India’s Supreme Court ruled Wednesday to uphold a controversial biometric identity program, finding that the sweeping data collection scheme is constitutional despite claims that it violated privacy laws and was unlawfully established. Four judges on the five-member Supreme Court panel decided by majority that the program can continue, but with limited scope and restrictions on data storage.

The program, known as Aadhaar, is considered the world’s largest biometric ID program with roughly 1 billion registered users representing nearly all of India’s 1.3 billion population. It was established by the administration of Manmohan Singh in 2009 as a way to streamline government welfare schemes and prevent identity fraud. While rollout began as early as 2010, the program was retroactively legalized by a law passed in 2016.

Public perceptions of the program also seem to have evolved over time. Upon its creation, Aadhaar was largely viewed as a well-intentioned initiative that could stem government waste and protect citizens’ identities. Today, many view it as a mass surveillance tool that infringes on privacy rights, which were enshrined by India’s Supreme Court in 2017.

Tech experts from around the world have weighed in on the pros and cons. Microsoft founder Bill Gates reportedly supports the initiative, and has worked with the World Bank to try and implement the idea in other countries. Conversely, U.S. whistleblower Edward Snowden has pointed out Aadhaar could be used for profiling by non-government entities that store personal information in private databases.

Here’s what you need to know about the landmark ruling.

What is Aadhaar?

Aadhaar is a nationwide personal identification scheme by which the government of India stores basic information of residents and assigns each a random 12-digit number and a registration card. The government hopes to eventually enroll every resident, whether or not they have citizenship.

A central government agency collects and stores demographic and biometric data of each registered person, such as their name, gender, date of birth, fingerprints, iris scans and photos. This creates an easily accessible digital identity that is linked to various government and financial services, including bank accounts.

A government website describes the program as “a strategic policy tool for social and financial inclusion, public sector delivery reforms, managing fiscal budgets, increase convenience and promote hassle-free people-centric governance.”

Read more: How India’s Controversial Biometric ID System Can Help Women

Why is it controversial?

Critics of the program argue that it leaves sensitive data vulnerable, that its rollout was ill-conceived and that it prevents marginalized people from accessing basic services — the opposite of its intended impact.

From the start, the enrollment processes for what began as a voluntary experiment were flawed. Weak Internet signals and erratic power connections made it difficult for regional registration centers to upload information to a central database maintained by the Unique Identification Authority of India. Some elderly people were unable to register because the equipment couldn’t scan their cloudy eyes, while some manual laborers had fingerprints too faded to be read. Leprosy patients were similarly excluded.

Because many of the people who were excluded from registration were among poor and underprivileged classes, the program’s rollout inadvertently left some of the country’s most vulnerable even further disadvantaged. As it became more widespread, Aadhaar became more integral to daily life and business needs; the cards are reportedly required for transactions such as opening a bank account or filing income taxes.

Read more: India’s Youth and Liberty Are Looking Less Like Advantages Over China

As Aadhaar became more widespread, concerns increased over data vulnerability. Earlier this year, a journalist in the north Indian city of Jalandhar reportedly paid an agent about $7 for access to the Aadhaar database. Authorities said that any breach could be traced and action taken, claiming that there had been no intrusion on the biometric data which it said was “fully safe and secure with highest encryption.” Any demographic data would be useless without the biometrics, they said according to the Hindustan Times.

The government has refuted accounts of data breaches. To prove the system’s foolproof security measures, a high-ranking official recently shared his Aadhaar number on Twitter and dared users to “do any harm.” Hackers quickly accessed and shared his personal information including his mobile number and income tax ID number. They even reportedly deposited one rupee in his account to show that they had found his banking details.

What did the court decide?

Aadhaar has faced roughly 30 petitions and half a dozen interventions since 2012, all of which have now been officially settled. Most of the the challenges have centered around either the legality of implementing the program before a law was enacted to regulate it, or whether it violates the Supreme Court’s privacy judgement from 2017. Several other cases centered on whether having and Aadhaar number could be made mandatory for certain services such as opening bank accounts or purchasing a SIM card.

For now, all existing cases are settled. The panel ruled that the benefits of Aadhaar outweighed privacy concerns, arguing that “one can’t throw the baby out with the bathwater.” The court has, however, limited he scope of the program’s application; inclusion in the scheme can no longer be mandatory for banking, mobile phone services or school admissions. Private companies have also been advised to purge all existing Aadhaar data, while government storage of authentication records can only be kept for six months instead of the previous limit of five to six years.

Get The Brief. Sign up to receive the top stories you need to know right now. Please enter a valid email address. Sign Up Now Check the box if you do not wish to receive promotional offers via email from TIME. You can unsubscribe at any time. By signing up you are agreeing to our Terms of Use and Privacy Policy . This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. Thank you! For your security, we've sent a confirmation email to the address you entered. Click the link to confirm your subscription and begin receiving our newsletters. If you don't get the confirmation within 10 minutes, please check your spam folder.

Write to Kamakshi Ayyar at kamakshi.ayyar@time.com.