Deleting Aadhaar data stored with private firms a Herculean task: Experts

With a lack of data-protection law in India, there is no entity to audit whether or not private companies are actually deleting personal data of customers

Alnoor Peermohamed, Debasis Mohapatra | Bengaluru
Last Updated : Sep 27 2018 | 8:14 AM IST
Private entities might now have to delete Aadhaar data they have collected, but ensuring they actually do so is going to be an uphill task, experts claim.

With a lack of data protection laws in India, there is no entity to audit whether or not private companies are actually deleting personal data of customers.

Senior Supreme Court lawyer Pavan Duggal said it was going to open "a Pandora's box".

“Even as we speak, much of the data could have already been migrated to other territories. So, who will conduct the audit to see the whole data is deleted within the time frame stipulated by the SC?” he asked.

Telecom companies such as Reliance Jio exclusively signed up users through the e-Know Your Customer process. Other telecom companies also pushed customers to link their Aadhaar numbers in order to continue to use their service, before the SC, in an interim verdict, said any such data collection should be put on hold.

Cyber experts said getting private firms to delete this data will certainly remove any chance of it being misused. They, however, added that with the lack of any data localisation or data privacy laws in India, there's no way to ensure this.
They also said the government and the regulators would face challenges in ascertaining that the SC’s judgment was actually followed as none of these firms were incentivised to delete this data.

“We have seen instances of data breaches in the recent past. There were also reports suggesting data was easily available in the black market for a price,” Duggal said.

The SC also said that if Aadhaar data was collected for authentication, it could not be stored for more than six months. Earlier, it could be stored for five years.
Experts said even this period was not necessary. Once authenticated, these entities had no need for this data.

“These entities don’t even require six months to delete the data that they have collected and stored. The only issue is that there needs to be some due diligence on the part of the data regulator to ensure these entities delete it,” said A P Hota, former chairman of the National Payments Commission of India.