It will lead to unprecedented levels of surveillance, but the advantages far outweigh risks that can be mitigated
Advocate, Supreme Court*
Citizens have to realise that they would have no control on how their personal data collected in the UID database would be adequately protected
Unique Identification numbers or Aadhaar numbers are being touted as the next big thing. The current implementation of the UID numbers framework in India is, however, likely to lead to a direct contravention of citizens’ fundamental right of privacy.
The right to privacy has been interpreted to mean the right to be left alone. The Supreme Court has already held in various cases that the right to privacy is implicit in the fundamental right to life and personal liberty under Article 21 of the Constitution of India.
Unique Identification Authority of India (UIDAI) has already started collecting biometric and other sensitive personal information of citizens without having the requisite sanction of Parliament. The present process of collection, collation and preservation of sensitive personal information including biometric information of Indian citizens without adequate safeguards amounts to a direct infringement of the citizens’ fundamental right to privacy.
UID is likely to contribute directly towards unprecedented levels of surveillance on common citizens. These, when combined with unprecedented powers of interception, monitoring, blocking and decryption granted to the government, under the provisions of the amended Information Technology Act, 2000, could constitute a deadly cocktail.
Any misuse of collected UID data could expose ordinary citizens to irreparable loss and injury, apart from bringing disrepute to such a monumental exercise. It needs to be considered that a UID scheme of the nature and magnitude envisaged in India has not been successfully implemented anywhere in the world.
Considering the fact that the said UID data being collected is data and information in the electronic form, it is being directly covered by the Information Technology Act 2000 and is subject to various norms pertaining to data protection as have been stipulated by the government.
Information collected by UIDAI for the UID numbers is sensitive personal information under the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data And Information) Rules, 2011 and require appropriate compliances. The public domain is completely silent on the compliances done by the UIDAI in this regard, thereby further endangering the citizens’ right of privacy.
Given the peculiar complexities of the Indian conditions, collection of sensitive personal information, outsourced to third-party vendors without adequate checks and balances could have a negative impact upon the individual’s right to privacy. Further, the UID scheme could become a vehicle, if so desired, in the hands of the state to target and marginalise sections of society. Despite touting the UID scheme as voluntary and optional, the present scheme virtually gives no real and effective choice to citizens. If you as a citizen want benefits from the government, you have no choice but to adopt the Aadhaar Number.
Citizens have to realise that they would have no control on how their personal data collected in the UID database would be adequately protected. The vulnerability of governmental databases to hacking and cyber criminal attacks has been well documented all across the world. The absence of any legal safeguards for lapses on the part of the Registrars and collation authorities and enrolling agencies, further makes the entire situation far more problematic for an individual’s privacy. At a time when India does not have a specific law on privacy, it is all the more implicit for the government to be circumspect while launching and implementing UID scheme in India.
India needs to draw its lessons from the experience of other countries. The recent experience in the UK has been severely ignored by India. The UID project in the UK has been scrapped and the National Identity Card scheme there has been described as an assault on individual liberty.
The government of India does not need to not act in a hurry and examine all the nuances pertaining to potential violations of privacy in this regard, given the Aadhaar Number’s specific role as an electronic information resource resident on computers, computer systems and computer networks of the government.
* Also Chairman of Assocham Cyberlaw Committee
Aadhaar will give the poor an identity and a vehicle to the government to build very targeted and focused programmes
“Progress always involves risks. You can’t steal second base and keep your foot on first’’’ — Frederick B Wilcox
A unique identity for 1.2 billion residents is the largest identity project being executed and watched globally. The success of this initiative will create a big change for governments to help uplift its citizens’ lives not only in India, but also in developing countries that face similar challenges.
Though the benefits of Aaadhar have been articulated, with any new system of such huge magnitude, there will always be doubts and apprehensions that the data may be misused. These concerns are natural but need to be viewed from a risk-management perspective including the risk of not doing it and mitigate any risks as we move ahead with a project of such a large impact.
Fifty per cent of Indians do not have access to primary healthcare; 80 per cent of Indian households are unbanked; and India suffers from a leakage of 40-50 per cent in public food distribution. These are alarming statistics and key priorities for the country to address.
There have been multiple initiatives aimed at lifting the economically-backward sections of society through subsidy programmes. However, disaggregated initiatives, leakages and corruption have limited their impact. The trickle-down benefits of economic growth have also not demonstrated inclusion to the desired extent.
Aadhaar is a unique identity for residents that will give the poor and underprivileged an identity and a vehicle to the government to build very targeted and focused programmes. This will act like the KYC leading to financial inclusion with deeper penetration of banks, health insurance and easy distribution of benefits of government schemes. Aadhaar will enable the core subsidy management system to ensure that government subsidies like food, LPG, fertilisers reach the intended beneficiaries. Scarce funds will now be better utilised and coverage will be expanded. The system will enable de-duplication and provide a robust, fast and real-time authentication.
Identity of an individual would entail biometrics and data being digitised. A single number could possibly mean the government having a system that could enable them for profiling, which is unintended. These are possible risks that need to be addressed.
In the digitised world, we expose ourselves to risk when we swipe our credit cards or when we shop or transfer funds online — everything that has made our lives more efficient. These risks are managed well by the use of secure processes and technological solutions such as encryption, secure payment gateways and so on. Another good example is that of the BPO industry that manages sensitive information of end customers. But since the benefits of outsourcing are very tangible and quantifiable – cost effectiveness, increase in productivity and competitiveness – businesses have outsourced with effective risk mitigation. Mature security and privacy practices, regular auditing and monitoring, vendor risk management programmes, security and privacy-related clauses in contracts, among many others are the best practices being followed.
For Aadhaar as well, appropriate legal, technological and process related safeguards for protecting privacy need to be built. Aadhar has already deployed state-of-the-art technologies and processes for securing personal information. Balance between privacy and purpose is a key vision articulated by Aadhaar.
The Bill for establishing the National Identification Authority of India has been introduced in Parliament. Appropriate provisions in this Bill can be inserted around no user profiling by correlating different databases, guidelines for agencies that will directly collect or have access to personal information on behalf of Aadhaar, can strengthen the country’s privacy regime.
The Right to Privacy Bill has been introduced to provide a legal framework. It is interesting that banks, which have been entering sensitive and personal information, did not have this provision till now and it was Aadhaar that triggered the privacy provisions.
Even as technology and legal provisions will make the whole system robust, the government and administration must ensure that the provisions of the law are followed in letter and spirit. We need to move forward, build our conviction and trust because the advantage of Aadhaar far outweighs risks that will be mitigated through safeguards and policy.