Srikrishna Committee has taken India back by enabling third parties to enmesh citizens through their data. It could even endanger India’s sovereignty.
The Economic Times reported, a few months ago, that an American company run by persons of Russian origin has 850 million unique records with 60 attributes for adult citizens from every state and union territory in India in 14 languages. The Srikrishna Committee Report, recommendations suggested amendments to the RTI Act, and its draft Personal Data Protection Bill may not be able to protect individuals or the country from losing their privacy even as the Election Commission loses its ability to distinguish between its lists and those prepared by third parties for their own purposes. It should have instead protected you and the country from the rights it just created for thousands of third parties to your and the country’s data.
Unless the generation, certification, authentication and updation of records on the electoral roll were protected under the data protection framework, how can they be distinguished from those that could be replaced by third parties? At the same time, if data protection is not allowed to permit sharing the electoral rolls with all in the constituency, how will those in the constituency be able to further their common purposes to ensure voting by those who belong to the constituency?
According to the affidavit filed by the UIDAI before the Supreme Court, in the Aadhaar petitions before it, more than 50% of the Aadhaar numbers that have been issued have never been used for any authentication since they were issued. The UIDAI doesn’t certify the biometric or demographic data associated with the number. Its database has never been verified or audited. The UIDAI has also indicated that it does not know how many unique biometrics, names, addresses, email IDs or cell numbers exist in its database. It also says that querying its database with a biometric doesn’t result in a unique record.
The Aadhaar number is being used widely to replace existing data that helps government and service providers identify citizens and customers. Post Aadhaar, governments and service providers may have lost their ability to recognise you and others who they had been interacting with for decades. They all insisted on Aadhaar, that cannot identify anyone, to “identify” you. The Srikrishna Committee Report, recommendations, its suggested amendments to the Aadhaar Act and its draft Personal Data Protection Bill may not protect you or the country from the generation and use of such uncertified, unverified, unaudited and invalid data to replace good data. It may not protect you from those who mandate such data or cause it to replace existing valid, certified, verified and audited data.
In October last year, 3.7 million bank accounts were opened by Airtel Payments Bank solely on the basis of Aadhaar, without any form being filled up by any on-boarded “customers”. LPG subsidy of Rs 1.67 billion was transferred to these benami bank accounts. Srikrishna Committee’s recommendations should be such as to protect you or the country from such frauds that result from the generation, use and maintenance of invalid, uncertified, unverified and unaudited data.
Already tens of millions of people face exclusion from rights, subsidies, benefits or even services, civil death, because of the voiding or replacement of their valid, certified data in government and private databases due to Aadhaar colonising and corrupting existing databases. Already, at least Rs 950 billion of government subsidies have been transferred into millions of uncertified, unverified and unaudited bank accounts opened solely on the basis of uncertified, unverified and unaudited Aadhaar.
It is unfortunate that the Srikrishna Committee is oblivious of the lifecycle of data. It is oblivious that data is generated whenever we undertake any transactions to further our purposes of living our lives. Since we are not hermits, our activities cause us to engage with others as part of our lives. Together with these others, we pursue common purposes. Our activities towards these common purposes result in data.
Our lives require us to come together with different agencies in different systems to further our common purposes — from enabling borrowing and lending money, enabling ability to connect and communicate with others, for obtaining education, for ensuring ability to travel abroad, to ensuring food security, or even to get a dignified burial. The Committee must protect the transacting parties generating data, while pursuing their common purposes while living their lives. It must protect from third parties who want to exploit their data or replace their data with alternate data of their own.
The Committee instead goes on to create rights and protect the very third parties, who they call “data fiduciaries” and who determine the purpose and means of processing of your data, who choose to exploit the data of others to their profits and call themselves a “digital economy”.
The Unique Identification Authority of India (UIDAI) and its ecosystem is one such third party that has no role in any of these common purposes we share with these agencies, it has no skin in the game to protect or further our common purposes. It doesn’t concern itself whether you could pursue and enjoy your relationship with your government or service provider. It has no link to your suffering, exclusion, or civil death. Any overreach of the UIDAI destroys the symbiosis between the borrower and lender, the mobile user and service provider, the passport issuer and traveller, the hungry and the food provider.
Like the UIDAI, the Goods and Service Tax Network (GSTN) and National Payments Corporation of India (NPCI), for example, are similar third parties that seek to profit from data of systems in which they do not share any common purpose with the participants of the system. All of these are examples of third parties who change systems that worked reasonably well for their participants before the intervention of these third parties.
Srikrishna Committee moves your rights to your relationship with your government or service providers to these data fiduciaries and in the case of grievance to “adjudicating officers” or further to “appellate tribunals”. This creates a totally new bureaucracy to remove any wrongful use by data fiduciaries, of the legitimate common purposes we pursue with our government or private parties in the process of living our lives. The Committee must not forget that “We, the people” and the Constitution of India we gave to ourselves as it protects third parties because building a digital economy and data warehouses appears to them as more important than “we the people”.
The Srikrishna Committee recommendations are far from protecting India from private interests who may use digital economies as their Trojan horse. Prime Minister Narendra Modi needs to ensure a hard relook at the matter so that the data generated daily by the people of India are protected from those seeking to monetise or misuse such information.
Dr Anupam Saraph is a renowned expert in governance of complex systems and advises governments and businesses across the world. He can be reached @anupamsaraph.