What Does the Srikrishna Committee Report Mean for your Data or Protection?
A 213-page report and 62 page Personal Data Protection Bill are the result of the Srikrishna Committee commissioned by the Ministry of Electronics and Information Technology (MeitY) on 31 July 2017.
 
What does this mean for the citizens of India?
 
The committee intends to rewrite your relationship with your government and your service providers as it expects at least 49 laws that will be impacted by its recommendations. The report presents a draft Personal Data Protection Act. It also proposes amendments to the Aadhaar Act and the Right to Information Act. 
 
Over its one-year tenure, the Committee has failed to address key problems with the white paper released by the Committee for consultation. It has failed to correct the errors in its approach. It has failed to address the five key questions for the Committee. I had made a representation to the Committee in Mumbai and raised some of these issues in person. Sadly, the Committee has not applied itself to any of these inputs.
 
Let us examine what the implications are for data protection, Aadhaar and the Right to Information (RTI).
 
Will your personal data be protected?
 
Even if the Personal Data Protection Bill became law, the short answer, is no, your data will be not be protected. There will, however, be an illusion of protection. 
 
The Committee does not deal with fundamental questions about the generation, use and currency of the data but restricts itself to enabling third parties, who have no role to play in your relationship with your government or service provider, to access and use your data while restricting your own.
 
Data protection starts with the creation of data. What makes data valid? Whose responsibility is it? Who certifies the data that is generated? If data cannot be validated as genuine and is not certified, it serves no purpose. To protect invalid or fake data from replacing valid data, data has to be created in a well-defined manner and must be certified on creation. Invalid and uncertified data allows the propagation of fraud and destroys the ability of parties who rely on such data to recognise, trust and transact with persons with whom they have enjoyed a relationship for decades. 
 
The Committee’s proposed Data Protection Bill has no provisions to define validly generated data or responsibility of the parties who create data. Nor does it require the parties creating the data to certify its validity. Neither the Committee’s recommendations nor its proposed Bill can protect your data when it is created.
 
Aadhaar numbers and Aadhaar data, for instance, are a classic example of invalidly generated uncertified data. The inability of the UIDAI to indicate which primary proof of identity or proof of address documents form the basis of the data associated with an Aadhaar number or to verify the original form filled by an Aadhaar applicant, makes the entire data invalid. Furthermore, neither the UIDAI, nor anyone else, certifies the data as having been generated validly or the contents of the data itself.
 
Can the data produced for a transaction be authenticated? To protect valid and genuine data from being replaced by that which is invalid and not genuine, anyone using the data should be able to verify it as being the authentic data generated validly and certified by the one who claims to certify it. The Committee’s proposed Data Protection Bill has no provisions for data to be authenticated as being the same as the one validly generated and certified by the parties certifying it. 
 
In the case of Aadhaar, for example, there is little that the UIDAI does to tell you whether the Aadhaar number, or the biometric or demographic data associated with it, are authentic and the same as validly generated and certified by them.
 
Can the use of the data be logged for the parties referred to in the data? A log of the use of the data is necessary to protect the data from unauthorised access. The Committee’s proposed Data Protection Bill mentions logging requests and approvals but does not define the access to such logs. It does not place responsibility of such logs with the parties in possession of the data. Neither does it guarantee the parties in the transaction access to such logs.
 
Again Aadhaar is an example that illustrates this failure to protect data. Aadhaar is used in ways beyond online authentication of biometrics or demographics as defined in section 7 of the Aadhaar Act. UIDAI has no way to tell about the offline use, nor can it tell about the purpose of the online use. 
 
 Can the access and use of the data be blocked if the data is compromised? The Committee’s proposed Data Protection Bill has no provisions to ensure data can be selectively blocked or released if it is compromised. It considers vague notion of consent, not an explicit transaction like issuing a cheque or filing a form, as sufficient to grant control over restriction of access or use.
 
Aadhaar, again, is a perfect example of the failure to protect an Aadhaar holder from unauthorised use of the number or any data associated with it. The user can do nothing to restrict or block any use without their consent. For instance they cannot reverse, block or restrict sim cards, bank accounts, directorships of benami companies, benefits claimed or even fake tax returns filed using their Aadhaar number or associated data.
 
