Centre for Internet and Society

India's billion-member biometric database raises privacy fears

praskrishna — 2016-03-17T15:25:45Z

India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.

The article by Sanjeev Miglani and Manoj Kumar was published by Reuters on March 16, 2016. Sunil Abraham was quoted.

The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.

It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.

The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their finger prints and iris signatures.

Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.

"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.

"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"

Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.

A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.

According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.

"POLICE STATE"

Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.

"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.

Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.

He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.

The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.

To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.

In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.

That would allow them to recognize patterns of behavior and detect potential illegal activities.

But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.

"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.

"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

For more details visit https://cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme

Pranesh Prakash and Amber Sinha — 2016-03-17T16:12:26Z

Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.

The article was published in the Hindustan Times on March 12, 2016.

There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.

Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.

In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But a second reading reveals the loopholes.

The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.

Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.

The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.

None of the above arguments even get to the question of implementation.

Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

Salient Points in the Aadhaar Bill and Concerns

Amber Sinha and Elonnai Hickok — 2016-03-21T04:37:48Z

Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill.

Use of Aadhaar Number

What the Bill says:

Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)
Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.
Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)
Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)

Concerns:

Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.
There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.
There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.

Enrollment Process

What the Bill says:

Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)
Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)
Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)

Concerns:

The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.
Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.

Authentication Process

What the Bill says:

Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.
Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)
Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)
Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)
Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)

Concerns:

Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used.
Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies.
“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations.
Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:

Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.
Opt out of sharing of information at the enrollment stage or authentication stage.
Opt out of any use, disclosure, or retention of their information prescribed by the Act.

Security

What the Bill says:

Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)
Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)
Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54)

Concerns:

Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.

Confidentiality

What the Bill says:

Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)
Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)

Concerns:

Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.
Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.

Disclosure

What the Bill says:

Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)
Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)
Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33)

Concerns:

Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.
Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.
Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.
Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.
Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.

Power of UIDAI to make rules and regulations

What the Bill says:

The matters on which the UIDAI may frame rules include:

The process of collecting information,
Verification of information,
Individual access to information,
Sharing and disclosure of information,
Alteration of information,
Request and response for authentication,
Defining use of Aadhaar numbers,
Defining privacy and security processes,
Specifying processes relating to data management, security protocols and other technology safeguards under this Act
Establishing redressal mechanisms.

Concerns:

Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.
Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.

For more details visit https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns

Aadhaar Bill 2016 Evaluated against the National Privacy Principles

Pooja Saxena and Amber Sinha — 2016-03-21T08:38:34Z

In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles

In India, Biometric Data Storage Sparks Demands for Privacy Laws

praskrishna — 2016-03-23T02:27:05Z

In India, calls for strict privacy laws are growing after this week's passage of a measure that allows federal agencies access to biometric data of the nation's citizens, the world's largest such repository.

The article by Anjana Pasricha was published in Voice of America on March 18, 2016. Pranesh Prakash gave inputs.

The government says the use of biometrics will help cut rampant graft in the distribution of subsidies, but activists and opposition lawmakers warn it could usher in an era of increased state surveillance.

Raghubir Gaur, who works as an electrician in the capital, New Delhi, says he has never collected subsidized rations such as wheat and rice, because “somebody else has been taking the rations I should have gotten.” Now, with a national proof of identity, or "Aadhaar" card in his hands, Gaur says he is confident he will be able to access his designated subsidies.

The Aadhaar card is being used to give welfare benefits to the poor, who often cannot provide any proof identity, allowing corrupt officials to siphon entitlements.

The government says it has saved nearly $2 billion by preventing misuse of the subsidies in the last fiscal year alone.

Critics fear ‘police state’

Civil activists and research groups, however, have dubbed the Aadhaar program “surveillance technology” that constitutes a serious breach of privacy. They point to identity-verification systems in other countries, where cards or identification numbers are used for verification without creating a gigantic central database that documents every last transaction.

Indeed, the Aadhaar database also stores fingerprints and iris scans of every account holder, labeling each with a 12-digit identification number.

Concerns that this could lead to a massive invasion of privacy have been heightened because the new law allows the data to be used “in the interest of national security.”

“From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account, all these transactions get logged against the centralized data base," says Pranesh Prakash of the Center for Internet and Society in Bangalore. "So this invades your life completely and thoroughly.”

Some lawyers and privacy advocates say this has made it even more important to support a strong privacy law to ensure the huge government database isn't misused.

Finance Minister Arun Jaitley has defended the biometrics legislation, saying the data will be accessed only in rare cases that require authorization by a senior official.

“You mark my words, you are midwifing a police state,” said lawmaker Asaduddin Owaisi, just one parliamentarian opposed passage of the legislation and found no comfort in Jaitley's assurances.

Fraud concerns

Despite objections, the bill was passed by legislators who argued that such a move is critical to ensuring subsidies reach intended beneficiaries in a country where millions are poor and illiterate.

Attempts to draft a right to privacy bill to protect individuals against misuse of data by government or private agencies date back to 2010, but have made little headway. The latest push started in 2014.

Citing a cyberattack targeting the U.S. government, in which a hacker gained access to the information of millions of people, research groups have also flagged security concerns around India’s ambitious Aadhaar program.

“If this database gets leaked, the entire identification system collapses because people will be able to authenticate themselves as anyone else. So identity fraud is a great concern,” said Prakash of the Center for Internet and Society.

Nearly one billion biometric identity cards have been issued in India in the last six years.

For more details visit https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws

Seven reasons why Parliament should debate the Aadhaar bill (and not pass it in a rush)

praskrishna — 2016-03-24T02:25:24Z

Critics say the Aadhaar Bill does not address concerns over privacy, even as government is rushing the Bill without adequate parliamentary scrutiny.

The blog post by Anumeha Yadav was published in Scroll.in on March 11, 2016. Pranesh Prakash was quoted.

Since it was launched by the United Progressive Alliance government in 2009, the Unique Identification project called Aadhaar has functioned without a legal framework. The project, which aims to assign a biometric-based number to every Indian resident, has been run under an executive order, which means Parliament has no oversight over it.

An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns.

For long, critics have expressed concerns over collecting and centralising citizens' biometric data ‒ such as fingerprints and retina scans ‒ on a mass scale in the absence of a privacy law. The Supreme Court in several orders in 2014 and 2015 affirmed that the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number. The Supreme Court is now set to form a constitution bench to examine the contours of the right to privacy flowing from the government's arguments in the Aadhaar case.

