The Delhi High Court on Tuesday issued notice on a petition filed by IP Academic Prof. Shamnad Basheer alleging a violation of the fundamental right to privacy as guaranteed under Article 21 of the Constitution and as affirmed in Justice KS Puttaswamy v Union of India due to Aadhaar data breaches.

The notice was issued by a Bench comprising Justice Ravindra Bhat and Justice Anu Malhotra, directing the Respondents—Unique Identification Authority of India (UIDAI), Union of India, National Informatics Centre and Ministry of Communications and Information Technology—to file their response within six weeks. The matter will next be heard on 19 November.

The petition had earlier come up before a Bench comprising Justice Sanjiv Khanna and Justice Chandrashekhar on 18 May. The Court had, however, opined that it would wait for the outcome of the petition on Aadhaar pending before the Supreme Court before taking this one up. This was in view of the submissions made by the Counsel for Aadhaar to the effect that the issues raised in the petition are the same as those raised before the Supreme Court. The Court had then posted the matter for 21 August.

Curiously, during the hearing on Tuesday, UIDAI and its counsel sought deletion of Respondent no. 2, i.e. the Union of India through its Cabinet Secretary as a party to the suit. The petitioner then requested more time for deliberation, owing to which the Court decided to take up the request on the next date of hearing.

The petition was filed as part of the latest IDIA initiative on promoting public interest lawyering (PPIL), an initiative meant to raise public interest causes, and in the process, train IDIA scholars and volunteers through clinical legal education.

While Prof. Basheer was represented pro-bono by leading criminal lawyer Siddharth Aggarwal, assisted by Rupali Samuel, the IDIA team working on the petition was initially led by their P-PIL fellow, Balu Nair, and is now being headed by Eshwar Ramachandran.

No Challenge to Aadhaar Act’s Constitutional validity

Addressing all Aadhaar card holders as Aadhaaris, Mr. Basheer’s petition traces the journey of how Aadhaar was conceptualized as a voluntary scheme but gradually morphed into a near compulsory mandate, with forced linkages to a slew of essential services, including banking services, filing of tax returns and cell phone subscriptions. It then asserts that with Aadhaar being all-pervasive, the contemporaneous privacy concerns have also risen.

The petition, however, clarifies that it does not intend to challenge the constitutional validity of the Aadhaar Act, but only seeks to "establish that the Respondents continue to compromise the security of Aadhaar data through their negligent acts/omissions and consequently violate the fundamental privacy rights of the Petitioner and that of the public at large".

It therefore essentially makes a direct claim to damages using common law theories, while also challenging the constitutional validity of section 43A of the IT Act, taking objection to the adjudication of legal disputes by a single government officer.

Fear of Aadhaar data being misused for personal gain

In his petition, Prof. Basheer recalls how he obtained an Aadhaar card back in 2015 believing the project to be safe, secure and consent based. Soon after, he also linked his bank account with Aadhaar for fear of his account being deactivated.

However, around the beginning of this year, he was devastated to learn through news reports that the confidentiality of Aadhaar data had been compromised, not once but several times over. For instance, he cites a news report by Tribune wherein Tribune claimed to have “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.

Listing down various other illustrative examples demonstrating such breach of Aadhaar data, he now submits, "He was particularly distressed to note that most of these breaches pertained to personal identity data maintained with the Central Identities Data Repository, a centralized database containing all information collected from Aadhaar applicants by Respondent No.1 and its various affiliates/partners, including sensitive personal information such as biometric data.

The Petitioner fears that his valuable data (as also that of countless other Aadhaaris) is in the illegal possession of unauthorized third parties, who can, at any time, misuse it for their own personal gain. This fear is not just a theoretical one, but one which has played out in the past."

Violation of statutory provisions

The petition attributes the security breaches to "negligence/willful recklessness" on the part of the UIDAI due to the absence of reasonable security measures. It then asserts that UIDAI's conduct violates the Aadhaar Act and associated regulations, as well as the Information Technology Act, 2000 and associated rules. UIDAI's conduct, it argues, violates the Petitioner's fundamental right to privacy and is actionable and compensable as a common law tort.

For instance, the Petition relies on Section 28 of the Aadhaar Act, which places a specific duty on the UIDAI to ensure the security and confidentiality of all identity information held by it, either directly or through its various partners/affiliates. In particular, the UIDAI is obligated to “take all necessary measures” to ensure that the information in its possession or control is secured and protected against any unauthorized access, use or disclosure.

It then alleges violation of this provision, submitting, "It is evident that this duty under Section 28 of the Aadhaar Act has been breached by the reckless and grossly negligent actions/omissions of Respondent Nos. 1 [UIDAI] and 2 [Union of India] and their officers in unleashing a very vulnerable privacy architecture that gave direct access to the CIDR database to so-called “grievance redressal” personnel to effectuate changes as they pleased, and permitted such access controls to be multiplied manifold and disseminated widely."

The Petition further blames UIDAI for its failure to systematically audit and track breaches, and deploy a fraud analytics system. It in fact argues that the UIDAI and the Centre are liable to compensate the aggrieved Aadhaaris for security breaches under Section 43A of the IT Act, "for its negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal information and data, thereby causing wrongful loss or wrongful gain to individuals."

Deletion of all existing Aadhaar numbers

In the light of such submissions, the Petition prays for a direction to the authorities for immediately complying with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This includes the demand for publication of a privacy policy, and laying down of an information security policy for itself and its core operations.

The petitioner also seeks information on the number of data breaches which have taken place since the inception of the Unique Identification Authority of India (UIDAI) and the Aadhaar scheme. He further demands to know the scope of such breach, and the manner in which his data has specifically been compromised.

To this end, the petition advocates for appointment of an independent investigative/audit committee comprising multiple stakeholders and experts to investigate all Aadhaar security breaches as well as the robustness of the existing systems.

As for the damage already done, Prof. Basheer not only requests action against the UIDAI and other government agencies such as National Informatics Centre (NIC) for their failure to adhere to security practices, but also seeks exemplary damages as well as the liberty to opt out of the Aadhaar system. He highlights the damage that such a data leak can cause to him specifically, submitting,

"Being a Muslim and a member of a minority community, the threat of potential harms to the Petitioner are even more accentuated. For one, given that in today’s post truth world, almost all Muslims are seen as terrorists and interrogated as such at various international airports and the like, the risk of harms from a data breach and consequent identity theft or the tampering with personal data is significantly more magnified. Secondly, given the present political climate in the country for minorities and the growing patriotic fervor of those committed to purging the country of its plural ethos, the Petitioner fears that unrestrained access to his data could have potentially fatal implications."

In the alternative, a Writ of Mandamus is sought directing the Centre to permanently delete all existing Aadhaar numbers. Besides, he recommends the appointment of a neutral ombudsman/verification authority for addressing all concerns and complaints at the first level, which may arise in the future in relation to violations of the Aadhaar Act and the IT Act, as well as any data breaches.