – Constitution of India, 1950, Articles 14, 19, 21, 32 and 226.
II. Statutes and Regulations
- Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
- Information Technology Act, 2000.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Digital Personal Data Protection Act, 2023.
- Aadhaar (Authentication) Regulations, 2016.
- Aadhaar (Data Security) Regulations, 2016.
III. Judicial Decisions
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
- Justice K.S. Puttaswamy (Aadhaar-5J.) v. Union of India, (2019) 1 SCC 1.
- M.P. Sharma v. Satish Chandra, AIR 1954 SC 300.
- Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295.
- People’s Union for Civil Liberties v. Union of India, (1997) 1 SCC 301.
- Shreya Singhal v. Union of India, (2015) 5 SCC 1.
IV. Committee Reports and Government Publications
- Government of India, Report of the Group of Experts on Privacy (Chairperson: Justice A.P. Shah), 2012.
- Government of India, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, 2018.
- Unique Identification Authority of India (UIDAI), Annual Reports (Various Years).
V. International Instruments
