Aadhaar project and the issue of privacy in India and worldwide
By Abeer Sehrawat
“The world’s largest mass surveillance project”, as the Aadhaar scheme is dubbed, is going to be challenged for violation of the Right to Privacy before a Constitutional Bench. It remains unclear whether the Indian Constitution guarantees a Right to Privacy at all, and any new provision for such a right is at a standstill until the Supreme Court hearing. Meanwhile, the EU is all set to reform its pre-existing framework of privacy and data protection laws to keep up with the technological progress of our world.
Aadhaar has faced objection from technological experts and political analysts alike for overstepping private and civic boundaries. In legal terms, the right to privacy is defined in Black’s Law Dictionary as the “right to personal autonomy” or “the right to be free from unwarranted public scrutiny”.
Article 12 of the Universal Declaration of Human Rights (1948) states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attack upon his honour and reputation. Everyone has the right to protection of the law against such interference or attacks.” The Supreme Court of India has broadly interpreted Article 21, the right to life, to include the protection of the “personal autonomy” of an individual. In Anuj Garg v. Hotel Assn. of India [(2008) 3 SCC 1] (SCC p. 15, paras 34-35), the Court held that “personal autonomy includes both the negative right of not to be subject to interference by others and the positive right of individuals to make decisions about their life”.
Introduced as a voluntary ID, Aadhaar has practically become mandatory due to a web of parallel rules that require it for welfare schemes, train bookings, telecom services and filing for income tax returns according to the latest Supreme Court judgement. There is increasingly less real choice left to the discretion of people in this ‘optional’ scheme. Surveillance by the State without a premise is a hindrance to both negative and positive liberty, whereby the state is coercing individuals to part with their bodily property to facilitate a process of information aggregation and profiling.
We are in desperate need of a comparative assessment of this scheme against those of other countries where biometric data collection has been attempted.
In the context of information warfare and big data breaches, even the collection of biometric data is extremely dangerous. The Unique Identity Authority of India (UIDAI), the government agency responsible for conceptualising the Aadhaar scheme, gave this task to three US-based biometric service providers (BSP): L-1 Identity Solutions, Morpho-Safran, and Accenture Services Pvt. Ltd. An investigation by Fountain Ink found a chain of connections between these companies and British, French and American intelligence and defence agencies. “Following the business links, partnerships and associations, investments and cross-holdings of the individuals and companies involved, situates biometric technology and persons involved in delivering Aadhaar in the midst of a labyrinth of interlocking relationships and conflicts of interest within the intelligence-industry complex. In an ecosystem where intelligence analysis is increasingly outsourced to private firms, these relationships fudge the distinctions between government and corporate, private and public, civilian and military.”
Handing over sensitive data of a billion Indian residents to other nations puts us in a vulnerable position with respect to external threats. The safeguards put up by the government against data theft haven’t been very comforting. A legal contract prohibits the BSP companies from sharing the biometric data. Yet, with consequences as grave as the loss of unchangeable personal data, a legal document is a measly affair. Nandan Nilekani, ‘the father of Aadhaar’, said in an interview that the appropriate punishment for a data breach is a simple “matter of opinion”. In Mr. Nilekani’s opinion, a fine of Rs. 10,000 or three years in jail is a sufficient measure against misuse of biometric data.
On the other hand, the Indian state’s possession of this data also raises concerns. The government has used the argument of ‘convenience and efficiency’ to tip the scale against privacy and security issues. But the ability to tap into the private life of anybody without invoking any special powers means unconditional surveillance of anybody. Emphasising the same, Senior Advocate Mr. Shyam Divan argued that “the recognition of the distinction between an individual or person and the State is the single most important factor that distinguishes a totalitarian State from one that respects individuals and recognizes their special identity and entitlement to dignity. The Indian Constitution does not establish a totalitarian State but creates a State that is respectful of individual liberty and constitutionally guaranteed freedoms”.
While surveillance on the grounds of legitimate suspicion is allowed and valid, unconditional surveillance means authoritarian superiority of the state, and even less space for dissent. The state’s surveillance of everybody without condition is equal to the state treating every citizen as a criminal.
Comparative analysis of biometric data collection and privacy laws in other countries
France enacted a law in 2011 to issue unique identity cards to combat identity fraud. These cards had one chip containing biometric and demographic data, and an additional chip for online authentication and for accessing e-government services on a voluntary basis. Running the scheme meant that the French state would have centralised information on 45 million individuals.
Even though the data was meant to be used for authentication purposes, the National Assembly had, under Article 10 of the act, authorised “officers who have been individually designated and duly authorised from the national police and gendarmerie departments to gain access to the database containing personal data established pursuant to Article 5 for the purpose of preventing or punishing attacks against the independence of the Nation, its territorial integrity, its security, the republican form of its institutions, its defence or diplomatic service, to safeguard its population in France and abroad and the essential elements of its scientific and economic potential, and to prevent or punish acts of terrorism.” [Decision no. 2012-652 DC of 22 March 2012, Conseil Constitutionnel]
In 2012, the French Constitutional Council found this law unconstitutional, as well as in discord with European Human Rights guidelines. The Council concluded that the collection of a biometric database that enables a person to be identified on the basis of their fingerprints is a breach of the right to respect for private life. Moreover, the authorised use of data by investigating police meant that the Parliament had failed to adopt legal guarantees against the risk of arbitrary action.
