Srikrishna Committee must get data protection right
Data protection must cover the entire life-cycle of the data.
On 27 October 2017, the Attorney General for India told the Supreme Court that the Data Protection Committee under Justice Srikrishna was examining the entire area of data protection law, including allied legislations. He sought to defer the hearing of the Aadhaar petitions till at least March 2018. However, the Aadhaar petitions go far beyond data protection. They are about the digital impact on India by private interests. They are about the fate of the databases that protect our sovereign, socialist, democratic republic status and whether databases of our financial institutions get shared with indeterminate players, without detection and possibilities for rollback.
Aadhaar by its nature cannot distinguish citizens from residents. It cannot distin- guish legal residents from illegal residents. It cannot distinguish illegal residents from terrorists and criminals. That said, even if the Committee cannot address all the issues of Aadhaar, now that the White Paper on Data Protection authored by Justice Srikrishna Committee is out, can it actually protect data?
In their foreword itself, the Committee declares its objective to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”
When third parties seek profit from the data of systems they have no role in, they colonise, corrupt or seek to destroy those systems.
A call to grow the digital economy must not mean that private interests may profit from the data generated by those transacting in various systems in the country. The purpose of data protection is to protect people— the participants or parties in a system—not the protection of those who seek profits by collecting the data of systems in which they have no role.
In a market system comprising a buyer and a seller, for example, it is meaningful and fair to protect the data that will help them conduct their relationship to further their common purposes, and ensure it is just, dignified, equal and free in nature. Similarly, in a banking system comprising borrowers and lenders. Or a democratic system comprising the representative and the represented. Or a justice system comprising the aggrieved, the aggressor and the arbitrator.
Unfortunately, participants in our systems rarely recognise the symbiotic nature of systems as the key prerequisite for sustainability. They forget the common purposes of the systems they participate in. They often allow third parties to broker transactions that they have no role in. The data generated in these systems find rampant abuse by either participants of the system itself or more often by third parties. We recognise our systems as unsustainable only when they turn parasitic and are on the verge of ensuring destruction. The Committee, in its foreword itself, declares that a regime for data protection is synonymous with protection of informational privacy. It cites Jerry Kang to define informational privacy as privacy of personal information. To restrict the scope of the Committee to personal information, rather than create a comprehensive data protection regime should be avoided.
Data protection must cover the entire life-cycle of the data. From the time data is generated, certified, authenticated when it is used, restricted from being used by unauthorised third parties, undated to keep it contemporary and subjected to audit of the data as well as the process that generates, certifies, authenticates, restricts and updates. Participants in a healthy, sustainable system evolve their norms to ensure data protection, so that the system remains just, equitable, dignified and conducts transactions through free will. Data protection falters when it chooses to ignore the data life cycle or intent of protection. It fails when it cannot protect systems from data brokers and data thieves.
Fraudulent data, for example, gets generated by third parties when they force entry into systems where they have no role or common purpose.
Aadhaar should not be an example. When participants in a system already use several ways to identify each other, its “ecosystem” forces its way, generating data that prevent the participants of our systems from even identifying those they have been transacting with ever since Independence, 70 years ago.
No one questions the absence of certification of Aadhaar. Even a school ID is certified by its principal. Again Aadhaar is an example of uncertified data. No one certifies Aadhaar as valid data. Replacing certified data with Aadhaar creates a risk of ghost entities getting passed off as real.
While it is possible to authenticate an Aadhaar number as being valid by querying https://resident.uidai.gov. in, it (unlike IDs issued by participants in the system) has no way to authenticate the person’s role or rights in the system. Aadhaar, therefore, opens every system to intrusion by those who may have no role in the system.
Unlike data generated with a system, third party IDs like Aadhaar, cannot be restricted from possible misuse across systems. Aadhaar, unlike other system specific data, can be updated by third parties outside the system, leaving participants in systems that use the Aadhaar data vulnerable
Unlike each system that undertakes an audit of its data generation, certification, authentication, restriction, updation processes, and the data itself to satisfy its participants, the UIDAI has never done this.
Similarly, there is no shortage of examples of third parties affecting our telecom, travel and banking systems by interfering in the data of these systems where they have no role. The GSTN, the NPCI, for example, are similar third parties that play roles in the data of systems in which they have no role to play. It cannot be a coincidence that the entry of third parties into systems where they have no role through an outsourcing model has gone together with the shrinking of the average life time of businesses from about 50 years prior to the 1990s to about eight nowadays. Data protection must primarily protect the common purposes of the systems we participate in from private interests within our systems or of third parties intending to profit from our transactions. It must ensure the sovereign, republic and democratic nature of our systems to ensure their sustainability. A serious data protection regime will cover the generation, certification, authentication, restriction, updation and audit of data to ensure justice, dignity, equality and liberty of those who engage in common purposes in their system.
The challenge before Prime Minister Narendra Damodardas Modi is to prevent efforts at digital colonisation of India by private interests. The challenge before the PMO is to halt the possible destruction of the databases that protect our sovereign, socialist, democratic republic status. The need is to prevent the misuse of databases of our financial institutions, that too without detection and possibilities for rollback. The Srikrishna Commission must return to the drawing board and fulfil its task of ensuring a comprehensive and practical Data Protection Code such as would power India’s growth to the double digit level while protecting our citizens from digital theft and intrusion.