Is Aadhaar a breach of privacy?

Aadhaar protects privacy by design. It uses the best possible technology relating to data protection


Since its inception, Aadhaar has been criticised as a project which violates privacy. India does not have a law on privacy. In fact, then chairman of UIDAI, Nandan Nilekani, wrote to the Prime Minister as early as in May 2010 suggesting that there was a need to have a data protection and privacy law.

In a digital world, search and aggregation of data have become relatively easy. Aadhaar was designed as a digital identity platform which is inclusive, unique and can be authenticated to participate in any digital transaction. This has transformed the service delivery in our country, conveniencing residents and reducing leakages. Direct benefit transfer, subscription to various services and authentication at the point of service delivery are some of the benefits which have accrued.

In-built privacy

Aadhaar followed the principle of incorporating privacy by design, a concept which states that IT projects should be designed with privacy in mind. Collection of biometrics has often been quoted as one of the means of violating privacy. Biometrics are essential to ensure uniqueness, a key requirement for this project. Additionally, these biometrics can be used for authentication for financial transactions, getting mobile SIMs and various other services using electronic KYC (e-KYC).

Another principle of privacy by design states that you should collect only minimal data. As UIDAI was creating identity infrastructure, it was decided that only a minimal set of data, just sufficient to establish identity, should be collected from residents. This irreducible set contained only four elements: name, gender, age and communication address of the resident.

Another design principle was to issue random numbers with no intelligence. This ensures that no profiling can be done as the number does not disclose anything about the person. The Aadhaar Act has clear restrictions on data sharing. No data download is permitted, search is not allowed and the only response which UIDAI gives to an authentication request is ‘yes’ or ‘no’. No personal information is divulged.

When a biometric-based authentication takes place, it is the individual who must participate in the process by submitting his or her biometrics, typically at the service delivery point to prove his identity. Typical examples are at the time of lifting ration from a PDS shop, opening a bank account to provide eKYC to the bank or submission of Digital Life Certificates by pensioners. The basic purpose of authentication is to facilitate residents in getting service in a digital, paperless and convenient way. As no information is divulged to any agency without the consent of the concerned individual, it cannot be construed to violate any privacy.

Purpose of authentication

Besides the minimal data which UIDAI has about a person, it does not keep any data except the logs of authentication. It does not know the purpose of authentication. The transaction details remain with the concerned agency and not with UIDAI. This is the best model of keeping data where each data-owner has the responsibility of data confidentiality and security.

Aadhaar authentication and e-KYC ensures that documents cannot be misused. Physical papers are amenable to misuse. We know of situations where multiple SIMs are issued based on some document, and the real owner is not even aware. On the other hand, e-KYC ensures that the document cannot be used for any other transaction. UIDAI has also built a facility wherein one can ‘lock’ the Aadhaar number and disable it from any type of authentication for a period of one’s choice, guarding against any potential misuse.


[Copyright By R.S. Sharma]