The Wire: New Delhi: Monday, July 30, 2018.
Much like the finale of an exasperatingly
long-drawn out TV series, the Srikrishna Committee submitted its final report
to the law and IT minister on Friday. However, it appears that this emotionally
and physically exhausting data privacy drama will be prolonged as the Aadhaar
judgment isn’t out yet.
The Srikrishna Committee was constituted during
the pendency of the hearings in the constitutional challenges to the validity
of the UID project. The Union government had in fact stated during its
submissions to the Supreme Court that it was setting up a committee and
intended to introduce laws related to data protection and privacy. Those
following the Aadhaar project have waited to see the kind of impact a data
protection bill might have on the project, with many feeling that any data
protection bill would by its very nature, have to deal with, and curtail it.
The idea of a privacy/data protection law has been proposed various times in the
country’s recent past. None of the various official drafts and deliberations
have occurred in a time quite like this, when over one billion Indian citizens
were, in most cases, coerced into enrolling in a centralised mandatory
biometric identification system.
After the composition of the Committee was finally
announced, by November 6, 2017, several eminent jurists and concerned citizens raised concerns about
possible conflicts of interest of various members of the Committee,
specifically related to Aadhaar. The Committee chose not to respond to this
letter, nor did it increase the diversity of the members of the Committee. Lack
of transparency and public participation has been a ‘feature’ of the
deliberations of the Committee. The first public document put out by the
Committee was its White Paper, which was published solely in English and no
other language.
When the minutes of the meeting of the Committee
was released, after denial and then appeal, in response to an RTI application
filed by RTI activists Anjali Bhardwaj and Amrita Johri, it was found that the
same think-tank involved in drafting the Aadhaar Act played a prominent
supporting role in the deliberations of the Srikrishna Committee. The Ministry
of Electronics and Information Technology later illegally denied providing the
submissions and recommendations made to the Committee in response to RTI applications
filed by the same activists. Most recently, 150 citizens once again wrote to
the Committee demanding greater transparency and accountability in its
functioning. The Committee remained determinedly silent, giving no response and
continuing to valiantly and illegally deny RTI applications for the draft bill,
notes and submissions made to the Committee. The release of the draft bill and
the final report of the Committee are thus very welcome, but further public
consultation is clearly needed. In fact, the pre-legislative process created by
an empowered group of ministers in 2014 legally mandates it.
In its final report, the Committee recognises
that, “The Aadhaar Act needs to be amended significantly to bolster privacy
protections and ensure autonomy of the UIDAI. Since the context of the
Committee’s functioning has been shaped by a vigorous public debate about
Aadhaar and its impact on data protection, the Committee would be remiss if it
did not deal with this issue.” The best way to understand the Committee’s
proposed amendments to the Aadhaar Act and the suggestions it makes in its
reports are to imagine being a ‘data subject’ – elderly, below the poverty
line, significantly if not totally dependent on welfare entitlements for
survival – who was coerced into submitting her biometrics as a necessary
condition for her to receive her pension.
Concerns around the Aadhaar project have broadly
coalesced around welfare and privacy; these have included questions of
surveillance, liberty, access to basic rights, data commercialisation, coercion
and choice.
At first glance, the draft data protection bill
appears to provide massive exceptions for welfare that seemingly apply to Aadhaar.
Section 13 makes the processing of personal data without a person’s consent possible
for any function of the Parliament or State Legislature. It allows the
processing of personal data, if necessary for the exercise of any function, for
the delivery of services or benefits or issuance of certificates. In addition,
Section 19 states:
Sensitive personal data may be processed if such
processing is strictly necessary for: (a) any function of Parliament or any
State Legislature and (b) the exercise of any function of the State authorised
by law for the provision of any service or benefit to the data principal.
This appears to be the exception allowed for the
State to process personal data and looks ominous when you think about the
expansion of the Aadhaar into so many aspects of our lives – for welfare
programmes, IT returns, for healthcare subsidies, sim cards etc.
But is Aadhaar or Aadhaar authentication strictly
necessary to fulfill any function of the state? The draft bill opens a space in
which we can and must ask this question. As Prof Reetika Khera points out, for
example, “welfare needs Aadhaar like a fish needs a bicycle.” Much has been
written about how Aadhaar is an inappropriate technology for welfare. Why
should Aadhaar or Aadhaar authentication be necessary for a person to receive
her pension?
Critics of the Aadhaar project have since the very
beginning highlighted the sweeping nature of the Aadhaar project. While the
Aadhaar Act posits itself as an act to “provide for, as a good governance,
efficient, transparent and targeted delivery of subsidies, benefits and
services”, its expansion into various other fields has been unchecked and
indiscriminate. Section 5 of the draft data protection bill deals with purpose limitation and states
that the “personal data shall be processed only for purposes that are clear,
specific and lawful.” The processing of Aadhaar data so far has been for
purposes that are anything but clear and specific, while the lawful bit is
under challenge in the Supreme Court of India.
With the enormity of the unwieldy Aadhaar project
occupying our imagination, one thing has become very clear that while data
protection laws around the world and this one in particular largely deal with
protecting personal data, there might be times when I may need to be protected
from data. For example, if I am poor and elderly and go to a ration shop,
currently, I am mandatorily required to authenticate my fingerprint on a
machine that decides whether or not I am the person I say I am. Once the
machine decides, on the basis of data I gave it at an earlier date, only then
can I get access to my entitlements. While various authorities keep assuring us
that other means of identification are acceptable, this message has still not
permeated to the people administering these programmes and in many cases, the
technical architecture itself does not allow for any other means of
identification.
In the case of Aadhaar authentications – for the
elderly, differently abled, those engaged in manual labour, people genetically
predisposed to not have fingerprints – Aadhaar-based biometric authentication
does not work. The draft bill and report propose a new system of offline
verification, only proving how broken Aadhaar really is. We have not been told
what this system of offline verification will be, nor why it is necessary, nor
what purpose it will serve or where exactly it will be used.
Section 9 of the draft bill relates to
data quality and sub-section (1)
states that:
“The data fiduciary shall take reasonable steps to
ensure that personal data processed is complete, accurate, not misleading and
updated, having regard to the purposes for which it is processed.”
As per section 2(13) of the bill, a “data
fiduciary” means any person, including the state, a company, any juristic
entity or any individual who alone or in conjunction with others determines the
purpose and means of processing of personal data.” This would mean possibly,
that the burden of maintaining data quality would be placed on the UIDAI, and not
on the data subject.
The data protection draft bill and report further
add to the conversation around meaningful, just and fair data protection and
its simultaneous existence with the unjustifiable privacy-related incursions of
the Aadhaar project. It remains to be seen how and whether the Aadhaar Act and
a Data Protection Act can coexist.
The speed with which the Committee has been forced
to work is an obvious side-effect of the vacuum created by the existence of the
Aadhaar project, new proliferating technologies and the growing global
conversation around data protection standards. It is vital that there be
further discussion and public consultation on the data protection bill. The
conversation around data protection is incomplete without the voices of those
whom it will affect the most, including those that are entitled to welfare from
the state.
(Praavita is a lawyer and a Save Our Privacy
volunteer.)
.JPG)
.JPG)
