The Aadhaar number is unique but it also poses doubts about endangering individual’s privacy
At the cusp of a data revolution, India is witnessing a tectonic shift in technology, as it transforms many aspects of lives and ways of thinking. While there is little doubt that big data is the new cash cow, the main question is whether India is geared up to protect privacy and make users accountable for their actions.
Historically, issues of personal data and privacy have scarcely bothered Indians. However, now things are different – they have woken up from their indifference towards data privacy and protection. There are good reasons for this concern. A late entrant into mobile telephony, India is one of the leading cellular nations in the world. For the last two decades, the world’s second most populous nation is crazy about its 24×7 presence in social media. This can be gauged from the fact that India is on top with 270 million users on Facebook, 200 million active users on WhatsApp, 30.4 million Twitter users and 10.1 micro-bloggers.
This leads us to two pertinent questions. Firstly, what is data? Data is quantitative and qualitative variables. Secondly, why is data under the scanner? It is so because new developments, events and issues have surfaced in quite unprecedented ways over the last two years. There is a new awakening about the rise of big data and the subsequent issues related to an individual’s data privacy and protection. Successive governments, through census operations, national sample surveys and other research agencies, have collected data over the decades. For instance, the Census Commission on an average generates aggregate data sets and reveals trends on various indicators. There are about 370 tables on different indicators. But as they collect data from individuals and their families, they promise not to share any information. Also, this data was static and a one-time collection.
Data Never Sleeps
With the onset of digital revolution, data has acquired a different dimension. In the online world, every like and dislike, comments, texts, interests and needs, generate data. In other words, consumer behaviour is extracted from online activity of each individual. This has resulted in a data deluge.
Such are the signs of changing times that about 90 pc of the data in the world today has been created in the last two years alone. Data generated by internet users is roughly 2.5 quintillion bytes a day. YouTube is streaming more than ever with 4.14 million videos watched per minute. Google processes 3.5 billion searches and 4.3 billion messages are posted on Facebook daily.
This gigantic information outflow has come to be known as Big Data. These channels of social networks have become a mode of networking, commerce, entertainment, advertisement and political campaigns in India as much as in other digitised nations.
Meanwhile, digital traces of individual users across social networks and e-commerce giants are captured by digital distilleries to churn out more profits than any other financially viable sector, including oil and gas businesses. While these technology giants are profiteering, data breach on a global scale has surfaced.
Source: Gemalto
Unique Identity for Indians
Aadhaar is the world’s largest, most ambitious digital identity scheme that has so far enrolled a mammoth 1.2 billion people, bringing in its ambit about 89 pc of India’s population.
Based on biometric and demographic data, a 12-digit unique identity number is created for residents of India. The data is collected by the Unique Identification Authority of India (UIDAI), a statutory body established in January 2009 by the Government of India (GoI), under the jurisdiction of the Ministry of Electronics and Information Technology.
It began for the targeted delivery of financial and other subsidies, benefits and services. Now, it is affecting lives in every sphere. The costs of implementing and maintenance of Aadhar is about USD 1.5 billion or USD 1.25 per card between 2009 and 2017. Globally, this is cheaper as compared to the costs of other electronic identification systems of USD 3 to USD 6 per enrolee.
Programmes linked to Aadhaar include the Direct Benefit Transfer (DBT) scheme for Liquefied Petroleum Gas (LPG) subsidies, the Public Distribution System for rice and wheat and the Mahatma Gandhi National Rural Employment Guarantee Act, which provides 100 days of work for unemployed workers in a year. Similarly, another flagship programme, Jan Dhan, aimed at promoting financial inclusion, targeting universal access to banking facilities and facilitating the delivery of social benefits directly to bank accounts, uses Aadhaar and Mobile. The total number of current and savings accounts in banks has risen from USD 18 million in March 2015 to USD 23 million in March 2017.
