Context: The government is considering amendments to the Aadhaar Act to align it with the Digital Personal Data Protection (DPDP) Act, 2023.
Relevance of the Topic:Prelims: Digital Personal Data Protection (DPDP) Act, 2023.
Why is a new law Needed?
- Original Aadhaar Act (2016): It was enacted in a pre-horizontal-privacy regime, so it focused on identity authentication and welfare delivery and lacked a comprehensive data protection framework.
- Horizontal Privacy Law: The DPDP Act, 2023 introduces uniform privacy standards across all sectors, public & private. It provides penalties for data breaches, consent-based data processing, and data fiduciary responsibilities.
Implications of revised Aadhaar Law
- Alignment with DPDP Principles:
- It will ensure consent-based usage of Aadhaar data by incorporating data minimisation, purpose limitation, and storage limitation norms. E.g., As per the Aadhaar Act consent is required for enrollment and authentication. But in practice, Aadhaar is often mandatorily demanded for services like bank accounts, school admissions or SIM cards, even when it is supposed to be optional.
- Under the DPDP Act, consent must be free, specific, informed and unambiguous. So, if agencies force people to use Aadhaar for identification, it can be violative of the DPDP Act’s consent framework, thus increasing individual control over data.
- Enhance User Rights: Right to access, correct, and erase Aadhaar-related data and Grievance Redressal Mechanisms shall be further aligned with the DPDP Act.
- Enhance User-Centricity: The revised law will make life easier for citizens by focusing on reducing repeated consent/authentication hassles and prioritising user convenience and control.
- Security & Accountability: It has clear provisions for data fiduciaries, especially in the Aadhaar ecosystem (e.g., banks, telecom, welfare agencies) and stronger mechanisms to prevent data leaks or misuse.
- Data Minimisation: DPDP Act emphasises collecting only necessary data. However, Aadhaar collects sensitive biometric data by default, which might not always be necessary for the service being provided.
- Resolve conflict between Aadhar Act and DPDP Act: Under the Aadhaar Act, data collected can only be used for authentication and for purposes notified by the government. However, under the DPDP Act, personal data should only be used for the specific purpose for which consent was given. Thus, a conflict arises with the DPDP Act, if Aadhaar data is reused for other purposes like profiling or surveillance without fresh consent.
- Right to Erasure: Conflict between the two also arises with regard to the right to erasure and correction. The DPDP Act gives people the right to correct or erase their data. The Aadhaar Act, on the other hand, allows for limited correction, like updating address or phone number, but not deletion of core biometric data. So, Aadhaar does not support full data erasure, which clashes with DPDP rights.
Thus, the proposed revision will remove the conflicts between the two laws and further harmonise them.