Srikr­ishna Com­mit­tee must get data pro­tec­tion right

Data pro­tec­tion must cover the en­tire life-cy­cle of the data.

The Sunday Guardian - - World -

On 27 Oc­to­ber 2017, the At­tor­ney Gen­eral for In­dia told the Supreme Court that the Data Pro­tec­tion Com­mit­tee un­der Jus­tice Srikr­ishna was ex­am­in­ing the en­tire area of data pro­tec­tion law, in­clud­ing al­lied leg­is­la­tions. He sought to de­fer the hear­ing of the Aad­haar pe­ti­tions till at least March 2018. How­ever, the Aad­haar pe­ti­tions go far be­yond data pro­tec­tion. They are about the dig­i­tal im­pact on In­dia by pri­vate in­ter­ests. They are about the fate of the data­bases that pro­tect our sov­er­eign, so­cial­ist, demo­cratic repub­lic sta­tus and whether data­bases of our fi­nan­cial in­sti­tu­tions get shared with in­de­ter­mi­nate play­ers, with­out de­tec­tion and pos­si­bil­i­ties for roll­back.

Aad­haar by its na­ture can­not dis­tin­guish cit­i­zens from res­i­dents. It can­not dis­tin- guish le­gal res­i­dents from il­le­gal res­i­dents. It can­not dis­tin­guish il­le­gal res­i­dents from ter­ror­ists and crim­i­nals. That said, even if the Com­mit­tee can­not ad­dress all the is­sues of Aad­haar, now that the White Pa­per on Data Pro­tec­tion au­thored by Jus­tice Srikr­ishna Com­mit­tee is out, can it ac­tu­ally pro­tect data?

In their fore­word it­self, the Com­mit­tee de­clares its ob­jec­tive to “en­sure growth of the dig­i­tal econ­omy while keep­ing per­sonal data of cit­i­zens se­cure and pro­tected.”

When third par­ties seek profit from the data of sys­tems they have no role in, they colonise, cor­rupt or seek to de­stroy those sys­tems.

A call to grow the dig­i­tal econ­omy must not mean that pri­vate in­ter­ests may profit from the data gen­er­ated by those trans­act­ing in var­i­ous sys­tems in the coun­try. The pur­pose of data pro­tec­tion is to pro­tect peo­ple— the par­tic­i­pants or par­ties in a sys­tem—not the pro­tec­tion of those who seek prof­its by col­lect­ing the data of sys­tems in which they have no role.

In a mar­ket sys­tem com­pris­ing a buyer and a seller, for ex­am­ple, it is mean­ing­ful and fair to pro­tect the data that will help them con­duct their re­la­tion­ship to fur­ther their com­mon pur­poses, and en­sure it is just, dig­ni­fied, equal and free in na­ture. Sim­i­larly, in a bank­ing sys­tem com­pris­ing bor­row­ers and lenders. Or a demo­cratic sys­tem com­pris­ing the rep­re­sen­ta­tive and the rep­re­sented. Or a jus­tice sys­tem com­pris­ing the ag­grieved, the ag­gres­sor and the ar­bi­tra­tor.

Un­for­tu­nately, par­tic­i­pants in our sys­tems rarely recog­nise the sym­bi­otic na­ture of sys­tems as the key pre­req­ui­site for sus­tain­abil­ity. They for­get the com­mon pur­poses of the sys­tems they par­tic­i­pate in. They of­ten al­low third par­ties to bro­ker trans­ac­tions that they have no role in. The data gen­er­ated in these sys­tems find ram­pant abuse by either par­tic­i­pants of the sys­tem it­self or more of­ten by third par­ties. We recog­nise our sys­tems as un­sus­tain­able only when they turn par­a­sitic and are on the verge of en­sur­ing de­struc­tion. The Com­mit­tee, in its fore­word it­self, de­clares that a regime for data pro­tec­tion is syn­ony­mous with pro­tec­tion of in­for­ma­tional pri­vacy. It cites Jerry Kang to de­fine in­for­ma­tional pri­vacy as pri­vacy of per­sonal in­for­ma­tion. To re­strict the scope of the Com­mit­tee to per­sonal in­for­ma­tion, rather than cre­ate a com­pre­hen­sive data pro­tec­tion regime should be avoided.

Data pro­tec­tion must cover the en­tire life-cy­cle of the data. From the time data is gen­er­ated, cer­ti­fied, au­then­ti­cated when it is used, re­stricted from be­ing used by unau­tho­rised third par­ties, un­dated to keep it con­tem­po­rary and sub­jected to au­dit of the data as well as the process that gen­er­ates, cer­ti­fies, au­then­ti­cates, restricts and up­dates. Par­tic­i­pants in a healthy, sus­tain­able sys­tem evolve their norms to en­sure data pro­tec­tion, so that the sys­tem re­mains just, eq­ui­table, dig­ni­fied and con­ducts trans­ac­tions through free will. Data pro­tec­tion fal­ters when it chooses to ig­nore the data life cy­cle or in­tent of pro­tec­tion. It fails when it can­not pro­tect sys­tems from data bro­kers and data thieves.

