Monday, July 30, 2018

Data privacy: Too many hats for UIDAI

The Justice Srikrishna Committee’s final report has missed an opportunity to separate the conflicting roles played by the Unique Identification Authority of India (UIDAI) by bringing the UIDAI under the proposed Data Protection Authority’s (DPA) purview.

The committee’s draft law (DL) defines a data fiduciary as someone who “determines the purpose and means of processing of personal data”, meaning that anyone collecting or using our data is a data fiduciary. It also distinguishes between personal data and sensitive personal data (such as biometrics), the latter having greater protections.

DL proposes that a fiduciary should process our data in a fair and reasonable manner that respects our privacy, process the data for specific purposes, collect only the data that is necessary for the specified purpose, and seek our consent, explicit in the case of sensitive personal data, before collecting or processing the data.

DL also provides data subjects with rights of access, correction and data portability, as well as the right to be forgotten. There is also a right to withdraw consent for use of one’s data. The data fiduciary is required to ensure that the data processed is complete, accurate, not misleading, updated and retained only for as long as needed for the stated purpose.

DL proposes four additional obligations on large data fiduciaries, termed ‘significant data fiduciaries’. It requires such entities to maintain accurate and up-to-date records on how they handle data, to conduct data impact assessments before undertaking any new or large-scale activity that might potentially harm us, to appoint a data protection officer to meet these obligations, and to have their policies and processing of personal data audited by an independent data auditor.

How will we know that any of this is being adhered to? To this end, DL proposes a DPA, an independent regulator overseeing the process and all data fiduciaries.

The UIDAI would qualify as a data fiduciary, and indeed a significant data fiduciary: it collects, stores and processes sensitive personal data and is the centralised repository of biometric data of over 1.2 billion residents and of Aadhaar numbers, which are crucial for availing welfare benefits and operating mobile phones and bank accounts and, interestingly, for sending parcels overseas through the post office.

If DL is enacted, then the UIDAI as a significant data fiduciary would have to meet the obligations on data impact assessments, data auditing, reporting and appointment of an information officer required by law. It would also come under the purview of the regulatory authority of the DPA. UIDAI maintains the biometric data and oversees the process of authentication, and thus acts as a data fiduciary. Significantly, however, it is also a regulator: it licenses and regulates, and has the quasi-judicial powers to suspend Registrars and Aadhaar enrolling agencies. UIDAI also writes subordinate legislation, redresses grievances and is the only entity authorised to file criminal complaints.

The report, however, does not seem to appreciate this distinction. It calls for more powers to the UIDAI for stronger enforcement and penal levies. This suggests that the committee does not think that the UIDAI is a fiduciary, and assumes that it will continue to play the role of a regulator while it collects and maintains extremely sensitive data of India’s citizens. This assumption is also strengthened by the fact that DL has not proposed such changes to the Aadhaar Act (unlike its suggested amendments to the RTI Act), although the report does propose specific changes.

We have discussed the problems of the Aadhaar legal framework, including that of the UIDAI further delegating the specification of important standards/procedures to a future, undetermined time, leaving the current system to function in a legal vacuum (https://goo.gl/g33vLb), and the problems with UIDAI’s accountability framework (https://goo.gl/WHHqdt). If DL is passed as it is, the DPA should assume UIDAI’s regulatory functions while UIDAI should function as a significant data fiduciary meeting all its legal obligations, with the Aadhaar law amended accordingly. Such separation of the data fiduciary function from the regulatory function will bring in more accountability and transparency.

The next step would be for Parliament to discuss the draft bill, engaging with the relevant stakeholders and civil society. Given the immense impact that the UIDAI has on our lives, and if the Supreme Court is to uphold the constitutionality of the Aadhaar Act, one can only hope that these important issues are publicly debated and clarified.

(The post is co-authored with Vrinda Bhandari. It first appeared in Economic Times, 29 July 2018)
