Aadhaar Judgement..3.. Data retention limit of 6 months..

This is in continuation of the earlier articles on this topic

The First Issue answered by the first part of the majority judgement(signed by the three judges Dipak Mishra, A.K.Sikri and A W Khanwilkar here after referred to as the first part) was

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?
Incidental Issues:
(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

The answer to the above question provided by the judges took note that Aadhaar architecture does not tend to create a surveillance state. It also concluded that there were sufficient authentication security measures taken by UIDAI and adequate oversight. It recorded that use of Registered Devices prevented the risk of store and replay attack. It noted that the Authority does not get the transaction details of an authentication request or the IP address or GPS location of the authentication request.

Taking into account the above, the three judges held

After discussing the aforesaid aspect with reference to certain provisions of the Aadhaar Act, we are of the view that apprehensions of the petitioners stand assuaged with the striking down or reading down or clarification of some of the provisions, namely:

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.
(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.
(iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.
(iv) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.
(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.
(vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

In expressing the above views, the Court actually descended to the level of drafting internal security guidelines for UIDAI. We cannot expect the Court to be an Information Security expert and hence some of these suggestions could have been avoided. In comparison the drafting of the Ashok Bhushan judgement was better as it avoided going into the details of how UIDAI has to manage the security.

Now coming to the exact recommendations in this Answer 1,

the first prescription is

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.

By making this observation, the Court has limited the data retention period of the authentication record to 6 months unmindful of the actual requirement which may be dependent on the circumstances.

The Authentication guidelines indicated data retention under two regulations. First was under regulation 18 (1) about the maintenance of logs by requesting party. Second was regulation 27(1) .

This regulation under 27(1) stated:

(1) Authentication transaction data shall be retained by the Authority for a period of 6 months, and thereafter archived for a period of five years.
(2) Upon expiry of the period of five years specified in sub-regulation (1), the Authentication transaction data shall be deleted except when such authentication transaction data are required to be maintained by a court or in connection with any pending dispute.

The judgement has suggested that the 27(1) is modified to remove the words “and thereafter archived for a period of five years”.

Simultaneously 27(2) may need to be amended to say “Upon expiry of six months…”

The similar provision under regulation 18 (1) which is applicable to the user agencies is not touched by this answer.

The current judgement has not invalidated the possibility of  a law that requires the data to be retained beyond 6 months. One such law which is in existence is the “Evidence Law”. When a certain transaction data is required as  “Evidence” because a potential crime has come to the knowledge of the person holding the data, he has to preserve it until it is required. Otherwise it will be an offence under IPC (Section 204)  and ITA 20008 (Sec 65).

Even the PDPA 2018 can clarify this aspect.

If within 6 months no specific complaint arises, the data may be destroyed.

However, since it is the law of limitation which says that there is a time limit of 3 years for any civil action, the action of the Supreme Court to get the potential evidence forcefully removed after 6 months is snatching a legal right available to the citizens.

I would therefore consider it necessary for the Supreme Court to increase this data retention limit from 6 months to 3 years.

Alternatively, the PDPA 2018 must state that

” System log records and other data which are relevant for the protection of the Privacy of a person shall be retained for a period as required under the law of limitation for a minimum period of 3 years and as otherwise may be required if the data is considered as a potential “Evidence” for a cognizable offence of which the data fiduciary is aware of.”

….To Be continued

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.


 

This entry was posted in Cyber Law. Bookmark the permalink.

2 Responses to Aadhaar Judgement..3.. Data retention limit of 6 months..

  1. Pingback: Aadhaar Judgement…4… Making the life of law enforcement difficult… | Naavi.org

  2. Pingback: Recent Developments in PrivacyProtection in India – Privacy Knowledge Center

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.