Is UIDAI a ‘body corporate?’
The Unique Identification Authority of India (UIDAI) is a statutory authority established under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act, 2016”). It earlier functioned as an attached office of the Planning Commission (now known as NITI Aayog).
The Aadhaar Act, 2016 with Section 11(2) clearly establishes UIDAI as a body corporate and Section 30 of the same act qualifies the biometric information collected and stored by UIDAI to be “electronic record” and “sensitive personal data or information” as per the Information Technology Act, 2000 and subsequent rules. Hence, it reflects that the biometrics collected under the Aadhaar Act will be subject to the IT Act, 2000 and the subsequent rules.
The Information Technology Act, 2000 under Section 43A renders that a body corporate is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” would be held responsible under this provision as well as the rules to ensure security of data and information of an individual and could be held liable for being negligent in implementing reasonable security practices and procedures.
As per the definition of body corporate given by the IT Act, UIDAI is not a body corporate as it does not indulge in commercial or professional activities. (Although commercial and professional activities have not been explicitly defined in the IT Act, 2000).
How shall one decide whether UIDAI’s activities come under the ambit of commercial and professional activities since it has not been defined under the IT Act act?
The Consumer Protection Act, 1986 defines commercial purpose as not a one in which a person uses goods or services by himself for the purpose of earning his livelihood by self-employment. For professional activity, it was held in Surti v. State of Gujarat (AIR 1969 SC 63) that “a professional activity must be an activity carried on by an individual by his personal skill and intelligence.” Amidst all this ambiguity, the Companies Act, 2013 provides for a separate definition for body corporates. The General Clauses Act, 1897 is silent in this regard.
We do not have a uniform definition for body corporates, each act defines it with its limited view, which causes incompatibility of such acts and many organizations have been and will take advantage of this fact.
Since very clearly, UIDAI cannot undisputedly be classified as a body corporate, it can dodge its liability under the IT Act and the subsequent rules. What remains to be seen is whether this question will be addressed in the on-going hearing of the Aadhaar case under the Apex court.
What is the relevance of covering UIDAI under the IT Act and subsequent rules?
If UIDAI is covered under the IT Act and the subsequent rules, it will have to comply with numerous security practices and procedures for the safety of sensitive personal information of the citizens, which includes international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” or any policy for data protection duly approved by the Central Government and Audit of the security practices and procedures carried out at least once a year. As per the RTI reply to us, ISMS policies and audits are being duly conducted by UIDAI.
Both the RTI Act and the Aadhaar Act, limit the sharing/disclosure of the personal information of any individual. The RTI Act with Section 8(j) restricts the disclosure of the personal information of any individual, except when such information is related to any public activity or interest. Section 8 of the Aadhaar Act prevents sharing of any personal information of any individual to any entity for authentication without the permission of the individual and sharing of any core biometric information is not permitted.
The above discussion leads us to the assumption that in case there is a breach, audit logs and ISMS policies of UIDAI may be called into question and in fact, the affected citizen(s) can also file a civil litigation with the Adjudicating Officer to receive compensation under Section 43A of the Information Technology Act, 2000.