On the 88th episode of his monthly radio programme “Mann Ki Baat” on April 24, Prime Minister Narendra Modi spoke glowingly about how small online payments had helped the growth of the digital economy. He said that the Unified Payments Interface mode for transactions was popular even in small towns and villages, and that every day digital transactions worth Rs.20,000 crore took place. On May 28, while launching a drone festival, he said he wished every Indian would have a smartphone in hand.
Ironically, this came just a day after the Bengaluru Regional Office of the Unique Identification Authority of India (UIDAI), in a Press Information Bureau release, cautioned the general public about sharing the photocopy of the Aadhaar number with any organisation because it could be misused. As an alternative, it suggested a “masked Aadhaar” that displayed only the last four digits and gave the URL of the website from where this could be downloaded.
The UIDAI also made it clear that only those organisations that had a User Licence from the UIDAI could demand the use of Aadhaar to establish the identity of a person. Unlicensed entities, such as hotels or film halls, were not permitted to collect or keep copies of the Aadhaar card.
Alarmed by the press release, people took to social media and other platforms to express their concerns about data privacy. The Ministry of Electronics and Information Technology (MEITY) soon withdrew the note of caution considering the possibility of it being “misinterpreted”. It assuaged Aadhaar cardholders that they were only advised to “exercise normal prudence in using and sharing their UIDAI Aadhaar numbers”. It stated that the “Aadhaar Identity Authentication ecosystem has adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.”
Voluntary or mandatory?
Despite the government’s claim that the use of Aadhaar was voluntary, it is demanded as proof of identification everywhere. It is hard even for an educated person to determine whether the demand to furnish an Aadhaar card is legitimate or not. Fake Aadhaar IDs have also been reported, including one instance where the Mumbai Crime Branch busted a racket operating from one of the banks. The information on the Aadhaar card, such as date of birth and residence address, can be misused by unscrupulous elements and hackers.
All of this has once again brought to focus the need for a robust data protection Bill, which is yet to see the light of day despite the large number of digital transactions. A new Data Protection Bill, in place of the Personal Data Protection Bill, 2019, is expected to be presented in the forthcoming monsoon session of Parliament.
Right to privacy
While different countries have their own concepts of personal data protection on the basis of various constitutional and other obligations, the fact that an individual has a right to privacy that the state needs to protect is an underlying understanding enshrined in US and EU statutes. In India, the Supreme Court, in Justice K.S. Puttaswamy (Retd) vs Union of India, has recognised right to privacy as a fundamental right emerging from Article 21 of the Constitution. The court advised the Union government to examine and put in place a robust regime for data protection.
Following the Puttaswamy judgment, in 2017 the government constituted the Justice B.N. Srikrishna Committee to frame data protection norms. The committee underscored the need for a framework to protect personal data in a “fair and free digital economy”. The objective of the committee was to “unlock the data economy, while keeping the data of citizens secure and protected”. According to the committee, this objective was also based on the realisation that data had the potential to both empower and harm.
The committee, which submitted its report in July 2018, proposed a draft Personal Data Protection Bill. To illustrate the harm caused by the unlocking of the data economy, it referred to Facebook’s admission that data of 87 million users, including 5 lakh Indian users, were shared by Cambridge Analytica, which used a third party to extract the personal data of users who had downloaded the application. The incident, the committee observed, was not exceptional as data gathering processes were opaque, mired in complex privacy norms that were unintelligible, leading to practices that users had little control over.
The committee also referred to the collection of such data by the state on the grounds that such processing was important for its functions. Yet the state was unregulated and exercised a coercive power on the use of such data. There is currently no law to check the misuse of the data by state or non-state actors. The transfer of personal data is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) under the Information Technology Act.
The Personal Data Protection Bill, 2019, which leaned heavily on the Srikrishna Committee report, was introduced in the Lok Sabha in December 2019. A joint parliamentary committee (JPC) reviewed it and in its report submitted in December 2021 proposed just a Data Protection Bill, dropping ‘personal’ from the title.
The many errors
Even in its previous avatar, the Bill had several deficiencies that organisations such as the Internet Freedom Foundation (IFF) have highlighted. Commenting on UIDAI’s flip-flop and data protection, Tejasi Panjiar, Associate Policy Counsel of IFF, told Frontline that the retraction of the cautionary note issued by a recognised authority was surprising. “We’ve seen time and again Aadhaar failing in terms of its security for users. In 2018, the CEO of UIDAI noted that the authentication failure for government services was as high as 12 per cent. A study by J-PAL in Jharkhand found that Aadhaar-based verification had an error rate of anywhere between 22 and 34 per cent. We’ve seen time and again exclusion and inclusion errors happening,” she said.
