What does the Srikrishna Committee Report mean for your data or protection?

The Committee has failed to address key problems with the white paper released by the Committee for consultation. It has failed to correct the errors in its approach

A 213-page report and 62 page Personal Data Protection Bill are the result of the Srikrishna Committee commissioned by the Ministry of Electronics and Information Technology (MeitY) on 31 July 2017.

What does this mean for the citizens of India?
The committee intends to rewrite your relationship with your government and your service providers as it expects at least 49 laws that will be impacted by its recommendations. The report presents a draft Personal Data Protection Act. It also proposes amendments to the Aadhaar Act and the Right to Information Act.

Over its one-year tenure, the Committee has failed to address key problems with the white paper released by the Committee for consultation. It has failed to correct the errors in its approach. It has failed to address the five key questions for the Committee. I had made a representation to the Committee in Mumbai and raised some of these issues in person. Sadly, the Committee has not applied itself to any of these inputs.

Let us examine what the implications are for data protection, Aadhaar and the Right to Information (RTI).

Will your personal data be protected?
Even if the Personal Data Protection Bill became law, the short answer, is no, your data will be not be protected. There will, however, be an illusion of protection.

The Committee does not deal with fundamental questions about the generation, use and currency of the data but restricts itself to enabling third parties, who have no role to play in your relationship with your government or service provider, to access and use your data while restricting your own.

Data protection starts with the creation of data. What makes data valid? Whose responsibility is it? Who certifies the data that is generated? If data cannot be validated as genuine and is not certified, it serves no purpose. To protect invalid or fake data from replacing valid data, data has to be created in a well-defined manner and must be certified on creation. Invalid and uncertified data allows the propagation of fraud and destroys the ability of parties who rely on such data to recognise, trust and transact with persons with whom they have enjoyed a relationship for decades.

The Committee’s proposed Data Protection Bill has no provisions to define validly generated data or responsibility of the parties who create data. Nor does it require the parties creating the data to certify its validity. Neither the Committee’s recommendations nor its proposed Bill can protect your data when it is created.

Aadhaar numbers and Aadhaar data, for instance, are a classic example of invalidly generated uncertified data. The inability of the UIDAI to indicate which primary proof of identity or proof of address documents form the basis of the data associated with an Aadhaar number or to verify the original form filled by an Aadhaar applicant, makes the entire data invalid. Furthermore, neither the UIDAI, nor anyone else, certifies the data as having been generated validly or the contents of the data itself.

Can the data produced for a transaction be authenticated?
To protect valid and genuine data from being replaced by that which is invalid and not genuine, anyone using the data should be able to verify it as being the authentic data generated validly and certified by the one who claims to certify it. The Committee’s proposed Data Protection Bill has no provisions for data to be authenticated as being the same as the one validly generated and certified by the parties certifying it.

In the case of Aadhaar, for example, there is little that the UIDAI does to tell you whether the Aadhaar number, or the biometric or demographic data associated with it, are authentic and the same as validly generated and certified by them.

Can the use of the data be logged for the parties referred to in the data?
A log of the use of the data is necessary to protect the data from unauthorised access. The Committee’s proposed Data Protection Bill mentions logging requests and approvals but does not define the access to such logs. It does not place responsibility of such logs with the parties in possession of the data. Neither does it guarantee the parties in the transaction access to such logs.

Again Aadhaar is an example that illustrates this failure to protect data. Aadhaar is used in ways beyond online authentication of biometrics or demographics as defined in section 7 of the Aadhaar Act. UIDAI has no way to tell about the offline use, nor can it tell about the purpose of the online use.

Can the access and use of the data be blocked if the data is compromised?
The Committee’s proposed Data Protection Bill has no provisions to ensure data can be selectively blocked or released if it is compromised. It considers vague notion of consent, not an explicit transaction like issuing a cheque or filing a form, as sufficient to grant control over restriction of access or use.

Aadhaar, again, is a perfect example of the failure to protect an Aadhaar holder from unauthorised use of the number or any data associated with it. The user can do nothing to restrict or block any use without their consent. For instance, they cannot reverse, block or restrict sim cards, bank accounts, directorships of benami companies, benefits claimed or even fake tax returns filed using their Aadhaar number or associated data.

Is there a means to update the data?
Ability to update your data provides you protection from incorrect data being used. The Committee’s proposed Data Protection Bill restricts the ability for updation of data with a “Data Fiduciary”, or someone who decides the purpose or means of processing data, and not a “Data Principal”, or someone whose data it is. Furthermore, there is no provision for complete logs of such updates to protect the Data Principal.

