2023 promises to be a landmark year for technology and digitisation in India. The Union Budget indicates growing prioritisation of these areas. For instance, the Digital India programme has been allotted Rs 4,795.24 crore, the allocation to the Ministry of Electronics and IT has nearly doubled, and there is a 1,000 per cent increase in the funding for the Artificial Intelligence and Digital Intelligence Unit. But something crucial is amiss.
Digitisation entails ever-expanding data collection, storage and sharing. This includes personal information such as biometrics and financial and health data. Many of the initiatives announced with the budget reinforce the deep discord between the pace of digitisation efforts, and the implementation of effective legal frameworks to strengthen privacy and cybersecurity. Let’s look at a few examples that will aggravate the existing privacy deficit in India, and amplify the scope for surveillance, unless meaningful, and urgent progress is made on a privacy-focused legislation.
A new National Data Governance Policy is going to be introduced to enable access to anonymised data. Anonymised data includes data that does not contain Personally Identifiable Information (PII) like name, age, phone number, address, etc, or data from which PII has been removed. However, several studies have demonstrated the ease with which anonymised data can be reverse-engineered to identify individuals. For instance, a study in 2019 was able to accurately reidentify 99.98 per cent of Americans in an anonymised dataset, including information held by the US government on more than 11 million people.
In a nutshell: Current anonymisation techniques are inadequate and do not guarantee privacy protection. For the potential of anonymised data to be unleashed without jeopardising people’s privacy, India first needs a robust data protection law. The current Draft Digital Data Protection Bill, 2022, falls short and fails to incorporate safeguards from previous rounds of consultations and even earlier iterations of the Bill. For instance, the 2021 draft imposed a penalty for the intentional reidentification of an individual’s anonymised personal information. This provision has been done away with, amplifying concerns around insufficient limitations and safeguards for privacy.
The budget also proposes privacy-invasive changes to the Income Tax search and seizure provisions in view of the increased use of technology and digitisation. IT officials could seek the assistance of experts to access digital devices and encrypted data. Note that there are no effective legislative limitations and safeguards to prevent access to certain types of personal information (private, encrypted communications, photos, videos), and require oversight and restrictions over when or how IT officials can invoke these powers. Such broad authorisations are bound to increase the scope for arbitrariness and misuse. Allowing unfettered access to personal devices like computers, mobile phones, hard disks, and cloud storage and encrypted data — which house much of an individual’s personal life today — without a data protection regime that ensures necessity and proportionality, is dangerous, and ill-fitting for a democracy whose Constitution guarantees the fundamental right to privacy.
Finally, the budget proposes expanding the scope of DigiLocker, a government-run cloud-based platform for storing, sharing, and verifying documents and certificates, to make it a “one-stop solution of reconciliation and updating of identity and addresses” with “Aadhaar as foundational identity”. For this measure to truly serve the objective of “Trust Based Governance”, two issues need to be addressed: One, strengthening of the cybersecurity infrastructure, including implementation of the long-awaited National Cyber Security Strategy, to inspire people’s trust, and potentially avert situations like the one in 2020 where 3.8 crore DigiLocker accounts were compromised. Two, prevent the continuing scope creep of Aadhaar, which is increasingly being made mandatory not only to avail services and benefits but also to exercise fundamental rights such as voting. The negative human rights impact of the forced, widespread use of Aadhaar has been well-documented. Further, there have been several Aadhaar data breaches over the years. This includes the largest data breach in the world in 2018 with the sensitive records of 1.1 billion citizens being compromised.
Regulations establishing accountability mechanisms and strengthening digital rights, based on feedback and impact assessments, are a crucial component of digitisation. At present, the approach tilts towards speedily implementing the latter, without equal prioritisation of the former, and this must change.
The World Economic Forum’s Global Cybersecurity Outlook 2023 finds that data privacy and cybersecurity regulations are effective for reducing cyber risks. Many new laws have been assured this year on data protection, telecommunication, internet governance and cybersecurity. However, the available drafts are far from satisfactory in terms of global best practices and international rights frameworks. As the country kickstarts its G20 presidency and prepares to be a leader in this space, we would do well to prioritise the development of exemplary, rights-respecting privacy and cybersecurity regimes.
The writer is Asia Pacific Policy Counsel at Access Now
