Retaining authentication data of citizens who have enrolled for Aadhaar beyond six months was "impermissible", the Supreme Court held Wednesday while asking the Centre to bring in a robust data protection regime.
The apex court, which declared the Centre's flagship Aadhaar scheme as constitutionally valid but struck down some of its contentious provisions, allayed the apprehensions about misuse of data and said that "ample safeguards" for security and data privacy in the mechanism were in place.
A five-judge Constitution bench headed by Chief Justice Dipak Misra, with a majority of 4:1, noted that collection of data, its storage and use does not violate fundamental Right of Privacy and the Aadhaar Act and regulations provided for protection and safety of data received from individuals.
Justice A K Sikri, writing the verdict for the CJI, himself and Justice A M Khanwilkar, held that provision which permits data and records to be archived for a period of five years was "bad in law" and regulation on meta base relating to transaction was "impermissible" in the present form, requiring suitable amendment.
Meta data or meta base is a set of data that describes and gives information about other data.
"Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law," Justice Sikri said.
Justice Ashok Bhushan, who penned a separate judgement concurring with Justice Sikri, said that challenge to the regulations relating to collection, storage, use, retention and sharing of data "fails" and it was held that they do not violate constitutional Right of Privacy.
Justice Bhushan noted that after the Constitution bench had reserved its verdict on a batch of pleas challenging the constitutional validity of Aadhaar scheme and its enabling 2016 law, Justice B N Srikrishna committee has submitted its report containing a draft Personal Data Protection Bill, 2018 in July 2018.
"The report having been submitted, we hope that law pertaining to personal data protection shall be in place very soon taking care of several apprehensions expressed by petitioners," he said, adding that the "Aadhaar Act does not create an architecture for pervasive surveillance".
Similarly, Justice Sikri said, "We have also impressed upon the respondents (Centre, UIDAI and others), to bring out a robust data protection regime in the form of an enactment on the basis of Justice B N Srikrishna (retd) committee report with necessary modifications thereto as may be deemed appropriate."
The apex court also noted that authentication transaction data was stored in Central Identities Data Repository (CIDR) in encrypted form and as per the provision, anyone trying to unlawfully gain access into this system was liable to be punished with 10 years jail and fine.
However, Justice D Y Chandrachud, who wrote the lone dissenting judgement, said loss of data was "irretrievable" and in a digital society, an individual has right to protect himself by maintaining control over personal information.
"To enable the government to initiate steps for ensuring conformity with this judgment, it is directed under Article 142 (enforcement of decrees and orders of the Supreme Court) that the existing data which has been collected shall not be destroyed for a period of one year," he said.
"During this period, the data shall not be used for any purpose whatsoever. At the end of one year, if no fresh legislation has been enacted by the union government in conformity with the principles which have been enunciated in this judgment, the data shall be destroyed," Justice Chandrachud said.
He said that in order to uphold democratic values of the Constitution, the government needs to address these concerns as it would provide strong foundation for digital initiatives which were imminent in today's digital age.
"Additionally, the retention period must be justified and individuals must be given the right to access, correct and delete their data at any point in time, a procedure familiar to an opt-out option," Justice Chandrachud said.