A year after the Supreme Court of India’s landmark judgement in the Aadhaar case, Indians are still waiting for a data protection law. Even though the Supreme Court urged the government to bring out a data protection law in both the Aadhaar case and the Puttaswamy judgement (which established privacy as a fundamental right), a data protection bill is yet to be introduced in the Parliament.
The government’s inaction is even more glaring when one considers that they already have a draft bill that has undergone a public consultation. The government must act to fulfill the promise of real privacy made to Indians by both the Constitution and the Indian Supreme Court.
The Aadhaar judgement specifically recognised that: “the dangers to privacy in an age of information can originate not only from the State but from non-State actors.”
Despite the Supreme Court outlawing the private sector’s use of the Aadhaar, the Aadhaar Act was amended in July 2019 to allow the private sector to voluntarily use the Aadhaar in certain instances. Without a data protection law, the egregious exploitation of citizen data is likely to continue unabated, with no real effective recourse or remedy for these abuses.
In blocking companies from using the Aadhaar, the Supreme Court argued that there was a lack of controls to prevent abuse of Aadhaar data by third parties, a lack of consent for such data processing, and a lack of proportionality with the original intent of the Aadhaar Act.
Despite the passing of amendments in July 2019, all of these concerns continue to be present.
What’s more, while new functionality to allow offline Aadhaar authentication has reduced risks of people being denied services, it has also increased the risks of additional privacy violations.
Imagine if you were to use a scanned copy of your Aadhar card to buy a house and the builder’s website were to suffer from a data leak. It would be quite easy for your scanned Aadhaar card to be available to anyone on the Internet. This isn’t a speculative risk; just last week, Aadhaar cards and other national IDs were reportedly freely accessible on the website of a regulatory authority in Gujarat.
With a strong data protection law in place, people whose privacy had been violated, could turn to a strong, independent, and empowered government regulator.
Not only does this highlight the insecurity of the websites that store Aadhaar numbers, but potentially thousands of Gujaratis now have limited hope for remedy for this violation of their privacy.
Positive steps, however, have been taken to improve safety of the program in the past year. The introduction of masked cards has helped reduce risks associated with leaks of images or scans of cards. Virtual IDs have allowed users to generate revocable versions of their number for both offline and online use.
This allows them to revoke the number in case they have been a victim of an unauthorised use or leak. These are useful and important steps that appropriately respond to the sensitivity of Aadhaar information. However, there are many other services, which process sensitive data, but are yet to take similar action to protect user privacy. A strong data protection law could and would require them to do so.
With a strong data protection law in place, people whose privacy had been violated, could turn to a strong, independent, and empowered government regulator. A Data Protection Authority (DPA), as the draft data protection bill calls it, would have the power to investigate and prosecute privacy violations.
This would be a regulator with dedicated expert staff whose sole job would be to uphold our rights, and who would have the resources to bring privacy violators to justice. In the EU, we have already seen how the threats of fines from DPAs as large as 4% of a company’s total global turnover have forced changes at some of the world’s largest and most powerful companies.
India too could have such a DPA, which would create a strong deterring effect and ensure all stakeholders take Indians’ privacy seriously. Finally, the mandatory requirement in the data protection bill to report data breaches to the DPA within a set time will lead to faster detection of violations and quicker action to mitigate the harm that may occur from such leaks.
Unfortunately, we don’t have the benefits of such a strong law, at least not yet. Despite the highest court of the land declaring privacy to be a fundamental right more than two years ago, privacy violations remain unchecked. The government should urgently introduce a data protection law when Parliament next convenes.
Due to the wide-ranging impacts of this law and the presence of several loopholes in the last public version, it is also critical that this legislation be scrutinized by the Parliament Standing Committee on IT. Given the rapid increase in adoption of Aadhaar by the private sector within one year of the Aadhaar judgment, any further delay in passing the law will only increase the likelihood of harm to Indians and their personal data. Given the real risks that Indians face, the time to act is now.