The push towards the digital economy is leading to the digitisation of the lives of Indians in unprecedented ways as the population of the entire country become ‘data subjects’. Considering recent implications of data misuse and privacy breaches, a Privacy Commissioner is required to protect India’s data and its people, Manpreet Dhillon writes.
India is a country of 1.2 billion people and counting. It is only behind China in terms of where the most data will be generated in the world. The push to the digital economy is leading to the digitisation of the lives of Indians in unprecedented ways by both private and public players. Data has been described as the ‘new oil’, and according to Nandan Nilekani, the architect of India’s Unique Identification (UID) project, India will be ‘data rich before being economically rich.’ The population of the entire country have become ‘data subjects’ and are thus considered an effectively free resource for the state and the market.
The push towards a ‘Digital India’ hinges on the active participation of the data subjects in generating information through the use of various devices and services thereby becoming co-partners in the construction of products and services that enable them to be targeted more efficiently as consumers. At the same time, there is much anxiety and concern amongst the public regarding the misuse of their data and the threat to their privacy. The ethical, transparent and consensual collection of user’s data defined by clear legal parameters forged by a democratic process of discussion and multi-stakeholder participation is necessary but unfortunately missing in India presently.
The dangers of data misuse: learning from Cambridge Analytica and Facebook
The ‘App economy’ works on the fundamental principle of getting access to all the data that is being generated by the user from the application platform, which is usually provided for free. The main revenue generating model for companies like Google and Facebook is the commodification of data that is freely given by its users, which in turn, is used to target them as consumers by companies which offer them products and services based on their profiles. The decreasing cost of data devices and data plans in India ensures the potential for massive data generation. For example, the BBC reported that more than half of Indian homes have mobiles but no toilet according to the 2011 census. However, the application of this data has become problematic for individuals as well as for governments across the world, as is exemplified by the recent controversy involving Cambridge Analytica, Facebook and the U.S. government. The fact that Cambridge Analytica is also reported to have been extensively involved with Indian political parties and is also potentially implicated in the Brexit referendum underlines the urgency of taking this threat to democracy seriously.
The unwelcome growth of Aadhaar?
This data revolution is moving ahead at breakneck speed with the partnership of both government and private sectors who claim to use it for providing effective and efficient services to the people. The Aadhaar project is the biggest biometric database in the world and it is being used as a platform to access many other services; for example, seeding it with the Permanent Account Number (PAN) for filing income tax returns. Private telecom companies are using it to authenticate their customers for providing them SIM cards. Banks are using the e-KYC generated from the Aadhaar database as proof of the customer’s identity. Legal documents can be e-signed now using the Aadhaar number without the need for any physical signatures. However, the Aadhaar database project has come under severe criticism for its inability to protect citizen’s data and ensure privacy. The threat of a ‘surveillance state’ and the unconstitutional means through which this database has been created using public money has resulted in cases being filed by civil rights activists across the country and the Supreme Court is currently hearing these cases.
The lack of transparency, accountability and multi-stakeholder consensus on the one hand and use of coercion and denial of services on the other has underlined the undemocratic ethos of this project. The owner and collector of the data i.e. the Unique Identification Authority of India (UIDAI) is also the regulatory body, which is a conflict of interest in the clearest terms possible. It has been reported that executives involved in creating the database are now launching private user-authentication companies. The fact that government departments have been leaking Aadhaar numbers by the bucketful has also put the UIDAI in a tight spot and put a big question mark over its capability to control and protect the data it has collected from the populace. Recently, the Chief Minister of Andhra Pradesh, Chandrababu Naidu declared that the DNA data of 50 million citizens will be collected using blockchain technology. Hence, we find that data is gathered by promising to deliver better and more effective welfare, healthcare, security and governance without clearly defining user rights over their data or any robust oversight on how it can be used or sold by various firms.
A man gets his fingerprints taken at the Aadhaar enrolment centre. Photo credit: .
The need for safeguarding citizens’ data
While it is clear that the interest of the government for innovation in governance through the use of technology and of the private companies for the generation of profit and new products are being well served, it is not at all clear how the privacy rights of citizens are being safeguarded in the new digital economy. The use or abuse of private data by multinational companies like Google, Facebook and others needs to be taken serious note of and citizens need to be protected by the government through laws that effectively address the issues and concerns related to informational privacy and provide the redress mechanism for misuse of data or data leakages. The data that the citizens provide to the government in good faith must also be protected and the citizens should have the right to have their complaints registered and action taken for any data breach. The government needs to become an active partner in ensuring that the interests of not only the state and market but also of individual citizens are safeguarded and protected.
To do this, the creation of the office of the Privacy Commissioner of India is urgently required. It should be a specialised office tasked with the mandate of ensuring the privacy rights of Indian citizens are well protected and relevant policy interventions are generated to ensure data security and compliance with the highest standards of data ethics. The Supreme Court ruled in 2017 that privacy is a fundamental right in India. The Right to Privacy Bill, which mandated the creation of a Data Privacy and Protection Authority (DPPA) is a step in the right direction and needs to be passed by the legislature without further delay. The government promised the Supreme Court that the Data Protection Bill drafted under the leadership of Justice B.N. Srikrishna will be ready by March 2018 but it is nowhere in sight yet. Cases relating to data protection and data security are currently being filed in the courts as there is no independent body that has jurisdiction to investigate complaints and suggest policies for data governance to the government while the juggernaut of data collection goes ahead full throttle.
Best practices in other countries
The U.K., Canada, Germany and the European Union are jurisdictions from where many best practices related to informational privacy and regulation of data can be picked up and put into action within the specificity of the Indian context. For example, citizens in the U.K. can file a complaint with the Information Commissioner’s Office and have their concerns investigated by law. The same office also works actively with the government and private parties to strengthen data security in the country while at the same time penalising any unlawful use or breach of data that infringes on the user’s right to privacy and security from harm. Data protection and security is safeguarded by the government in these countries by proactively engaging with all stakeholders concerned.
A well funded privacy commissioner’s office is the best way forward if India is to advance towards the optimal use of data while simultaneously ensuring informational privacy to achieve new benchmarks in ethical and democratic regulation of data. An autonomous and independent Privacy Commissioner’s Office with penal powers will help in ensuring that appropriate policies can be framed, data can be well regulated, and citizens can directly file their complaints to the office rather than going to the courts. India is on the journey to becoming ‘one nation, under code’ and thus, it would be wise to remember that data can be a good servant but may also transform into an evil master if allowed to by citizens and their government.
Note: This article gives the views of the author, and not the position of the South Asia @ LSE blog, nor of the London School of Economics. Please read our comments policy before posting.
About the Author
Manpreet Dhillon is a doctoral candidate at the Centre for the Study of Law and Governance, Jawaharlal Nehru University, New Delhi and a visiting Shastri Indo-Canadian student researcher at the Department of Sociology and Anthropology, Carleton University, Canada funded by the Ministry of Human Resource Development (MHRD), Government of India.