Can the Aadhaar Act and a Data Protection Act Coexist?

The data protection draft bill and report add to the conversation around meaningful, just and fair data protection and its simultaneous existence with the unjustifiable privacy-related incursions of the Aadhaar project.

Much like the finale of an exasperatingly long-drawn out TV series, the Srikrishna Committee submitted its final report to the law and IT minister on Friday. However, it appears that this emotionally and physically exhausting data privacy drama will be prolonged as the Aadhaar judgment isn’t out yet.

The Srikrishna Committee was constituted during the pendency of the hearings in the constitutional challenges to the validity of the UID project. The Union government had in fact stated during its submissions to the Supreme Court that it was setting up a committee and intended to introduce laws related to data protection and privacy. Those following the Aadhaar project have waited to see the kind of impact a data protection bill might have on the project, with many feeling that any data protection bill would by its very nature, have to deal with, and curtail it. The idea of a privacy/data protection law has been proposed various times in the country’s recent past. None of the various official drafts and deliberations have occurred in a time quite like this, when over one billion Indian citizens were, in most cases, coerced into enrolling in a centralised mandatory biometric identification system.

After the composition of the Committee was finally announced, by November 6, 2017, several eminent jurists and concerned citizens raised concerns about possible conflicts of interest of various members of the Committee, specifically related to Aadhaar. The Committee chose not to respond to this letter, nor did it increase the diversity of the members of the Committee. Lack of transparency and public participation has been a ‘feature’ of the deliberations of the Committee. The first public document put out by the Committee was its White Paper, which was published solely in English and no other language.

When the minutes of the meeting of the Committee was released, after denial and then appeal, in response to an RTI application filed by RTI activists Anjali Bhardwaj and Amrita Johri, it was found that the same think-tank involved in drafting the Aadhaar Act played a prominent supporting role in the deliberations of the Srikrishna Committee. The Ministry of Electronics and Information Technology later illegally denied providing the submissions and recommendations made to the Committee in response to RTI applications filed by the same activists. Most recently, 150 citizens once again wrote to the Committee demanding greater transparency and accountability in its functioning. The Committee remained determinedly silent, giving no response and continuing to valiantly and illegally deny RTI applications for the draft bill, notes and submissions made to the Committee. The release of the draft bill and the final report of the Committee are thus very welcome, but further public consultation is clearly needed. In fact, the pre-legislative process created by an empowered group of ministers in 2014 legally mandates it.

In its final report, the Committee recognises that, “The Aadhaar Act needs to be amended significantly to bolster privacy protections and ensure autonomy of the UIDAI. Since the context of the Committee’s functioning has been shaped by a vigorous public debate about Aadhaar and its impact on data protection, the Committee would be remiss if it did not deal with this issue.” The best way to understand the Committee’s proposed amendments to the Aadhaar Act and the suggestions it makes in its reports are to imagine being a ‘data subject’ – elderly, below the poverty line, significantly if not totally dependent on welfare entitlements for survival – who was coerced into submitting her biometrics as a necessary condition for her to receive her pension.

Concerns around the Aadhaar project have broadly coalesced around welfare and privacy; these have included questions of surveillance, liberty, access to basic rights, data commercialisation, coercion and choice.

Justice B.N. Srikrishna. Credit: LiveLaw

Justice B.N. Srikrishna. Credit: LiveLaw

At first glance, the draft data protection bill appears to provide massive exceptions for welfare that seemingly apply to Aadhaar. Section 13 makes the processing of personal data without a person’s consent possible for any function of the Parliament or State Legislature. It allows the processing of personal data, if necessary for the exercise of any function, for the delivery of services or benefits or issuance of certificates. In addition, Section 19 states:

Sensitive personal data may be processed if such processing is strictly necessary for: (a) any function of Parliament or any State Legislature and (b) the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal.

This appears to be the exception allowed for the State to process personal data and looks ominous when you think about the expansion of the Aadhaar into so many aspects of our lives – for welfare programmes, IT returns, for healthcare subsidies, sim cards etc.

But is Aadhaar or Aadhaar authentication strictly necessary to fulfill any function of the state? The draft bill opens a space in which we can and must ask this question. As Prof Reetika Khera points out, for example, “welfare needs Aadhaar like a fish needs a bicycle.” Much has been written about how Aadhaar is an inappropriate technology for welfare. Why should Aadhaar or Aadhaar authentication be necessary for a person to receive her pension?

Critics of the Aadhaar project have since the very beginning highlighted the sweeping nature of the Aadhaar project. While the Aadhaar Act posits itself as an act to “provide for, as a good governance, efficient, transparent and targeted delivery of subsidies, benefits and services”, its expansion into various other fields has been unchecked and indiscriminate. Section 5 of the draft data protection bill deals with purpose limitation and states that the “personal data shall be processed only for purposes that are clear, specific and lawful.” The processing of Aadhaar data so far has been for purposes that are anything but clear and specific, while the lawful bit is under challenge in the Supreme Court of India.

With the enormity of the unwieldy Aadhaar project occupying our imagination, one thing has become very clear – that while data protection laws around the world and this one in particular largely deal with protecting personal data, there might be times when I may need to be protected from data. For example, if I am poor and elderly and go to a ration shop, currently, I am mandatorily required to authenticate my fingerprint on a machine that decides whether or not I am the person I say I am. Once the machine decides, on the basis of data I gave it at an earlier date, only then can I get access to my entitlements. While various authorities keep assuring us that other means of identification are acceptable, this message has still not permeated to the people administering these programmes and in many cases, the technical architecture itself does not allow for any other means of identification.

In the case of Aadhaar authentications – for the elderly, differently abled, those engaged in manual labour, people genetically predisposed to not have fingerprints – Aadhaar-based biometric authentication does not work. The draft bill and report propose a new system of offline verification, only proving how broken Aadhaar really is. We have not been told what this system of offline verification will be, nor why it is necessary, nor what purpose it will serve or where exactly it will be used.

Section 9 of the draft bill relates to data quality and sub-section (1) states that:

“The data fiduciary shall take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated, having regard to the purposes for which it is processed.”

As per section 2(13) of the bill, a “data fiduciary” means any person, including the state, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.” This would mean possibly, that the burden of maintaining data quality would be placed on the UIDAI, and not on the data subject.

The data protection draft bill and report further add to the conversation around meaningful, just and fair data protection and its simultaneous existence with the unjustifiable privacy-related incursions of the Aadhaar project. It remains to be seen how and whether the Aadhaar Act and a Data Protection Act can coexist.

The speed with which the Committee has been forced to work is an obvious side-effect of the vacuum created by the existence of the Aadhaar project, new proliferating technologies and the growing global conversation around data protection standards. It is vital that there be further discussion and public consultation on the data protection bill. The conversation around data protection is incomplete without the voices of those whom it will affect the most, including those that are entitled to welfare from the state.

Praavita is a lawyer and a SaveOurPrivacy volunteer.