Indian government committee proposes draft Data Protection Act and recommends changes to Aadhaar

The Srikrishna Committee has issued a draft proposal for India’s Data Protection Act, along with a report outlining its recommendations for the Act and a recommended change to the Aadhaar Act, which would exclude private entities from using Aadhaar-based online authentications, The Indian Express reports.

In addition to its proposals for a new Indian data protection law, the report says that Section 8 of the Aadhaar Act should be changed to allow online authentication using Aadhaar only by public authorities performing public functions. There are currently 299 Authentication User Agencies (AUAs) providing digital authentication using Aadhaar to businesses, and most of them are private entities, according to the Express.

If the recommendation is carried out, then “requesting entities” which are entitled to submit requests to the Unique Identification Authority of India (UIDAI) will be defined as only those which are carrying out the business of the government.

As reported by the Business Standard the report comes while the country awaits a decision about the legality of certain sections of the Aadhaar Act, as well the Act as a whole, by India’s Supreme Court. It proposes a new offline system of identification, but without details about how the system will work or what it will be used for.

“The Aadhaar Act needs to be amended significantly to bolster privacy protections and ensure autonomy of the UIDAI,” the report says, according to the Standard. “Since the context of the Committee’s functioning has been shaped by a vigorous public debate about Aadhaar and its impact on data protection, the Committee would be remiss if it did not deal with this issue.”

The Standard reports skepticism that Aadhaar is really necessary for any state function, and says that Aadhaar does not meet the criteria the Data Protection Act would set for legally processing personal data, that its purposes must be clear and specific.

As debate about proper data protection and privacy ramps up in India, Telecom Regulatory Authority of India Chairman Ram Sewak Sharma Tweeted his Aadhaar number along with an open challenge to prove that its public exposure could cause him any harm.

My Aadhaar number is 7621 7768 2740
Now I give this challenge to you: Show me one concrete example where you can do any harm to me!

— RS Sharma (@rssharma3) July 28, 2018

Firstpost reports that Twitter users answered by Tweeting what is alleged to be his personal phone number, and have also claimed to have found his Gmail account, bank account number and other personal details. Other claimed to have used his Aadhaar number to create accounts with Facebook and Amazon Cloud Services, and register a mobile phone number associated with his Aadhaar.

The UIDAI issued a statement blasting the Twitter users for attempting to “malign the world’s largest unique identity project,” and saying all of the information discovered by them was already publicly available.

The biometric aspect of Aadhaar should protect Indians from many potential harms, but the economics of fingerprint forgery can work for corrupt AUAs who are willing to sell pre-activated SIM cards on the black market, The Wire reports.

Article Topics

authentication  |  biometrics  |  data protection  |  India  |  privacy  |  UIDAI