According to her, even though the government has been saying that Aadhaar is voluntary, private firms treated Aadhaar as the preferred form of identification. Said Panjiar: “Even a premier government institution such as AIIMS had at some point brought in a rule that registration charges would be waived if Aadhaar was furnished as identity authentication. A person from a lower income group would not think twice before offering the Aadhaar card to avail of the waiver. More recently, the Aadhaar card was required for vaccination, and a health ID was created without the user’s explicit consent. On the one hand we have seen the failure of Aadhaar in security practices, and on the other it is being demanded more and more for all kinds of services, drifting away from its ‘voluntary nature’. The dangers of its misuse increase in the absence of data protection.”
Panjiar said in the current draft Bill, too, there were many exemptions on the issue of consent. “The draft Data Protection Bill says that consent will be required where the processing is necessary. The Puttaswamy judgment was absolutely clear when it said that it should be necessary, legitimate and proportionate. The exemptions for taking consent are very broad in the current Bill.”
Panjiar also flags the cyber security structure, which is in bad shape. “There is at present no obligation on the Data Protection Authority to inform the user that the data have been breached. If my data have been leaked, the responsibility falls on both the fiduciary as well as the authority. Even if the Aadhaar judgment said that authentication through Aadhaar was only for welfare schemes, we’ve seen time and again State governments, the Centre and private entities asking for Aadhaar authentication. Even in the middle of the pandemic, there were so many roll-out schemes that were linked to Aadhaar. At the ground level, this is the preferred mechanism of authentication. With such low levels of digital literacy in the country, people voluntarily share their Aadhaar details.”
According to Panjiar, the Bill prioritised the data economy more than data protection economy. The amount of data repositories that were being created necessitated a strong data protection economy, which unfortunately was not the thrust of the present Bill, she said.
An analysis of the Bill by the IFF shows that the preamble itself contained “two contradictory goals on the same footing”, one, of creating a collective culture that promotes a free and fair digital economy, progress and innovation, and the other respecting informational privacy. Informational privacy, which should have been the main thrust of the Bill, was an add on. The preamble, according to an IFF brief, also overlooked the need to protect the right of privacy of individuals from the state, one of the “biggest processors of personal data”.
Carte blanche to the state
For instance, the JPC report on the Personal Data Protection Bill altered the nomenclature to Data Protection Bill, which itself indicated a dilution. The logic offered was that the Bill would regulate “non-personal” data too. It also placed economic interests on the same footing as informational privacy.
The new draft Bill, IFF believes, undermines an individual’s privacy by inserting the terms “to ensure the interest and security of the state” in the preamble itself. The principle purpose of the Bill is to give a carte blancheto the state under Clause 92: “Nothing in this Act shall prevent the Central government from framing any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse and handling of non-personal data including anonymised personal data.”
On the face of it, both the JPC report and the Bill say that if an individual exercised the choice not to provide personal data, she or he would not be denied service or enjoyment of a legal right or claim. However, the scope of processing non-consensual data is writ large in the Bill. As explained by the IFF expert, it even entitles “quasi-judicial” authorities to process personal data without consent.
Data breaches, according to an IFF brief, went up manifold times in 2021. Citing a study by Surfshark, a cyber security company, it stated that data of 86.63 million Indians had been breached. Under the new Bill, the decision to notify data breaches lies with the Data Protection Authority, which has absolute discretion whether to inform the data principal (the user) on the basis of the severity of the harm caused.
In July, the Digital India initative will enter its eighth year. Ravi Shankar Prasad, former Union Minister, Electronics and IT, Communications, Law and Justice, stated in a national daily that India was “home to 75 crore smartphones, 133 crore Aadhaar cards, more than 80 crore Internet users, has 4G and is accelerating towards 5G”. He spoke eloquently about the advancements made in accelerating digital growth, the JAM trinity (Jan Dhan Yojana, Aadhaar and Mobile number), but there was no mention of a data protection Bill.
The issue is whether there are adequate safeguards that protect ordinary people from the misuse of their personal data by state and non-state entities. The fact that the current data protection Bill does not prioritise the individual’s right to privacy is a serious concern. If the objective is to induce trust in digital markets to enable their growth at the cost of informational privacy, accepting the draft Bill in its current form will be problematic.