Site icon Lawful Legal

Surrogate Sovereignty: How India’s Data Protection Law Fails the Aadhaar-Linked Citizen

Author: Palak Chouhan, BBA LL.B, 9th Semester, Renaissance Law Collage

To the Point

India has become one of the most digital countries in the world. Government services, banking, healthcare, education, and welfare schemes increasingly depend on digital identity. At the center of this transformation is Aadhaar, the world’s largest biometric identification system. At the same time, India introduced the Digital Personal Data Protection Act, 2023 (DPDP Act) to protect personal information.

Although the Act promises to safeguard citizens’ data, many experts believe it does not fully protect people whose lives are closely connected to Aadhaar. The Act gives broad powers to the government, allows several exemptions, and provides limited opportunities for citizens to challenge misuse of their personal data. This article explains these concerns in simple language while discussing the constitutional right to privacy recognized by the Supreme Court.

Use of Legal Jargon

The following legal terms are important for understanding the issue:

Data Principal: The individual whose personal data is collected.

Data Fiduciary: A person, company, or government body that collects and processes personal data.

Consent: Free, informed, specific, and clear permission given by an individual before personal data is used.

Biometric Data: Personal information such as fingerprints, iris scans, and facial recognition.

Processing: Any activity involving personal data, including collecting, storing, sharing, or deleting it.

State Exemption: Legal permission allowing government agencies to avoid certain obligations under the law.

Fundamental Right: A basic constitutional right guaranteed to every citizen under the Constitution of India.

Proportionality Test: A constitutional principle requiring that any restriction on fundamental rights must be necessary, reasonable, and proportionate.

 

The Proof

The Digital Personal Data Protection Act, 2023 aims to regulate the collection and use of digital personal data. It provides individuals with rights such as correcting personal information, withdrawing consent, and requesting deletion of data.

However, the law also gives the Central Government authority to exempt government departments from several important obligations if exemptions are considered necessary for reasons like national security, sovereignty, public order, or preventing offences.

This creates an imbalance because citizens may lose many protections when government agencies process their personal data.

Aadhaar collects highly sensitive biometric information including fingerprints and iris scans. Since Aadhaar is linked with banking, taxation, welfare schemes, mobile numbers, and many public services, citizens often have little practical choice but to share their data.

Although the DPDP Act emphasizes consent, many Aadhaar-linked services function on mandatory verification. In such situations, consent may become a legal formality rather than a genuine choice.

Another concern is transparency. Citizens may not always know how their information is being processed, shared, or retained. The law also limits judicial remedies in certain situations and places significant regulatory powers with the executive.

Therefore, while the DPDP Act establishes a legal framework for data protection, questions remain regarding whether it adequately protects citizens against misuse by public authorities.

 

Abstract

Digital governance has transformed public administration in India by making government services faster and more accessible. Aadhaar has become the foundation of this digital ecosystem by providing a unique identity to more than one billion residents. Simultaneously, the Digital Personal Data Protection Act, 2023 seeks to regulate digital personal data and protect individual privacy.

Despite these objectives, concerns continue regarding meaningful consent, broad government exemptions, accountability, transparency, and effective remedies for citizens. These concerns become more significant after the Supreme Court recognized privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India.

This article evaluates whether the DPDP Act sufficiently protects Aadhaar-linked citizens and whether the present legal framework fulfills constitutional requirements relating to privacy and personal liberty.

 

Case Laws

1. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)

Citation: (2017) 10 SCC 1

This landmark judgment declared that the right to privacy is a fundamental right under Article 21 of the Constitution of India.

The Supreme Court held that privacy includes informational privacy, personal autonomy, and protection against arbitrary state interference. Any restriction on privacy must satisfy legality, necessity, and proportionality.

This judgment became the constitutional foundation for India’s data protection framework.

 

2. K.S. Puttaswamy (Aadhaar) v. Union of India (2018)

Citation: (2019) 1 SCC 1

The Supreme Court upheld the constitutional validity of Aadhaar for welfare schemes while placing limits on its mandatory use.

The Court prohibited compulsory Aadhaar linkage with mobile SIM cards and private bank accounts. It emphasized that citizens’ biometric information requires strong legal safeguards.

 

3. People’s Union for Civil Liberties (PUCL) v. Union of India (1997)

Citation: (1997) 1 SCC 301

This case dealt with telephone tapping.

The Supreme Court ruled that surveillance without adequate safeguards violates the right to privacy and personal liberty.

The judgment highlighted the importance of procedural safeguards whenever the State interferes with private communications.

 

4. Maneka Gandhi v. Union of India (1978)

Citation: (1978) 1 SCC 248

The Court held that any law affecting personal liberty must be fair, just, and reasonable.

This decision strengthened Article 21 and later influenced privacy-related judgments, including Puttaswamy.

 

Conclusion

India’s Digital Personal Data Protection Act, 2023 is an important milestone in recognizing the need for data protection in the digital age. It introduces rights for individuals and obligations for organizations handling personal data.

However, the law does not completely resolve concerns arising from Aadhaar’s widespread use. Broad government exemptions, limited independent oversight, and questions about genuine consent create uncertainty regarding the protection of citizens’ privacy.

The Supreme Court has repeatedly stated that privacy is a fundamental right. Therefore, future reforms should ensure stronger accountability, greater transparency, independent regulation, and effective remedies whenever personal data is misused.

A digital economy can succeed only when citizens trust that their personal information is protected equally against misuse by both private organizations and the State.

 

Frequently Asked Questions (FAQ)

1. What is the Digital Personal Data Protection Act, 2023?

It is India’s primary law governing the collection, storage, processing, and protection of digital personal data.

 

2. What is Aadhaar?

Aadhaar is a 12-digit unique identity number issued by the Unique Identification Authority of India (UIDAI) based on biometric and demographic information.

 

3. Why is Aadhaar linked to privacy?

Aadhaar stores sensitive biometric information. Since it is linked to many essential services, concerns arise regarding data security, surveillance, and misuse.

 

4. What did the Puttaswamy judgment decide?

The Supreme Court declared that privacy is a fundamental right protected under Article 21 of the Constitution.

 

5. Why are state exemptions controversial?

The DPDP Act allows the government to exempt certain public authorities from several obligations under specific circumstances. Critics argue that such exemptions may reduce accountability and weaken privacy protections.

 

Exit mobile version