The issues with maximum data and minimum privacy
Since the privacy judgment five years ago, two evident trends have compromised the promise of privacy in the context of data protection and surveillance reforms.
Anniversaries, when meaningful, are not mechanical celebrations played out each year, but prompt deeper reflection. This month marks not only 75 years of Independence but also five years of the right to privacy judgment. On August 24, 2017, the Supreme Court reaffirmed privacy to be a fundamental right, linking it to each fundamental right under the Constitution. It prescribed tests that became legal qualifiers for ensuring an effective framework for state and corporate accountability to ensure the autonomy, liberty and dignity for all Indians.
But since this verdict, two evident trends have compromised the promise of privacy in the context of data protection and surveillance reforms. The first is the growth of digitisation in India through State policies and private enterprise that often lead to indiscriminate data collection and the second is the institutional resistance to privacy. This has collectively led to a policy of data maximisation.
In response to rapid digital transformation, countries from the Global North have established and continuously redeveloped frameworks for data protection. Many regulations draw from a common set of principles, including purpose limitation and data minimisation, to safeguard informational privacy.
Variance from it, such as those through regulatory sandboxes, is an exception to the rule. This recognises that personal data when collected and stored by a State or corporate entity, exerts power over an individual or a group. This view is under challenge in India. A common value within the execution of government programmes is to gather sensitive personal data across a range of daily actions through digital systems. It may be referred to as a policy of data maximisation, posing challenges to democratic guarantees.
An example of data maximisation exists within India’s biometric national ID, Aadhaar, which as per law is limited to the use of delivery of benefits, entitlements and subsidies. Upholding Aadhaar’s validity in 2018, the Supreme Court restricted its use and endorsed data protection principles, including purpose limitation and data minimisation.
Despite this, Aadhaar’s use has been expanded and is used as a common digital identifier across public and private services beyond welfare objectives. For instance, in December 2021. Parliament passed a law for the use of Aadhaar to establish the identity of voters ignoring risks of voter suppression and profiling. This amendment is now being operationalised with block-level officers of the Election Commission undertaking a door-to-door collection of Aadhaar numbers and linking it to electoral rolls. Within the private sector, its use is widespread to satisfy “know your customer” (KYC) norms from new age fintech firms to online matrimonial services.
Such expansion of use sets a background to the proliferation of digital databases and platforms in India. For farmers, there is an AgriStack, for unorganised labourers, the e-SHRAM portal, in health, the Aarogya Setu (a contact tracing app that has undergone function creep) and Ayushman Bharat Digital Health Mission (ABHA), and for schoolchildren and teachers, a NDEAR (National Digital Education Architecture). These digital databases are without an anchoring legislation but have developed frameworks within publicly available policy documents. They advocate for greater data processing and storage for satisfying public and private purposes. Any privacy protections under them — even when public pressure is applied — remain a mirage for they do not have the force of law. For instance, there is complete unaccountability on any data-related issues for Aarogya Setu.
In addition to database-specific frameworks, there exist data unification policies such as Data Empowerment and Protection Architecture (DEPA) that advocate “breaking data silos”. DEPA is supported by policies encouraging a combination of personal data across databases.
It includes India Digital Ecosystem Architecture (InDEA), which is being updated and the Draft India Open Data Access Policy for the free sharing of data within government and its enrichment, valuation and licensing to the private sector. A noticeable feature within the unification frameworks is their emphasis on innovation and growth that will be spurred by greater data capture through individual digital platforms, which then will need to be combined to provide a complete profile of an individual. Further data unification exists under digital security programmes such as Crime and Criminal Tracking Network System (CCTNS) that leads to 360 degree profiling.
Here, the absence of a data protection law has been made near-permanent by the withdrawal of the Personal Data Protection Bill, 2019 in Parliament. On the contrary, commercial imperatives of purposeless processing and licensing it to the private sector is being promoted.
Take this example from the Economic Survey 2019 — “Governments already hold a rich repository of…data about citizens..Merging these distinct datasets would generate multiple benefits with the applications being limitless … The private sector may be granted access to select databases for commercial use.” Vehicular data in the Vahan and Saarthi databases was licensed for ₹3 crore annually. The policy was withdrawn only after reports emerged that the data was used in a communal riot to identify persons by religion, based on vehicles parked at their houses. More recently, IRCTC invited bids to explore how train reservation data, including possible personal details of passengers, can be monetised.
Here, powerful state and private sector incentives exist in the absence of any legal regulation. Its impact is beyond regulatory development around data protection such as data retention or localisation mandates towards individual rights and power relationships in a constitutional democracy.
In effect, India has adopted an authoritarian policy cocktail, mixing surveillance welfarism and capitalism. Five years on from Puttaswamy, India has not merely failed to implement the right to privacy, but compromised on its core principles.
Apar Gupta is an advocate and executive director, Internet Freedom Foundation
The views expressed are personal