Banks and credit card companies let you authenticate yourself using your voice when you call their helpline. Some airports are gearing up to do away with boarding passes, letting facial recognition software do the job for you — it is standard practice at some Chinese terminals. Police routinely identify culprits from the footage of surveillance cameras that record and store whatever transpires under their watch.
Bank and credit card statements populate your Gmail, besides your medical reports and travel bookings. Your calendar helps you plan your life, but also reveals to Google what you do, whom you meet and where. Google Maps tracks your movements with far greater aplomb and accuracy than an anxious mother can muster in relation to her teenaged daughter. Your search and browsing history, including on YouTube and whatever else you watch logged into the Chrome browser, reveals more about you to Google than what you tell your therapist.
Facebook’s idea of what you actually like is hazy. Eagerness to be liked and not offend makes most people ‘like’ many things on Facebook that they might be indifferent to, if not actually abhor. But Facebook certainly knows who your friends are, who their friends are, what they wear, what they do, where they go and what their major transitions in life are. Facebook also owns WhatsApp, India’s favourite messaging app. But Facebook claims ignorance of the contents of its messages.
Amazon, of course, knows the exact shade of your consumerist hedonism. BookMyShow, Netflix and Amazon Prime know the movies you watch and can probably draw your psychological profile. Swiggy and Zomato know what gives you your umami and how much you are willing to pay for it. Your payment wallets and card companies analyse your spends before you ask for it.
Your smartphone is loaded with apps that seek and obtain permission to access your contacts and messages, scan your photographs and inherit 1% of your estate when you die. (Can you put your hand on your heart and swear they don’t?)
The long point is that a host of private companies collect, store and act on a whole lot of your personal data. Your gut bacteria own your mood and level of sanity. Collectors of your data dictate your conduct, leaving some tiny room, we hope, for god, spouse and conscience, acting jointly or severally.
The short point is that data protection is not just about Aadhaar.
Most Indians now possess the 12-digit unique identity (UID) number and have linked it to bank accounts, telephone numbers and their income tax Permanent Account Numbers (PAN). The trouble is, a whole lot of other Indians, besides the designated authority in charge of Aadhaar, also possess at least the Aadhaar numbers and demographic details of their countrymen, if not their biometric data. Time and again, state government departments have put out lists of beneficiaries of assorted state schemes, complete with Aadhaar numbers. The Tribune reported a major breach in Aadhaar’s link to the agencies across the country that enrolled members, which allowed some entrepreneurs to sell Aadhaar details to anyone willing to pay Rs 500.
The Unique Identity Authority of India (UIDAI) has responded with a scheme of virtual Aadhaar numbers that are dynamically generated and stay valid for a limited period for a limited purpose. This is a good solution, but does not address the ID number privacy already lost in previous data breaches.
Ideally, the UIDAI should issue fresh Aadhaar numbers to all previous allottees, and continue with virtual numbers based on the new set of numbers. This would be administratively difficult and expensive, but it should be done to secure Aadhaar, which is a valuable tool of governance.
Shoddy, leaky enrolment is not the only problem with Aadhaar. Its legal basis for use by non-State entities got knocked down by the Supreme Court. As of now, Aadhaar can be used only for the purpose of channelling government funds to beneficiaries, besides for taxpayer identification.
This is not the result of Supreme Court judges’ inability to appreciate the immense benefit Aadhaar has brought to microfinance companies and their millions of customers, or Aadhaar’s empowerment of migrant workers in lands far away from home, enabling them to establish their identity and secure a bank account and a phone connection. The problem is twofold: one was GoI’s sleight of hand, of getting the Aadhaar law passed by Parliament as a money Bill that bypassed Rajya Sabha; and the other was its failure to put in place, before legislating on Aadhaar, a well-thought-out data protection law.
The coming year will see these problems getting fixed. A proper data protection law will have to be enacted, seeking consensus rather than strong-arm measures of the kind that rammed the Aadhaar Bill through Parliament. Aadhaar will have to be enacted afresh, shielded by a strong data protection law and shedding the tag of a money Bill.
The judges who said that GoI could justify passing the Aadhaar Bill as a money Bill then felt constrained to limit the use of Aadhaar to matters related to government monies. That constraint has to go, to enable private parties to use Aadhaar-Based Biometric Authorisation (ABBA). ABBA is a key enabler for the deprived sections of society. To bring it back, the safest, surest method is to pass Aadhaar afresh, passing it through both Houses of Parliament.
A key question in data protection is data localisation. Should data on Indians be stored in India and exclusively in India? The case for storing it in India is strong. India is a large enough data generator for Indian data to be stored in India without worrying about losing economies of scale. Local storage would ensure availability of Indian data for judicial purposes.
Local storage would likely create fresh business for the Cloud arms of Amazon, Google, Microsoft and IBM. As a major provider of data-based services around the world, India has to be mindful of data rights and reciprocity requirements of other jurisdictions, when deciding on exclusive storage of Indian data within India.
Working these out cannot be rushed. A thorough legal framework for data protection and data sharing cannot be undertaken by a lame duck government. A coalition government whose senior partner is called a thief by its junior partners with impunity, and which lacks a majority in the Upper House, to boot, is lame, even if it does not quack. We will have to wait for the elections to be over, to put digital India on a secure footing.