Why Srikrishna Committee has got Data Protection Wrong
The Srikrishna Committee on data protection will fail in its responsibility if it cannot protect us from digital colonisation of our systems by private interests. The challenge is to halt the destruction of the databases that protect our sovereign, socialist, democratic republic status and databases of our financial institutions. It is to secure justice, equality, liberty and fraternity to the participants within their systems.
A serious data protection regime will cover the generation, certification, authentication, restriction, updation and audit of data to ensure justice, dignity, equality and liberty of those who engage in common purposes in their system
Expectations from the Srikrishna Committee
On October 27th, 2017, the Attorney General for India told the Supreme Court that the Data Protection Committee under Justice Srikrishna was examining the entire area of data protection law including allied legislations. He sought to defer the hearing of the Aadhaar petitions till at least March 2018.
Strange. Because the Aadhaar petitions go far beyond data protection. They are about the digital colonisation of India by private interests. They are about the destruction of the databases that protect our sovereign, socialist, democratic republic status and databases of our financial institutions without detection and possibilities for roll back.
The Attorney General is expected to take the brief of national interest, not the government, definitely not private interests. Aadhaar is an auto-immune disease — one where we destroy ourselves and our country because the government can no longer distinguish citizens from residents. It can no longer distinguish real persons from ghosts. It cannot distinguish legal residents from illegal residents. It cannot distinguish illegal residents from terrorists and criminals. It loses the ability to distinguish the national security system from the invader. As in the failure of an immune system to recognise a foreign invasion from the self, the government makes more and more uses of Aadhaar mandatory losing reason, and ability to protect citizens and ensuring their well being.
The challenge is to prevent the digital colonisation of India by private interests. The challenge is to halt the destruction of the databases that protect our sovereign, socialist, democratic republic status and databases of our financial institutions
Addressing data protection?
That said, even if the Committee cannot address all the issues of Aadhaar, now that the White Paper on Data Protection authored by Justice Srikrishna Committee is out, can it even protect data?
When third parties seek profit from data of systems they have no role in, they colonise, corrupt or destroy those systems
In their foreword itself, the Committee declares its objective to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”
When third parties seek profit from data of systems they have no role in, they colonise, corrupt or destroy those systems.
A call to growth the digital economy, rather than to secure justice, equality, liberty and fraternity to the participants within their systems, is to call for a digital colonisation so that private interests may profit from the data generated by those transacting in various systems in the country. The purpose of Data Protection is to protect people — the participants or parties in a system, not the protection of those who seek profits by collecting the data of systems in which they have no role.
In a market system comprising of a buyer and a seller, for example, it is meaningful and fair to protect that data, that will help them conduct their relationship to further their common purposes, and ensure its just, dignified, equal and free nature. Similarly in a banking system comprising of borrowers and lenders. Or a democratic system comprising of the representative and the represented. Or a justice system comprising of the aggrieved, the aggressor and the arbitrator.
Unfortunately, participants in our systems rarely recognise symbiotic nature of systems as the key prerequisite for sustainability. They forget common purposes of the systems they participate in. They often allow third parties to broker transactions that they have no role in. The data generated in these systems finds rampant abuse by either participants of the system itself or more often by third parties. We recognize our systems as unsustainable, colonised, corrupt only when they turn parasitic and are on verge of destruction. The high perception of corruption in India is testimony to our failure to protect data, respect common purposes and symbiotic relationships.
Data Protection is not informational privacy
The Committee, in its foreword itself, declares that a regime for data protection is synonymous with protection of informational privacy. It cites Jerry Kang to define informational privacy as privacy of personal information. If anything, it exposes an intent to restrict the scope of the Committee to personal information, not create a comprehensive data protection regime.
Participants in a healthy, sustainable system evolve their norms to ensure data protection so that the system remains just, equitable, dignified and conducts transactions through free will
Data protection must cover the entire life-cycle of the data. From the time data is generated, certified, authenticated when it is used, restricted from being used by unauthorised third parties, undated to keep it contemporary and subjected to audit of the data as well as the process that generate, certify, authenticate, restrict and updated. Participants in a healthy, sustainable system evolve their norms to ensure data protection so that the system remains just, equitable, dignified and conducts transactions through free will. Data protection fails when it chooses to ignore the data life cycle or intent of protection. It fails when it cannot protect systems from data brokers and data thieves.
Fraudulent data, for example, gets generated by third parties when they force entry into systems where they have no role or common purpose.
Aadhaar is a crying example. When participants in a system already use several ways to identify each other, the UIDAI and its “ecosystem” force their way generating data that prevents the participants of our systems from even identifying those they have been transacting with ever since independence, 70 years ago. Strangely, few question the UIDAI, who has no role to play in a just, equitable, free and dignified system of banking, markets, education, or any system at all, of the hundreds of millions of ghosts and duplicates they bring into the system and make unsustainable, colonise and corrupt these systems.
Again Aadhaar is a shining example of uncertified data. No one certifies the Aadhaar as valid data. Unfortunately only a few have been raising questions the absence of certification of Aadhaar. Even a school ID is certified by its Principal. Replacing certified data with the Aadhaar is colonising, corrupting and destroying every system that uses it.
While it is possible to authenticate an Aadhaar number as being valid by querying https://resident.uidai.gov.in, it unlike IDs issued by participants in the system, has no way to authenticate the persons role or rights in the system. Aadhaar, therefore, opens every system to intrusion by those who may have no role in the system.
Unlike data generated with a system, third party ID’s, like Aadhaar, cannot be restricted from widespread misuse across systems. The Aadhaar, unlike other system specific data can be updated by third parties outside the system leaving participants in systems that use the Aadhaar data completely vulnerable to fraud.
Unlike each system that undertakes an audit of its data generation, certification, authentication, restriction, updation processes, and the data itself to satisfy its participants, the UIDAI has never done this and can never do this to the satisfaction of participants in various systems where the UIDAI has no role to play. This, again, exposes every system using Aadhaar to colonisation, corruption and destruction.
The GSTN, the NPCI are similar third parties that play roles in data of systems in which they have no role to play
Similarly, there is no shortage of examples of third parties destroying our telecom, travel and banking systems by interfering in the data of these systems where they have no role. The GSTN, the NPCI, for example, are similar third parties that play roles in data of systems in which they have no role to play. It cannot be a coincidence that the entry of third parties, into systems where they have no role, through an outsourcing model and the shrinking of the average life time of businesses from about 50 years prior to the nineties to about 8 now happened together.
The way forward
Neither data protection nor the protection from Aadhaar are served by the Srikrishna Committee White Paper.
Data protection must primarily protect the common purposes of the systems we participate in from private interests within our systems or of third parties intending to profit from our transactions
Data protection must primarily protect the common purposes of the systems we participate in from private interests within our systems or of third parties intending to profit from our transactions. It must ensure the sovereign, republic and democratic nature of our systems to ensure their sustainability. A serious data protection regime will cover the generation, certification, authentication, restriction, updation and audit of data to ensure justice, dignity, equality and liberty of those who engage in common purposes in their system.
The challenge is to prevent the digital colonisation of India by private interests. The challenge is to halt the destruction of the databases that protect our sovereign, socialist, democratic, republic status and databases of our financial institutions without detection and possibilities for roll back.
A version of this article was published at www.sundayguardianlive.com on December 2, 2017.
