With the data-protection bill in limbo, these policies contravene the right to privacy

In the absence of a data-protection bill there are no procedures, limitations or restrictions governing the manner in which the state collects citizens’ data or utilises it.

On 24 August 2017, a nine-judge bench of the Supreme Court ruled that the right to privacy is a fundamental right guaranteed by the Indian Constitution. The verdict, in Justice KS Puttaswamy vs Union of India, stated that the right to privacy is an intrinsic part of the fundamental right to life and personal liberty, as guaranteed under Article 21 of the Constitution. Puttaswamy, a retired high court judge, had challenged the government’s decision to make the biometrics-based Aadhaar cards mandatory for access to state welfare schemes. The government had argued that the Constitution does not grant specific protection for the right to privacy—a contention that the apex court overruled.

The ambit of the judgement—autonomy over personal decisions, bodily integrity as well as the protection of personal information—has far-reaching implications for any data that is part of the state’s multiple databases with details of India’s citizens. The government relies on four kinds of data—administrative data that includes vehicle-registration records, tax receipts and property records, and survey data, which forms the bedrock of policy making. Indian citizens cannot opt out of these two databases. Citizens have the option of withholding their data from the other two databases—end-to-end transactional data on the Unified Payments Interface, a real-time payment system which facilitates inter-bank transactions and is regulated by the Reserve Bank of India, and institutional data such as hospital and academic history.

The historic judgement states that consent is paramount for the collection or distribution of any personal data. In the absence of consent, this should be accompanied by a legitimate aim of the state—such as public good—that is proportionate to the objective it seeks to achieve. But over the past year, the central government has proposed or implemented a number of data-collection and surveillance schemes that could infringe on an individual’s privacy. These schemes have been proposed or implemented without a commensurate data-protection bill that would provide a rule-of-law framework for data collection and the corresponding concerns over privacy and consent. A rule-of-law framework safeguards citizens by restraining the powers of governing agencies. It establishes procedures and limitations for these agencies and determines the constitutionality of any proposed initiative.

In July 2018, a ten-member team, led by Justice BN Srikrishna, a retired judge from the Supreme Court, submitted a final report and a data-protection bill to the government. The bill—which is yet to be tabled in the parliament—sought amendments to the Right to Information Act, 2005 and the Information Technology Act, 2000, to establish a procedure for the disclosure of personal information. The absence of a rule-of-law framework, essentially a data-protection law, makes the government’s schemes—the ones already implemented and those in the pipeline—problematic.

In April 2018, the Andhra Pradesh government had published the details of about 1,30,000 Aadhaar cards with bank details and demographic data. The new proposals, which will entail new databases with several agencies, are prone to the same lapses in privacy. In addition, section 4 of the 2019 Economic Survey assumes that “the processing of data will be in compliance with accepted privacy norms and the upcoming privacy law, currently tabled in Parliament.” But the absence of a data-protection bill could render all the initiatives listed below unconstitutional and in direct violation of the Puttaswamy judgement.

1. Vehicle-Registration Data

On 8 July, Nitin Gadkari, the union minister for road transport and highways, revealed that the government had earned Rs 65 crore by selling the data contained in two databases—Vahan and Sarathi—maintained by his ministry. These are digitised databases: Vahan stores details like the registration, engine and chassis number of the vehicles, and Sarathi has the driving-licence records. The ministry sold approximately twenty-five crore vehicle-registration records and 15 crore driving-licence records to 87 private companies and 32 government agencies.

The government justified the premise of the sale on the basis of a document titled “Bulk Data Sharing Policy & Procedure,” released in March this year. The policy established a framework to sell bulk data from the road-and-transport ministry to companies with at least 50-percent stake owned by an Indian citizen or a company registered in India. Such sales would “support the transport and automobile industry,” benefit the country’s economy, and improve services for citizens. The document also stated that “there has been a growing demand to share the data for wider benefits.”

An analysis of the government policy shows that although the policy addresses concerns about privacy—all the data shared would be encrypted and stored on local servers—and utilises the information-technology act to restrict usage of this data for internal research purposes, it does not address how sharing vehicle records would benefit consumers. It only accounts for the interests of the seller, the government, and the buyer—private entities. Moreover, there is nothing in the Motor Vehicles (Amendment) Act, 2019—an act that regulates all road-transport vehicles—to facilitate the sale of administrative data such as this. Since this is part of administrative data, neither can citizens opt out of it, nor is it mandatory for the ministry to secure the consumers’ consent. This lack of consent suggests that this is a violation of the right to privacy as defined by the Puttaswamy judgment.

2. DNA Technology (Use and Application) Regulation Bill, 2019

On 8 July this year, the DNA bill was tabled in the Lok Sabha. The legislation provided for the use of DNA technology to establish the identity of anyone booked under the Indian Penal Code. It also allowed for the creation of indices on crime scenes, suspects, undertrials, offenders, missing persons and unidentified deceased persons. The bill also extended to civil matters such as paternity suits, emigration and immigration, transplantation of human organs and the establishment of individual identity. According to the bill, removal from the database—which is to be maintained and used by several government agencies—would require a court order and a police report.

Although the bill addresses consent, it does so partially. The bill does not require consent from anyone who is charged with an offence that is punishable with imprisonment for seven years or more. It is not clear how former convicts can remove their DNA profiles from the database. If the government wants to retain the profiles of ex-convicts, it does not specify how it would circumvent the harassment or ostracisation that comes in the way of rehabilitation. Moreover, the bill does not address consent given under duress or the issue of how the government would prevent leaks as the data will be handled by multiple agencies.

