FrontLine

Aadhaar fiasco

- BY T.K. RAJALAKSHM­I

The UIDAI’S failed advisory on use of photocopie­s of Aadhaar cards highlights the need for a tough data protection law, which the

new Data Protection Bill was meant to be. However, in its present form it privileges a free and fair digital economy over

informatio­nal privacy.

ON the 88th episode of his monthly radio programme “Mann Ki Baat” on April 24, Prime Minister Narendra Modi spoke glowingly about how small online payments had helped the growth of the digital economy. He said that the Unified Payments Interface mode for transactio­ns was popular even in small towns and villages, and that every day digital transactio­ns worth Rs.20,000 crore took place. On May 28, while launching a drone festival, he said he wished every Indian would have a smartphone in hand.

Ironically, this came just a day after the Bengaluru Regional Office of the Unique Identification Authority of India (UIDAI), in a Press Informatio­n Bureau release, cautioned the general public about sharing the photocopy of the Aadhaar number with any organisati­on because it could be misused. As an alternativ­e, it suggested a “masked Aaadhar” that displayed only the last four digits and gave the URL of the website from where this could be downloaded.

The UIDAI also made it clear that only those organisati­ons that had a User Licence from the UIDAI could demand the use of Aadhaar to establish the identity of a person. Unlicensed entities, such as hotels or film halls, were not permitted to collect or keep copies of the Aadhaar card.

Alarmed by the press release, people took to social media and other platforms to express their concerns about data privacy. The Ministry of Electronic­s and Informatio­n Technology (MEITY) soon withdrew the note of caution considerin­g the possibilit­y of it being “misinterpr­eted”. It assuaged Aadhaar cardholder­s that they were only advised to “exercise normal prudence in using and sharing their UIDAI Aadhaar numbers”. It stated that the “Aadhaar Identity Authentica­tion ecosystem has adequate features for protecting and safeguardi­ng the identity and privacy of the Aadhaar holder.”

VOLUNTARY OR MANDATORY?

Despite the government’s claim that the use of Aadhaar is voluntary, it is demanded as proof of identification everywhere. It is hard even for an educated person to determine whether the demand to furnish an Aadhaar card is legitimate or not. Fake Aadhaar IDS have also been re

ported, including one instance where the Mumbai Crime Branch busted a racket operating from one of the banks. The informatio­n on the Aadhaar card, such as date of birth and residence address, can be misused by unscrupulo­us elements and hackers.

All of this has once again brought to focus the need for a robust data protection Bill, which is yet to see the light of day despite the large number of digital transactio­ns. A new Data Protection Bill, in place of the Personal Data Protection Bill, 2019, is expected to be presented in the forthcomin­g monsoon session of Parliament.

RIGHT TO PRIVACY

While different countries have their own concepts of personal data protection on the basis of various constituti­onal and other obligation­s, the fact that an individual has a right to privacy that the state needs to protect is an underlying understand­ing enshrined in US and EU statutes. In India, the Supreme Court, in Justice K.S. Puttaswamy (Retd) vs Union of India, has recognised right to privacy as a fundamenta­l right emerging from Article 21 of the Constituti­on. The court advised the Union government to examine and put in place a robust regime for data protection.

Following the Puttaswamy judgment, in 2017 the government constitute­d the Justice B.N. Srikrishna Committee to frame data protection norms. The committee underscore­d the need for a framework to protect personal data in a “fair and free digital economy”. The objective of the committee was to “unlock the data economy, while keeping the data of citizens secure and protected”. According to the committee, this objective was also based on the realisatio­n that data had the potential to both empower and harm.

To illustrate the harm caused by the unlocking of the data economy, it referred to Facebook’s admission that data of 87 million users, including 5 lakh Indian users, were shared by Cambridge Analytica, which used a third party to extract the personal data of users who had downloaded the applicatio­n. The incident, the committee observed, was not exceptiona­l as data gathering processes were opaque, mired in complex privacy norms that were unintellig­ible, leading to practices that users had little control over.

The committee also referred to the collection of such data by the state on the grounds that such processing was important for its functions. Yet the state was unregulate­d and exercised a coercive power on the use of such data. There is currently no law to check the misuse of the data by state or non-state actors. The committee, which submitted its report in July 2018, proposed a draft Personal Data Protection Bill. The transfer of personal data is governed by the Informatio­n Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Informatio­n) Rules 2011 (SPD Rules) under the Informatio­n Technology Act.

The Personal Data Protection Bill, 2019, which leaned heavily on the Srikrishna Committee report, was introduced in the Lok Sabha in December 2019. A joint parliament­ary committee (JPC) reviewed it and in its report submitted in December 2021 proposed just a Data Protection

Bill, dropping ‘personal’ from the title.

THE MANY ERRORS

Even in its previous avatar, the Bill had several deficiencies that organisati­ons such as the Internet Freedom Foundation (IFF) have highlighte­d. Commenting on UIDAI’S flip-flop and data protection, Tejasi Panjiar, Associate Policy Counsel of IFF, told Frontline that the retraction of the cautionary note issued by a recognised authority was surprising. “We’ve seen time and again Aadhaar failing in terms of its security for users. In 2018, the CEO of UIDAI noted that the authentica­tion failure for government services was as high as 12 per cent. A study by J. Pal in Jharkhand found that Aadhaar-based verification had an error rate of anywhere between 22 and 34 per cent. We’ve seen time and again exclusion and inclusion errors happening,” she said.

