Mansi Thapliyal / Reuters An operator works on his table while enrolling villagers for the Unique Identification (UID) database system at an enrolment centre at Merta district in the desert Indian state of Rajasthan February 21, 2013.

A year after the Supreme Court of India’s landmark judgement in the Aadhaar case, Indians are still waiting for a data protection law. Even though the Supreme Court urged the government to bring out a data protection law in both the Aadhaar case and the Puttaswamy judgement (which established privacy as a fundamental right), a data protection bill is yet to be introduced in the Parliament. The government’s inaction is even more glaring when one considers that they already have a draft bill that has undergone a public consultation. The government must act to fulfill the promise of real privacy made to Indians by both the Constitution and the Indian Supreme Court. The Aadhaar judgement specifically recognised that: “the dangers to privacy in an age of information can originate not only from the State but from non-State actors.”

Despite the Supreme Court outlawing the private sector’s use of the Aadhaar, the Aadhaar Act was amended in July 2019 to allow the private sector to voluntarily use the Aadhaar in certain instances. Without a data protection law, the egregious exploitation of citizen data is likely to continue unabated, with no real effective recourse or remedy for these abuses. In blocking companies from using the Aadhaar, the Supreme Court argued that there was a lack of controls to prevent abuse of Aadhaar data by third parties, a lack of consent for such data processing, and a lack of proportionality with the original intent of the Aadhaar Act. Despite the passing of amendments in July 2019, all of these concerns continue to be present. What’s more, while new functionality to allow offline Aadhaar authentication has reduced risks of people being denied services, it has also increased the risks of additional privacy violations. Imagine if you were to use a scanned copy of your Aadhaar card to buy a house and the builder’s website were to suffer from a data leak. It would be quite easy for your scanned Aadhaar card to be available to anyone on the Internet. This isn’t a speculative risk; just last week, Aadhaar cards and other national IDs were reportedly freely accessible on the website of a regulatory authority in Gujarat.

Not only does this highlight the insecurity of the websites that store Aadhaar numbers, but potentially thousands of Gujaratis now have limited hope for remedy for this violation of their privacy. Positive steps, however, have been taken to improve the safety of the program in the past year. The introduction of masked cards has helped reduce risks associated with leaks of images or scans of cards. Virtual IDs have allowed users to generate revocable versions of their number for both offline and online use. This allows them to revoke the number in case they have been a victim of an unauthorised use or leak. These are useful and important steps that appropriately respond to the sensitivity of Aadhaar information. However, there are many other services that process sensitive data but are yet to take similar action to protect user privacy. A strong data protection law could and would require them to do so. With a strong data protection law in place, people whose privacy had been violated could turn to a strong, independent, and empowered government regulator. A Data Protection Authority (DPA), as the draft data protection bill calls it, would have the power to investigate and prosecute privacy violations.