Before the bench begins its work, however, the Modi government has introduced a new Bill on Aadhaar, which could override the court's orders.

The Aadhaar (Target Delivery of Financial and Other Subsidies, Benefits and Services) Bill was introduced on March 3 in Lok Sabha. Finance minister Arun Jaitley said the new Bill addresses concerns over privacy and the security and confidentiality of information.

But a close examination of the Bill shows several questions remain.

1. Does the Bill make it mandatory for you to get an Aadhaar number?
Yes, you may have to compulsorily enrol under Aadhaar, despite the privacy concerns explained in the sections below.

Four-time member of the Lok Sabha, Bhartruhari Mahtab of the Biju Janata Dal, was on the parliamentary committee on finance that examined the previous Aadhaar Bill introduced in 2010. He said the new Aadhaar Bill does not specify that it will not be made mandatory.

“There is duplicity over this issue,” said Mahtab. “Nandan Nilekani [the former chairperson of the Unique Identification Authority of India] repeatedly told us in the parliamentary committee that Aadhaar is not mandatory. The Supreme Court also said, 'You cannot make it mandatory.'”

But if a service agent asks for Aadhaar mandatorily, then as a beneficiary, citizens have no option but to get an Aadhaar number, Mahtab explained. “The government, or a private company, cannot force me to get an Aadhaar number," he said. "The government should bring a law that clearly says Aadhaar is not mandatory.”

A committee of experts on privacy, chaired by Justice AP Shah, had recommended in 2012 that the Bill should specify that individuals have the choice to opt-in or out-of providing their Aadhaar number, and a service should not be denied to individuals who do not provide their number. The Unique Identification Authority of India had then stated to the committee that the enrolment in Aadhaar is voluntary.

But the new Aadhaar Bill does not incorporate a categorical clause on opt-in and opt-out. Instead, it broadens the scope of Aadhaar. Jaitley said the Bill will allow the government to ask a citizen to produce an Aadhaar number to avail of any government subsidy. But section 7 of the Bill is phrased more broadly, and refers to not just subsidies but any “subsidy, benefit or service” for which expense is incurred on the Consolidated Fund of India, or the government treasury.

7. The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.

As noted above, the proviso in section 7 is premised on the phrase: “if an Aadhaar number is not assigned”. This, along with language preceding in the section, indicates that a citizen may be compulsorily required to apply for enrolment.

Section 8 permits a “requesting entity” to utilise identity information for authentication with the Central Identities Data Repository. A “requesting entity” is defined under Section 2(u), and will include private entities.

2. Does the Bill allow Aadhaar authorities to share your personal data?
Yes, in the "interest of national security", a term that remains undefined.

Both legal experts and members of Parliament have flagged the provisions in the Bill on the circumstances in which users' data, including core biometrics information, can be shared.

The debate centres over the interception provisions in section 33.

In a piece in The Indian Express, Nandan Nilekani, the former chairperson of the issuing authority, stated that the Aadhaar Bill provides that no core biometric information can be shared, a principle without exception. “...Clause 29(1) is not overridden by Clause 33(2),” he noted.

However, a closer reading of the Bill shows this is not the case. Clause 33(2), in fact, does provide an exception to clause 29(1)(b):

33(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government

where, Section 29(1)(b) states:

29. (1) No core biometric information, collected or created under this Act, shall be — (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

Pranesh Prakash, a lawyer and policy director of the Centre for Internet and Society said: “This implies that the core biometric information, collected or created under the Aadhaar Act, may be used for purposes other than the generation of Aadhaar numbers and authentication 'in the interest of national security.'"

Legal experts point out that the phrase “national security” is undefined in the present bill, as well as the General Clauses Act, and thus the circumstances in which an individual's information may be disclosed remains open to interpretation.

Section 33(1) permits the disclosure of an individual's demographic information (but not biometrics) following an order by a district judge. It says that no such order shall be made without giving an opportunity of hearing to the UIDAI , but not to the person whose data is being disclosed.

3. Does the Bill protect you from interception and surveillance?
No, the Bill does not provide for transparency concerning covert surveillance.

Section 33(2), which permits disclosure of demographic and biometric pursuant to directions of the joint secretary in interest of national security, says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, without a limitation on the number of such renewals.

This can lead to a user being under continuous surveillance, and without any notification to the user even after the surveillance ceases, violating one of necessary and proportionate principles on communications surveillance related to user notification and right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.

“The interception provisions are severely problematic," said Apar Gupta, a technology lawyer. "They are not open to independent scrutiny and even derogate from the already deficient practices which relate to phone tapping (Rule 419-A of the Telegraph Rules) and interception of data (Interception Rules, 2011).”

Legal scholar Usha Ramanathan pointed out that the Bill lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data – which were among provisions recommended by the Justice Shah Committee on Privacy in 2012.

4. Does the Bill allow you to seek redress in case of breach of information?
Yes, but the provisions are weak.

Government officials overseeing the project said that the 2016 Bill is an improvement over the 2010 Bill as it safeguards the information of those enrolled as per sections of the Information Technology Act, 2000.

But technology law experts say the adjudicatory system for disclosure of sensitive personal data under the IT Act has structural flaws and is not functional.

“Initial complaints against the disclosure of sensitive personal data go to an adjudicating officer who is usually the IT Secretary of the state government and may not be trained in law,” said Gupta, the technology lawyer. “There is no court infrastructure and no permanent seat for such cases. The appellate body, the Cyber Appellate Tribunal, has not been made operational in the last three years. Hence, the civil remedies offered [in the Aadhaar Bill] are at best illusionary and unenforceable.”

5. Does the Bill give you the right to alter your information?
No, it leaves you to the mercy of the Unique Identification Authority of India.

Imagine a situation where a user simply wants to change their first or last name, or say, not use their caste name. Under Section 31 of the Bill, individuals can only request the UID authority, which may do so “if it is satisfied”. There is no penalty on the authority if it fails to respond. The Bill does not provide for a user to even be able to approach a court to ask for their information relating to Aadhaar to be corrected.

