Supreme Court Addresses Privacy Concerns Over Aadhar Data

Having upheld the constitutional validity of Aadhar Act, 2016 and collection of biometric data, the Supreme Court has struck the right balance in protecting the right to privacy of citizens and protecting them from data theft by striking down sections 33(2), 47 and 57 of the said act. In the process, the court has clearly demarcated the services for which providing Aadhar is mandatory and those for which it is not. The judgment would have been perfect if the court had ordered those service providers for whose service Aadhar is no longer mandatory to delete the data collected so far and had specified a mechanism and time frame for the same.
By Sunil Garodia
The main objection against Aadhar was based on the fact that since every Tom, Dick and Harry was asking for Aadhar number before providing any service, the common man was losing control over his private data. With cyber crimes on the rise and hackers in every lane of the country (not counting the international ones), chances of identity theft were real and the scenario was scary. The court has addressed these issues by deleting the provisions in the abovementioned sections.
Section 33(2) reads as follows:- (2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government:
Provided that every direction issued under this sub-section, shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect:
Provided further that any direction issued under this sub-section shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.
It is clear from the wording of this sub-section that the government had given itself arbitrary powers that could have been misused. Hence the court did the right thing by striking it off.
Section 47 reads as follows:- (1) No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it. (2) No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate shall try any offence punishable under this Act.
The wording of both these sub-sections makes the section completely discriminatory and restrictive. It does not give an opportunity to the common man to get his grievances addressed by a court of law. Hence it had to go.
Lastly, Section 57 reads as follows:- Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect: Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.
This was the section that provided a free licence to all companies providing services like mobile telephony, insurance, banking, financial services, housing and the like to ask for Aadhar number from customers and applicants. It was highly mischievous in the sense that, since the UIDAI was expressly prohibited from disclosing any biometric information to such requesting entities, there were many other documents like Voter ID card, PAN card (already mandatorily linked with Aadhar) and Passport to establish the identity of the person. The insistence on asking for Aadhar number by these private or even government service providers was wrong. Since the person collecting the information was a counter clerk, the chances of the data being sold and put to criminal use were great. As subsequent reports on sale of Aadhar data proved, these fears were not unfounded. The court has done well to delete this section.
But where the court has probably erred is in not expressly telling these service providers to delete the data collected so far with intimation to the person whose data had been collected, providing a transparent and verifiable mechanism for the same and obviously a specific time frame within which it should have been done. Millions of Indians have provided their Aadhar numbers to hundreds of entities. Just ensuring that these entities can no longer ask for Aadhar number is not enough. To protect privacy, the collected data needs to be deleted from their servers in a prescribed manner and as early as possible.