Freedom, Justice and Privacy: What Is At Stake Behind the Jargon Of Data Protection
‘Our government and technocrats tell us data is the new oil. This is a lie. At the root of this [narrative] is the erasure of the central power of information. Who holds it. And over whom.
Words by Sreemoyee Mukherjee
December 25, 2020
Artwork by Ariana Gupta
The Universal Declaration Of Human Rights (UDHR), adopted in 1948 by the United Nations General Assembly, enshrines within it human rights and freedoms that are universal and inalienable. It holds guarantees of natural rights that are independent of any culture or nation state. A right to privacy stems from these natural rights – specifically, Article 12 of the UDHR which stipulates, ‘No one shall be subjected to arbitrary interference with [their] privacy, family, home or correspondence, nor to attacks upon [their] honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.’ Data Protection as extension to this right to privacy was specifically envisioned after the digital revolution, when elements of our personhood began to extend outside our physical selves: through biometrics, correspondence records, financial credit and consumer profiles.
David H. Flaherty, a professor and specialist in law and privacy, defines data protection as an aspect of privacy that deals with the collection and use of personal information. In his paper On the Utility of Constitutional Rights to Privacy and Data Protection (1991), he writes, ‘In essence, we all seek [. . .] the right of informational self-determination, which can be defined in practice as the desire of individuals for assurances that custodians of their personal data will comply with fair information practices.’ The guarantee of an individual’s right to privacy thus lies at the heart of data protection.
The coronavirus pandemic has intensified the culture of surveillance, and normalised the invasion of privacy of individuals, all on a global level. Several elaborate monitoring systems have proliferated: new facial recognition applications, Artificial Intelligence-driven indexes to penalise those violating social distancing rules, thermal scanning software, and so on. The uncertainty over who is controlling our data, and how it is being used and stored, is only growing increasingly more important to resolve.
On 15 August 2020, the Prime Minister of India inaugurated the National Digital Health Mission (NDHM). It is proposed to be an integrated and nationalised “Digital Health Ecosystem” under which Indian citizens will be issued new health-specific identity cards, and be subject to the collation of digitised health records. It will require all pre-existing government health databases to be integrated into a single accessible Health ID for each patient. These include the Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (a nationalised healthcare policy), the Reproductive and Child Health Portal, Nikshay (India’s web-based application for tuberculosis), and others.
Shortly after the announcement, the National Health Authority released the Draft Health Data Management Policy (Draft HDM Policy). As health data is extremely sensitive personal information, this document outlines how personal data will be stored, managed and processed across the National Digital Health Ecosystem. It also sets a minimum standard for the regulation of data privacy. On 26 August, the Draft HDM Policy was uploaded for feedback and comments from the public.
India is a participatory democracy, and many of its legislative processes and policies are opened up for comments – where citizens and stakeholders can register their concerns and recommendations before they are implemented. This is a necessary pre-legislative process, upon which our constitutional frameworks are premised. The Draft HDM Policy aimed to be a standard for storing and processing sensitive personal information, and for health data privacy protection in the country. Given its significance, holding a transparent and accessible process of public consultation, and providing citizens ample time to respond to frameworks, is all the more imperative.
According to India’s pre-legislative consultation policy, every draft legislation or rule placed in the public domain, through the pre-legislative process, must be accompanied by an explanatory note detailing key legal provisions in simple language, for a minimum of thirty days. However, the Draft HDM Policy was given less than a ten-day window as its initial period of consultation, which was entirely insufficient given that it is a critical health care policy. Additionally, all healthcare workers were otherwise engaged in the fight against the global COVID-19 pandemic, and their feedback was especially crucial to the draft. A petition was thus filed in the Delhi High Court by disability rights activist Dr. Satendra Singh and lawyers from the digital rights group Internet Freedom Foundation (IFF).
This petition pointed out that the policy was, first, inaccessible to non-English speakers and those without smart devices. Secondly, it was not published on any Adaptive User Interfaces – those that are accessible to persons with visual impairments. In response, the court directed for the consultation date to be amended to 21 September by the Health Ministry. The Ministry informed the public that it had made use of Adaptive formats to make the document accessible to visually impaired persons. However, on 20 September, Dr Singh tweeted that despite being legally mandated, the web accessibility provided was full of errors.