International norms for data protection give individuals the right to correct and alter information, if their demographic data changes. They provide for individuals to have a copy of their information, and to approach courts for an order to rectify, block, erase inaccurate information.

In an interview to Mint, Sunil Abraham, director of the Centre for Internet and Society, compared the rights of Aadhaar users to the rights we now take for granted as internet users. “Authentication factors [biometrics in the case of Aadhaar], commonly known as passwords, should always be revocable,” noted Abraham. “That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid.” In its current form, the Aadhaar Bill gives users no such rights.

6. Is the current Bill an improvement over the previous one?
Not really.

The Aadhaar Bill 2016 provides that the renewals of requests for disclosure of data will be reviewed by an oversight committee consisting of the cabinet secretary and the secretaries in the department of legal affairs and the department of electronics and information technology.

This is a watered down version of the provisions in the previous Unique Identification Authority of India 2010 Bill, said Chinmayi Arun, executive director, Centre for Communication Governance at the National Law University Delhi.

“The previous version or the 2010 Bill provided for a three-member review committee, consisting of the nominees of the prime minister, the leader of the opposition, and a third nominee of a union cabinet minister, with the restriction that these nominees could not be a member of parliament or a member of a political party,” Arun said. “This would be a more independent committee than the one proposed now, wherein there will be executive oversight for executive orders."

Regarding penalties, the previous 2010 Bill made copying, deleting, stealing, or altering information in the Central Identities Data Repository, punishable with a jail term of upto three years and a fine not less than Rs 1 crore.

Section 38 of the new Aadhaar Bill now makes the same offence punishable with a jail term of upto three years and reduces the upper limit of the fine to “not less than ten lakh rupees”.

7. Finally, does the Aadhaar Bill have enough parliamentary scrutiny?
The government has introduced the legislation on Aadhaar in the form of a Money Bill, which means the power of the Rajya Sabha to review and amend the Bill is curtailed ‒ if the Speaker Sumitra Mahajan certifies that this is a Money Bill.

The parliamentary committee on finance under Bharatiya Janata Party MP Yashwant Sinha had rejected the previous Bill in December 2011 citing legislative, security, and privacy concerns. Despite this, two successive Prime Ministers – Manmohan Singh and Narendra Modi – have pushed ahead with Aadhaar project.

A common refrain has been that the unique biometric identity will resolve the problem of the poor in India to prove identity and overcome "one of the biggest barriers preventing the poor from accessing benefits and subsidies." But last April, the UIDAI in response to an RTI application revealed that of 83.5 crore Aadhaar numbers issued till then, 99.97% were issued to people who already had at least two existing identification documents, only 0.21 million (0.03%) used the "introducer system" that provides an exception to those lacking identity proof.

More recently, there has been no public consultation by the government over the latest Bill.

For more details visit https://cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush

Making Aadhaar Mandatory: Gamechanger For Governance?

praskrishna — 2016-03-24T06:50:10Z

Why a programme that both the Congress and the BJP have hailed as transformational has divided Parliament this week? The Aadhaar Bill which was passed this week aims at facilitating government benefits and subsidies to citizens said Finance Minister Arun Jaitley.

Yet it became a reason for the Rajya Sabha to raise key questions. On the panel - Chandan Mitra, Rajya Sabha MP, BJP; Ajoy Kumar, Spokesperson, Congress; Tathagat Sathapathy, Lok Sabha MP, Biju Janata Dal; Rajeev Chandrashekhar, Rajya Sabha MP; Sunil Abraham, Executive Director, Centre for Internet & Society; and Shekhar Gupta, Senior Journalist.

Video

Link to NDTV website

For more details visit https://cis-india.org/internet-governance/news/ndtv-march-20-2016-making-aadhaar-mandatory-gamechanger-for-governance

Making Voices Heard: Privacy, Inclusivity, and Accessibility of Voice Interfaces in India

shweta — 2019-12-18T12:10:05Z

We believe that voice interfaces have the potential to democratise the use of internet by addressing barriers such as accessibility concerns, lack of abilities of reading and writing on digital text interfaces, and lack of options for people to interact with digital devices in their own languages. Through the Making Voice Heard Project supported by Mozilla Corporation, we will examine the current landscape of voice interfaces in India.

Download the project announcement cards (shown above): Card 01, Card 02, and Card 03

Making Voices Heard: Project Announcement

Although voice enabled interfaces are being deployed there is a need to understand how they are beneficial, and what have been important knowledge gaps and challenges in their development, adoption, use, and regulation. Through the Making Voice Heard Project supported by Mozilla Corporation, we will be examining the current landscape of voice interfaces in India, and seek to address the following questions:

What is the broad (sectoral and functional) typology of available voice interfaces in Indian languages? How widely are these voice interfaces (in Indian languages) used, and what barriers prevent their further adoption and use?
What are concerns related to privacy and data protection that emerge with the growth of voice interfaces? What kind of protocols for data processing may need to be built into the design of these interfaces?
How accessible are these interfaces for persons with disabilities (PWDs)? What kinds of accessibility features, especially for Indian languages, may need to be developed to ensure effective use of voice technologies by PWDs?
Where do challenges in these three areas intersect? For instance, is compromising on users’ privacy, including weak or missing data protection regulations, required to create comprehensive speech datasets that may help develop better accessibility features, and address linguistic barriers?

In order to approach these questions we have begun mapping the various developers and users of voice interfaces in India. In the next stage of the process we will be looking at these interfaces through the lens of privacy, language, accessibility, and design. In order to add to the mapping and questions, we will be conducting interviews and workshops with users, developers, designers and researchers of voice interfaces in India, including the Common Voice team at Mozilla.

We hereby invite researchers, developers and designers of voice interfaces to speak to us and help inform the study. You may contact Shweta Mohandas at shweta@cis-india.org.

- Shweta Mohandas, Saumyaa Naidu, Puthiya Purayil Sneha, and Sumandro Chattapadhyay (project team)

For more details visit https://cis-india.org/raw/making-voices-heard-project-announcement

WhatsApp spy attack and after

Theres Sudeep — 2019-12-15T05:06:27Z

Bengaluru experts analyse the Pegasus snooping scandal, and provide advice on what you can do about the gaping holes in your mobile phone security.

