The Long Wait For A Privacy Protection Law In India

The following post is a sponsored post.

There are numerous examples of how easily Indians can lose whatever privacy they have through intentional or unwitting leaks of personal information.

Last year, financial data from up to 3.2 million debit cards were compromised in a leak affecting major banks such as State Bank of India, HDFC Bank, ICICI Bank and others.

Subsequently, more than 35,000 patients of a Mumbai-based diagnostic laboratory were victims of a data hack that saw their medical records – including test results – spilled online.

And the largest database of all has not been immune to careless handling of information either. In more than seven years, the Unique Identification Authority of India (UIDAI), the agency that collects biometric data used to issue Aadhaar cards, has stored information from more than one billion Indians.

According to the Centre for Internet and Society, the government itself has made public details of bank accounts and personal information of more than 130 million Aadhaar holders. The Centre has confirmed there was a leak, but denied the UIDAI was responsible, blaming other government agencies.

Recently, the government made it mandatory for Indians to have an Aadhaar card – in addition to their Permanent Account Number (PAN) – to file their tax returns, ostensibly to widen its taxpayer base and distribute welfare benefits more efficiently and accurately.

Activists have challenged this requirement in the Supreme Court. The challenge at hand is based on the necessity of Aadhaar card rather than concerns over data security, but critics warn the biometric system, which contains fingerprints and iris scans, can be used to steal identities and snoop on law-abiding citizens.

That’s because the UIDAI has contracted private companies, such as Microsoft, to provide authentication services and e-KYC requests.

This has amplified the lack of clear, thorough and overarching privacy protection laws in India.

According to the Aadhaar Act, 2016, it’s illegal to impersonate or knowingly duplicate Aadhaar data. However, enforcement and investigation are at the behest of the UIDAI, and punitive measures are unclear.

The involvement of corporate players, along with the overzealous application of Aadhaar – demands for its presentation have come from schools, hospitals and other non-government service providers – have advocates and cyberlaw experts raising the spectre of a lawless digital frontier.

In recent legal news, Attorney-General Mukul Rohatgi said the Centre is considering a data protection regime, possibly by Diwali.

But even while fending off accusations that Aadhaar is a covert surveillance tool, the Centre has told the Supreme Court that Indians do not, in fact, have “absolute” right over their bodies and cannot refuse to provide biometric samples.

The Information Technology Act contains a few sections on how corporations should handle sensitive personal data. Beyond those sections, there is no legal framework that safeguards Indians’ digital privacy and security: laws that address consent, duration, which data are private or public, how they should be obtained and stored and the nature of reparations for misuse are absent.

With the onset of digital payments, the move toward a cashless society and the popularity of social media, cyberlaw activists are pushing India adopt a more sophisticated data privacy statute. Globally, governments have recognized that technology is not infallible and have backed this up with legislation that governs the use and storage of personal data and punishes violators.

The former chair of the UIDAI, Nandan Nilekani, has also spoken in favour of stronger privacy laws not only to protect personal information, but also to improve digital literacy.

For the latest business news, visit BloombergQuint.

Leave a Reply