A Brief On Data Privacy, Protection And Surveillance

Data Governance is a series on the use and abuse of data by private and government entities. It examines the many gaps and overlaps within multiple policies and laws that seek to regulate data.

Am I a citizen or have I been reduced to a string of 1s and 0s within a database?
Do I have control over the numerous data points I generate?
Do I know who owns and controls my data?
Am I a citizen with data rights or an atomised generator and consumer of data?

As the Indian government and private sector step up their digital infrastructure and extend a greater number of services through the internet, issues of digital rights, data ownership, privacy, protection and surveillance naturally follow.

As yet, India has no over-arching legislation to protect individual privacy and community data even as the government, in tandem with the private sector, has launched numerous data projects and surveillance systems.

The State Purpose

There are several databases created by central and state governments for governance, taxation, economic and financial policies, national security and welfare purposes. These could run into the thousands.

However, there are a few large data projects that seek to improve delivery of government services, boost private sector opportunities, all the while enhancing the state’s law enforcement and surveillance powers.

• Unique Identification Authority of India
  The nodal agency that stores all biometric and demographic details of Aadhaar card holders. These details are held in the Central Identities Data Repository and the system involves licensed private entities to enroll people into the Aadhaar system.
  
• State Resident Data Hubs
  Prior to the Supreme Court verdict on the efficacy of the Aadhaar program in September 2018, the UIDAI had shared or seeded CIDR data with state governments, who in turn created numerous SRDHs or state government Aadhaar databases. According to a March 2019 report in the Times of India, UIDAI had directed state governments to shut down the SRDHs and has stopped sharing data with them for the last three years. But data that’s been shared with states prior to the apex court ruling continues to be used by state governments for various programs.
  
• Central Monitoring System
  Introduced in 2011, the CMS made way for lawful interception and monitoring of communications - mobile phones, landlines and the internet, without any authorisation from the nodal officers of the Telecom Service Providers.
  
• National Intelligence Grid or NATGRID
  This came about in the wake of the 26/11 attacks as a unified intelligence database which would collect data and patterns, such as immigration entry and exit, banking and telephone details of a suspect, from 21 different organizations which will be shared with 11 agencies. It is expected to go live in December 2020.

Also Read: It Would Be Better If NATGRID Was Delayed Forever

• NEtwork TRaffic Analysis or NETRA
  Developed by the Defence Research and Development Organisation, NETRA is a system to intercept and analyse internet traffic based on keywords. It can intercept voice and text traffic over the internet traffic, analyse it and alert the concerned agencies in case of a potential security threat.
  
• Interoperable Criminal Justice System
  It is the evolution of the Crime and Criminal Tracking and Network System, which brought in IT solutions to all police functions. In 2016, the ICJS system was launched with an aim to integrate all courts, police stations, prosecution, forensic science laboratories and jails in the country. It is an all encompassing system for the criminal justice system and would provide inter-operable access to databases and systems managed by prisons, the police departments, Directorate of Prosecution and courts.
  
• Cities Database
  The Union Housing and Urban Affairs Ministry plans to create a database of 4,000 cities encompassing details on infrastructure, education and health facilities, aimed at addressing urban challenges of the country.
  
• DNA Databanks
  The DNA Technology (Use and Application) Regulation Bill of 2018 seeks to establish regional and national level databanks for both criminal and civil matters, according to August 2018 report by BloombergQuint.
  
• National Social Registry
  It’s a searchable database that uses Aadhaar numbers to integrate religion, caste, income, property, education, marital status, employment, disability and family-tree data of all citizens, a March 2020 report by Huffpost India revealed.
  
• National Digital Health Mission and the National Health Stack The national health identity will record health data of citizens and residents and store their health records. The information is then envisioned to be used for accessing healthcare services, drugs and pharmaceuticals, insurance claims etc. The health stack is a set of digital systems that will power the mission and provide analytics to improve healthcare services, with private sector participation.

• National Register of Citizens The Citizenship Amendment Act of 2003 introduced the requirement of a National Register of Indian Citizens. It also made way for compulsory registration of every citizen of India, and issue of National Identity Cards. Further amendments to the law, which came into force in January this year, make foreign illegal migrants of certain religious communities coming from Afghanistan, Bangladesh, and Pakistan eligible for Indian citizenship based on documentary evidence.
  
• National Population Register Though the NPR was conducted for the first time in 2010, it was abandoned after the Aadhaar system took off. That is until 2014, when the Bharatiya Janata Party-led government announced that it would re-start the NPR process, according to an answer to Parliamentary questions by Kiren Rijiju, the Union Minister of State for Home Affairs.

There are also sector-specific database projects that are either in the works or have already been set by specific ministries and regulators. For instance, Vahan and Sarathi are databases of registered vehicles and driving licenses respectively. The Public Credit Registry is a Reserve Bank of India system that has been conceptualised to track all financial, tax, legal and credit information of individual and institutional borrowers

The Commercial Purpose

Indian citizens did not have the right to privacy until the Supreme Court’s ruling in 2017, which upheld privacy as a fundamental right. The judgment also laid down a four-fold test that needs to be fulfilled before state intervention in the right to privacy.

The principles are critical in light of the government’s attempts to make way for commercial use of data. The legislative framework for that led to the introduction of the Personal Data Protection Bill, 2019 and more recently in July, a committee report on use and protection of non-personal data.

Personal Data Protection Bill, 2019
It governs the processing of personal data by the government, companies incorporated in India, and foreign companies dealing with personal data of individuals in India. The Bill has been referred to the Joint Parliamentary Committee for deliberation.

Also Read: All You Need To Know About The Personal Data Protection Bill

Committee Report On Non-Personal Data
Headed by Infosys co-founder Kris Gopalakrishnan, the 9-member committee has recommended that the private sector should be allowed to use non-personal data for economic purposes. It’s also suggested creating a data-sharing marketplace for Indian businesses and the government.