The article by Theres Sudeep was published in Deccan Herald on November 6, 2019. Aayush Rathi was quoted.

Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.

The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10. WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.

Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism. Speculation is rife that there is government involvement in the snooping.

Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says,“The targets of the attack seem to be those who had critical things to say about the current government.”Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17.

It shows severity rating as “High”.WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created. Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus,specially, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.

But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says. Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.

NOTHING TO HIDE?

Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it. But the minute such a demand is made they would feel uncomfortable.”This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.Many people believe only illegal activity leads to surveillance, but that is not the case.“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.

UPDATE SECURITY

So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.

Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after

Power over privacy: New Personal Data Protection Bill fails to really protect the citizen’s right to privacy

Nikhil Pahwa — 2019-12-15T05:57:31Z

Nikhil Pahwa throws light on the new personal data protection bill.

The article by Nikhil Pahwa was published in the Times of India on December 12, 2019. CIS report was mentioned.

Earlier this year, in April, a data breach in the Election Commission of Philippines led to the leakage of personal information of over 55 million eligible voters on a searchable website: including names, addresses and date of birth. This was not the first data breach from the Election Commission. After the first, which took place in March 2016, where 340 GB of voter data was published online by a group of hackers called LulzSec Pilipinas, the National Privacy Commission of Philippines found that the Election Commission had violated the Data Privacy Act of 2012, and recommended criminal prosecution of its chairman, finding him liable when the agency failed to dispense its duty as a “personal information controller”.

It’s 2019, and that recommendation has still not been acted upon, because the National Privacy Commission of Philippines only has recommendatory powers for criminal prosecution. Meanwhile, data breaches continue at the Election Commission of Philippines.

Between 2017 and 2018, Aadhaar related personally identifiable data of several Indian citizens, including names, addresses, bank account numbers, in some cases pregnancy information and even religion and caste information of individuals, was published online by Indian government departments. The Centre for Internet and Society, in a report, estimated that personally identifiable data for 130-135 million Indian citizens had been leaked, thus putting them at risk. 210 government websites had made Aadhaar related data public, UIDAI confirmed in response to an RTI in 2017.

No one was held liable. There was no data protection law, no data protection authority, no criminal prosecution was recommended. Around that time, the Indian government was instead arguing in the Supreme Court that privacy isn’t a fundamental right under the Indian Constitution.

What we can learn from these two instances is that for the enforcement of a citizen’s right to privacy, and ensuring that no one takes the protection of data lightly, there needs to be a strong privacy law that holds even the government responsible, and above all, a strong data protection authority that is independent and has powers to penalise even government officials. On some of these counts, the Personal Data Protection Bill, 2019, disappoints.

First, members of the Data Protection Authority will no longer be appointed by independent entities from diverse backgrounds: where they were previously going to be appointed by a committee comprising the Chief Justice of India or a Supreme Court judge, the Cabinet secretary, and an independent expert, the power to appoint members to DPA now rests solely with government officials, including the appointment of adjudicating officers. In addition, the central government, in the interest of “national security, sovereignty, international relations and public order, can issue directions to DPA, which DPA will be bound by. Powers of DPA have also been reduced: while in the previous version of the bill, DPA had the sole power to categorise data as sensitive personal data, in the current version, the power rests with the central government, albeit in consultation with DPA. The central government will also notify any social media company as a significant data fiduciary, and not DPA. Only the central government can determine what critical personal data is, and not DPA.

This dependence on the government for appointments, functions and definitions, will invariably impact the independence of DPA, and even though the 2019 version of the bill gives it the authority to fine the state a maximum of Rs 5-15 crore, depending on the offence, i’d be surprised if this ever happens.

The bill does create significant exceptions for the state to acquire and process data, and an opportunity to create a base for surveillance reform in the country has been lost. The previous version of the bill had brought some sense of safety against mass surveillance, when it included the condition that processing of data by the government must be “necessary and proportionate”, drawing from Supreme Court’s historic right to privacy judgment. This is particularly important given that the bill also gives power to the government to exempt any agency from the provisions of the bill for processing of personal data, which includes acquiring data from any public or private entity.

Effectively, this means that government agencies may be exempt from any scrutiny by DPA, and can even collect data from third parties (for example, fin-tech companies, health-tech startups) without the user even knowing. Forget recommending criminal prosecution for mass surveillance, India’s DPA won’t even be able to fine a government agency for such a violation of the fundamental right to privacy. The government also has vast exceptions for data processing: “for the performance of any function of the state authorised by law”.

This aside, one of the more curious clauses in the bill is around non-personal data. The government, a few months ago, constituted a committee led by Infosys co-founder Kris Gopalakrishnan to look into the governance of non-personal data. Non-personal data, as the term suggests, is any data that is not related to an individual. In the bill, the government has given itself the right to acquire this data, which is essentially a company’s intellectual property, to “promote framing of policies for digital economy”. Why non-personal data finds a mention in a Personal Data Protection Bill is beyond comprehension, and this move will not inspire much confidence in businesses operating in India, when the state claims eminent domain over intellectual property.

It’s unfortunate minister Ravi Shankar Prasad is sending the bill to a select committee, given the fact that such significant changes to the bill should have led to another public consultation.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-december-12-2019-power-over-privacy

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?

Aayush Rathi and Ambika Tandon — 2019-12-30T16:44:32Z

In order to bring out certain conceptual and procedural problems with health monitoring in the Indian context, this article by Aayush Rathi and Ambika Tandon posits health monitoring as surveillance and not merely as a “data problem.” Casting a critical feminist lens, the historicity of surveillance practices unveils the gendered power differentials wedded into taken-for-granted “benign” monitoring processes. The unpacking of the Mother and Child Tracking System and the National Health Stack reveals the neo-liberal aspirations of the Indian state.

The article was first published by EPW Engage, Vol. 54, Issue No. 6, on 9 February 2019.

Framing Reproductive Health as a Surveillance Question

The approach of the postcolonial Indian state to healthcare has been Malthusian, with the prioritisation of family planning and birth control (Hodges 2004). Supported by the notion of socio-economic development arising out of a “modernisation” paradigm, the target-based approach to achieving reduced fertility rates has shaped India’s reproductive and child health (RCH) programme (Simon-Kumar 2006).

