UIDAI is not India’s data watchman

Depending on whom you’re speaking with, Aadhaar is either the single-most transformative reform measure taken by the Indian government or the very embodiment of an ultra-intrusive state, spying on every action of its citizens. The future reality could simultaneously be both, either or neither. By providing millions of disenfranchised and invisible Indians with an identity, Aadhaar may be tremendously empowering; equally, if not implemented carefully, it has the potential to alienate, empowering the state at the cost of the citizen. The direction the Aadhaar project takes rests on a critical reform—a comprehensive law on personal data protection.

In this context, especially at a time when public emotion regarding Aadhaar is running high, a few facts may be appropriate. The Aadhaar Act, 2016 contains an entire chapter dedicated to protection of information, becoming the first modern-day statute in India to explicitly do so. It obliges both the Unique Identification Authority of India (UIDAI) as well as the range of agencies which collect Aadhaar data to keep data secure. It incorporates standard fair information practices of collection limitation, purpose specification, use limitation, access and correction, recognized by the A.P. Shah Committee and widely accepted as the bedrock of data protection in the world. However, despite these facets (full disclosure: I assisted in drafting the Act), the Aadhaar Act, is not, and cannot double up as a comprehensive law on personal data protection in India.

To understand why, it would be useful to closely analyse a recent instance where it has been alleged that Aadhaar data is insecure. The Kerala Sevana Pension website displayed the following information about pensioners: name, pension ID, bank, branch, account number, Indian financial system code (IFSC) number, and Aadhaar number. That the Aadhaar number has been displayed is a clear violation of the Aadhaar Act and necessary action ought to be taken. But limiting criticism to this aspect alone, as several critics have done to demonstrate UIDAI’s deficiencies, would be missing the wood for the trees.

There is a larger and potentially far graver disclosure—of the pension database itself. This is a common feature in all the recent “leaks” that have been alleged—personal information unrelated to Aadhaar has been disclosed by user agencies. Such information is a veritable goldmine for product marketers—imagine the cost savings for companies making products for the elderly if it could target its advertisements solely to pensioners. Now, it cannot be anybody’s case that the Aadhaar Act or UIDAI should protect all such data strictly unrelated to Aadhaar itself. This would make UIDAI the de facto data protection authority for India, a situation both absurd and unworkable.

It is into this breach that the law on personal data protection needs to step in. One might argue, as some have, that without such a law in place first, an ambitious project such as Aadhaar ought not to have been launched. Such argument, while understandable, is unfortunately oblivious to the political economy that drives legislation, particularly around data protection.

The Privacy Act, 1974 in the US was not a bolt from the blue—it emerged pursuant to the Watergate scandal and its disclosures. Similar is the case in Australia where the enhanced tax file number (TFN), which sought to more authoritatively identify taxpayers, led to the Privacy Act, 1988. Governments do not simply pass data protection laws on a whim—they do so when there is a compelling interest.

Such compelling interest exists in India today. With over a billion Aadhaar numbers issued and demonetisation catapulting India into the digital economy, vast amounts of demographic data will be generated and used.

Without adequate norms guiding sharing and use of such data, public discourse will continue to unjustifiably hold UIDAI responsible for protecting such data. Anyone familiar with UIDAI knows that being the data watchman for the country is not its mission. This public-induced mission creep must be guarded against, if the Aadhaar project is to achieve its core objective of uniquely identifying every Indian resident. This will be possible only if a robust machinery for enforcement of technology-agnostic data protection norms is established in the country. A failure to do so and UIDAI stands in grave peril of falling prey to a rightfully concerned but ultimately misguided civil society activism.

Equally, there is a more compelling interest for a data protection law that has less to do with Aadhaar and more with national sovereignty. With approximately 450 million people online today, India presents a combination of a large number of Internet users coupled with low digital literacy. The absence of a data protection regime means that several private companies collect and use personal data in a manner quite unknown to the individual.

To provide a personal example: logging into the “My Activity” section in the Google suite of products recently, I could access a full profile of where I was a year to the day—the restaurant I ate at, the hotel I stayed in and the distance that I had driven. All this has been stored technically with my consent—so Google isn’t violating the law—but the protection of my data is now the benefaction of Google’s privacy policy.

As an emerging global power that has aspirations to be at the vanguard of the information technology age that we live in, India, not Google or any other private player, needs to set the rules of the game. If set right, the fruits of the digital economy, including the benefits of Aadhaar and big data, will work for the citizen. If not, Aadhaar might be reduced to a footnote when India’s digital history is written, where the kings and queens are the digital repositories of citizen data that lie in private hands.

Arghya Sengupta represented the Unique Identification Authority of India in the Supreme Court. Views are personal.