PDPA 2018: Is Data Localization related to Privacy?

[This is in continuation of earlier articles on PDPA 2018]

There is a strong opposition to the proposal in PDPA 2018 about the Data Localization requirement which has already been discussed in the earlier articles.

There are a few specific questions that are coming up in the discussion about Data Localization, namely

“Does Data Localization have any relation to Privacy”?

“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security”?

“What is the meaning of a Serving Copy”?

I am sure that different view points will prevail on some of these matters but I would like to place my personal views on these.

“Does Data Localization have any relation to Privacy”?

According to the diktat of the Supreme Court in the Puttaswamy judgement, Privacy Right is a fundamental right in India. There is therefore an obligation for the Government to take all measures to ensure that the Privacy of an Indian Citizen is protected.

To repeat what we have said earlier, “Privacy” is an “Individual Preference” of a person on what makes him feel “left alone”. What is “Privacy” for one is “Not Privacy” for another. What is Privacy for a person at one time is not Privacy for the same person at another time. This being the nature of Privacy and it being a matter of  individual preference and choice, it is difficult to provide privacy protection by a law applicable to all.

What we are therefore doing is to focus only on “Information Privacy” meaning that we give control to the data principal to determine how some information can be collected, processed and shared. The entire exercise is therefore only related to “Personal Data Protection” and nothing else. To call this exercise as “Privacy Protection” is perhaps a misnomer but we need to put up with the situation as there may not be an alternative.

In this “Personal Data Protection Approach” to “Privacy Protection”, we need to define what is “Personal Data” and “What kind of protection we should provide”.

In order to design a guideline for such data protection, the PDPA 2018 defines data in different categories namely “Personal Data”, “Sensitive Personal Data”, “Critical Personal Data” and also “Personal Data exempted from some restrictions” for reasons of “necessity” and “strategic interests of the State”.

Coming specifically to Data Localization, it is felt that if the Government of India needs to protect the personal data of an individual, then it should have control over that personal data. If I send my personal data to some unknown person in Timbuktu and expect the Government of India to take responsibility for its protection, it will be an unreasonable expectation.

Therefore it is reasonable for the Government to propose that “Data Shall Remain In my control” and this translates into the “Data Localization” in the Act. The industry however looks only at the commercial aspect of the requirement and thinks that any change from the current scenario may involve additional cost, and therefore it does not want Data Localization. If cost is the only criterion, let us appreciate that Privacy Protection itself imposes a cost and if there was no PDPA 2018, there would be no cost.

The industry is behaving in a strange fashion by first fighting with the Government for the legislation and now trying to stall its implementation by irrelevant arguments on data localization.

Perhaps recognizing this opposition, the Government has actually diluted the Data Localization principle by providing that only the “Sensitive Personal information” is subject to strict data localization. The “Critical Personal Information” will also be subject to similar strict data localization but it will be restricted to some specific categories that the Government may have to notify. On the other hand, the “Personal Information” which is not considered sensitive can continue to be processed and stored anywhere, except that one “Serving Copy” has to be kept within the boundaries of India.

This need for local storage is restricted to data that is originating in India or is being processed in India and should therefore first be stored here and then a copy forwarded outside.

The Government has also been considerate in not insisting that the entire processing has to take place in India since only a “Serving Copy” needs to be retained. The processing can still take place elsewhere.

Thus Government is trying to yield to the industry pressure and allowing the cross border outflow of personal information for which it has prescribed under Section 41 the various means such as standard contractual clauses, adequacy of protection in a given country or sector, or upon specific consent and also when there is a “Situation of Necessity”.

The provisions are therefore very flexible and perhaps too flexible for hard core privacy activists.

The objections raised on this ground therefore lack conviction.

“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security”?

This is the genuine grievance of a hard core Privacy Activist and needs to be addressed through a proper system of approving countries on the “Adequacy” principle, incorporation of “Standard clauses” and “Informed Explicit Consent”.

The Data protection Authority should be expected to take necessary measures in this regard.

“What is the meaning of a Serving Copy”?

The meaning of “Serving Copy” can be interpreted in any manner based on our expectations. I feel that the intent is to ensure that it should mean a current live copy which is dynamically updated with every transaction and not a back up copy.

Since the Act applies only for data which originates from India, the local server copy can be the first instance of the data which then can be sent outside for back up storage.

Where there is a need for processing abroad, the local server should be the gateway through which the data goes out and it should return to India after processing. The facility outside India should work like a “Processing System” and not a “Processing cum storage system”. After the processing the data can be received back in India and stored here. A back up of this stored copy can be sent outside for back up storage if required.

If any company adopts a different process then they should satisfy the authorities on “Unfailing Synchronization” so that the copy in India is always the latest copy from which further transactions have to take place. The Data Protection officer should take care of this during his impact assessment.
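The "Unfailing Synchronization" condition described above can be expressed as a check over a storage commit log. The following is an added example, not part of the original article or of any regulation: it assumes a merged, time-ordered log of per-record version commits, and the site names, record ids and log format are all constructed for illustration.

```python
from dataclasses import dataclass

LOCAL_SITE = "in-dc1"  # hypothetical name for the server located in India


@dataclass(frozen=True)
class Commit:
    seq: int         # position in the merged, time-ordered commit log
    site: str        # where this version of the record was stored
    record_id: str
    version: int     # starts at 1 and increases with every transaction


@dataclass(frozen=True)
class Finding:
    seq: int
    record_id: str
    site: str
    reason: str


def audit_serving_copy(log, local_site=LOCAL_SITE):
    """Flag every commit that puts a copy outside India ahead of the local one."""
    local_version = {}  # record_id -> highest version stored at local_site
    findings = []
    for c in sorted(log, key=lambda c: c.seq):
        have = local_version.get(c.record_id, 0)
        if c.site == local_site:
            local_version[c.record_id] = max(have, c.version)
        elif c.version > have:
            # The other site holds data the local serving copy has not stored yet.
            reason = ("first instance stored outside India" if have == 0
                      else "copy outside India is ahead of the serving copy")
            findings.append(Finding(c.seq, c.record_id, c.site, reason))
    return findings


def stale_records(log, local_site=LOCAL_SITE):
    """Records whose local copy is still behind another site at the end of the log."""
    local, remote = {}, {}
    for c in log:
        side = local if c.site == local_site else remote
        side[c.record_id] = max(side.get(c.record_id, 0), c.version)
    return sorted(r for r, v in remote.items() if local.get(r, 0) < v)


# Constructed sample log (not real data).
SAMPLE_LOG = [
    Commit(1, "in-dc1", "cust-1", 1),   # first instance stored locally
    Commit(2, "sg-dr", "cust-1", 1),    # back-up copy sent outside
    Commit(3, "in-dc1", "cust-1", 2),   # transaction applied to the serving copy
    Commit(4, "us-east", "cust-2", 1),  # record created abroad first
    Commit(5, "in-dc1", "cust-2", 1),   # local copy catches up later
    Commit(6, "us-east", "cust-1", 3),  # processing result retained abroad only
    Commit(7, "sg-dr", "cust-1", 2),    # back-up of an already local version
]

if __name__ == "__main__":
    for f in audit_serving_copy(SAMPLE_LOG):
        print(f"seq {f.seq}: {f.record_id} at {f.site}: {f.reason}")
    print("stale at end of log:", stale_records(SAMPLE_LOG))
```

A clean report from both functions corresponds to the model in which the local server is the first instance and the gateway; any finding marks a point where the copy in India was not the latest one.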

(P.S.: As said earlier, this is only one opinion and it is possible that there may be alternate opinions also. I welcome sharing of any views and comments on the above)

Naavi


PDPA 2018: Privacy Activists and RTI Activists fight with each other

[This is in continuation of the earlier article on PDPA 2018]

There were three major criticisms against the PDPA 2018 (draft) which was presented by the Srikrishna Committee. One was on whether Aadhaar Act was to be amended. Second was on “Data Localization”. The third major objection was raised in respect of the proposed amendment to RTI Act 2005.

According to this report in dnaindia.com, RTI Activists in Mumbai have started a campaign against “Amendments to the RTI Act through the proposed Data Protection Bill” because they believe that this will ensure that officials will not be held accountable and transparency will be affected. An RTI activist named Mr Bhaskar Prabhu has been quoted as stating “As per data protection, it seems they have suggested changes to 8 (1) (j) or strike it odd altogether. If they take that stand and data protection has an overriding effect, then all information will be termed a personal and will not be provided,”

Another activist Mr Shailesh Gandhi has reportedly started a campaign for people to call up law makers and states “The more serious amendment to RTI Act has been proposed in the Data Protection Bill. It seeks to make Section 8 (1)(j) an omnibus exemption which could be used to deny most information where there is the name of an individual,”

PDPA 2018 proposes that in place of the current clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005 the following clause (j) of sub-section (1) of section 8 shall be substituted.

Coinciding with these views, comments made by the Central Information Commissioner Sridhar Acharyulu in a lecture in Hyderabad on the Right to Information (Amendment) Bill 2018, stating that it will weaken the Act, were superimposed by the media to project as if he has a strong objection to the amendment proposed through the PDPA 2018.

However, if we observe the proposed amendment it appears that this is a propaganda launched by the motivated media to oppose the PDPA 2018.

The two versions namely the present version and the proposed version are provided below:

Present Version:

(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Proposed Version:

(j) information which relates to personal data which is likely to cause harm to a data principal, where such harm outweighs the public interest in accessing such information having due regard to the common good of promoting transparency and accountability in the functioning of the public authority;

Provided, disclosure of information under this clause shall be notwithstanding anything contained in the Personal Data Protection Act, 2018;

Provided further, that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Explanation. —For the purpose of this section, the terms “personal data”, “data principal”, and “harm” shall have the meaning assigned to these terms in the Personal Data Protection Act, 2018.

If we study the two versions, it appears that the proposed amendment is cosmetic and tries to replace the words

“..cause unwarranted invasion of Privacy of an individual…unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, is satisfied that the larger public interest justifies the disclosure of such information”

with the words

“likely to cause harm to a data principal, where such harm outweighs the public interest”

There does not appear to be any ground for the motives that the Press has attributed to the amendment in its reports.

I request Mr Sridhar to clarify if he has any view on this specific amendment proposed by the Justice Srikrishna Committee. It is possible that the other RTI activists quoted in the DNA report might not have studied the bill and might have made an off the cuff remark based on what the journalist might have told them about the proposed bill. If so, they also need to clarify.

It is regrettable that certain sections of the media appear to be hitting out at PDPA 2018 without specific reason. It appears that they have objection to whatever Modi Government does or does not do. First they said there is no Privacy Act in India and now they do not want the Act to be passed. I wish that these Pseudo Data Protectionists should be stopped from spreading misinformation about the PDPA 2018 and the Press Council should seek explanation from these journalists on the basis on which they are writing such motivated articles.

It is because of such unscrupulous journalists that Social Media is being relied on more than the traditional media, a situation which is being exploited by malicious individuals to spread fake news and further blame the Government for its inability to control fake information.

There appears to be a fair amount of “Fake” information in the traditional media itself working under the cover of “Freedom of Press”. This needs to be checked by “Ethical Journalists” who should come together to weed out the bad elements.

If these fake journalists are not stopped, they will prevent the PDPA 2018 from being passed in the next session of the Parliament and then they will lobby with the Supreme Court to release the Aadhaar judgement to strike it down since the Government has failed to pass the Privacy Bill and further attack Mr Modi during the next election for his inability.

Thus we are seeing the playing out of the 2019 election politics in the criticisms of PDPA 2018 that are surfacing now.

Naavi


Personal Data Protection and Data Localization-2

[This is a continuation of the earlier article]

Having debated the need to “Restrict” the operation of the word “Indirectly identify” in the definition of “Personal Data”, we can now look at Section 40 once again.

We know that PDPA 2018 is a law that has been framed under the Indian Constitution (Just like the GDPR which is a law under EU Constitution) and its basic jurisdiction is for the citizens and activities that fall under its geographical boundaries. If “Privacy Protection” is the basic objective of the law then the mandate for the Government is to protect the privacy of Indian citizens. India cannot assume the responsibility to protect the Privacy of global citizens just as EU cannot assume responsibility for protecting the privacy of an Indian citizen.

However, law makers arrogate to themselves the right to frame laws with universal jurisdiction as if they are protectors of the whole world. GDPR did it and PDPA 2018 had no option but to follow suit.

Hence PDPA 2018 has stated that the law will have extra territorial jurisdiction in some respect though it is more humble than GDPR.

Basically PDPA 2018 applies under Section 2, to the following:

(a) processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and
(b) processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.

Under Section 2(1)(b), processing of data by an Indian company even of a foreign national is subject to this Act.

I consider this a needless responsibility that the law could have avoided.

Under Section 2(2)

(2) Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —

(a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(b) in connection with any activity which involves profiling of data principals within the territory of India.

This is better worded than similar regulation under GDPR and brings the foreign companies within the ambit of the Act which is only reasonable if they are doing business in India or profiling activities in India.

Obviously some of the industry giants appear to be miffed at the courage shown by the legislators in bringing them under Indian law. While US meekly surrenders to the EU GDPR and EU GDPR tries to lord over the global IT systems, there seems to be objection only when India tries to assert its rights equal to other countries. It is in this context that the need to defend the sovereignty of India arises even in defining the provision of the data protection law.

Unfortunately our industry is dominated by vested interests and we find that this provision is being opposed as part of opposition to “Data Localization”.

The arguments presented in this opposition are

  1. Restricting cross border data flow is against the basic philosophy of Internet
  2. Imposes Additional cost
  3. A balanced view is required between Safety and Security of India and flow of global data into and from India
  4. Approach is against the fundamental tenets of our liberal economy
  5. Localization may become a trade barrier and unlikely to benefit local industry

Additionally, recognizing that the key to escaping data localization lies in the definition of data, there is an industry view point presented as a dissenting note that wants “Financial Data” and “Password” to be not classified as “Sensitive Data”.

It is not possible to give any credence to any of the objections raised above. It is like the usual arguments we see from the Pseudo liberals in our country who plot the assassination of the Prime Minister on the one hand but want to be protected under free speech on the other hand.

The Pseudo Data Protectionists want the law to be tuned to the advantage of other countries rather than India. They are having a skewed interest in data protection from the point of view of what helps their commercial interests rather than what helps the country and its citizens. This attitude needs to be countered for a healthy development of “Privacy in harmony with Security”.

I am sure that as in many other instances, Naavi.org will be a contrarian thought leader and the industry professionals may have discomfort in accepting the “Nation First” view point even ahead of “Privacy”.

After all I consider that “Cyber Security is a fundamental Right” and Privacy right  has to be balanced with the Security of the State without any excuse.

However, there will be many debates on this concept and this is only the beginning of a long drawn data colonisation war which India has to fight with the world data business leaders.

Let’s watch the developments as they unfold.

Naavi


Personal Data protection and Data Localization-1

(This is in continuation of the earlier article on PDPA 2018)

After the discussions on Aadhaar the other hotly debated aspect of Srikrishna Committee’s report and the draft PDPA 2018 is the “Data Localization” recommendation.

The PDPA 2018 has recommended under Sections 40 and 41, the regulations on cross border movement of data and there is a strong opposition from the industry circles on the proposed requirement that suggests that at least one serving copy of personal data generated in India has to be retained in India.

The Data Localization debate  has also triggered the concept of “Data Sovereignty” under which it is argued that the nation has the right to expect control over data that belongs to it.

We can refer to a well articulated opinion expressed in Economic Times today titled “Data Sovereignty-Economic Implications for the country”

The Indian IT industry represented by NASSCOM which was represented in the Srikrishna Committee as DSCI has through a dissent note submitted as part of the report expressed its reservations on the recommendations of the Committee. The industry is continuing to lobby for a change so that the proposed recommendation is scrapped.

As long as there was no specific data protection law in India, the IT industry lobbied for the law stating that it is important under the EU data protection guidelines. The EU guidelines even before GDPR threatened that no data would be transferred to Indian data processing industry unless there is a strong data protection law in India. The industry failed to recognize that ITA 2000/8 was itself a strong data protection law in India and was sufficient to claim the status of an “Adequate Data Protected Nation” under EU regulations. What was lacking was perhaps an effective implementation which could have been corrected administratively without another law.

However, after the Supreme Court jumped into the fray with the Puttaswamy judgement essentially to rein in the use of Aadhaar, there was no option for the Government but to develop a separate Personal Data Protection Law and the result is the PDPA 2018. While the industry was earlier crying that data inflow has been curtailed because of lack of a law in India, now they are raising an objection that the law is restricting the data outflow. The stand taken by the industry therefore lacks conviction and looks like a lobbying by vested interests.

Let us first see what PDPA 2018 has proposed and what are the objections of the industry.

Section 40 of the proposed PDPA 2018,

40: Restrictions on Cross Border Transfer of Personal Data

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

For the purpose of this section, data has to be considered as belonging to four types namely

a) Personal data to which Section 40(1) applies

b) Critical Personal data to which Section 40(2) applies

c) Exempted categories of data to which Section 40(3) applies

d) Sensitive Personal data to which Section 40(4) applies.

Of these, Personal data and Sensitive personal data are defined in the law and the Critical and Exempted data categories need to be notified by the rules or the Data Protection Authority of India (DPAI) when established.

Essentially the restrictions under Section 40 state that “Sensitive Personal Data” has to be compulsorily retained within India. As regards Personal Data, a copy alone needs to be compulsorily retained in India and otherwise the data can move freely outside. Additionally the Government has kept the power to notify any other type of data that can be mandated for processing in India as “Critical Information” and those which can be exempted from local retention (of even a copy) on grounds of necessity or strategic State interests.

We should also observe the section carefully and note that Section 40(1) applies only to personal data to which this Act applies.

To understand Section 40(1) we need to therefore visit the definition of Personal Data and the Applicability of PDPA 2018.

The definition of “Personal Data” under Section 3(29) follows the global standards of defining anything and everything as “Personal” and if we raise objection to this, the very foundation of all personal data protection laws including GDPR would be threatened.

The definition given is

“Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”

The definition is clearly omnibus with the use of the words “relating to”, “Indirectly identifiable” and “any combination”.

Data exists for a purpose and Law basically exists for the protection of a “Natural Person”. Hence almost all “Data” is indirectly related to a Natural person. In the days of “artificial Intelligence” supported by “Quantum Computing Power”, it is impossible to find data that is not related to a natural person. Take for example a “Google Glass”. If I am wearing a Google Glass, everything I see around me can be tagged to the identity of the face recognition. A Place can be identified with the people who have visited the place and it becomes “related to an individual”.

To expect any data to be “Not Related to a Natural Person indirectly or directly even with a combination of information surrounding it and the use of technology” is a figment of imagination and living in a fool’s paradise.

I therefore consider that the law whether PDPA 2018 or GDPR has to recognize its own limitations and provide for a less than universal definition of “Data to which this Act applies”.

If we do not recognize this, there will be endless litigations and Supreme Court of India will have nothing to do except interpreting how a particular piece of data is related to an individual.

This article which you are reading on the internet is a non-personal data but it is related to a person whose nick name is Naavi but who has a real name and identity associated with an e-mail address, a mobile number, aadhaar etc. Can we then say that this article is subject to Section 40(1) of PDPA 2018? A strict interpretation will essentially agree with such an interpretation.

We therefore should recognize that if we do not confine the meaning of the “Personal Data” and remove the word “Indirectly” and stick to specific identifiers being defined (like in HIPAA), we are in for a chaotic time. This is not just for PDPA 2018 but also for all other legislation such as GDPR.

We shall however, for the time being, not stir this hornet’s nest and accept the word “Indirect” as part of the definition and move on.

(To Be continued)

Naavi


PDPA 2018 and Aadhaar-2

Continuing our discussion on the draft PDPA 2018 (proposed by the Srikrishna Panel) and the proposed amendments to the Aadhaar Act embedded in the report under the Appendix, the following observations can be made.

1. Offline Verification

One of the proposed changes is the introduction of the concept of “offline verification” which is defined as

“a process of verifying the identity of the Aadhaar number holder without authentication through such offline modes as may be specified by the regulations”.

We had a brief discussion on the possibilities of how an “Offline Verification System” can be used as a substitute to the present system where the authentication is based on the provision of biometric (Finger prints and/or Face recognition) at the service provider’s end and a direct connection to the CIDR for real time verification.

More discussions on the way the offline verification system can be designed will be required and hopefully UIDAI will come up with some innovative ideas of its own. For the time being we shall take this as a suggestion of the Srikrishna Committee to be further explored and developed. But this should be an alternative to the current system of authentication (both through global AUAs and Local AUAs with the use of the real Aadhaar number and the virtual Aadhaar number) and reduce the risk of leakage of biometrics during the billions of authentications that will be happening on the system on a daily basis.

2. Consent before Verification

Srikrishna Committee has proposed introduction of Section 8A to the Aadhaar Act which specifies that

(1) Any offline verification of Aadhaar number holder shall take place on the basis of consent provided to such verification by the Aadhaar number holder

(2) Any offline verification-seeking entity shall,

(a) obtain the consent of an individual before verifying him offline, in such manner as may be specified by regulations; and
(b) ensure that the demographic information or any other information collected from the individual for offline verification, if any, is only used for the purpose of such verification.

(3) An offline verification-seeking entity shall inform the individual undergoing offline verification the following details with respect to offline verification, in such manner as may be specified by the regulations, namely: —

(a) the nature of information that may be shared upon offline verification;
(b) the uses to which the information received during offline verification may be put by the offline verification requesting entity;
(c) alternatives to submission of information requested for, if any.

(4) An offline verification-seeking entity shall not:

(a) subject an Aadhaar number holder to authentication;
(b) collect, use or store an Aadhaar number or biometric information of any individual for any purpose;
(c) take any action contrary to any obligations on it, specified by regulations.

It can therefore be observed that the entity seeking authentication through the off-line process has been mandated to obtain an informed consent. This is anyway covered under the PDPA 2018 also since the person receiving the information would be a data fiduciary even before he tries to verify the data.

There is a need to recognize one anomaly here. The Aadhaar comes into the picture only for “Verification” of the data already provided by the data principal to the service provider (e.g. SIM card provider). It is at the time of providing his personal information to the service provider that he is obligated under PDPA 2018 to obtain the necessary consent. Subsequently the interaction with UIDAI is not “Collection of Information”. It is only “Verification” of information already collected. So we may argue that no consent would be required to be taken from the data principal for the service provider to verify the data with the UIDAI. As long as the verification is the binary answer to the parameters submitted “Correct” or “Incorrect”, there is no information collection beyond what the data principal has already given.

The consent suggested therefore may be considered as a means of abundant caution. It may be relevant when the service provider just provides an Aadhaar number and the UIDAI sends out the demographic data. This is being followed now but should perhaps be discouraged. The proposed amendment to Aadhaar Act will perhaps provide the backing to this system where data is thrown out of UIDAI to the service provider when a form is populated automatically with the data to be used by the service provider.

3. Purpose Limitation

Aadhaar service providers would be bound by the terms of the consent to use the data only for a specified purpose. This is also reiterated under the amended section 29 (4) which states

“No Aadhaar number, demographic information or photograph collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for purposes, if any, as may be specified. Provided, nothing in this sub-section shall apply to core biometric information which shall only be governed by sub-section (1).”

The amendment under 29(4) on restrictions on sharing the information addresses the many cases of Aadhaar leakage that we have observed in the past.

4. Civil Penalties

It is proposed that an entire new chapter VIA on Civil Penalties along with Chapter VIB on appeals be added. The civil penalty can extend up to Rs 1 crore and in the case of continued failure can extend to Rs 10 lakhs for each day of failure. Civil Courts will not have jurisdiction and the appeal from the Adjudication authority (to be appointed) goes to the Appellate Tribunal and then directly to the Supreme Court.

5. Criminal Penalties

Under Sections 38 and 39 it is suggested that the term of imprisonment can be increased from 3 years to 10 years.

Not obtaining a proper consent or unauthorized publication of data or unauthorized use of biometric is considered as a criminal offence that can attract an imprisonment of 3 to 10 years with fine up to fifty lakhs. (Section 40, 41A, 41B, 41C and 41D)

Punishment under section 42 (residual penalty) has also been increased from 1 year to 3 years making it possibly a cognizable offence.

In view of the above, it can be stated that the Srikrishna Committee has suggested a substantial hardening of the Aadhaar Act which should be welcomed.

However it is strange that we see some objections on the propositions including the dissent note from one of the members that suggestions on Aadhaar were beyond the scope of the committee’s terms.

While we are open to further suggestions and refinements regarding the controls that can be suggested for preventing misuse of the Aadhaar system, it is necessary to record that the recommendations are welcome.

Naavi


Srikrishna Panel report and Aadhaar

Throughout the one year when the Justice Srikrishna Committee was deliberating on the Privacy Legislation in India, Aadhaar was the focus of the privacy activists. There was one group of people who were completely against Aadhaar and have been trying to convince the Supreme Court that Aadhaar is a threat to the Privacy Right and has to be abandoned. They cited the many data breaches surrounding Aadhaar to discredit the Aadhaar system. On its part, UIDAI introduced the Virtual Aadhaar facility so that the Aadhaar identity need not be over-exposed, and also brought some additional controls on the Aadhaar authentication agencies by treating only a few as “Global AUAs” and the rest as “Local AUAs”. During most of the public consultation programs that the Srikrishna Panel held across the country, several concerns were expressed that because of Aadhaar non-availability or failure, people were losing their ration and facing several difficulties.

Naavi has been speculating that the opposition was mainly from those who were hurt by the linking of Aadhaar to the Bank and PAN numbers and the proposed linking of Aadhaar to the property records. These measures were a blow to the holders of black money, and they were voicing their opposition to Aadhaar on grounds of Privacy and Security threats.

Even the Supreme Court held back its judgement awaiting the passing of the Privacy Act on which the Srikrishna Panel was working.

It was therefore logical that the Srikrishna committee, when it was finalizing its report, had several suggestions to harden the Aadhaar legislation. Justice Srikrishna is a pragmatic judicial expert whose years of experience were available for the drafting of the report, and his views are therefore to be considered as meaningful suggestions that need to be translated into action at the earliest.

However, when we look at the final release of the Srikrishna committee report, it appears that there was some difficulty in forging consensus in the committee as to the final recommendations. While the report did contain a whole Appendix with suggestions for amendments to the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, these were not incorporated into the draft Bill, namely the “Draft Personal Data Protection Act 2018” (PDPA2018). Only amendments to ITA 2000 (Removal of Section 43A) and a small amendment to the RTI Act were added. The Committee in fact identified a list of 50 allied laws which were affected by the proposed legislation, of which only amendments to ITA 2000 and the RTI Act were incorporated in the draft bill.

Given the expertise which was at hand, the committee was capable of suggesting amendments to all these legislations but did not do so. In fact even the critical suggestions regarding Aadhaar were only incorporated as a suggestion in an Appendix and it is now left to the Government to bring a separate bill for the amendment of the Aadhaar Act.

After the release of the two documents, namely the draft bill and the committee’s report, we have seen that there have been sharp criticisms of the proposed amendment to the RTI Act. The opposition to Aadhaar was expressed in the report itself in the form of the dissenting notes from one Professor and another representative of DSCI. Additionally, there has been dissent on the Data localization suggestions of the Committee.

There is a possibility that some minor changes to the draft bill can be made before it is passed.

We shall therefore try to discuss the major points of dissent and try to understand why there is an opposition from some sections of the industry which has tried to express itself in the dissenting note of the DSCI representative in the report itself.

….To be continued

Naavi