This is also the context in which India’s abortion law, the Medical Termination of Pregnancy (MTP) Act, was framed in 1971, placing the decisional privacy of women seeking abortions in the hands of registered medical practitioners. The framing of the MTP act invisibilises females seeking abortions for non-medical reasons within the legal framework. The exclusionary provisions only exacerbated existing gaps in health provisioning, as access to safe and legal abortions had already been curtailed by severe geographic inequalities in funding, infrastructure, and human resources. The state has concomitantly been unable to meet contraceptive needs of married couples or reduce maternal and infant mortality rates in large parts of the country, mediating access along the lines of class, social status, education, and age (Sanneving et al 2013).

While the official narrative around the RCH programme transitioned to focus on universal access to healthcare in the 1990s, the target-based approach continues to shape the reality on the ground. The provision of reproductive healthcare has been deeply unequal and, in some cases, in hospitals. These targets have been known to be met through the practice of forced, and often unsafe, sterilisation, in conditions of absence of adequate provisions or trained professionals, pre-sterilisation counselling, or alternative forms of contraception (Sama and PLD 2018). Further, patients have regularly been provided cash incentives, foreclosing the notion of free consent, especially given that the target population of these camps has been women from marginalised economic classes in rural India.

Placing surveillance studies within a feminist praxis allows us to frame the reproductive health landscape as more than just an ill-conceived, benign monitoring structure. The critical lens becomes useful for highlighting that taken-for-granted structures of monitoring are wedded with power differentials: genetic screening in fertility clinics, identification documents such as birth certificates, and full-body screeners are just some of the manifestations of this (Adrejevic 2015). Emerging conversations around feminist surveillance studies highlight that these data systems are neither benign nor free of gendered implications (Andrejevic 2015). In continual remaking of the social, corporeal body as a data actor in society, such practices render some bodies normative and obfuscate others, based on categorisations put in place by the surveiller.

In fact, the history of surveillance can be traced back to the colonial state where it took the form of systematic sexual and gendered violence enacted upon indigenous populations in order to render them compliant (Rifkin 2011; Morgensen 2011). Surveillance, then, manifests as a “scientific” rationalisation of complex social hieroglyphs (such as reproductive health) into formats enabling administrative interventions by the modern state. Lyon (2001) has also emphasised how the body emerged as the site of surveillance in order for the disciplining of the “irrational, sensual body”—essential to the functioning of the modern nation-state—to effectively happen.

Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric

Information and Communications Technology (ICT) and data-driven approaches to the development of a robust health information system, and by extension, welfare, have been offered as solutions to these inequities and exclusions in access to maternal and reproductive healthcare in the country.

The move towards data-driven development in the country commenced with the introduction of the Health Management Information System in Andhra Pradesh in 2008, and the Mother and Child Tracking System (MCTS) nationally in 2011. These are reproductive health information systems (HIS) that collect granular data about each pregnancy from the antenatal to the post-natal period, at the level of each sub-centre as well as primary and community health centre. The introduction of HIS comprised cross-sectoral digitisation measures that were a part of the larger national push towards e-governance; along with health, thirty other distinct areas of governance, from land records to banking to employment, were identified for this move towards the digitalised provisioning of services (MeitY 2015).

The HIS have been seen as playing a critical role in the ecosystem of health service provision globally. HIS-based interventions in reproductive health programming have been envisioned as a means of: (i) improving access to services in the context of a healthcare system ridden with inequalities; (ii) improving the quality of services provided, and (iii) producing better quality data to facilitate the objectives of India’s RCH programme, including family planning and population control. Accordingly, starting 2018, the MCTS is being replaced by the RCH portal in a phased manner. The RCH portal, in areas where the ANMOL (ANM Online) application has been introduced, captures data real-time through tablets provided to health workers (MoHFW 2015).

A proposal to mandatorily link the Aadhaar with data on pregnancies and abortions through the MCTS/RCH has been made by the union minister for Women and Child Development as a deterrent to gender-biased sex selection (Tembhekar 2016). The proposal stems from the prohibition of gender-biased sex selection provided under the Pre-Conception and Pre-Natal Diagnostics Techniques (PCPNDT) Act, 1994. The approach taken so far under the PCPNDT Act, 2014 has been to regulate the use of technologies involved in sex determination. However, the steady decline in the national sex ratio since the passage of the PCPNDT Act provides a clear indication that the regulation of such technology has been largely ineffective. A national policy linking Aadhaar with abortions would be aimed at discouraging gender-biased sex selection through state surveillance, in direct violation of a female’s right to decisional privacy with regards to their own body.

Linking Aadhaar would also be used as a mechanism to enable direct benefit transfer (DBT) to the beneficiaries of the national maternal benefits scheme. Linking reproductive health services to the Aadhaar ecosystem has been critiqued because it is exclusionary towards women with legitimate claims towards abortions and other reproductive services and benefits, and it heightens the risk of data breaches in a cultural fabric that already stigmatises abortions. The bodies on which this stigma is disproportionately placed, unmarried or disabled females, for instance, experience the harms of visibility through centralised surveillance mechanisms more acutely than others by being penalised for their deviance from cultural expectations. This is in accordance with the theory of "data extremes,” wherein marginalised communities are seen as living on the extremes of data capture, leading to a data regime that either refuses to recognise them as legitimate entities or subjects them to overpolicing in order to discipline deviance (Arora 2016). In both developed and developing contexts, the broader purpose of identity management has largely been to demarcate legitimate and illegitimate actors within a population, either within the framework of security or welfare.

Potential Harms of the Data Model of Reproductive Health Provisioning

Informational privacy and decisional privacy are critically shaped by data flows and security within the MCTS/RCH. No standards for data sharing and storage, or anonymisation and encryption of data have been implemented despite role-based authentication (NHSRC and Taurus Glocal 2011). The risks of this architectural design are further amplified in the context of the RCH/ANMOL where data is captured real-time. In the absence of adequate safeguards against data leaks, real-time data capture risks the publicising of reproductive health choices in an already stigmatised environment. This opens up avenues for further dilution of autonomy in making future reproductive health choices.