According to her, even though the government has been saying that Aadhaar is voluntary, private firms treated Aadhaar as the preferred form of identification. Said Panjiar: “Even a premier government institutio­n such as AIIMS had at some point brought in a rule that registra

tion charges would be waived if Aadhaar was furnished as identity authentica­tion. A person from a lower income group would not think twice before offering the Aadhaar card to avail of the waiver. More recently, the Aadhaar card was required for vaccinatio­n, and a health ID was created without the user’s explicit consent. On the one hand we have seen the failure of Aadhaar in security practices, and on the other it is being demanded more and more for all kinds of services, drifting away from its ‘voluntary nature’. The dangers of its misuse increase in the absence of data protection.”

Panjiar said in the current draft Bill, too, there were many exemptions on the issue of consent. “The draft Data Protection Bill says that consent will be required where the processing is necessary. The Puttaswamy judgment was absolutely clear when it said that it should be necessary, legitimate and proportion­ate. The exemptions for taking consent are very broad in the current Bill.”

Panjiar also flags the cyber security structure, which is in bad shape. “There is at present no obligation on the Data Protection Authority to inform the user that the data have been breached. If my data have been leaked, the responsibi­lity falls on both the fiduciary as well as the authority. Even if the Aadhaar judgment said that authentica­tion through Aadhaar was only for welfare schemes, we’ve seen time and again State government­s, the Centre and private entities asking for Aadhaar authentica­tion. Even in the middle of the pandemic, there were so many roll-out schemes that were linked to Aadhaar. At the ground level, this is the preferred mechanism of authentica­tion. With such low levels of digital literacy in the country, people voluntaril­y share their Aadhaar details.”

According to Panjiar, the Bill prioritise­d the data economy more than data protection economy. The amount of data repositori­es that were being created necessitat­ed a strong data protection economy, which unfortunat­ely was not the thrust of the present Bill, she said.

An analysis of the Bill by the IFF shows that the preamble itself contained “two contradict­ory goals on the same footing”, one, of creating a collective culture that promotes a free and fair digital economy, progress and innovation, and the other respecting informatio­nal privacy. Informatio­nal privacy, which should have been the main thrust of the Bill, was an add on. The preamble, according to an IFF brief, also overlooked the need to protect the right of privacy of individual­s from the state, one of the “biggest processors of personal data”.

CARTE BLANCHE TO THE STATE

For instance, the JPC report on the Personal Data Protection Bill altered the nomenclatu­re to Data Protection Bill, which itself indicated a dilution. The logic offered was that the Bill would regulate “non-personal” data too. It also placed economic interests on the same footing as informatio­nal privacy.

The new draft Bill, IFF believes, undermines an individual’s privacy by inserting the terms “to ensure the interest and security of the state” in the preamble itself. The principle purpose of the Bill is to give a carte blanche to the state under Clause 92: “Nothing in this Act shall prevent the Central government from framing any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse and handling of non-personal data including anonymised personal data.”

On the face of it, both the JPC report and the Bill say that if an individual exercised the choice not to provide personal data, she or he would not be denied service or enjoyment of a legal right or claim. However, the scope of processing non-consensual data is writ large in the Bill. As explained by the IFF expert, it even entitles “quasi-judicial” authoritie­s to process personal data without consent.

Data breaches, according to an IFF brief, went up manifold times in 2021. Citing a study by Surfshark, a cyber security company, it stated that data of 86.63 million Indians had been breached. Under the new Bill, the decision to notify data breaches lies with the Data Protection Authority, which has absolute discretion whether to inform the data principal (the user) on the basis of the severity of the harm caused.

In July, the Digital India initative will enter its eighth year. Ravi Shankar Prasad, former Union Minister, Electronic­s and IT, Communicat­ions, Law and Justice, stated in a national daily that India was “home to 75 crore smartphone­s, 133 crore Aadhaar cards, more than 80 crore Internet users, has 4G and is accelerati­ng towards 5G”. He spoke eloquently about the advancemen­ts made in accelerati­ng digital growth, the JAM trinity (Jan Dhan Yojana, Aadhaar and Mobile number), but there was no mention of a data protection Bill.

The issue is whether there are adequate safeguards that protect ordinary people from the misuse of their personal data by state and nonstate entities. The fact that the current data protection Bill does not prioritise the individual’s right to privacy is a serious concern. If the objective is to induce trust in digital markets to enable their growth at the cost of informatio­nal privacy, accepting the draft Bill in its current form will be problemati­c. m

Despite the government’s claim that the use of Aadhaar is voluntary, it is demanded as proof of identification everywhere.

 ?? ?? A STUDY found that Aadhaar-based verification had an error rate of anywhere between 22 and 34 per cent.
A STUDY found that Aadhaar-based verification had an error rate of anywhere between 22 and 34 per cent.
 ?? ?? POLICE OFFICIALS of Cyberabad display seized duplicated Aadhaar cards and mobile SIM cards. Personal informatio­n given on Aadhaar cards, such as date of birth and residentia­l address, can be easily misused by unscrupulo­us elements and hackers.
POLICE OFFICIALS of Cyberabad display seized duplicated Aadhaar cards and mobile SIM cards. Personal informatio­n given on Aadhaar cards, such as date of birth and residentia­l address, can be easily misused by unscrupulo­us elements and hackers.

Newspapers in English

Newspapers from India