Justice BN Srikrishna Committee’s responses to the five questions mentioned below will decide whether the Data Protection Bill they propose will further promise of the Preamble, or take India back to colonial times and enslave citizens.
1. Who is the beneficiary of data protection?
Data is generated whenever any we undertake any transactions to further our purposes of living our lives. Since we are not hermits, our affairs cause us to engage with others as part of our lives. Together with these others, we pursue common purposes. Our activities towards these common purposes result in data.
Companies, or third parties, in the business of gathering, storing, modifying, analysing, trading or managing data leverage data from our affairs for their profits. The profits of these companies builds a data economy, usually also a digital economy. The exploitation of such data by these third parties is often viewed as innovation. Start-up businesses that exploit such use of data are often encouraged.
You, the Justice Srikrishna Committee, have to address the issue and make explicit the beneficiary of any data protection framework you propose. Is it transacting parties generating data, while pursuing their common purposes while living their lives that you will provide a protection to? Or is it third parties who choose to exploit the data of others to their profits that you are aiming to protect? Or is it the digital companies in the business of selling hardware and software to build digital empires across continents?
Your answer will decide the culture and society we will become - one that protects we, the people, or one that protects the profits of third parties exploiting data of others. One that upholds the promise and principles of the Preamble to the Constitution or one that colonises, corrupts and destroys the country as it drives its laws to help private interests to profit through exploitation of the lives of people of India.
2. Who are you protecting the beneficiary from?
If we are the beneficiary of data protection, are you protecting us from the third parties who want to colonise, corrupt and destroy our systems by seeking to profit from the data that results from our activities?
Or are you protecting the third parties from us - and our cries of pain? Are you protecting the third parties from their partners so that they can make bigger profits and grow the data economy or even the digital economy?
3. Why are you protecting the beneficiary?
The Preamble to our Constitution promised to secure to all citizens justice, liberty, equality and dignity. To deliver the promise of the Preamble, data from every transaction of ours has to ensure that the transaction did not cause injustice, indignity, was not the basis of an unequal relationship or the result of coercion outside the free will of the transacting parties.
Or are you protecting third parties so that they may continue to expand indignity, injustice, coercion and inequality? Are you protecting third parties because building a digital economy and data warehouses is more important than the lives of “We, the people” and the Constitution of India we gave to ourselves?
4. What is the scope of data protection?
Are you restricting the scope of data protection to exclude non-digital data? Is the understanding of the Committee about data protection merely restricted to informational privacy?
Shouldn’t data protection cover the entire life cycle of data? Should it not include the generation of data, the certification of generated data, the authentication of the certified data, when used later or for arbitration in case of disputes, the updation of data and the restriction and sharing of data? Should it not require the audit of all of these as part of the protection?
The Economic Times recently ran the story of all of India’s Electoral Roll with 68 attributes of each voter for every constituency being offered for a price by an American company. Unless the generation, certification, authentication and updation of records on the electoral roll were protected under the data protection framework, how can they be distinguished from those that could be replaced by third parties? If data protection is not allowed to permit sharing the electoral roll with all in the constituency, how will those in the constituency be able to further their common purposes to ensure voting by those who belong to the constituency?
Take the case of the use of unknown database to open 37 lakh bank accounts and transfer Rs167 crore as subsidy for liquefied petroleum gas (LPG) into them. If one restricted to informational privacy the transactions between the government and subsidy beneficiary or a customer and a bank cannot be protected. There would be no means to authenticate genuine records, perhaps even no means to access let alone audit them.
Similarly informational privacy provides no means to protect the customer of an internet service provider (ISP) using metering to throttle speed or block content in violation of Telecom Regulatory Authority of India (TRAI) regulations and NET Neutrality. The data generated by the ISP does not provide any basis for impartial arbitration to resolve disputes.
5. Why do we need data protection?
Do we need data protection to keep away third parties, lest they colonise, corrupt and destroy those systems that matter to our lives?
Our lives require us to come together with different agencies in different systems to further our common purposes€Š—€Šfrom enabling borrowing and lending money, enabling ability to connect and communicate with others, for obtaining education, for ensuring ability to travel abroad, to ensuring food security, or even to get a dignified burial. The Unique Identification Authority of India (UIDAI) and its ecosystem is a third party that has no role in any of these common purposes we share with these agencies, it has no skin in the game to protect or further our common purposes. This overreach of the UIDAI destroys the symbiosis between the borrower and lender, the mobile user and service provider, the passport issuer and traveller, the hungry and the food provider.
Like the UIDAI, the Goods and Service Tax Network (GSTN) and National Payments Corporation of India (NPCI), for example, are similar third parties that seek to profit from data of systems in which they do not share any common purpose with the participants of the system. All of these are sad examples of third parties who colonise, corrupt and destroy systems that worked reasonably well for their participants before the intervention of these third parties.
Or do we need data protection to provide a firm legal framework to allow the private interests of the UIDAI ecosystem to flourish in the name of data-driven innovation and entrepreneurship? Is data protection the means to allow the third parties to profit from data that they regard as the new oil?
The responsibility of Justice Srikrishna Committee cannot be under-emphasised. This is perhaps the easiest, yet most difficult arbitration that history will forever write him down for.
(Professor and Future Designer @AnupamSaraph is an internationally renowned expert on governance of complex systems)
I wish this article was sent to all the people in US where I live to alert them to the pitfalls of giving up their privacy for a little ease of purchase.
I am not techno savvy. Hopefully others who are will comment on this article to make sure that the consumers in India put checks and balances in place to protect their privacy.