Several core principles of informational privacy, such as limitations regarding data collection and usage, or informed consent, also need to be reworked within this context.^[1] For instance, the centrality of the requirement of “free, informed consent” by an individual would need to be replaced by other models, especially in the context of reproductive health of rape survivors who are vulnerable and therefore unable to exercise full agency. The ability to make a free and informed choice, already dismantled in the context of contemporary data regimes, gets further precluded in such contexts. The constraints on privacy in decisions regarding the body are then replicated in the domain of reproductive data collection.

What is uniform across these digitisation initiatives is their treatment of maternal and reproductive health as solely a medical event, framed as a data scarcity problem. In doing so, they tend to amplify the understanding of reproductive health through measurable indicators that ignore social determinants of health. For instance, several studies conducted in the rural Indian context have shown that the degree of women’s autonomy influences the degree of usage of pregnancy care, and that the uptake of pregnancy care was associated with village-level indicators such as economic development, provisioning of basic infrastructure and social cohesion. These contextual factors get overridden in pervasive surveillance systems that treat reproductive healthcare as comprising only of measurable indicators and behaviours, that are dependent on individual behaviour of practitioners and women themselves, rather than structural gaps within the system.

While traditionally associated with state governance, the contemporary surveillance regime is experienced as distinct from its earlier forms due to its reliance on a nexus between surveillance by the state and private institutions and actors, with both legal frameworks and material apparatuses for data collection and sharing (Shepherd 2017). As with historical forms of surveillance, the harms of contemporary data regimes accrue disproportionately among already marginalised and dissenting communities and individuals. Data-driven surveillance has been critiqued for its excesses in multiple contexts globally, including in the domains of predictive policing, health management, and targeted advertising (Mason 2015). In the attempts to achieve these objectives, surveillance systems have been criticised for their reliance on replicating past patterns, reifying proximity to a hetero-patriarchal norm (Haggerty and Ericson 2000). Under data-driven surveillance systems, this proximity informs the preexisting boxes of identity for which algorithmic representations of the individual are formed. The boxes are defined contingent on the distinct objectives of the particular surveillance project, collating disparate pieces of data flows and resulting in the recasting of the singular offline self into various 'data doubles' (Haggerty and Ericson 2000). Refractive, rather than reflective, the data doubles have implications for the physical, embodied life of individual with an increasing number of service provisioning relying on the data doubles (Lyon 2001). Consider, for instance, apps on menstruation, fertility, and health, and wearables such as fitness trackers and pacers, that support corporate agendas around what a woman’s healthy body should look, be or behave like (Lupton 2014). Once viewed through the lens of power relations, the fetishised, apolitical notion of the data “revolution” gives way to what we may better understand as “dataveillance.”

Towards a Networked State and a Neo-liberal Citizen

Following in this tradition of ICT being treated as the solution to problems plaguing India’s public health information system, a larger, all-pervasive healthcare ecosystem is now being proposed by the Indian state (NITI Aayog 2018). Termed the National Health Stack, it seeks to create a centralised electronic repository of health records of Indian citizens with the aim of capturing every instance of healthcare service usage. Among other functions, it also envisions a platform for the provisioning of health and wellness-based services that may be dispensed by public or private actors in an attempt to achieve universal health coverage. By allowing private parties to utilise the data collected through pullable open application program interfaces (APIs), it also fits within the larger framework of the National Health Policy 2017 that envisions the private sector playing a significant role in the provision of healthcare in India. It also then fits within the state–private sector nexus that characterises dataveillance. This, in turn, follows broader trends towards market-driven solutions and private financing of health sector reform measures that have already had profound consequences on the political economy of healthcare worldwide (Joe et al 2018).

These initiatives are, in many ways, emblematic of the growing adoption of network governance reform by the Indian state (Newman 2001). This is a stark shift from its traditional posturing as the hegemonic sovereign nation state. This shift entails the delayering from large, hierarchical and unitary government systems to horizontally arranged, more flexible, relatively dispersed systems.^[2] The former govern through the power of rules and law, while the latter take the shape of self-regulating networks such as public–private contractual arrangements (Snellen 2005). ICTs have been posited as an effective tool in enabling the transition to network governance by enhancing local governance and interactive policymaking enabling the co-production of knowledge (Ferlie et al 2011). The development of these capabilities is also critical to addressing “wicked problems” such as healthcare (Rittel and Webber 1973).^[3] The application of the techno-deterministic, data-driven model to reproductive healthcare provision, then, resembles a fetishised approach to technological change. The NHSRC describes this as the collection of data without an objective, leading to a disproportional burden on data collection over use (NHSRC and Taurus Glocal 2011).

The blurring of the functions of state and private actors is reflective of the neo-liberal ethic, which produces new practices of governmentality. Within the neo-liberal framework of reproductive healthcare, the citizen is constructed as an individual actor, with agency over and responsibility for their own health and well-being (Maturo et al 2016).

“Quantified Self” of the Neo-liberal Citizen

Nowhere can the manifestation of this neo-liberal citizen can be seen as clearly as in the “quantified self” movement. The quantified self movement refers to the emergence of a whole range of apps that enable the user to track bodily functions and record data to achieve wellness and health goals, including menstruation, fertility, pregnancies, and health indicators in the mother and baby. Lupton (2015) labels this as the emergence of the “digitised reproductive citizen,” who is expected to be attentive to her fertility and sexual behaviour to achieve better reproductive health goals. The practice of collecting data around reproductive health is not new to the individual or the state, as has been demonstrated by the discussion above. What is new in this regime of datafication under the self-tracking movement is the monetisation of reproductive health data by private actors, the labour for which is performed by the user. Focusing on embodiment draws attention to different kinds of exploitation engendered by reproductive health apps. Not only is data about the body collected and sold, the unpaid labour for collection is extracted from the user. The reproductive body can then be understood as a cyborg, or a woman-machine hybrid, systematically digitising its bodily functions for profit-making within the capitalist (re)production machine (Fotoloulou 2016). Accordingly, all major reproductive health tracking apps have a business model that relies on selling information about users for direct marketing of products around reproductive health and well-being (Felizi and Varon nd).

