Retaining authentication data of citizens who have enrolled for Aadhaar beyond six months was "impermissible", the Supreme Court held Wednesday while asking the Centre to bring in a robust data protection regime.
The apex court, which declared the Centre's flagship Aadhaar scheme as constitutionally valid but struck down some of its contentious provisions, allayed the apprehensions about misuse of data and said that "ample safeguards" for security and data privacy in the mechanism were in place.
A five-judge Constitution bench headed by Chief Justice Dipak Misra, with a majority of 4:1, noted that collection of data, its storage and use does not violate fundamental Right of Privacy and the Aadhaar Act and regulations provided for protection and safety of data received from individuals.
Justice A K Sikri, writing the verdict for the CJI, himself and Justice A M Khanwilkar, held that provision which permits data and records to be archived for a period of five years was "bad in law" and regulation on meta base relating to transaction was "impermissible" in the present form, requiring suitable amendment.
Meta data or meta base is a set of data that describes and gives information about other data.
"Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law," Justice Sikri said.
Justice Ashok Bhushan, who penned a separate judgement concurring with Justice Sikri, said that challenge to the regulations relating to collection, storage, use, retention and sharing of data "fails" and it was held that they do not violate constitutional Right of Privacy.
More From This Section
Justice Bhushan noted that after the Constitution bench had reserved its verdict on a batch of pleas challenging the constitutional validity of Aadhaar scheme and its enabling 2016 law, Justice B N Srikrishna committee has submitted its report containing a draft Personal Data Protection Bill, 2018 in July 2018.
"The report having been submitted, we hope that law pertaining to personal data protection shall be in place very soon taking care of several apprehensions expressed by petitioners," he said, adding that the "Aadhaar Act does not create an architecture for pervasive surveillance".
Similarly, Justice Sikri said, "We have also impressed upon the respondents (Centre, UIDAI and others), to bring out a robust data protection regime in the form of an enactment on the basis of Justice B N Srikrishna (retd) committee report with necessary modifications thereto as may be deemed appropriate."