Data Protection and the National Population Register #SaveOurPrivacy
Tl;dr
As part of its submission to the Joint Parliamentary Committee evaluating the Personal Data Protection Bill 2019, IFF has sent a brief analysing the impact of the Bill on the National Population Register. The brief highlights how the National Population Register violates data protection principles of lawfulness, consent, purpose limitation, data minimization and accountability. Based on this case study, the brief identifies various loopholes in the Bill and recommends necessary changes.
The Database Republic
The National Population Register has been in the headlines during the ongoing protests against the Citizenship Amendment Act, but the project has a long and interesting history. Originally proposed in 2001 in the aftermath of the Kargil War to address concerns of cross-border infiltration, the project was accelerated after the 26/11 Mumbai terror attacks. Household surveys were conducted in 2010 for NPR, and demographic data, biometric data and other government identifiers were collected from the population. It is important to note that biometrics and government identifiers are sensitive personal data and their misuse can cause significant harm to an individual.
While there was an initial tussle between UIDAI and the Registrar General over whose database will have primacy, this was resolved by the Cabinet Committee on UID in 2010 with the Government deciding that the Registrar General will issue Aadhaar cards instead of Multi-Purpose National Identity Cards. In 2015, NPR was updated and seeded with Aadhaar numbers. The Election Commission also wanted Voter ID details to be mandatorily included in NPR so it could link Voter IDs with Aadhaar through this mechanism. Earlier in 2011, NPR data was used as the basis for the Socio-Economic Caste Census because the Census Act, 1948 prohibited census data from being used. Therefore, NPR became the channel to achieve what could not be done through databases which had higher levels of data protection.
Recommendations
We analysed the NPR project against data protection principles recognized by the Supreme Court in the landmark judgement of K.S. Puttaswamy v. Union of India and found that it fell short on several aspects.
Based on this case study, we recommend that the following changes be made to the Personal Data Protection Bill 2019 to fix loopholes which could lead to a disproportionate encroachment on individual privacy.
- Clause 5 of the PDP Bill should state that only those purposes which are clearly mentioned in the primary legislation enacted by Parliament will qualify as a valid purpose for collection and processing of personal data if the government is building a database.
- Clause 35 of the PDP Bill should include principles of necessity and proportionality and mandate independent judicial oversight prior to any exemption being granted by the Central Government. This would also be consonant with the proportionality standard endorsed by the Supreme Court in K.S. Puttaswamy v. Union of India (2017 10 SCC 1). In any case, exemption from application of the entire PDP Bill should not be permitted and certain minimal requirements like preservation of quality and integrity of data and adherence to security standards should be required even under Clause 35.
- Clause 38 of the PDP Bill should be restructured and sub-clauses (d) and (e) should be incorporated as provisos which will serve as a pre-condition for grant of exemption for statistical purposes.
(We are very grateful to Srinivas Kodali and Vrinda Bhandari for helping us with this brief.)
Important Documents
- IFF’s Brief on Impact of PDP Bill on NPR (link)