The rise of digital identity systems in India has transformed the way citizens access services, verify their identity, and interact with government institutions. At the heart of this digital transformation is Aadhaar, India’s ambitious biometric-based identification program governed by the Unique Identification Authority of India (UIDAI). While Aadhaar has played a pivotal role in streamlining welfare delivery, curbing duplication, and expanding access, it has also sparked intense debates around privacy, consent, and data security. As concerns grow over the misuse of personal information and the lack of adequate legal safeguards, the question becomes more pressing than ever—should UIDAI be held accountable for data breaches and consent violations?
UIDAI, a statutory authority established under the Aadhaar Act, 2016, is responsible for the issuance and management of Aadhaar numbers and the data collected in the process. This data includes biometric information such as fingerprints and iris scans, as well as demographic data like name, date of birth, and address. In a country of over 1.4 billion people, the scale of this data collection is unprecedented. Yet, the legal framework surrounding this sensitive data remains weak and fragmented. Critics argue that although Aadhaar is positioned as a voluntary identity system, in practice, it has become a mandatory requirement for accessing a wide range of services, from banking and mobile connections to government subsidies and even school admissions. This de facto compulsion undermines the foundational principle of consent.
The core issue lies in the nature of consent and whether it is truly informed, voluntary, and revocable in the context of Aadhaar. Informed consent requires that individuals understand what data is being collected, how it will be used, who it will be shared with, and what risks are involved. In the case of UIDAI, users often have little clarity or control over these aspects. The system does not provide adequate mechanisms for individuals to opt out or to demand deletion of their data. Moreover, instances of data leaks and unauthorized access have further fueled skepticism. Reports of Aadhaar data being sold online or accessed without proper authorization have surfaced multiple times, despite official denials or downplaying by the authorities.
Legal experts and privacy advocates have highlighted the urgent need for a robust data protection law that clearly defines the responsibilities of data fiduciaries like UIDAI. While the Supreme Court’s 2017 judgment in the Justice K.S. Puttaswamy vs. Union of India case declared privacy as a fundamental right under Article 21 of the Indian Constitution, it did not resolve all concerns regarding Aadhaar’s compliance with privacy norms. Although the Court allowed the use of Aadhaar for certain welfare schemes, it struck down its mandatory linkage with services like mobile numbers and bank accounts. However, implementation of these directions has been inconsistent, and the boundaries of UIDAI’s accountability remain blurred.
Furthermore, the proposed Digital Personal Data Protection Act, 2023, while a step forward, has been criticized for its exemptions that allow government agencies significant leeway. The Act fails to place strong obligations on state bodies like UIDAI and contains vague definitions of consent, leaving individuals with little recourse in case of violations. Without stringent legal consequences, UIDAI may continue to operate with limited transparency and accountability, compromising citizen rights in the name of efficiency.
The situation demands a reimagining of how digital identity systems function in a democracy. Holding UIDAI accountable is not about undermining the utility of Aadhaar but about ensuring that such a powerful tool is governed by principles of legality, transparency, and respect for human rights. Accountability should include independent audits, public grievance mechanisms, penalties for breaches, and a clear regulatory framework that empowers citizens rather than rendering them powerless data subjects.
In conclusion, as India continues to embrace digital governance, the protection of individual autonomy must not be sacrificed. UIDAI, as the custodian of one of the world’s largest biometric databases, must be held to the highest standards of accountability. The right to privacy is not a privilege granted by the state—it is a constitutional right. Upholding this right in the digital age requires that institutions like UIDAI be legally and morally responsible for the data they collect, store, and use. Only then can a truly inclusive, secure, and rights-respecting digital identity framework be realized.