Is there a means to update the data? Ability to update your data provides you protection from incorrect data being used. The Committee’s proposed Data Protection Bill restricts the ability for updation of data with a data “Data Fiduciary”, or someone who decides the purpose or means of processing data, and not a “Data Principal”, or someone whose data it is. Furthermore there is no provision for complete logs of such updates to protect the Data Principal.
 
Again Aadhaar is an excellent example of failure to protect the Data Principal as anyone with administrative access to the Classless Inter-Domain Routing (CIDR), as exposed by the Tribune, can update data without any knowledge or control of the Data Principal.
 
Is there an audit of the processes of data creation, certification, authentication, use, restriction and updation? Is there an audit of the data itself? Such an audit ensures that the data is protected throughout the entire data life-cycle.  While the Committee’s proposed Data Protection Bill has provisions to audit for “notices”, privacy, transparency, security, and breach, it has no provision to audit the data itself or the processes of data creation, certification, authentication, use, restriction and updation. It has no recognition of the entire data life-cycle.
 
Aadhaar is again an example where data has not been protected as no audit of data itself or the processes of data creation, certification, authentication, use, restriction and updation of the Aadhaar database has ever happened.
 
The idea of a “Data Fiduciary" itself is problematic. It creates rights to third parties, who have no role in the relationships of parties interacting for whatever purposes, for purposes of profit, control or defrauding individuals, organisations or the state.
 
Do the problems with Aadhaar go away?
 
The Committee in its report suggests amendments to the Aadhaar Act.
 
It suggests an offline use of Aadhaar to “verify the identity of individuals”. Clearly the committee is doesn’t understand identification or Aadhaar.
 
RS Sharma, Chairman of the Telecom Regulatory Authority of India (TRAI) and former Director General of the Unique Identification Authority of India (UIDAI), made his Aadhaar number public on 28 July 2018 and challenged the social media to cause him harm through his Aadhaar number. This resulted in, among other things, a physical Aadhaar “card” that was demonstrated as having been used offline with shocking results.
 
 
This offline use of the Aadhaar was sufficient for anyone in possession of this “card” to be “identified” as RS Sharma by service providers including Facebook and Amazon. Other hackers on social media highlighted its use for allegedly altering mobiles associated with his services, obtaining his PAN number, obtaining his demat and bank statements, threatening to file his tax returns and even open bank accounts. Some on social media even demonstrated money transfers, and potentially siphoning of subsidy, by using his Aadhaar number.
 
Identification requires a certified ID. It also requires that the person identifying takes the responsibility of the identification. In the case of Aadhaar no one certifies the biometric or demographic data associated with an Aadhaar number. It cannot serve as a basis for identification. Furthermore, the UIDAI takes no responsibility for any identification based on the Aadhaar. It cannot, as it does not certify any data and is not present to identify anyone.
 
Online “authentication” does not identify anyone either, firstly because the authenticated data is not certified to identify anyone, and secondly because the UIDAI takes no responsibility to identify anyone or of the identification process.
 
The Committee proposes powers that at least one of its own members called draconian “to issue directions, as well as cease and desist orders to state and private contractors, and other entities discharging functions under the Aadhaar Act”. This makes the UIDAI the “judge, jury, and executioner”. Again, this fails to recognise that without the UIDAI facing the consequence of failing to protect data, no failure will ever be faulted as theirs.
 
Does RTI get better?
 
The Committee interferes with Section 8(1)(j) of the RTI Act. It proposes that “if such information is likely to cause harm to a data principal and such harm outweighs the aforementioned public interest, can the information be exempted from disclosure”. This opens up discretion of deciding the harm and public interest, neither of which are defined.
 
The Committee, however, excludes the RTI from the provisions of the Data Protection Bill. Since the Committee has limited the scope of Data Protection and restricted itself to Privacy, it fails to protect the data sought under RTI from being invalid, uncertified, un-authenticable, without logs, updation records or unaudited.
 
Where does that leave you?
 
