Before the project can be implemented any further, it is essential that statutory protection be provided to safeguard the privacy of people as well as the data collected. It is imperative for there to also exist some liability which further regulates the actions of the Government and its agencies, furthering the cause of the right to privacy
With a population of over 1.2 billion people, and over half of those being categorised as working, increased globalisation and the use and dependence on technology, India is in dire need of a law to protect its citizen’s right to privacy. With the introduction of the Unique Identification Number under the Unique Identification Authority of India, which collects sensitive information about applicants, there are growing concerns about how the data collected will be stored and used. With no mechanisms to safeguard such sensitive information and to affix liability consequent to a breach of privacy, an urgent need exists for a system to be put into place to combat the same.
The Unique Identification Number ("UID") project, has been initiated to combat the ill-governance there exists in India and to make sure that the Government services are delivered to every citizen of the country1. Spearheaded by the Central Government, this project has many law enforcement agencies as well as private players assisting it in getting details of phone calls, credit card transactions, visa and immigration records, property records, driving licenses, fingerprints and iris scans among others.
There has been constant debate and deliberation over what privacy law in India should look like. The Central Government, by amending the Information Technology Act, 2000, in 2011, took the first steps by introducing rules that regulate and deal with personal data and information collected as well as list out what constitutes sensitive data under the purview of the Information Technology Act, 20002. However, it only deals with a "body corporate" possessing, dealing or handling any sensitive data or information and does not impose any liability on the Government of India for any breach of privacy or loss of sensitive data so collected by them or under their instructions. Further, a body corporate under the applicable Section 43A of the Information Technology Act does not include the Central Government but means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Since the project is initiated by the Central Government, and the data collected is on behalf of the Government, while privacy rules under the Information Technology Act, 2000 have identified mechanisms for collection of data and review systems by the Government, they do not tackle the issue of security of the data so collected.
The UID project on many levels compromises on both the privacy as well as human rights aspect of the rights a citizen has. Many issues such as the following, as also stated by the Standing Committee of Finance in 2011, can be detrimental to the security and privacy of citizens:
(a) Security and confidentiality of information, imposition of obligation of disclosure of information so collected in certain cases,
(b) Impersonation by certain individuals at the time of enrolment for issue of unique identification numbers,
(c) Unauthorised access to the Central Identities Data Repository (CIDR),
(d) Manipulation of biometric information,
(e) Investigation of certain acts constituting offence, and
(f) Unauthorised disclosure of the information collected for the purpose of issue of unique identification numbers3
(g) Loss of sensitive information and data
With no regulatory setup to look into how the information is being collected, stored and used, there exist no laws, rules or guidelines that state the boundaries that the Government and its agencies have to adhere to with respect to shadowing of individuals based on such collected data.
While there are current laws in the form of the Information Technology Act, 2000, the Telegraph Act of 1885 and the Anti-Terrorism Act, 2002, none of these statutes comprehensively deal with the security and the privacy concerns of an individual and the liability of the Central Government in situations of breach of privacy, leakage of data or misuse of data so collected
Such sensitive as well as classified personal information could potentially have an effect on the individual privacy of a citizen unless a comprehensive privacy law is put into place. The current UID scheme and the proposed National Identification Authority of India Bill, 2010 do not propose any steps towards assuring that certain individuals would not be targeted, discriminated or marginalised on the basis of the biometric data collected. While it gives a person the choice to get a UID number, the basic reason of development that the UID proposes makes it mandatory for an individual to get an Aadhar card, albeit not legally enforceable. While there are current laws in the form of the Information Technology Act, 2000, the Telegraph Act of 1885, and the Anti-Terrorism Act, 2002, none of these statutes comprehensively deal with the security and privacy concerns of an individual and the liability of the Central Government in situations of breach of privacy, leakage of data or misuse of data so collected. With the recent loss of data of 3 Lakh registered users under the UID project, and the subsequent need for them to resubmit themselves to data collection, such threats of breach of privacy have become very real4.
The project, in its current form, allows access to the information collected to all interested parties in the Government, thereby exposing it to a wide range of people. Particularly, Clause 33 of the proposed Bill states that the disclosure of information for national security, which runs the risk of surveillance, tracking and profiling, will be controlled by the state and its agents. It does not give any reprieve to the misuse or undemocratic, illegal or unethical purposes of using the data. It is creating an effective database of over a billion people without first protecting the privacy rights of the billion people - a right held by the Supreme Court of India to be Fundamental Right under the right to life in the Indian Constitution5.
Today, if the data collected under this project is lost, one may not have any knowledge of such loss until the data is misused and even then it is the responsibility of the individual to remedy the misuse. Any loss accruing from such loss of data or misuse is also to be borne by the individual himself. The Government and its agencies, because of there being no law, rules or statutory guidelines in place are effectively absolved of any legal liability that may accrue.
Before the project can be implemented any further, it is essential that statutory protection be provided to safeguard the privacy of people as well as the data collected. Another alternative could be the creation of a governing body that follows a set of principles on the lines of those existing in the United Kingdom and USA with respect to data protection. It can conduct audits to ensure that there is no misuse or loss of data and can publish transparency reports that informs the public how their data is being used, thereby ensuring that the process remains transparent. It is imperative for there to also exist some liability which further regulates the actions of the Government and its agencies, furthering the cause of the right to privacy.
Footnote: 1 http://uidai.gov.in/about-uidai.html 2 http://deity.gov.in/sites/upload_files/dit/files/senstivepersonainfo07_02_11.pdf 3 Standing Committee of Finance, THE NATIONAL IDENTIFICATION AUTHORITY OF INDIA BILL, 2010; FORTY-SECOND REPORT, December 2011 4 Maharashtra loses data of 3 lakh UID cards, Clara Lewis, April 23, 2013; Times of India 5 See R. Rajagopal v. State of Tamilnadu, 1995 AIR 264; Peoples Union for Civil Liberties v. Union of India, (2003) 4 SCC 399
Disclaimer-The views expressed in this article are the personal views of the authors and are purely informative in nature.