The Software Freedom Law Center, a tech-policy think tank, describes the Draft HDM Policy as: ‘A patchwork to avoid legal challenges.’ The policy has a number of contentious issues. For instance, the phrase ‘sensitive personal data’ has a vague and expansive definition of the data that may be collected under its aegis. It includes intrusive details on financial information, sex life, gender, caste or tribe, and has a clause for further additions by the National Health Authority.
On 14th December, 2020 the Centre passed the revised HDM policy for implementation, having received 6983 emails and over 900 comments on the draft. One of the changes they implemented was to use the definition of sensitive information given in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011, which however, is still an astounding amount of sensitive private information.
Akademi corresponded with Apar Gupta, of the Internet Freedom Foundation, to enquire about this rush to collect and monetise the personal data of citizens, and what role we as the producers of the data play in this landscape. He says:
‘Our government and technocrats tell us data is the new oil. This is a lie. At the root of this [narrative] is the erasure of the central power of information. Who holds it. And over whom. For instance, imagine that someone knows everything there is in your smartphone, does it make them have control over you? This is at the heart of data politics. This is why personal data is not oil, it is power. Power over people.
Many call this surveillance capitalism and others data maximisation. The truth is that there is a dangerous and powerful tag team that is pulverizing individual privacy today. The private sector has a financial incentive for profit by gathering more of your personal data, and subsequently, the government gets it through them, and even more directly through mass surveillance programs.
But let us imagine a better future. Does this always have to be this way? Can we do something to change it? The answer to these questions is a loud, emphatic, YES! For this better future to happen both technology and legal solutions exist. One sorely needed measure is a data protection law. It will bring regulation to the technology sector and this can be done without hurting innovation or the convenience we enjoy. But it will only happen when people demand for it. Here lies a lesson of history. Power is never given, unless it is demanded.’
Data Protection, What is it Really About?
Up until the late 2000s, there was no significant global move towards data protection, despite the sharply rising information-technology boom. Data protection existed in the form of obsolete laws like the European Union’s Data Protection Directive (1995). Technology progressed radically beyond the purview of this legislation, and personal data breaches became increasingly common. In 2012, LinkedIn had reported a breach that led to the stealing of 6.5 million user passwords. In 2016, it was revealed those involved in the breach were selling the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time).
In 2012, the European Commission, in an attempt to boost Europe’s digital economy, proposed to improve upon its Data Protection Directive by strengthening online privacy rights. After four years of consultation between the European Parliament, Council and Commission, the General Data Protection Regulation (GDPR) was registered in 2016. The GDPR came into force on 25 May 2016, exactly two months after the biggest privacy scandal in recent global history.
On 17 March 2016, The Guardian, The Observer and The New York Times simultaneously ran a detailed interview with data scientist Christopher Wylie, who revealed that his ex-employer Cambridge Analytica (CA) had acquired Facebook data of almost 87 million users without their consent or knowledge. CA was a tech firm that specialised in PR and consultancy for political parties and militaries all over the world. Wylie disclosed how CA had built psychological profiles based on the purchased details of Facebook users, which were central to Donald Trump’s 2016 US presidential election campaign. They sent American citizens highly targeted propaganda, primarily via social media platforms.
After the scandal broke, reports emerged that the firm had been involved in the UK Brexit Leave campaign – the successful bid to leave the European Union. These revelations, and questions of whether Facebook colluded with the campaigns, set off a series of parliamentary and congressional hearings in the UK and US. Facebook founder and CEO Mark Zuckerberg was also forced to testify. Eventually, in 2019, The Federal Trade Commission fined Facebook 5 billion USD for its role in the mishandling of personal data. Cambridge Analytica, and its parent company SCL Group, began insolvency proceedings and shut offices down in May 2018.
The Cambridge Analytica scandal brought discussions about data privacy to the mainstream and encouraged nation states like Brazil, Chile and Thailand to consider regulations similar to the GDPR. The GDPR’s crucial efficacy lies in its area of effect. Essentially, the law is applicable to those managing the data or digital behaviour of users inside of the EU, regardless of where they are based. This is clearly defined in a third clause which stipulates, ‘This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.’