By creating a Prevention of Corruption Act that protects the corrupt, you are left helpless. Much the same way the Personal Data Protection Bill promises to unprotect your data by creating rights to third parties and even restricting the rights of parties whose relationship generates the data. It fails to understand the importance of protecting the parties and the legitimate purposes of the relationships they engage in from third parties who colonise, corrupt and destroy these relationships by capturing and interfering with their data.
 
The Committee, its report, recommendations and proposed Bill even fails to save the Aadhaar from the mess it has created. It promises to ruin the RTI that has empowered millions across India. It also promises to alter 49 Acts to destroy governance, justice, liberty, equality, dignity and national security. It neither serves public interest, nor any national interest.
 
(Dr. Anupam Saraph is a renowned expert in the governance of complex systems and advises governments and businesses across the world. He can be reached @anupamsaraph)
  • Like this story? Get our top stories by email.

    User

    More than 20 Illegal Genetically-modified Food Products Sold Openly in India, finds study
    CSE (Centre for Science and Environment), India's leading environment organisation has done a study and found that more than 20 packaged genetically modified (GM) food products are being sold openly in the market to unsuspecting consumers.
     
    This is when the government itself has said that it has not approved food products and that no long-term safety assessment on impact of GM Foods has been done. BJP had promised in 2014 election manifesto that it would not allow such GM foods. GM negatively impacts farmers, consumers, climate, children, trees and wildlife (with genetically modified trees and animals coming in!) and displays institutional corruption. 
     
    These GM foods sold in market illegally include infant food, canola/cottonseed oil, Kellogg's multigrain cereal, popcorn snacks, tofu amongst others. Complaints have been made to multiple government bodies earlier.
    To raise a voice on this and demand accountability/action from government, a Pan-India twitter action has been planned on 27th July from 3-6 pm under the hashtag #StopGMFood
     
    Foods produced from genetically modified organisms (GMOs) are referred to as genetically modified (GM) foods. The safety of GM foods has been a matter of concern. The Food Safety and Standards Authority of India (FSSAI) has not allowed GM foods in India so far.
     
    To understand whether GM foods are available in the Indian market, the Pollution Monitoring Laboratory (PML) at the Centre for Science and Environment (CSE) tested 65 imported and domestically produced processed-food samples. Testing involved qualitatively screening for the presence of GM DNA (deoxyribonucleic acid) through the qPCR (quantitative polymerase chain reaction). The food samples were made from or likely to contain ingredients from soya, corn, rapeseed or cottonseed and were a mix of oils, packaged foods, infant foods and protein supplements.
     
    Overall, 32% of the food product samples tested were GM positive. Forty-six per cent of imported food products tested positive. These were made of or used soya, corn and rapeseed and were imported from Canada, the Netherlands, Thailand, the UAE, and the US. About 17% of the samples manufactured in India tested positive. All of these were of cottonseed oil. Out of the 20 GM-positive packaged samples (excluding crude cottonseed oil), 13 did not mention use of GM ingredients on their labels. Some brands had claims on their labels suggesting that they had no GM ingredients but were found to be GM positive.
     
    56% of oil samples—including canola oil (rapeseed) imported from Canada and the UAE, and Indian cottonseed oil—tested positive. Twenty-five per cent of packaged food samples were positive. All of these were imported samples and most were corn-based from the US. Two infant food samples imported from the US and the Netherlands also tested GM positive.
     
    CSE has recommended that in the interest of public health and informed consumer choice, the FSSAI take the following necessary actions at the earliest:
     
    • Identify all illegal GM foods, ensure that they are not available in the Indian market and take necessary legal action against concerned companies and traders.
    • Set up a stringent system for approving domestically produced and imported GM food products based on safety assessments.
    • Enact ‘GM labelling laws with stringent exemption limit, clear symbol-based depiction of GM label and qualitative screening as an enforcement tool.
    • Set up laboratories for testing GM foods.
     
  • Like this story? Get our top stories by email.

    User

    COMMENTS

    Vivian Fernandes

    1 year ago

    Are you sure they are illegal? This is what the Business Standard says: {A}ccording to Pawan Agarwal, chief executive officer, FSSAI, sales or imports of GM positive food items are not illegal in the country.

