The Supreme Court, while upholding the constitutional validity of the Aadhaar Act, has struck down Section 57, a provision that allows private entities to seek Aadhaar authentication. The verdict is, however, silent on what happens to the Aadhaar details already collected by private entities such as banks, digital payment services and telecom service provides.
Justice A K Sikri, in his judgment, held Section 57 to be unconstitutional as it is not backed by law and it can be used for establishing the identity of an individual ‘for any purpose’. This effectively allows the Parliament to introduce a law allowing private entities to use Aadhaar data. However, Sikri said whenever any such “law” is made, it would be subject to judicial scrutiny.
Sikri also said that the provision enables “commercial exploitation of an individual biometric and demographic information” by the private entities and it would impinge on their right to privacy.
In respect to linking of Aadhaar with bank accounts, Sikri said: “We hold that the provision (Section 57) in the present form does not meet the test of proportionality and, therefore, violates the right to privacy of a person which extends to banking details.”
On the validity of circulars issued by the Department of Telecommunications mandating linking of mobile number with Aadhaar, Sikri said it is illegal and unconstitutional as it is not backed by any law and is hereby quashed”.
While the majority judgment doesn’t elaborate on Aadhaar data currently held by private entities, it did stipulate that authentication records, in this case held by government service providers, are not to be kept beyond a period of six months and that holding metadata of the transactions is impermissible. “We have also impressed upon the respondents to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate,” Sikri said.
Justice D Y Chandrachud, in his dissenting judgment, said Aadhaar details collected by Telecom Service Providers shall be deleted forthwith. “All TSPs shall be directed by the Union government and by TRAI to forthwith delete the biometric data and Aadhaar details of all subscribers within two weeks. The above data and Aadhaar details shall not be used or purveyed by any TSP or any other person or agency on their behalf for any purpose whatsoever,” he said.
There is, however, no mention of Aadhaar details held by private banking institutions.