It shuts it down. Read on.
Privacy and data protection is a wide subject which has various facets. We highlighted in our presser that one of the recurring problems facing us is Aadhaar. We used the specific language of, "policy fix" to go beyond meaningless, artificial reform to challenging the very basis of Aadhaar. This was as per the drafting exercise carried over weeks which is explained and set out in this post.
To us several fundamental features of Aadhaar as per the Aadhaar Act, 2018 are :
- Mandatory use due to statutory language and administrative practice
- It is a universal digital ID not tied to any specific purpose
- It relies on biometrics which are an incredibly sensitive form of data
- It results in mass surveillance as a precondition to availing essential services
- Due to its architecture it makes people vulnerable to data breaches and identity thefts
The Indian Privacy Code, 2018 will attempt to prevent these "features" to operate against us.
The first thing to consider is that the Indian Privacy Code, 2018 is a comprehensive data protection statute that overrides all existing legislations [Refer Section 85]. Hence, it will apply over and above the Aadhaar Act, 2016. We have inserted specific statutory language that the Privacy Commission which will have powers to issue orders to the UIDAI [Refer Section 53]. Hence, privacy and data protections under the Indian Privacy Code will be given first preference in the pecking order.
- The Privacy Code has the consent framework deeply baked within it (Section 3(5)). This is illustrated in several provisions for meaningful consent beyond the ineffective terms of services and privacy policies [Sections 7, 8, 9, 10 and 12]. It requires people are explained what data is being parted, what are the consequences of it, and maintain the continuing power of the individual. More importantly, it clearly demarcates a statutory option for people to refuse their consent. This undercuts the Aadhaar Act but more importantly the administrative practices which have resulted in making it mandatory.
- The Indian Privacy Code is built off seven progressive privacy principles including use and purpose limitation in the collection and processing of data. Hence, it will limit universal, purposeless digital forms of identification such as Aadhaar or severely curtail its application which has seen unrestricted use (Sections 7(3), 10(2), 15). We specifically need to improve language on this and request help.
- The Indian Privacy Code classifies biometrics as a heightened class of sensitive personal data. We have given specific regulatory power on this to the Privacy Commission (Section 19(2)). Again, existing statutory language under the Indian Privacy Code, 2018 will lean towards prohibiting the use of biometrics by the UIDAI for purposeless use, or authorisation channels as is done through its network.
- The Indian Privacy Code has several provisions against (a) machine learning or algorithmic systems that determine legal entitlements (Section 27); and (b) a specific bar to denial of essential services (Section 13). All these provisions will override any provisions, interpretations under the Aadhaar Act or notifications under any other laws which make it a precondition for essential services, benefits and subsidies.
- The Indian Privacy Code has pro-active breach notification obligations (Section 16(4)) and penalty provisions for data breaches (Section 73). This applies equally to private parties and statutory bodies such as the UIDAI (Section 2(1)(l)).
We acknowledge the Indian Privacy Code, 2018 is not perfect text.
That is why we keep going back to the Seven Privacy Principles to guide us and continue to request suggestions on improving language which recognises user rights over personal data.
We also need to state it clearly : The Indian Privacy Code, 2018 is wider effort on protecting privacy and data protection. Also, it is not against all forms of digital IDs that can be privacy compliant under the Seven Privacy Principles. We believe it is possible for technology to work for people while they still retain power and control over it. Clearly, Aadhaar in its present form and its core features is fundamentally incompatible with the Indian Privacy Code, 2018 but more importantly the Seven Principles which have gone into its framing.
We also note that any Aadhaar repeal act limited to expressly repealing the Aadhaar Act may be an effort worth consideration and are open to conversation, support and collaboration on it. We welcome any such measure by people but again undertake and promise that the Indian Privacy Code, 2018 and the Seven Privacy Principles are incompatible with Aadhaar. Help us articulate them better.