    “The FSSAI’s job is to ensure safe food to Indian consumers. Currently, there are no laws under our purview that prohibits use of GM ingredients in packaged food,” he said.

    GM foods are safe. The cottonseed oil that we eat is all made from genetically-modified Bt cotton. The cottonseed oil meal that is fed cattle is also from Bt cotton. Canola oil is all rapeseed imported from Canada. Oils being fatty acids do not contain GM proteins. But de-oiled cake does. The EU and Japan do not allow cultivation of GM crops but feed GM soybean oil meal to their cattle, fish and poultry. We must be wary of scare-mongering NGOs like CSE. Earlier it made a brouhaha about pesticide residues in MNC colas. The traces were so minute they would not have affected our health.

    Shankare Gowda

    1 year ago

    This is very unfortunate, societies/people should not encourage commercial benefits for any business at the cost of human health. Smoking and alcohol consumptions are also bad for health, they are making bad choices to indulge in them. This GM food will find ways into our kitchens without our notice. This is sad and should be stopped. How are we bringing up our next generation?

    Banks are supposed to provide doorstep banking to senior citizens and differently abled persons
    Many a times, most senior citizens (70 years and above) and persons with disabilities find it difficult to visit ATMs or bank branches for their banking requirements. Banks also discourage and turn away such people instead of empathising with their difficulties or helping them avail of services. Consequently, based on representations and complaints, the Reserve Bank of India (RBI) had asked banks to provided doorstep banking service to senior citizens and differently abled persons. However, many in the target groups, who need such help, are not aware of this direction. Since senior citizens were often harassed for submission of a life certificate and were asked to visit specific branches, the RBI has also directed banks to accept them at all branches. This is another facility that is not known to the lay person.
     
    In a circular issued on 9 November 2017, the Reserve Bank had said, "...in view of the difficulties faced by senior citizens of more than 70 years of age and differently abled or infirm persons (having medically certified chronic illness or disability) including those who are visually impaired, banks are advised to make concerted effort to provide basic banking facilities, such as pick up of cash and instruments against receipt, delivery of cash against withdrawal from account, delivery of demand drafts, submission of know your customer (KYC) documents and life certificate at the premises and residence of such customers.
     
    RBI Governor Dr Urjit Patel, in a statement on Developmental and Regulatory Policies issued in October 2017, had explicitly mentioned about providing banking facilities to senior citizens and differently abled persons. "It has been reported that banks are discouraging or turning away senior citizens and differently abled persons from availing banking facilities in branches. Notwithstanding the need to push digital transactions and use of ATMs, it is imperative to be sensitive to the requirements of senior citizens and differently abled persons. It has been decided to instruct banks to put in place explicit mechanisms for meeting the needs of such persons so that they do not feel marginalised. Ombudsmen will also be advised to pay heed to complaints in this context," the central bank had said.
     
    The circular issued by RBI in November 2017, had asked banks to implement its instruction by 31 December 2017 and also give due publicity of these extended facilities to senior citizens and differently able persons in their branches and on website.
     
    (a) Dedicated Counters/Preference to Senior Citizens, Differently abled persons
    RBI had asked banks to provide a clearly identifiable dedicated counter or a counter, which provides priority to senior citizens and people who are differently abled including visually impaired persons.
     
    (b) Ease of submitting Life Certificate
     
    As per extant guidelines issued by Department of Government and Bank Accounts, in addition to the facility of Digital Life Certificate under “Jeevan Praman” Scheme, RBI says pensioners can submit physical life certificate form at any branch of their pension paying bank. 
     
    Reserve Bank said it is observed that often the life certificate is not updated promptly by the receiving branch in the core banking solution (CBS) system of the Bank, resulting in avoidable hardship to the pensioners. "It is, therefore, advised that banks shall ensure that when a life certificate is submitted in any branch, including a non-home branch, of the pension paying bank, the same is updated or uploaded promptly in CBS by the receiving branch itself, to avoid any delay in credit of pension," RBI says. 
     