As has been pointed out in the case of big data more broadly, reproductive health applications (apps) facilitate the visibility of the female reproductive body in the public domain. Supplying anonymised data sets to medical researchers and universities fills some of the historical gaps in research around the female body and reproductive health. Reproductive and sexual health tracking apps globally provide their users a platform to engage with biomedical information around sexual and reproductive health. Through group chats on the platform, they are also able to engage with experiential knowledge of sexual and reproductive health. This could also help form transnational networks of solidarity around the body and health (Fotopoulou 2016).

This radical potential of network-building around reproductive and sexual health is, however, tempered to a large extent by the reconfiguration of gendered stereotypes through these apps. In a study on reproductive health apps on Google Play Store, Lupton (2014) finds that products targeted towards female users are marketed through the discourse of risk and vulnerability, while those targeted towards male users are framed within that of virility. Apart from reiterating gendered stereotypes around the male and female body, such a discourse assumes that the entire labour of family planning is performed by females. This same is the case with the MCTS/RCH.

Technological interventions such as reproductive health apps as well as HIS are based on the assumption that females have perfect control over decisions regarding their own bodies and reproductive health, despite this being disproved in India. The Guttmacher Institute (2014) has found that 60% of women in India report not having control over decisions regarding their own healthcare. The failure to account for the husband or the family as stakeholder in decision-making around reproductive health has been a historical failure of the family planning programme in India, and is now being replicated in other modalities. This notion of an autonomous citizen who is able to take responsibility of their own reproductive health and well-being does not hold true in the Indian context. It can even be seen as marginalising females who have already been excluded from the reproductive health system, as they are held responsible for their own inability to access healthcare.

Concluding Remarks

The interplay that emerges between reproductive health surveillance and data infrastructures is a complex one. It requires the careful positioning of the political nature of data collection and processing as well as its hetero-patriarchal and colonial legacies, within the need for effective utilisation of data for achieving developmental goals. Assessing this discourse through a feminist lens identifies the web of power relations in data regimes. This problematises narratives of technological solutions for welfare provision.

The reproductive healthcare framework in India then offers up a useful case study to assess these concerns. The growing adoption of ICT-based surveillance tools to equalise access to healthcare needs to be understood in the socio-economic, legal, and cultural context where these tools are being implemented. Increased surveillance has historically been associated with causing the structural gendered violence that it is now being offered as a solution to. This is a function of normative standards being constructed for reproductive behaviour that necessarily leave out broader definitions of reproductive health and welfare when viewed through a feminist lens. Within the larger context of health policymaking in India, moves towards privatisation then demonstrate the peculiarity of dataveillance as it functions through an unaccountable and pervasive overlapping of state and private surveillance practises. It remains to be seen how these trends in ICT-driven health policies affect access to reproductive rights and decisional privacy for millions of females in India and other parts of the global South.

For more details visit https://cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india

Call for Researchers: Welfare, Gender, and Surveillance

ambika — 2020-02-13T15:05:37Z

We are inviting applications for two researchers. Each researcher is expected to write a narrative essay that interrogates the modes of surveillance that people of LGBTHIAQ+ and gender non-conforming identities and sexual orientations are put under as they seek sexual and reproductive health (SRH) services in India. The researchers are expected to undertake field research in the location they are based in, and reflect on lived experiences gathered through field research as well as their own experiences of doing field research. Please read the sections below for more details about the work involved, the timeline for the same, and the application process for this call.

Call for Researchers: Download (PDF)

Description of the Work

Each researcher is expected to author a narrative essay that presents and reflects on lived experiences of people of LGBTHIAQ+ and gender non-conforming identities and sexual orientations as they seek sexual and reproductive health (SRH) services in India. We expect the essay to contribute to a larger body of knowledge around the increasing focus on data-driven initiatives for public health provision in the country and elsewhere. Accordingly, the researcher may respond to any one or more than one of the following questions, within the context of the geographical focus as specified by the researcher:

What are the modes of surveillance, especially in terms of generation and exploitation of digital data, experienced by people of marginalised gender identities and sexual orientations in India, as they avail of sexual and reproductive healthcare?
How are the lived experiences of underserved populations, such as people of marginalised gender identities and sexual orientations, shaped by gendered surveillance while accessing sexual and reproductive services?
What are the modes of governance and gender ideologies that have mediated the increasing datafication of such provision?

We expect the researchers to draw on a) the Indian Supreme Court’s framing of privacy in India, as a fundamental right, and its implications; and b) apply and/or build on feminist conceptualisations of privacy. Further, we expect the researchers to respond to the uncertain landscape of legal rights accessible to people of LGBTHIAQ+ and gender non-conforming identities and sexual orientations, especially in the current context shaped by The Transgender Persons (Protection of Rights) Act, 2019.

The researchers will undertake field research in locations of their choice, conduct interviews and discussions with people of LGBTHIAQ+ and gender non-conforming identities and sexual orientations seeking such services, and conduct formal and informal interviews with officials and personnel associated with public and private sector agencies involved in the provision of SRH services.

Eligibility and Application Process

We specifically encourage people of LGBTHIAQ+ and gender non-conforming identities and sexual orientations to submit their applications for this call for researchers.

We are seeking applications from individuals who:

Are based in the place where field study is to be undertaken, for the duration of the study;
Are fluent in the main regional language(s) spoken in the city where the study will be conducted, and in English (especially written);
Preferably have a postgraduate degree (current students should also apply) in social or technical sciences, journalism, or legal studies (undergraduate degree-holders with research or work experience should also apply); and
Have previous research and writing experiences on issues at the intersection of sexual and reproductive health, gender justice and women’s rights, and health informatics or digital public health.

Please send the following documents (in text or PDF formats) to raw@cis-india.org by Friday, January 24 to apply for the researcher positions:

Brief CV with relevant academic and professional information;
Two samples of academic/professional (published/unpublished) writing by the applicant; and
A brief research proposal (around 500 words) that should specify the scope (geographical and conceptual), research questions, and motivation of the essay to be authored by the applicant.

All applicants will be informed of the selection decisions by Friday, January 31.

Timeline of the Work

February 3-7 CIS research team will have a call with each researcher to plan out the work to be undertaken by them

February - March Researchers are to undertake field research, as proposed by the researchers and discussed with the CIS research team

March 27 Researchers are to submit a full draft essay (around 3,000 words)

March 30 - April 3 CIS research team will have call with each researcher to discuss the shared draft essays and make plans towards their finalisation

May 15 Researchers are to submit the final essay (around 5,000 words, without footnotes and references)

As part of this project, CIS will organise two discussion events in Bengaluru and New Delhi during April-June (tentatively). Event dates are to be decided in conversation with the researchers, and they will be invited to present their works in the same.

