Aadhaar verdict: Can you sue UIDAI and its licensed entities for offence?

Legal experts say an amendment is required to empower citizens to file criminal complaints

In its verdict on Wednesday, the Supreme Court (SC) scrapped Section 47 of the Aadhaar Act which means that individual Aadhaar cardholders or citizens can file criminal complaints against the Unique Identification Authority of India (UIDAI) and its licensed entities, if a suitable amendment is brought by the Government and Parliament, say legal experts.

Section 47 of the Aadhaar Act stated that only the Unique Identification Authority of India (UIDAI), or a person or officer authorized by it, could register and file criminal complaints against individuals or companies for offences under Aadhaar Act. 

"This was a contentious part as people were worried as to how they could get legal recourse for breaches of Aadhaar security, especially when UIDAI was unwilling to accept that data breaches are a reality. You can look at the Airtel Payments Bank scam where bank accounts were created for people without their knowledge. So this was a subversion of the principle of natural justice," says Raghu Godavar, member of advocacy group, RethinkAadhaar.

In its order, the SC held, "There could be several circumstances where UIDAI itself or some third-party is guilty of having committed offences under the Act. By restricting the initiation of the criminal process, the Aadhaar Act renders the penal machinery ineffective and sterile."

"Now that Section 47 is struck down, any person who is aggrieved can file a criminal complaint and set the legal machinery in motion. Under the earlier situation, only the authority could decide who to prosecute. The law now empowers citizens to seek punishment of those who violate their right to privacy by misusing their data," says Ajay Kumar, Associate at MZM Legal.

Petitioners to the case had argued that since the personal and biometric information collected and stored by the UIDAI in the Central Identities Data Repository (CIDR) is the property of the individual, this clause in the Act violated the individuals’ right to judicial intervention.

There are various offences listed in the Act under which the UIDAI could file criminal complaints and take cognizable action against individuals and companies. These include unauthorized access to the CIDR, impersonation of an Aadhaar holder, unlawful or non-consensual disclosure and transmission of Aadhaar details, mis-use of information in the CIDR, theft of identity information, amongst others.

Further, Section 43 also makes liable any companies and their management for offences committed under the Aadhaar Act. Which means companies can be taken to court if individuals or a group of individuals find that there are clear violations of their personal or biometric data by employees or the company itself.

"If a complaint is made against a company, then the person at the company who is responsible for that matter will be prosecuted along with the company itself. A lot of these prosecutions end up becoming slow because law enforcement and prosecutors lack the necessary training to prosecute these complicated offences, we will need to upgrade the law enforcement agencies to investigate offences under Aadhaar Act," Kumar said.

Just this week, the Aadhaar details of over 8.9 million MNREGA beneficiaries were made public on a website-portal run by the Andhra Government. In another report, the Commisionerate of College Education in Andhra Pradesh leaked the personal details and Aadhaar numbers of over 64,000 past and present students, including their caste details.

"All those people whose sensitive information has been leaked by state agencies or companies that have a license from the UIDAI to access the Aadhaar database can file suits, collectively or individually. Now that the Supreme Court has stuck down s.47, they can also file criminal complaints today under the Aadhaar Act as well as Information and Technology Act. Thereafter, if the case is not properly investigated or prosecuted, they can approach the High-courts or Supreme Court with a writ petition to constitute a Special Investigation Team with a court-appointed public prosecutor," says Murali Neelakantan, senior lawyer.   

There have been reports of countless instances of leaked Aadhaar data or frauds by entities with access to the CIDR since 2012. Activists have raised doubts as to the UIDAI’s ability to monitor and check the misuse by entities of people's Aadhaar details. 

According to parliamentary answers, the UIDAI have black-listed around 50,000 KuAs or AuAs that had access to the CIDR as of December 2017. 

Business Standard has sent queries to the UIDAI abnd its chief executive officer with regards to details of how many criminal complaints have been registered by the authority against these blacklisted entities. Their responses will be included in this story as soon as they are received.

While many hail the SC’s decision as a move in the right direction, legal experts say that individuals are at the moment restricted from filing First-Information-Reports (FIRs) with the police against the UIDAI or entities licensed by UIDAI to access the CIDR.

"The SC order says that there needs to be a ‘suitable amendment to include the provision for filing of such a complaint by an individual/victim as well whose right is violated.’ This means that the parliament needs to bring out a law which says that individuals have the right to file a complaint," said a spokesperson from the Software Freedom Law Centre, based in New Delhi.