Again Aadhaar is an excellent example of failure to protect the Data Principal as anyone with administrative access to the Classless Inter-Domain Routing (CIDR), as exposed by The Tribune earlier this year, can update data without any knowledge or control of the Data Principal.

Is there an audit of the processes of data creation, certification, authentication, use, restriction and updation? Is there an audit of the data itself? Such an audit ensures that the data is protected throughout the entire data life-cycle. While the Committee’s proposed Data Protection Bill has provisions to audit for “notices”, privacy, transparency, security, and breach, it has no provision to audit the data itself or the processes of data creation, certification, authentication, use, restriction and updation. It has no recognition of the entire data life-cycle.

Aadhaar is again an example where data has not been protected as no audit of data itself or the processes of data creation, certification, authentication, use, restriction and updation of the Aadhaar database has ever happened.

The idea of a “Data Fiduciary" itself is problematic. It creates rights to third parties, who have no role in the relationships of parties interacting for whatever purposes, for purposes of profit, control or defrauding individuals, organisations or the state.

Do the problems with Aadhaar go away?
The Committee in its report suggests amendments to the Aadhaar Act. It suggests an offline use of Aadhaar to “verify the identity of individuals”. Clearly the committee doesn’t understand identification or Aadhaar.

RS Sharma, Chairman of the Telecom Regulatory Authority of India (TRAI) and former Director General of the Unique Identification Authority of India (UIDAI), made his Aadhaar number public on 28 July 2018 and challenged social media users to cause him harm through his Aadhaar number. This resulted in, among other things, a physical Aadhaar “card” that was demonstrated as having been used offline with shocking results.

This offline use of Aadhaar was sufficient for anyone in possession of this “card” to be “identified” as RS Sharma by service providers, including Facebook and Amazon. Other hackers on social media highlighted its use for allegedly altering mobiles associated with his services, obtaining his PAN number, obtaining his demat and bank statements, threatening to file his tax returns and even open bank accounts. Some on social media even demonstrated money transfers, and potentially siphoning of subsidy, by using his Aadhaar number.

Identification requires a certified ID. It also requires that the person identifying takes the responsibility of the identification. In the case of Aadhaar, no one certifies the biometric or demographic data associated with an Aadhaar number. It cannot serve as a basis for identification. Furthermore, the UIDAI takes no responsibility for any identification based on Aadhaar. It cannot, as it does not certify any data and is not present to identify anyone.

Online “authentication” does not identify anyone either, firstly because the authenticated data is not certified to identify anyone, and secondly because the UIDAI takes no responsibility to identify anyone or of the identification process.

The Committee proposes powers that at least one of its own members called draconian “to issue directions, as well as cease and desist orders to state and private contractors, and other entities discharging functions under the Aadhaar Act”. This makes the UIDAI the “judge, jury, and executioner”. Again, this fails to recognise that without the UIDAI facing the consequence of failing to protect data, no failure will ever be faulted as theirs.

Does RTI get better?
The Committee interferes with Section 8(1)(j) of the RTI Act. It proposes that “if such information is likely to cause harm to a data principal and such harm outweighs the aforementioned public interest, can the information be exempted from disclosure”. This opens up discretion of deciding the harm and public interest, neither of which are defined.

The Committee, however, excludes the RTI from the provisions of the Data Protection Bill. Since the Committee has limited the scope of Data Protection and restricted itself to Privacy, it fails to protect the data sought under RTI from being invalid, uncertified, un-authenticable, without logs, updation records or unaudited.

Where does that leave you?
By creating a Prevention of Corruption Act that protects the corrupt, you are left helpless. Much the same way the Personal Data Protection Bill promises to unprotect your data by creating rights to third parties and even restricting the rights of parties whose relationship generates the data. It fails to understand the importance of protecting the parties and the legitimate purposes of the relationships they engage in from third parties who colonise, corrupt and destroy these relationships by capturing and interfering with their data.

The Committee, its report, recommendations and proposed Bill even fails to save Aadhaar from the mess it has created. It promises to ruin the RTI that has empowered millions across India. It also promises to alter 49 Acts to destroy governance, justice, liberty, equality, dignity and national security. It neither serves public interest, nor any national interest.

(Dr. Anupam Saraph is a renowned expert in the governance of complex systems and advises governments and businesses across the world. He can be reached @anupamsaraph)

(This opinion was first published online at Moneylife. You can read the same here)

Aadhaar verdict whittles down Modi’s Digital India ambition
The temple door is now open, but how many knocks did it take?
‘Shocking that finance minister is working towards restoring access of private parties to Aadhaar’
Editor’s Pick More