The Council further acknowledged that “the collection, registration, conservation, consultation and communication of personal data must be justified on grounds of general interest and implemented in an adequate manner, proportionate to this objective.” The nuance here is in the word ‘proportionate’: the benefits of data collection should outweigh the risks of such an affair. Given that such a scheme went against the right to privacy and the presumption of innocence, the proportionality did not hold.
The argument of proportionality was also used by writ petitioners in the Aadhaar-PAN case to challenge the constitutionality of Section 139AA under Article 14 (equality before law) and Article 19(1)(g) (to practise any profession, or to carry on any occupation, trade or business). The petitioners argued that the nexus objectives of the Aadhaar-PAN linkage did not justify the risks in a proportionate manner. The Supreme Court, however, cited three objectives of this linkage to fulfil the proportionality requirement: efficiency in providing welfare schemes, curbing corruption and black money, and checking crime.
According to the French Constitutional Council, biometric IDs do not pass the proportionality test, even with similar objectives behind creating them. It said, “having regard to the nature of the data registered, the scope of this processing, its technical characteristics and the conditions under which it may be consulted, the provisions of Article 5 violate the right to respect for privacy in a manner which cannot be regarded as proportionate to the goal pursued”.
With no concrete privacy laws, the aspect of privacy invasion was not given its due regard in the case of India. Shouldn’t privacy, a basic human right recognised by the UN Declaration of Human Rights, exist to uphold the dignity of Indian residents as much as it does for the French?
The Parliament of the United Kingdom passed an Act called ‘The Identity Cards Act 2006’ whereby a national identity card, a personal identification document and a European Union travel document would be created. These documents would then be linked to a database known as the National Identity Register (NIR). In addition to the 50 categories of information required in the making of the ID, such as date of birth, principal place of residence, every other place of UK or overseas residence, head and shoulder photograph, signature, fingerprints, and other biometric information (which might include iris scans and a facial measurement template), the government also had the authority to ask for any other information by a regulation or a single vote of parliament.
The Act faced criticism from privacy advocates, who warned that the existence of such a database, for people who could benefit from data abuse, was like an open pot of honey for ants. Moreover, the collection of this much data could have adverse effects: “vulnerable groups such as members of the witness protection programme, scientists involved in animal experimentation, celebrities and victims of domestic violence will find that their personal details are sold to the highest bidder or circulated among interested parties.”
A campaign called NO2ID gained momentum in its opposition to the Act. Their aim is to protect citizens from the “threat to liberty and privacy posed by the rapid growth of the database state, of which “ID cards” were the most visible part.” The concern comes from the fact that ID cards of the sort that this scheme aims to create allow the government to watch everything that a person does, and profile them with great accuracy. This means great power to manipulate, differentiate and target, both by the government and private interest businesses.
This act was eventually repealed by the coalition government of Conservatives and Liberal Democrats after the 2010 elections.
David Cameron, who formed his government as Prime Minister in 2010, said the British state was becoming “an increasingly Orwellian surveillance state - symbolised by the simultaneously ineffective and intrusive ID cards scheme”. Nick Clegg, Deputy Prime Minister, said that the scrapping of the Act meant that the government “won't sacrifice people's liberty for the sake of ministers' pet projects.”
Owing to privacy breaches, data leaks and a legal framework that lagged in protecting people's data as it is shared around, the EU has made comprehensive data protection laws. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) intends to strengthen and unify data protection for all individuals within the European Union (EU). This regulation will be directly binding for European states when it comes into effect on 25 May 2018.
The primary objective of the GDPR is to give control back to citizens and residents over their personal data. The GDPR is an improvement on the already existing Data Protection Directive, which is not legally binding. Following implementation, a uniform data protection law would be applicable all over Europe, with its reach extended to extra-territorial matters, i.e., the processing of data of EU citizens outside of European territories would be protected by European law.
The provisions in the new regulation are also up to speed with technological advancement: the rules under GDPR apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement. A breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). Moreover, it requires the format of consent forms to be simple and clear, with the intended use of data adjoined, as well as an easy process to withdraw consent.
The primary data protection law of France, Law No. 78-17 of 6 January 1978 on ‘Information Technology, Data Files and Civil Liberty’ (DPA), was recently modified by Law No 2016-1321 for a Digital Republic dated 7 October 2016 (Digital Republic Law) to prepare for the due implementation of the GDPR. As a member of the European Union, the United Kingdom implemented the EU Data Protection Directive 95/46/EC in March 2000 through the Data Protection Act 1998 (‘Act’). This act was due to be reformed in accordance with the GDPR, but may not exactly follow EU guidelines after Brexit.
Abeer is a student of political science, philosophy and economics at Sciences Po Paris, Reims.
Disclaimer: "The views in the article are of the author and do not represent the views of the Invisible Lawyer"