    This means a customer a Bank can submit her life certificate in any branch of the Bank. For example, a senior citizen customer of State Bank of India (SBI) from Mumbai can submit her life certificate in a branch at Delhi or any other place and not necessarily at the home branch (where she has her account). 
     
    (c) Cheque Book Facility
     
    (i) Banks shall issue cheque books to customers, whenever a request is received, through a requisition slip which is part of the cheque book issued earlier.
    (ii) Banks are advised to provide minimum 25 cheque leaves every year, if requested, in savings bank account, free of charge.
    (iii) Banks shall not insist on physical presence of any customer including senior citizens and differently abled persons for getting cheque books.
    (iv) Banks may also issue cheque books, on requisition, by any other mode as per Bank’s laid down policy.
     
    (d) Automatic conversion of status of accounts
    Presently, in some banks, even fully KYC - compliant accounts are not automatically converted into ‘Senior Citizen Accounts’ on the basis of date of birth maintained in the bank’s records. Banks are advised that a fully KYC compliant account should automatically be converted into a ‘Senior Citizen Account’ based on the date of birth available in bank’s records.
     
    (e) Additional Facilities to visually impaired customers
    RBI has advised banks to provide facilities to sick, old or incapacitated persons. (Ref: Paragraph 9 of RBI Master Circular DBR.No.Leg.BC.21/09.07.006/2015-16 dated 1 July 2015 on Customer Service in Banks) This circular talks about operations of accounts through identification of thumb, toe impression or mark by two independent witnesses and authorising a person who would withdraw the amount on behalf of such customers that should be extended to the visually impaired customers.
     
    (f) Ease of filing Form 15G/H
    RBI also asked banks to provide senior citizens and differently abled persons Form 15G/H once in a year, preferably in April, to enable them to submit the same, where applicable, within the stipulated time.
     
    What to do if Bank refuse any of the above mentioned services?
    Reserve Bank had directed banks to set up an appropriate Grievance Redressal Machinery internally for redressing complaints about services rendered by its ‘agents’. The name and telephone number of the designated Grievance Redressal officer of the ‘bank’ must be made available to customers including on the bank’s website. The designated officer is required to ensure that genuine grievances of customers are redressed promptly. 
     
    This means, the senior citizen or differently able person first need to approach designated Grievance Redressal officer of the bank and submit her complaint. If there is no reply received within 30 days or the bank had rejected her complaint or the customer is not satisfied with the bank's reply she need to escalate the matter.  
     
    If a customer feels that her complaint has not been satisfactorily addressed by the designated Grievance Redressal officer of the bank, she can approach the Banking Ombudsman's office in her area. Here is the link to offices of Banking Ombudsman spread across the country... https://www.rbi.org.in/commonman/English/Scripts/AgainstBankABO.aspx 
     
    From this link, the customer can even file complaint online.
  • Like this story? Get our top stories by email.

    User

    COMMENTS

    suneel kumar gupta

    1 year ago

    Idea seems excellent but security concern of such gullible people comes at stake. Complete must be laid for successful operation.

    Deepak Narain

    1 year ago

    Despite all these platitudes, reality at the ground level is very disturbing. Instead of advice, RBI should ORDER all the Banks to follow these suggestions meticulously.

    ptikamdas

    1 year ago

    It is a commendable initiative but the bank officials as we know their mindset over the years would not heed. I suppose. Pessimism obviously based on experience over the decades.

    Silloo Marker

    1 year ago

    The circular of the RBI issued on 7th November 2017, to facilitate banking services for senior citizens and medically certified handicapped persons, should make life easier for senior citizens. Do hope the banks are aware of this development! Generally, rules remain on paper unless one takes the trouble to see that they are put into action. The onus is on the same Senior Citizen or the Handicapped Person to have his Grievance redressed. The manager of the bank or some authority should be made responsible for ensuring that in trying to make life easier for senior or handicapped citizens, they are not made to do an extra round of running around.