It is an import stipulation, and has resulted in most international companies rolling out data protection measures that are uniform for most countries, and created a global standard users have come to expect. The GDPR has also largely been the model for data protection legislation around the world, including in India, where our legislators have framed our possible personal data protection law under the basic principles of the GDPR.
Data Protection in India
Data protection is often considered to be an intangible concept. It is therefore useful to mark out certain benchmarks or standards against which the current conditions of data privacy in India can be measured. In this regard, data protection principles outlined in the GDPR prove useful. They include: consent, transparency, purpose limitation, data minimisation, accountability and accuracy. By using these provisions, we may gauge the personal data processing projects initiated by the Indian government in the last two years and see how they have raised concerns about the privacy of citizens.
These concerns range from the reports of large scale data-breaches since 2017, where Aadhaar details of Indians were leaked on the internet, to how the transport ministry had been selling its collected administrative data under severe privacy risks in 2019. A close examination of technological tools set up during the pandemic, like Aarogya Setu, reveal how profit-making was put above user privacy. Large government initiatives like the National Digital Health Ecosystem, or the proposed National Population Register (NPR), give the government absolute access to personal data. The state has also undertaken projects like NATGRID and The National Social Registry, which raise crucial questions of the severity of state-sponsored surveillance.
Most data collection and monitoring processes ask for permission, or ‘consent’ from their users. By clicking to agree with the ‘Terms and Service Agreement’ of apps and platforms, users give their consent to the platforms they engage with. But the danger is: we rarely ever read these agreements and yet, we are handing over their data and signing up for what the app or platform chooses to do with it. Yet valid, legal consent according to article 7 of the GDPR is defined as ‘freely given, specific, informed and unambiguous.’
The premise of ‘freely given’ consent becomes especially tricky when the government is the one asking for private data. It is a figure of authority and users need the service they are getting in exchange for their data. The consent obtained for Aadhar or Aarogya Setu cannot be considered unambiguously valid until citizens are equipped to understand the consequences of handing over their consent.
These apps and identity cards, initially declared as mandatory by the state or media, were ruled as optional after extensive lobbying and legal petitions issued by concerned organisations. Now, even if users do know that it is not mandatory to download, one requires caste and class privilege to be able to refuse. With Aadhaar, where citizens have to possess an Aadhar Card to access a number of government schemes, it is only those that are not dependent on public schemes for survival that may choose to disengage. Gautam Bhatia, a lawyer and primary litigator in the petition against the constitutional validity of Aadhar, writes how the choice between accessing benefits and losing privacy is a false one, and heavily disadvantages those who are already marginalised.
Moreover, if the collected data is never really deleted by the platform, by giving your consent once, you are forever giving up your biometric information for the government to use as they please.
Our constitutional right to freedom guarantees a continuous freedom, and giving it away with just one click is in violation of that legal right. The government, while itself having the power to withhold a citizen's fundamental right to privacy under certain grounds (as stated in the constitution), cannot ask us to waive our fundamental rights for a benefit. It is important to repeat that certain state-sponsored apps and ID cards ask us to give up our data permanently. This includes the personal information collected via Aadhar, through the contact tracing Aarogya Setu, or the proposed National Health ID.
Maintaining Fairness and Transparency
Aarogya Setu, an application proposed in the interest of public health, was initially made mandatory, without any transparency of its source code, or terms of service. On 6 May 2020, a French ethical hacker, Robert Baptiste, alleged that he could hack into the Aarogya Setu app. He tweeted, ‘A security issue has been found in [the] app. The privacy of 90 million Indians is at stake.’ When Aarogya Setu team members denied his claims, he asked for the app’s source code, citing that he could identify sick persons even in the Prime Minister’s Office.
An MIT Technology Review gave India’s Aarogya Setu app two out of five points for its transparency issues and because it collected ‘more data than it needed to.’ After months of litigation by different legal NGOs working with privacy rights, the downloading of Aarogya Setu has been made on a “best-effort” basis rather than mandatory. However, several private and public organisations continue making it a clause for their service.
