By Ashit Kumar Srivastava
Recent advisories given by the Unique Identification Authority of India (UIDAI) and the Ministry of Electronics and Information Technology (MEITY) to Aadhaar users have been contradicting each other.
The first advice by UIDAI, through a press release, was that an Aadhaar-user should not share the photocopy with any organisation as it could lead to misuse. In less than 24 hours, MEITY advised Aadhaar users to practice “normal prudence” in sharing information.
This created a lot of concern in the minds of Aadhaar users with regard to security, especially as there are a plethora of regulations for ensuring verification of Aadhaar in a prescribed manner. However, it will not be a misnomer to say that almost no one takes note of it. It is not merely a question of breach of a legal right (or fundamental right of privacy). Rather, it is more about lack of privacy-consciousness.
The fact is that K.S. Puttaswamy-I (2017) became the harbinger for laying down the foundation of privacy as a fundamental right. Yet, it is more of a question of privacy-consciousness than a question of having a right. India drastically lacks a consciousness of privacy; we do not have that culture. Though we recognise privacy as a fundamental right, yet, we culturally do not justify the existence of the right. And who is to be blamed for this, knowing that the inherent nature of privacy rights is anomalous.
Thus, to draw a contour of privacy rights leads to a lot of trouble and in the absence of any settled premise, one will never get to know whether there has been a breach of privacy or not. This is especially so in cases of informational privacy. What impact a data can have on the life of an individual is hard to tell. The correct measure to bring a surety into safeguarding informational privacy can only come with a Data Protection Authority (DPA), a statutory ombudsman body to look after the protection of personal data.
A DPA is a recognised body in western countries where privacy rights are taken much more seriously and where more commitment has been shown in safeguarding the personal data of citizens. In fact, Regional Data Protection Authorities in Europe have been very active in cases of data protection. No wonder many multinational corporations working in the discipline of search engines and social media intermediaries have been at the receiving end from these bodies and have been penalised heftily in case of lapses.
All this goes to show that the character of informational privacy is hard to deduce and thus, a regulatory body might help in deciphering its scope. Interestingly, the essence of it can also be seen in the Indian Personal Data Protection Bill. The original bill of 2018 and the revised version of 2019 have exempted the anonymised data (data that does not meet the criteria necessary to qualify as personal data) from the purview of the data protection regime. It was emphatically believed that an anonymised data is hard to be tracked back to the owner of that data. However, a recent Joint Parliamentary Committee report recommended that even anonymised data be a part of personal data definition, as even this data is capable of being used as meta data.
The whole idea of personal data protection is about data minimalism—ensuring that the data is utilised for a particular purpose and only that much data should be collected which is required for that purpose. For example, in 2020 when Covid-19 hit the world, many state governments came up with contact-tracing to trace those infected with the virus. One such example can be taken from Germany’s contact-tracing application “Luca”. Daily life information is required to be shared with the contact-tracing application for making it functional. However, the information collected by the application is also utilised by the police to trace possible criminals. This sort of misuse of data leads to breach of trust and more importantly, a breach of purpose limitation.
Individuals share data for a particular purpose, and once that purpose is fulfilled, the data shouldn’t be used for any other purpose. Intertwined with this principle of purpose limitation is the idea of data minimalism which perpetuates the same idea of ensuring sharing of a limited set of data.
For example, during the peak of the pandemic, classes were being taken through the online mode. In most cases, the teacher’s camera used to be open and also those of students at times. However, as these lectures were being recorded and the recording was being shared with students and a few administrative staff, the personal data of the teacher was being exposed to anyone who could access the recording. Any kind of data could be taken from that video—the background of the house, the financial situation of the teacher, etc. The same could apply to students also.
Thus, if we follow the data minimalism principle, only the minimal amount of data which can be shared in a lecture should be shared. It would have been a good idea to blur the background so that no one gets more insight into one’s identity and data over-exposition can be prevented. In fact, the Hungarian Data Protection Authority had given guidelines to educational institutions and colleges to ensure that they follow a protocol for ensuring minimum sharing of personal data when conducting distance learning.
This is the structural problem with informational privacy—it is hard to tell to what extent a data is capable of exposing an individual or how detrimental a piece of information can be. Considering these issues, the series of guidelines given in the case of Aadhaar do not seem unjustifiable. After all, it is hard to tell what repercussion there could be, might be by sharing a photocopy of one’s Aadhaar.
—The writer is Assistant Professor of Law, Dharmashastra National Law University, Jabalpur.