By Amrita Vasudevan and Anita Gurumurthy
The right to privacy has had to come to terms with the pervasive digitization of life. No longer is it a negative right - of non interference from the State; it is now also a positive right that calls for proactive steps from the State to guarantee and uphold the privacy of its citizens. There is no better instantiation of this, than the story of Aadhaar. Since February of this year, we have seen many instances of how Aadhaar enabled front-end applications are scanning and storing biometric data. Interestingly, in one case, the individual responsible for uncovering a major privacy breach was slapped with an FIR, an indication that the establishment will do everything to push back at anyone or anything that reveals vulnerabilities in the Aadhaar system. The myth of Aadhaar’s invincibility, it seems, must be reinstated time and again.
What is at stake?
The right to privacy – as a duty incumbent upon the State – consists of certain non-negotiables. First and foremost is the duty of the State, which must, at all times, guard citizens’ private information from leakage. This implies the duty to alert the citizen, when such information is compromised (including mandating private actors to do so, when they collect private information). While Section 29(4) of the Aadhaar Act prohibits the publication of Aadhaar number or biometric details, it has no provision in place to notify individuals whose information has been leaked. The Section also fails to include data authentication records or meta data related to Aadhaar based transactions in its ambit, indirectly legitimising misuse of such records. In fact, the Aadhaar (Sharing of Information) Regulation 2016, allows for such information to be published, provided the Aadhaar number is redacted or blacked out (Rule 6).
In the off-chance that an individual may find that her Aadhaar data has been leaked, she can approach the UIDAI Contact Centers. However, she will not be able to approach the court, as under Section 47(1) of the Act, recourse for the breach of the Aadhaar Act lies only with the UIDAI. This directly vitiates the principle of independence, impartiality and neutrality, basic to the rule of law.
Even after the multiple breaches were revealed, the UIDAI chairman claimed that there was no data breach, as no data was lost from the UIDAI database. Such claims about citizen information seem to privilege the view that citizen data constitutes property to be shielded from theft and loss (if at all), and such data has little to do with what an individual holds inalienable. Thankfully, in March, the Ministry of Electronics and Information Technology (as reported by the Economic Times) had issued a notification stating that the state and central governments must take down Aadhaar data available online. However, as noted by Asheeta Regidi, since the Aadhaar Act only punishes intentional and not negligent publication of Aadhaar details (Section 37), a lot more than a notification is required to protect the right to privacy.
The all-important issue of consent
Secondly, consent to part with private information, is a complex issue and cannot be reduced to a blanket yes. Which is why, the state must safeguard abuse of citizen information through deception and fraud and ensure that citizens make informed choices. Section 29(3) allows for any requesting entity who uses the UIDAI authentication system to disclose data, if the consent of the individual to whom such data relates has been obtained. Scholars have noted that in the current milieu where Aadhaar has become quasi mandatory, this kind of framing can lead to privacy violations. For example, if the provider of an essential service who makes consent necessary is the requesting entity, then such consent evidently, is under duress.
While the government has issued a set of five regulations to supplement the Aadhaar Act, key loopholes continue to remain. As observed by the Centre for Internet and Society, when compared with internationally accepted data protection principles (upheld and reiterated by the Justice A.P Shah Committee, and even incorporated into the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011), the Aadhaar Act and Rules severely miss the mark with regard to data protection. For example, in a marked departure from its 2010 avatar, the UIDAI now allows for “a positive, negative or any other appropriate response” to authentication queries, and sharing of identity information, “excluding any core biometric information”. This could mean that the Authority could also provide the individual’s demographic information – name, address etc., even a mobile number or e-mail address, if submitted during enrollment. Both the Act and the Aadhaar (Enrollment and Update) Regulations 2016, mention information to be provided during enrollment, but do not mention anything about consent or how it is to be received. Along with the fact that the Act has no opt-out clause, these provisions reveal the all too obvious intention of the government to make Aadhaar compulsory.
Predators in the data market
Thirdly, states must privilege individual right to access data in their data retention policies. Policies stipulating long time periods of retention can lead to misuse, prove to be expensive, and prone to security risks in the form of theft, fraud and accidental disclosure. Long periods of retention can also heavily aid private surveillance. The Aadhaar (Authentication) Regulation 2016, requires requesting entities to retain authentication transaction data for a period of two years, and archive it for five more years. The Aadhaar holder cannot access her data during the latter period. This seems to belie the Regulation’s stated purpose in Rule 18(4), to protect and promote the interests of the Aadhaar number holder, in terms of grievance or dispute resolution. As we have seen in recent reports, private actors are collecting Aadhaar data, including biometric data. The Supreme Court has recently noted that “...biometric data collection by private agencies is not a great idea.” What is necessary therefore is not just a constitutionally recognized right to privacy against the state, but also for the idea of ‘right to privacy’ to include state protection against violation of citizen rights by private agencies.
No binding standards for data security
In furtherance of Sections 28 and 54(2)(p) of the Aadhaar Act, which requires the Authority to adopt and implement technical and organizational security measures, the Aadhaar (Data Security) Regulation 2016, was introduced. The Regulation mentions that the UIDAI ‘may’ set an information security policy that it and all other agencies mentioned by the Act or the Aadhaar related regulations shall adopt. The Rules also provide what the policy ‘may’ contain. What is obvious is that there is an equal possibility that the UIDAI ‘may not’ issue any security policy. The Rules do mention that personnel are bound to comply with the policy issued by the UIDAI, but without actually going into any time line for compliance. In fact lack of time lines plagues most of this Regulation. So while it mentions that service providers etc. need to “report promptly to the Authority any security incidents affecting the confidentiality, integrity and availability of information related to the Authority’s functions”, it fails to mention what ‘promptly’ is or what happens if this is not done. The Rules also provide for audits of the entities to be conducted by an auditor certified by a body under the Information Technology Act, 2000. However, such a body does not exist! This brings us to the fourth consideration – that a robust and binding framework of data security is vital. The absence of a Data Protection law in India hugely undermines the recourse that citizens have to hold the state and private actors to account for their data practices.
The refrain – “shall be as specified by the Authority” – remains a favorite in the regulations, begging the question, when? The Aadhaar Act was passed as a money bill and rushed through the Lok Sabha, despite its evident implications for the fundamental rights of citizens. Then came the new rules, supposedly to plug the lacunae in the Act. But all the action to fix all the loopholes tells a different story; that our rights in the digital age may call for a hard-fought battle.
The authors are with IT for Change, an NGO that works at the intersections of digital technologies and development.
Updated Date: May 04, 2017 08:47 AM