JOIN USAmend Aadhaar, RTI Acts, says Srikrishna panel
The Justice B N Srikrishna Committee has proposed amendments to Aadhaar Act and RTI Act to bolster protection of personal data, which include providing the Unique Identification Authority of India (UIDIA) powers to take enforcement action against errant companies leaking the Aadhaar number.
While experts committee wants the government to amend the Aadhaar Act "significantly" to bolster privacy protections and ensure the autonomy of the UIDAI, it also wants changes in the RTI Act to ensure that personal information should not be divulged if the harm caused to the person due to such a disclosure outweighs public interest.
The committee has identified a list of 50 statutes and regulation, including Income Tax Act, GST Act and FCRA Act, that have a potential overlap with the data protection framework.
Referring to "several instances" of a breach in the recent past, the panel said the Aadhaar Act is silent on the powers of the UIDAI to take action against companies who illegally insist on Aadhaar numbers, use it for unauthorised purposes and leakage of data.
"Amendments are thus necessary to the Aadhaar Act for bolstering privacy protections for residents as well as reconceptualising the UIDAI into a regulatory role that can ensure consumer protection and enforcement action against violations with appeals to an appropriate judicial forum," the report said.
It said the UIDAI must be autonomous in its decision-making, functioning independently of the user agencies in the government and outside it, that make use of Aadhaar and it must be equipped with powers akin to a traditional regulator for enforcement actions.
"Powers should be given to the Authority to impose civil penalties on various entities (including requesting entities, registrars, and authentication agencies) that are errant or non-compliant. In cases involving statutory violations or non-compliance, or an actual or impending privacy breach, the UIDAI will be tasked with the power to issue directions, as well as cease and desist orders to state and private contractors, and other entities discharging functions under the Aadhaar Act," it said.
Referring to the recently-introduced virtual ID feature and offline verification, it said these measures have "significant potential" to ensure both "collection limitation and data minimisation" but emphasised that it was "unclear as to how they are to be effectively implemented" in the absence of statutory backing.
On the RTI Act, it said the RTI Act does not give an elaborate definition of what constitutes an unwarranted invasion of privacy. "This problem may be exacerbated by the enactment of a data protection law which gives a broad definition of personal data," the report said.
"The RTI Act must specifically spell out the circumstances in which disclosure of such personal information would be a proportionate restriction on privacy having regard to the object of the RTI Act in promoting transparency and accountability in public administration," it said adding the question arises as to what are the exceptional circumstances in which personal data can be denied to a citizen.