    K V RAO

    1 year ago

    It is incorrect to generalise that all senior citizens should get preferential treatment. Interestingly banks give preferential treatment based on value of accounts. If it is said that all senior citizens irrespective of their status should get preferential treatment,it is a tall order. Doubtful whether banks are equipped to face that situation.

    Debo C

    1 year ago

    with SBI, Citibank, many private banks you can submit chequebook requests through mobile app or online. if banks have to send someone to doorstep of every senior citizen, bank will become a social service department which it is not

    MOHAN SIROYA

    1 year ago

    Thanks to Moneylife for bringing in this topic again.
    You are right most of the senior citizens or differently abled may not be aware of these RBI directives that they are elibile to get home service privileges from the bank. But even those who are aware and ask for it ,are they getting ? My experience is plain and simple NO
    1. Many years before this Nov. 2017 circular of RBI a few bacnks and even Post offices used to have such dedicated counters or the preferential service on the same counter. No more such facility or demarcation in Banks to day. If any senior complains to the Branch Manager, then he orders the counterman to give him /her
    preferential service.
    c) CQ.book facility : To submit a requisition duly signed, the account holder has to go to the bank and submit, Bank does not get it collected from home .But why a request from the registered mobile no. is not accepted to avoid personal visit ?

    Even aftr getting signed requisition, it takes 8-10 days to get the CQ book delivered as it is now personalized and reires details of account no. and name of the signatory printed on the CQS.

    D) Auto conversion of the status to a senior citizen account is not done on the basis of kYCor DOB being available. Account holder hs to go in person to the branch and get it done. There is an instanc eof IDBI bank, where instead of auto change of account to the Senior citizen ,it was converted into a lower category without intimating to the account holder ,which disqualified the account holder to issue r receive cheque of a larger amount.

    F) Ease of filing 15G/H : For last so many years including in April 2018, No bank has ever sent these forms duly filled in for the signature of senior citizen at his/her home.They qre required to go ,fill the form in Triplicate by themselves( Whether correctly or wrongly) na banks hands over a copy as ack .duly stamped.

    G) This is the most tall and false claim of RBI .What happens if bank fails to comply? Nothing. Most of the banks do not have any robust laid down grievance procedure even on their web site. When even Nodal officer does not care to reply , customer has to jump into the whirlpool. Complaint is first made to the RBI's Consumer Education and Protection Committee (CEPC), which routinely advises to refer this to the Banking Ombudsman. When done to the Banking Ombudsman ,it even doe not get any ack or complaint no. since it was shifted from Worli to Byculla, although BO scheme provides such mandate. Aftr 6-8 months continuous follow up, one fine day, lone line reply form Banking Ombudsman office will come informing "Complaint is disposed of "Summarrily" meaning no appeal to executive director of RBI can be made. AND THIS IS DONE WITHOUT EVEN HEARING THE COMPLAINANT..

    This is a ground reality of privileges to senior Citizens or differently abled bank customers. Call it a Farce or Beneficial heaven as claimed by RBI.

    Ramesh Poapt

    1 year ago

    In practice,banks are rudewith sr.citizens.just ad of Kalyan jewellers revoked.it was too much though

    We are listening!

    Solve the equation and enter in the Captcha field.
      Loading...
    Close

    To continue


    Please
    Sign Up or Sign In
    with

    Email
    Close

    To continue


    Please
    Sign Up or Sign In
    with

    Email

    BUY NOW

    online financial advisory
    Pathbreakers
    Pathbreakers 1 & Pathbreakers 2 contain deep insights, unknown facts and captivating events in the life of 51 top achievers, in their own words.
    online financia advisory
    The Scam
    24 Year Of The Scam: The Perennial Bestseller, reads like a Thriller!
    Moneylife Online Magazine
    Fiercely independent and pro-consumer information on personal finance
    financial magazines online
    Stockletters in 3 Flavours
    Outstanding research that beats mutual funds year after year
    financial magazines in india
    MAS: Complete Online Financial Advisory
    (Includes Moneylife Online Magazine)
    FREE: Your Complete Family Record Book
    Keep all the Personal and Financial Details of You & Your Family. In One Place So That`s Its Easy for Anyone to Find Anytime
    We promise not to share your email id with anyone