3. Automated Facial-Recognition System

On 28 June 2018, the National Crime Records Bureau—which has not released reports on crimes, prisons, accidents and suicides in India since 2016—released a request for proposal for an Automated Facial Recognition System, or AFRS, to be used by law enforcers across the country. The NCRB has proposed the use of an artificial intelligence technology called neural networks—which establishes patterns and matches—to identify missing and dead persons, and criminals, as well as for crime prevention. The use of AFRS has been heavily criticised outside India—China uses it to identify its Muslim minority, the Uighurs—because it relies on gathering data from CCTVs, newspapers, raids and sketches, which are prone to biases based on variables such as class, gender and race.

Since the data for automated facial recognition is gathered from surveillance, there is no question of consent in the process. In the absence of explicit consent, the NCRB must prove a legitimate state prerogative that would justify the use of automated facial recognition—as opposed to more accurate measures such as iris scans and fingerprints—for identification. According to the Puttaswamy judgement, fundamental rights cannot be construed as distinct, unrelated rights. Freedom of expression is closely tied to the right to privacy, and automated facial recognition may also be used to identify dissidents apart from the stated aim of cracking down on criminal activities.

4. Monetising the Central Welfare Database of Citizens

The 2019 Economic Survey pitched for the creation of a centralised database that would merge all existing data sets maintained by different ministries and departments. The argument presented was that such a database would streamline the government’s delivery of services and subsidies.

The survey states that the “elite preference of privacy” should not be imposed on the poor, “who care for a better quality of living the most.” It suggests that data is a public good and that it should be utilised to improve the services and benefits offered to the public. The survey advocated the sale of private data to companies—to generate better insights for profits or for commercial use—to overcome the gaps in welfare policies. Recasting private data as public good implies that the state has the consent to sell this data for commercial use, since it must be in the public sphere.

If the government intends to sell the four types of data it possesses, it assumes that this data is given to the state consensually. The Puttaswamy judgment recognises an individual’s autonomy over personal information. In a bid to monetise private data, the government assumes that any consent given at the outset of data collection extends to its use by private firms. This assumption is flawed because most of our data-collection methods do not require explicit consent at the outset and are part of a specified quid pro quo between the state and citizens.

Additionally, in the same survey, the government admits that “advancements in gathering, storing, processing and dissemination have lowered the marginal cost of data to unprecedented levels.” Even if data processing incurs marginal costs, why should data be sold to private companies if it could be a violation of people’s right to privacy?

Moreover, even if the government localises this data and removes personal identifiers, this data is meant to support data analytics, and will reveal patterns that could be misused to undermine democratic institutions. Subsequently, even the creation of a Central Welfare Database of citizens has to contend with any unauthorised data leaks that might render integrated datasets open to misuse.

5. Access to Social-Media Accounts

On 3 July 2019, R Subrahmanyam, the secretary of higher education, issued a circular that directed students to connect their social media accounts to their respective higher education institutes as well as the ministry of human resource development.

According to a report on the news website Vice, this policy will affect nearly thirty million students across 900 universities. Amidst rising tensions on Indian campuses, this move has raised eyebrows as it brings students’ personal data directly under the purview of the government. Critics believe that this kind of surveillance might quell student activism, help in identifying activists on campus, lead to moral policing and push students to anonymise their online activities, thereby curbing their freedom of expression. While the students will not be compelled to share their data with the government, it will become mandatory for them to provide access to their personal space with implied consent.

6. Linking WhatsApp to Aadhaar

On 20 August, the Supreme Court agreed to hear a plea from Facebook for the transfer of multiple cases related to enabling tracking of its social-media platforms. These cases were being heard before the high courts of Chennai, Mumbai and Madhya Pradesh. Facebook, which had been taken to court in various states over linking its verticals to Aadhaar, wanted all pleas to be heard in one court, in the “interest of justice,” and to streamline the various rulings from the states. Facebook has asserted that it will need to compromise on its promise of end-to-end encryption and privacy if it has to comply with the government’s request to provide traceability and decryption on the platform.

The Attorney General of India, KK Venugopal, who appeared for the Tamil Nadu government, argued in the Supreme Court that the spike in cyber crimes, child pornography and anything against “public health and safety” can only be countered if the government links users’ social media accounts to Aadhaar. Facebook-owned WhatsApp has resisted the government’s demand for digital fingerprints—India is the only country in the world to demand in-built tracking—because it is practically impossible for the app to do so without building a backdoor to decrypt messages. On 14 September, the Supreme Court asked the central government if it indeed wants to link WhatsApp and Facebook to citizens’ Aadhaar cards. The Centre argued that Facebook had misinterpreted its motive to link unique-identification numbers to social-media platforms and insisted that the increased surveillance would result in greater good for society by curbing crimes.

The government’s bid, however, is undercut by two unanswered questions—what it aims to achieve by linking these accounts specifically to Aadhaar and how it plans to protect the personal information of 400 million WhatsApp users if all decrypted data is available through a backdoor and each user has a digital fingerprint. WhatsApp is one of the only platforms to have withstood data leaks. Linking social-media accounts with Aadhaar can lead to a centralised database of personal information—from business transactions to a conversation between a journalist and a stringer. In the Puttaswamy judgment, the Supreme Court explicitly struck down the mandatory linking of Aadhaar to mobile numbers and bank accounts. If the government wants traceability, it also has to contend with operating systems such as Apple’s iOS that ban apps that share user information. Moreover, the government has provided no rule of law or framework for the proposed traceability.