Nandan Nilekani, ex-chairman of UIDAI and co-founder of Infosys, observed in the Credit Suisse Indian Financials Report 2016: “India goes from being data poor to data rich in the next two-three years. The Electronic Consent layer of the India Stock will enable consumers and business to harness the power of their own data to get fast, convenient and affordable credit. Such use of digital footprints will bring millions of consumers and small businesses (who are in the informal sector) to join the formal economy to avail of affordable and reliable credit.”
All this has earned global accolades for India, Nilekani said, adding, “And as data becomes the new currency, financial institutions will be willing to forego transaction fees to get rich digital information on their customers.”
Opposition to Aadhaar
Undoubtedly, the Aadhaar number is unique. But it also poses a series of questions for its 1.3 billion Indian holders.
Serious doubts have been raised about Aadhaar endangering individual’s privacy on one hand and becoming an enabler of corporate interest on the other. Such is its seriousness that the Constitutional Bench of the Supreme Court of India comprising the Chief Justice of India Dipak Misra and Justices A K Sikri, A M Khanwilkar, D Y Chandrachud and Ashok Bhushan, heard the petitions on constitutional validity of the Aadhaar for 38 days spread over a period four months.
The apex court had tagged a total of 29 petitions. Petitioners have challenged making Aadhaar mandatory for availing of social welfare benefits and filing of Income Tax Returns (ITRs), as well as for obtaining and retaining the Permanent Account Number (PAN) required for filing ITRs. They have also cited the potential for infringement of an individual’s right to privacy.
The apex court examined if the 12-digit Aadhaar number violates the Right to Privacy, which was declared a fundamental right by the apex court last year.
Security Breach Boom
Another issue confronting Aaadhar is whether it has become an enabler of corporate interests. This assumes significance in view of the several newsbreaks in the recent months regarding the data breach of Aadhaar cards. Aadhaar has been breached by different stakeholders, including government departments, Indian corporates and multinationals. All of them continue to have a free run as far as breaching data security is concerned and what’s more, are not accountable as of now. The possession of a physical Aadhaar card is considered an identity proof at airports, trains and other public places, even though it should not be.
Data for Sale
In January this year, one of India’s leading national dailies, The Tribune, uncovered a racket wherein you could get access to Aadhaar data if you paid USD 7.5 to certain individuals on a closed WhatsApp group. Also, with an additional payment of USD 5, it would be easy to obtain a printed copy of these Aadhaar cards. Last year, Bengaluru-based Centre for Internet & Society in south India has carefully documented the public availability of 130 million Aadhaar numbers, along with other sensitive private information. The sources of the leaks were four government-run schemes. The leaks were multi-sourced: they originated at the National Social Assistance Programme by the Ministry of Rural Development, the National Rural Employment Guarantee Act (NREGA) by the Ministry of Rural Development, Daily Online Payment Reports under NREGA by the government of Andhra Pradesh and the Chandranna Bima Scheme, another state government scheme of Andhra Pradesh.
As we go to print, personal and professional details of about 27 million members registered with the retirement fund body, Employees’ Provident Fund Organisation (EPFO), have been exposed to data theft. In a letter to the Ministry of Electronics and Information Technology, the Central Provident Fund Commissioner has written that hackers have stolen data from Aadhaar seeding portal of EPFO. He also called upon the ministry’s technical team to plug vulnerabilities on the portal, which has now been temporarily shut. The portal linked Aadhaar number of employees with their provident fund accounts.
It is widely reported how India’s corporate class misused data and have been subsequently fined. In December last year, UIDAI temporarily barred Bharti Airtel and Airtel Payments Bank from conducting Aadhaar-linked e-Know Your Customer (KYC) verification of SIM cards and bank clients. The action follows allegations of Bharti Airtel using the Aadhaar-e-KYC based SIM verification process to open payment bank accounts of its subscribers without their ‘informed consent’. For instance, more than 2.3 million customers have reportedly received as much as USD 6 million in their Airtel bank accounts, which they did not know had been opened. In April, authorities imposed fines worth many millions on telecom major Bharti Airtel and Axis Bank for breaching terms and conditions attached to Aadhaar authentication.
