For Estonia, a European country with a population nearly 1,000 times less than India, the pursuit to establish a national digital identity programme was not any easier. When the nation rolled out its identity programme 15 years ago, similar to India’s Aadhaar project, political debates around the cost of the project and its mandatory nature had erupted. The government believed that the first step to have a strong ecosystem of digital services and e-governance was digital identity. However, that’s just one side of the coin. The push to electronic governance was backed by a data protection legislation.
India, while having its own digital identity programme and a slew of e-governance services, does not have a data protection law. Back in May 2010, though, when Aadhaar was in infant stages, the then chairman of the Unique Identification Authority of India, Nandan Nilekani, had written to then Prime Minister Manmohan Singh describing the background for requirement of a “comprehensive data protection law” in India. Over seven years later on July 31 this year, the Ministry of Electronics and Information Technology constituted a committee of experts headed by Justice B N Srikrishna “to study and identify key data protection issues and recommend methods for addressing them” along with suggesting a draft Data Protection Bill.
According to sources in the IT ministry, the government expects to have the Data Protection Act in place by December.
Even as the Indian government works towards having the data protection law, Estonians believe it is imperative to have one in place as one of the foundation stones of a strong e-governance ecosystem. “Information societies are about how governments are able to handle the data, and protection of data is absolutely crucial. It has to start from the constitutional system, but it should be realised through concrete regulations and laws. They should define how to keep databases, how to provide access to databases, who should have access to databases, which system should be there to see there’s no misuse of data,” said Liia Hanni, advisor to the Estonian president, and senior expert on e-democracy at e-Governance Academy in Estonia.
“In Estonia, for example, we have a special data protection inspectorate who is in charge of an oversight of the user data. Different information systems before being applied should also be coordinated with the data protection inspectorate,” Hanni added.
The Estonians have been operating their digital services under the aegis of their data protection law for the past 15 years. “Ownership of data remains with the people to whom the data pertains, or the person whose data it is. As the government, we only hold their data, but we have a very clear framework as to who will have the access to that data. Ultimately the people always have to get access to their data. We can’t say no to them. Only you can see all your data,” Siim Sikkut, Estonia’s government chief information officer pointed out.
Addressing the ownership of data is just one of the key principles laid down by various data protection laws across the world, including the European Union’s General Data Protection Regulation (GDPR) that will kick in from May 2018. The GDPR also establishes certain cornerstones for protection of citizens’ rights in a digital world. These include the right to be forgotten, right to access of own data from controllers, mandatory breach notification within 72 hours, right to port own data from one controller to another, among others.
Even as data protection regulations provide a legal backing to citizens as well as both government and private agencies to operate in a digital environment, Estonians believe that it also builds a foundation of trust between the people and the government for handling their data. “If people do not trust their government, it is a risky situation. To introduce something like internet voting, it’s not so much about technology or building of the platform, it’s very much about whether people trust their government or not,” Hanni said. “…data protection, I must say, is very important to build trust because if people don’t trust the government to handle their data, it’s very difficult to build up e-governance systems,” she added.
The legal backing and the “trust” factor has helped Estonia push its e-governance services, she said. Currently, almost all of 1.3 million Estonians rely on a variety of digital services such as e-prescriptions, telemedicine, internet voting, etc. About 80 per cent of the country operates in a cashless manner, something which the Indian government has also been attempting to get to create a more formalised economy.
“To introduce something like internet voting, it’s not so much about technology or building of the platform, it’s very much about whether people trust their government or not,” Hanni said.
Interestingly, Estonians often joke about how they can manage everything with their digital signatures and need physical signatures only for three processes – buying or selling real estate, getting married, and getting divorced.
“Digital identity is the building block for e-government and a digital society. We have had it for almost 15 years. At the time we were introducing it, there was a political debate in our parliament about why do we need this ID card with chip. ‘It is an expensive project, and let us make it voluntary’. Even then, we made this decision to have an obligatory digital identity and now to have digital services, you need to be able to prove who you are. Of course there are debates about risks of technology, but there always will be some risks, and it is the role of the government to explain to the people this new reality. We can’t escape technology anymore,” Hanni added.