Remuneration

Each researcher will be paid a remuneration of Rs. 1,00,000 (inclusive of taxes) over two equal installments: first on signing of the agreement in February 2020, and second on submission of the final essay in May 2020.

We will also reimburse local travel expenses of each researcher upto Rs. 10,000, and translations and transcriptions expense (if any) incurred by each researcher upto Rs. 10,000. These reimbursements will be made on the basis of expense invoices shared by the researcher.

Description of the Project

Previous research conducted by CIS on the subject of sexual and reproductive health (SRH) services in India observes that there is a complex web of surveillance, or ‘dataveillance’, around each patient as they avail of SRH services from the state. In this current project, we are aiming to map the ecosystem of surveillance around SRH services as their provision becomes increasingly ‘data-driven’, and explore its implications for patients and beneficiaries.

Through this project, we are interested in documenting the roles played by both the public and the private sector actors in this ecosystem of health surveillance. We understand the role of private sector actors as central to state provision of sexual and reproductive health services, especially through the institutionalisation of data-driven health insurance models, as well as through extensive privatisation of public health services. By studying semi-private, private, and public medical establishments including hospitals, primary/community health centres and clinics, we aim to develop a comparative analysis of surveillance ecosystems across the three establishment types.

This project is led by Ambika Tandon, Aayush Rathi, and Sumandro Chattapadhyay at the Centre for Internet and Society, and is supported by a grant from Privacy International.

Indicative Reading List

We are sharing below a short and indicative list of readings that may be useful for potential applicants.

Aayush Rathi, Is India's Digital Health System Foolproof? (2019)

Aayush Rathi and Ambika Tandon, Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention? (2019)

Ambika Tandon, Feminist Methodology in Technology Research: A Literature Review (2018)

Ambika Tandon, Big Data and Reproductive Health in India: A Case Study of the Mother and Child Tracking System (2019)

Anja Kovacs, Reading Surveillance through a Gendered Lens: Some Theory (2017)

Lindsay Weinberg, Rethinking Privacy: A Feminist Approach to Privacy Rights after Snowden (2017)

Nicole Shephard, Big Data and Sexual Surveillance (2016)

Sadaf Khan, Data Bleeding Everywhere: A Story of Period Trackers (2019)

For more details visit https://cis-india.org/jobs/researchers-welfare-gender-surveillance-call

Comments to the Personal Data Protection Bill 2019

Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade — 2020-02-21T10:13:35Z

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.

Please view our general comments below, or download as PDF here.

Our comments and recommendations can be downloaded as PDF here.

We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF here.

General Comments

1. Executive notification cannot abrogate fundamental rights

In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test

The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —

A measure restricting a right must have a legitimate goal;
It must be a suitable means of furthering this goal;
There must not be any less restrictive, but equally effective alternative; and
The measure must not have any disproportionate impact on the right holder

Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].

3. Limited powers of Data Protection Authority in comparison with the Central Government

In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:

In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.
Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.

4. No clarity on data sandbox

The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.

5. The primacy of ‘harm’ in the Bill ought to be reconsidered

While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —

Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.
Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.
Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.

Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.

6. Non personal data should be outside the scope of this Bill

Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.

7. Steps towards greater decentralisation of power

We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —

Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.
More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.

8. The Authority must be empowered to exercise responsive regulation

In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —

Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.
Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”
Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.

9. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the
individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.

10. Lack of interoperability

In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.

11. Legal Uncertainty

In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.

Endnotes

1. (2017) 10 SCC 641 (“Puttaswamy I”).

2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”

3. (2019) 1 SCC 1 (“Puttaswamy II”)

4. Puttaswamy I, supra, para 180.

5. (1978) 1 SCC 248.

6. Ibid para 48.

7. Puttaswamy I supra para 180.

8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.

9. (2016)7 SCC 353.

10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).

11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.

12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.

13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.

14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019

A Compilation of Research on the PDP Bill

pranav — 2020-03-05T08:04:24Z

The most recent step in India’s initiative to create an effective and comprehensive Data Protection regime was the call for comments to the Personal Data Protection Bill, 2019, which closed last month. Leading up to the comments, CIS has published numerous research pieces with the goal of providing a comprehensive overview of how this legislation would place India within the global scheme, and how the local situation has developed, as well as analysing its impacts on citizens’ rights.

In addition to general and clause-by-clause comments and recommendations, we have compiled an annotated version of the Personal Data Protection Bill, which lays out our commentary in an easy-to-follow format.

Below, you can find our other recent research on Data Protection:

Pallavi Bedi has put together a note on the Divergence between EU’s General Data Protection Regulation (GDPR) and the Personal Data Protection Bill.

In addition, Pallavi has also contrasted the Personal Data Protection Bill with the GDPR and California Consumer Protection Act, in the contexts of jurisdiction and scope, rights of the data principal, obligations of data fiduciaries, exemptions, data protection authority, and breach of personal data.

On IAPP’s blog Privacy Perspectives, D. Shweta Reddy has assessed whether the Personal Data Protection Bill 2019 is sufficient for India to receive adequacy status from the EU.

Along with Justin Sherman, Arindrajit Basu has outlined the key global takeaways from the Personal Data Protection Bill 2019 on Lawfare.

On The Diplomat, Arindrajit has also traced the narrowing localization provisions in India, as well as Vietnam and Indonesia, and studied the actors and geopolitical tussle that has shaped these provisions.

Through a string of publicly available submissions, press statements, and other media reports, Arindrajit and Amber Sinha have tracked the political evolution of the data protection ecosystem in India, and how this has, and will continue to impact legislative and policy developments on EPW Engage.

Gurshabad Grover and Tanaya Rajwade have written on The Wire about how the Personal Data Protection Bill regulates social media.

Amber was also a guest on Suno India’s Cyber Democracy podcast, with Srinivas Kodali, to discuss how the latest version of the Personal Data Protection Bill will impact the right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/compilation-of-research-on-data-protection