Fraud­u­lent data, for ex­am­ple, gets gen­er­ated by third par­ties when they force en­try into sys­tems where they have no role or com­mon pur­pose.

Aad­haar should not be an ex­am­ple. When par­tic­i­pants in a sys­tem al­ready use sev­eral ways to iden­tify each other, its “ecosys­tem” forces its way, gen­er­at­ing data that pre­vent the par­tic­i­pants of our sys­tems from even iden­ti­fy­ing those they have been trans­act­ing with ever since Independence, 70 years ago.

No one ques­tions the ab­sence of cer­ti­fi­ca­tion of Aad­haar. Even a school ID is cer­ti­fied by its prin­ci­pal. Again Aad­haar is an ex­am­ple of un­cer­ti­fied data. No one cer­ti­fies Aad­haar as valid data. Re­plac­ing cer­ti­fied data with Aad­haar cre­ates a risk of ghost en­ti­ties get­ting passed off as real.

While it is pos­si­ble to au­then­ti­cate an Aad­haar num­ber as be­ing valid by query­ing https://res­i­dent.uidai.gov. in, it (un­like IDs is­sued by par­tic­i­pants in the sys­tem) has no way to au­then­ti­cate the per­son’s role or rights in the sys­tem. Aad­haar, there­fore, opens ev­ery sys­tem to in­tru­sion by those who may have no role in the sys­tem.

Un­like data gen­er­ated with a sys­tem, third party IDs like Aad­haar, can­not be re­stricted from pos­si­ble mis­use across sys­tems. Aad­haar, un­like other sys­tem spe­cific data, can be up­dated by third par­ties out­side the sys­tem, leav­ing par­tic­i­pants in sys­tems that use the Aad­haar data vul­ner­a­ble

Un­like each sys­tem that un­der­takes an au­dit of its data gen­er­a­tion, cer­ti­fi­ca­tion, au­then­ti­ca­tion, re­stric­tion, up­da­tion pro­cesses, and the data it­self to sat­isfy its par­tic­i­pants, the UIDAI has never done this.

Sim­i­larly, there is no short­age of ex­am­ples of third par­ties af­fect­ing our tele­com, travel and bank­ing sys­tems by in­ter­fer­ing in the data of these sys­tems where they have no role. The GSTN, the NPCI, for ex­am­ple, are sim­i­lar third par­ties that play roles in the data of sys­tems in which they have no role to play. It can­not be a co­in­ci­dence that the en­try of third par­ties into sys­tems where they have no role through an out­sourc­ing model has gone to­gether with the shrink­ing of the av­er­age life time of busi­nesses from about 50 years prior to the 1990s to about eight nowa­days. Data pro­tec­tion must pri­mar­ily pro­tect the com­mon pur­poses of the sys­tems we par­tic­i­pate in from pri­vate in­ter­ests within our sys­tems or of third par­ties in­tend­ing to profit from our trans­ac­tions. It must en­sure the sov­er­eign, repub­lic and demo­cratic na­ture of our sys­tems to en­sure their sus­tain­abil­ity. A se­ri­ous data pro­tec­tion regime will cover the gen­er­a­tion, cer­ti­fi­ca­tion, au­then­ti­ca­tion, re­stric­tion, up­da­tion and au­dit of data to en­sure jus­tice, dig­nity, equal­ity and lib­erty of those who en­gage in com­mon pur­poses in their sys­tem.

The chal­lenge be­fore Prime Min­is­ter Naren­dra Damodar­das Modi is to pre­vent ef­forts at dig­i­tal coloni­sa­tion of In­dia by pri­vate in­ter­ests. The chal­lenge be­fore the PMO is to halt the pos­si­ble de­struc­tion of the data­bases that pro­tect our sov­er­eign, so­cial­ist, demo­cratic repub­lic sta­tus. The need is to pre­vent the mis­use of data­bases of our fi­nan­cial in­sti­tu­tions, that too with­out de­tec­tion and pos­si­bil­i­ties for roll­back. The Srikr­ishna Com­mis­sion must re­turn to the draw­ing board and ful­fil its task of en­sur­ing a com­pre­hen­sive and prac­ti­cal Data Pro­tec­tion Code such as would power In­dia’s growth to the dou­ble digit level while pro­tect­ing our cit­i­zens from dig­i­tal theft and in­tru­sion.

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.