The third level of breach involving data on Indians comes from global digital social platforms. In April this year, Facebook admitted that information from 560,000 Indian users may have been improperly shared with Londonbased analytics firm, Cambridge Analytica. India has sought responses from both Facebook and Cambridge Analytica. Interestingly, the political consultancy firm, after harvesting data from Facebook to influence the last United States of America’s (US) election, filed for bankruptcy in New York.
Paradigm Shift
There is a new awakening and sudden rush of activities over data privacy and data protection in India, thanks to the General Data Protection Regulation (GDPR) of European Union that came into force from May 25. Indians can ill afford to ignore the GDPR. It requires businesses to protect personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states.
Any company handling EU user data will have to comply with the regulation. “With the coming of GDPR into force, the organisations will need to evaluate where they stand in their data privacy journey as the onus of accountability shifts from regulators to organisations,” noted Jaspreet Singh, partner, Cybersecurity, Ernst & Young. The GDPR is being adopted at a time where India is arguably at a cusp regarding data privacy. The August 2017 decision of the Supreme Court in Justice Puttusamy vs Union of India confirmed the existence of a fundamental Right to Privacy, recognised the concept of information privacy and noted that legislation should be enacted to ensure enforceability against nonstate actors (private entities).
What is GDPR?
A key concept of GDPR is privacy by design. This amounts to thinking about data privacy and its implications when developing products, features and even marketing campaigns based on personal data. It also involves privacy by default that requires controllers to implement appropriate technical and organisational measures to ensure that only personal data, which are necessary for each specific purpose, are processed.
With the enforcement of GDPR, any breach of the regulations may compel violators to pay heavy penalties. It will result in substantial fines of up to EUR 20,000,000 or four pc of annual worldwide turnover – whichever is greater. Says Devendra Kumar Sikri, chairman of the Competition Commission of India: “Regulators don’t as yet have much idea. I must confess that what has to be done to make human centric anti-trust laws apply effectively to intermediated transactions, remains a real challenge. But instrumentally, I believe a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish while also keeping personal data of citizens secured and protected.” He suggested that personal data, which is collected, used, shared or stored, should be governed by a separate regulatory framework.
Non-Existent Data Privacy Laws
India presently does not have any express legislation governing data protection or privacy. However, relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the Indian Contract Act, 1872.
According to Pavan Duggal, a noted cyber law expert and Supreme Court lawyer, India should not cut and paste any other country’s law, as it has to deal with a different set of problems. “India’s social realities are entirely different. The country has to deal with the issue of Aadhaar, which is reeling under a variety of cyber attacks because we have failed to apply cyber security as an integral part of Aadhaar architecture,” he asserts.
India’s approach has to be based on its own needs. “We should not allow data to be stored outside its boundaries. Service providers must be made to pay high penalty if they are found to be misusing the data of Indians, irrespective of whether they are located in India are not,” Duggal adds. Last year, the government set up a committee under the chairmanship of former Supreme Court judge B N Srikrishna, to suggest a framework and law for protecting data. The panel is likely to submit its report in June 2018.
This isn’t the first time India is attempting to introduce data privacy law. In 2011, the justice A P Shah panel was tasked with submitting a report on privacy. That panel, submitted its report in 2012, but the Congress-led and BJP-led governments have failed to enact a law as of yet. However, there is little doubt that India badly needs data protection laws to protect its foreign exchange and attract greater foreign investments.
Points out Suresh Chandra, law secretary, Ministry of Law & Justice: “Rather than limit itself to being a supplier of services to corporate America and Europe, India sees itself as the place where such corporations can establish themselves. Thus, by creating a good data protection law, India could extend well beyond being a mere supplier to the world’s multi-national corporations.” The scope, surely, in this sensitive line of business, is limitless.