UIDAI’s Exemption from Personal Data Protection Laws



The Unique Identification Authority of India (UIDAI) has requested a waiver from the Personal Data Protection Laws. UIDAI personnel told the Joint Parliamentary Committee on Data Protection Bill 2019 at its Bengaluru office that the authority is already bound by the Aadhaar Act and that there cannot be a conflict of laws.

Ironically, it was the requirement of Aadhaar for many critical businesses, including banks, that sparked the data privacy argument. The origins of this Bill can be traced back to a study published by a Committee of Experts led by Justice B.N. Srikrishna. The committee was formed by the government during the Supreme Court’s hearings on the right to privacy matter (Justice K.S. Puttaswamy v. Union of India).

The Personal Data Protection (PDP) Bill 2019

Section 35 of the Personal Data Protection (PDP) Bill 2019 invokes “sovereignty and integrity of India,” “public order”, “friendly relations with foreign states” and “security of the state” to allow the Central Government to strike out the provisions of the said Act in favor of government agencies.

The UIDAI has demanded a blanket exemption from the Act on the ground that it is already covered by the Aadhaar Act. UIDAI said this during the meeting with the Joint Parliamentary Committee and contended that the two laws (PDP and Aadhaar) would be counterproductive.


The Bill authorizes the government to transmit certain types of personal data overseas and offers exceptions that allow government agencies to collect personal data from citizens. The Bill categorizes data and mandates that it be stored in one of three ways, depending on the kind:

  • Critical Personal Data: Anything that the government may deem vital at any time, such as military or national security data.
  • Sensitive Personal Data: Financial, health-related, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and other sorts of personal data.
  • Personal Data: Data that may be used to identify an individual, such as a person’s name, address, and so on.

It requires data fiduciaries to share any non-personal data requested by the authorities where:

  • Non-Personal Data refers to data that has been anonymized, such as traffic patterns or demographic information.
  • Data Fiduciary may be a service provider who gathers, keeps, and utilizes data while delivering such goods and services.

A Data Protection Authority has been proposed to ensure that the legislation is followed. It also cites the ‘Right to be forgotten’. It specifies that the “data principal (the person to whom the data is connected) must have the right to restrict or prevent a data fiduciary from continuing to disclose his personal data.” 

Aadhaar Act, 2016

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, is a money bill passed by the Indian Parliament. Its goal is to offer legal support for the Aadhaar unique identification number programme. The Lok Sabha approved it on March 11, 2016. Certain parts of the Act went into effect on July 12 and September 12, 2016.

Chapter VI: Protection of Information

Clause 28 (1) specifies that the UIDAI must safeguard the security of identification information and authentication data. Clause 2 (d) defines authentication records as “a record of the time of authentication, the identity of the requesting entity, and the answer returned”. Clause 32 specifies that the UIDAI must keep the authentication records for the designated amount of time. Subject to legislation, the Aadhaar number holder may examine his authentication records. The UIDAI is not obligated to keep a record of the purpose of authentication.

Clause 33 (1) stipulates that a District Judge or a higher court may compel the UIDAI to provide a person’s identifying information, i.e. Aadhaar number, image, and demographic information, as well as authentication records, but not basic biometric data. Clause 33 (2) specifies that an official with the level of Joint Secretary or above may access a person’s identification information, including core biometric information, if the central government issues an order in the interest of national security.

Issues Involved

Formation of Two Different Ecosystems

If the Personal Data Protection (PDP) Law is implemented in its current form, it may result in the formation of two different ecosystems. The first will consist of government entities that are totally exempt from the regulation, allowing them unlimited flexibility to deal with personal data. The second will be private data fiduciaries, who will be responsible for adhering to the word of the law.


Section 12 of the Act exempts UIDAI from the rigors of the Bill by allowing for the processing of data for the provision of a service or benefit to the data principal. Even in such a case, advance warning is required. There can be no duplication of legislation because the UIDAI authority is already bound by the Aadhaar Act. In 2018, the Supreme Court (SC) overturned the Aadhaar Act’s national security exemption. It indirectly assures better privacy of an individual’s Aadhaar data while restricting access to it by the government.

Section 35

It uses “Indian sovereignty and integrity,” “public order,” “friendly relations with other governments,” and “state security” to give the Central government the authority to suspend all or some of the provisions of this Act for government entities.

Expert’s words

There are already sections in the 2019 Bill that are susceptible to interpretation. According to Prasanth Sugathan, Legal Director of the Software Freedom Law Centre, “Section 12 of the 2019 Bill affords UIDAI some freedom from the rigours of the Bill since it allows for processing data for the provision of a service or benefit to the data principal. However, even in such a case, advance warning is required.”

According to sources, UIDAI may not be the only one seeking exemption. “We are concerned that if the Bill is adopted in its current form, it would result in the formation of two different ecosystems: One with government entities that will be totally exempt from the regulation, allowing them unlimited flexibility to deal with personal data. The second will be private data fiduciaries, who will have to deal with every word of the law,” one of the members explained.
