Editorial Simplified: Short on Nuance | GS – III

Relevance: GS Paper III (Science & Technology)

Why has this issue cropped up?

The B N Srikrishna committee’s draft data protection bill is expected to be tabled soon in Parliament.

Pros of the committee

  • The committee’s inclusive style of functioning and its seeking of public opinion at all stages are commendable.
  • Its recommendations pertaining to user-centric design, setting up of an independent data protection authority, regulating the government along with the private sector and a new law for intelligence gathering for national security are steps in the right direction.
  • Also welcome is the suggestion that the Aadhaar Act requires several modifications and provisions for regulatory oversight.
  • So is the recognition the committee has accorded to data portability.

Cons of the committee

  • It has suggested that the UIDAI be both the data fiduciary and the regulator for Aadhaar.
  • There is also the suggestion that even though personal data can be transferred outside India, data fiduciaries will be required to store a local copy.
  • The committee’s cliched vocabulary and superficial treatment of several important issues are the most disappointing. For example, the concepts of fair and reasonable processing, purpose and collection limitation, notice and consent, data quality and data storage limitation are not new. They have largely failed to prevent identity thefts, unethical profiling and other privacy violations.
  • The committee does discuss artificial intelligence and big-data analytics but fails to define clear-cut guidelines for their safe use. It ends up vaguely suggesting that no processing of personal data should result in taking decisions about a person without consent, but does not provide guidelines about enforcement.
  • It does not appear that the committee has carefully evaluated the data processing requirements of the diverse private sector, spanning healthcare, insurance, social media and e-commerce, and how these requirements may infringe upon privacy.

Way forward

  • A data protection framework is incomplete without an investigation of the nuances of digital identity, and guidelines for the various use cases of authentication, authorisation and accounting.
  • It is also incomplete without an analysis of the extent to which personal information needs to be revealed for conducting businesses, and during eKYC processes.
  • In addition, effective protection requires an understanding of the possible pathways of information leaks, comprehending the limits of anonymisation with provable guarantees against re-identification attacks and a knowledge of the various possibilities with virtual identities.
  • Also required is an analysis of the possibilities of privacy-preserving tools, techniques and protocols from computer science, including hash functions, symmetric and public-key cryptography, etc.
  • Most theories for improving state efficiency in the delivery of welfare and health services using personal data will have to consider improved data processing methods for targeting, epidemiology, econometrics, tax compliance, corruption control, analytics, and topic discovery.
  • This, in turn, will require digitisation, surveillance and processing of large-scale personal transactional data. Acquisition, storage and processing of personal health data will be crucial to such systems.
  • There should be detailed analyses of how such surveillance — targeted towards improving efficiency of the state’s service delivery — can be achieved without enabling undesirable mass surveillance that may threaten civil liberty and democracy.
  • The committee needs to balance the seemingly conflicting requirements of individual privacy and the benefits of large-scale data processing, and it is not obvious that a trade-off is inevitable.
  • A data protection framework is incomplete without defining the requirements and standards of access control, and protection against both external and insider attacks in large data establishments, both technically and legally.
  • The computer science sub-areas of security and automatic verification will certainly have a lot to offer.
  • Civil society can play a crucial role, as its participation in discussions on data protection has been exemplary, especially in the wake of the Aadhaar debates and privacy judgment.