A BloombergQuint article states that the underlying fear tech advocates have about Aarogya Setu is that it may become ‘a delivery device for various government initiatives which may have no relevance to the pandemic by riding on top of a public safety initiative to gain widespread adoption.’
On 18 September 2020, the IFF, Jan Swasthya Abhiyan, Forum for Medical Ethics Society and the All India People’s Science Network, issued a Joint Statement regarding Aarogya Setu. It points out how the app’s Terms of Service Agreement does not mention a clear protocol for deleting the personal data the application collects. It also states that the Aarogya Setu asserts that none of its privacy clauses are applicable for the anonymised data which it can share with third parties.
‘Data anonymisation’ is at the very heart of how personal data can be used for commercial and legal purposes through what is popularly known as ‘data science.’ Data anonymisation is defined by the International Organisation for Standardisation (ISO) in its standard for ‘pseudonymisation’ (for protection of personal health information) as a ‘process by which personal data is irreversibly altered in such a way that a data subject can no longer be identified directly or indirectly, either by the data controller alone or in collaboration with any other party’. Simply put, it means changing the data in aggregated sets enough so that it cannot be used to reveal individual identifying information. It is an ideal standard, and in practice impossible to achieve; studies have repeatedly shown that most anonymised data can be re-identified through a number of processes unless they meet certain standards.
Purpose limitation or Limiting the Use of Data
Personal data collection is usually limited to purposes that are specified, explicit and legitimate. Further processes can be expanded in public interest, but these require users to be given adequate information about the type, purpose and storage information of such data. In violation of this principle, called ‘purpose limitation’, and in the absence of a personal data protection legislation, the Indian government has been looking to gain economic benefit from the citizen data it collects.
In March 2019, the Ministry of Road Transport and Highways (MoRTH) rolled out the Bulk Data Sharing Policy for its databases containing car registration details. According to an RTI filed by Medianama, the government made nearly Rs 68 Crores selling this 25 Crore-large vehicle record database maintained by the MoRTH that same year. 142 entities – including thirty public and private sector banks, and eighteen insurance organisations – had purchased this data.
Though the bulk data sharing policy claimed that the data being shared was to be anonymised, a report by Observer Research Foundation showed that the data parameters published could easily be used to identify a user through the process of triangulation – where multiple data-sets are linked to reveal the identifying information of a person. The report mentions how the car ownership details from the Vahan database (an open-source repository of car registration details) could be combined with Know Your Customer (KYC) details to reveal a person’s entire vehicle usage history.
The dissemination of private information like the name, vehicle information and traffic violations of individuals can have devastating impacts. During the Delhi Riots in February 2020, reports emerged of mobs using the Vahan database to identify and torch vehicles of select individuals based on their names. IFF wrote to the government raising the alarm. On 26 June 2020, the MoRTH finally revoked the Bulk Data Sharing Policy citing risks to user privacy, but individual data is still accessible through the Ministry of Road Transport and Highways’ m–Parivahan application.
Data Standards and Mass Surveillance
The NPR is a proposed register of Indian residents mentioned under Citizenship (Registration of Citizens and issue of National Identity Cards) Rules (2003). The proposed details to be collected for this register included the Aadhar. An IFF brief explains how the NPR, as currently proposed, would contain a large amount of sensitive personal data in the form of biometrics and official identifiers. As NPR's only purpose is to determine citizenship, the linking of biometric data is unnecessary. There is no reason to collect this data, and it violates the principle of data minimisation – the practice of collecting the least amount of data needed for a service in order to prevent data breaches and storage cost. It is thus in direct contravention to the six general data protection principles that makes the core of GDPR.
This is especially significant as Aadhaar data has already been leaked online, or lost in massive data breaches. It is only in 2018 that the Supreme court ruled that Aadhar was not mandatory for many services, but by then, the damage was done. Medianama keeps a list of all the Aadhar leaks since 2017, and in 2018 BBC cited a Tribune report that claimed that Aadhar details could be bought online for Rs 500.
The Cambridge Analytica scandal illustrated just how far corporations and political parties can go with using users’ personal information against them – and how these manipulations endanger the democratic method by misleading citizens. Rajesh Jain, a member of Unique Identification Authority of India (under whose remit the Aadhar falls), and owner of AI-powered marketing firm Netcore, reportedly said that the company planned to connect Voter ID with mobile numbers for micro-targeted political campaigns.
