Having envisaged a platform which enables the achievement of an “efficient, transparent and targeted delivery of subsidies, benefits and services”, the Aadhaar Act hopes for a machinery that allows the State to optimise its welfare delivery mechanism in a manner that not only comes as monetary relief but also mitigates the significant human cost attached to leakages. Unfortunately, the benefits of such a system seem to be overshadowed by legitimate concerns pertaining to privacy and data protection. This further gets cemented given the ambiguity in collection and utilisation of sensitive personal data, the Orwellian dangers brought about by its sheer scale, and the inadequacy of current legal mechanisms to address grievances appropriately. Aadhaar, it seems to many, has transformed from being an instrument for subsidies to one of surveillance.
Now Aadhaar, by itself, is simply a means of identification, and the information that UIDAI stores is more or less restricted to the data it has obtained from the individual while registering. The distress emanates from the ways in which this identification system could be used, or rather misused, by state and non-state actors. Keeping aside the argument that such procurement of sensitive data is itself questionable on several grounds, the inability of the individual to control the ways in which their personal data is processed by different entities is the core problem. The unfortunate truth, in this day of technology, is that this ambiguity is not just restricted to Aadhaar, but any and all services that collect personal data. So even though much of the recent debate on Privacy emerges from and is centred around the Aadhaar Scheme, perhaps these concerns can be solved more wholesomely if the focus is on creating legal capacity that not just curtails the misuse of Aadhaar data, but of all personal data obtained by state and non-state actors.
For this, the constitution of an independent quasi-judicial body is essential. Such a body should include stakeholders from all concerned sectors if it is to have the bandwidth for enforcing the framework with accountability and effectiveness. Furthermore, all entities that deal with sensitive personal data should be mandated, on similar lines of the the RTI mechanism, to appoint a high ranking individual to be the point person for all data protection related queries. The primary aim of such a system (and the legislation it constitutes), would be to empower the individual with adequate rights over the usage of all personal data, to ensure more accountability from entities using this data, and for deterrence, impose significant penalties on any violation. Delving deeper into the terms of the legislation in itself, it is necessary that such a framework empowers each citizen with three important rights-Right to Notice, Right to Object and Right to be Forgotten.
To prevent misuse of personal data, it is essential to keep the individual informed of its use, as well as the nature of its use. To realise this, a ‘Right to Notice’ clause would be required to ensure an individual is notified the moment a request for the data is raised. In the specific case of Aadhaar, the individual should be able to access a time stamped list of authentication requests and be notified when different entities interact using said individual’s Aadhaar number. Taking this one step further, the concept of ‘Privacy by Design’ should be implemented where the default setting for all services that deal with personal data is set towards enabling maximum privacy and consent. Such privacy themed design structures would also ensure that the process of notifying the individual doesn’t remain a legally mandated afterthought, but develops into a core function that is facilitated by the system’s form.
While notifications play an important part in keeping the individual informed, the ‘Right to Object’ clause would empower the person to translate this information into action.The ability to refuse or object is a fundamental principle that is implicit across inter-personal transactions in free societies, and should certainly be made an essential component of all digitally enabled transactions as well. Informed consent should form the bedrock of all transactions pertaining to personal data, and all intrusions to this rule, unless judicially mandated, should be adequately penalised. Furthermore, this function should be realised by the independent body that oversees data protection and it should create adequate mechanisms for all individuals to exercise this right.
Finally, the clause pertaining to ‘Right to be Forgotten’ should enable citizens to get their information removed from the database of any entity. This clause, which has already been recognised in multiple judgements over the last few years including the landmark Justice Puttaswamy Vs GOI judgement, would enable citizens to opt-out of any service and ensure that their data is not being further used by the same entity. Considering that an individual’s data is akin to personal property, all transactions wherein the individual provided her or his personal data in exchange for better service should be time bound to the individual’s usage of said service. Additionally, such a clause should also enable victims of abuse, whose details have been publicised online, an opportunity to reinvent their lives. According to the nature of the situation, and subject to legal implications, this Right to be Forgotten can be availed either through the data protection body or through the courts themselves.
It is only through the efficient enactment and enforcement of these three rights under a larger privacy framework, backed by an independent quasi- judicial body, that the concerns regarding data protection can be addressed successfully. At the end of the day, the individual is the best judge on all transactions pertaining to personal data, and the function of regulations should be to ensure that the person is informed of its use and is given adequate avenues to exercise their rights in case of misuse. Maybe by not forcing others to follow our own narrow definitions of what privacy entails, and by merely empowering each individual to choose based on utility, we could enable a system that provides privacy for the individual, enables efficiency for the State and ensures justice for all.
The opinions expressed in this essay are those of the authors. They do not purport to reflect the opinions or views of CCS.