A large number of Aadhar database breaches have occurred in Andhra Pradesh. Srinivas Kodali, an internet governance activist, revealed six major data leaks up until 2018 alone. In 2019, the Hyderabad based company IT Grids was under investigation for owning 7.8 Crore Aadhar profiles from Telengana and Andhra Pradesh. HuffPost India reported that IT Grids was working for the ruling Telugu Desam Party. By calling and profiling voters and then applying to get their names removed from voter lists, the company managed to remove nearly 10 Crore names from the electoral rolls. These citizens were profiled for being in favour of voting for the opposition, and this information gathered through telephone interviews.
India has a host of surveillance systems of its own (the Centralised Monitoring System and National Cyber Coordination Centre, for instance), which it has built up in the interest of national security. These systems allow government agencies to intercept, monitor and review communications over the telephone and internet.
The state is currently creating a large surveillance database which will be accessible to all law enforcement agencies the centre gives permission to. It is being called the National Intelligence Grid (NATGRID), and is intended to come into effect by the end of 2020.
The NATGRID proposes to directly connect law enforcement agencies with data providers like airlines, banks, stock markets, and governmental enterprises like railway and telecom. The idea is to access data gathered from a number of databases to investigate crime and terror threats in the country. Despite the privacy concerns surrounding NATGRID, there is not much information about how secure and private user information is. Since it is a ‘matter of national security’, it is exempted from Right to Information Act (RTI) filings. There are currently no means by which citizens can ask for transparency on the matter, or hold the government accountable.
The National Crime Records Bureau has also been bidding for an Automated Facial Recognition System, preferably one that can read over face masks. It is hoping to initiate a centralised web application, which lays down the foundation for a national-level searchable platform for facial images. This will be integrated with other databases such as the Crime and Criminal Tracking Network and System (CCTNS), which connects different police stations, the Inter-operable criminal justice system (ICJS), and the National Automated Fingerprint Identification System (NAFIS) – creating an enormous nexus of citizen’s private data.
On 17 March, 2020, a HuffPost exclusive – based on an RTI filed by internet governance activist Srinivas Kodali – revealed how the government had turned the National Social Registry, a regular project for revamping the Socio-Economic Caste Census, to automatically update itself into a plan for a 360 degree surveillance system. According to the RTI filed, The National Social Registry is proposed to create a ‘searchable Aadhaar-seeded database or “multiple harmonised and integrated databases’. Using Aadhaar numbers this registry integrates religion, caste, income, property, education, marital status, employment, disability and ancestry data of every single citizen.
It is a real-time tracker of Indian citizens and will combine all databases – including health, financial and other administrative information – the government has. This kind of surveillance, termed as ‘welfare surveillance’, can quickly turn sour.
Where is India’s Personal Data Protection Bill?
In the absence of direct data protection legislation, Indian law derives its right to privacy from the Puttaswamy judgement, and its privacy laws from the Information Technology Act, 2000, and rules made under it. Retired judge Puttaswamy of the Karnataka High Court was the chief petitioner to the Supreme Court challenging the ‘mandatory’ nature of Aadhaar in 2012. His case was combined with 26 other petitions over the next five years, all challenging the mandatory nature of the biometric identification project. In 2018, in a landmark judgement, the Supreme Court of India, in Justice K S Puttaswamy (Retd.) and Anr vs Union Of India and Ors. recognised privacy as a constitutionally protected right. This judgement mentions that the State is obligated to protect the personal data of its citizens, under reasonable restrictions. The judgement established a ‘proportionality and legitimacy’ test – a test that needs to be fulfilled before the state can knowingly breach an individual’s privacy. According to this test, the state can only intervene in a citizen’s privacy if there is a proportional lawful and legal need for it. It was on the basis of this judgement that the 2018 Aadhaar decision was delivered, which finally made Aadhaar largely choice-based.
Other protections to our right to privacy comes from Section 43A of Information Technology Act (2000). The Act stipulates that any institution, processing personal data, which fails to provide reasonable security resulting in wrongful loss or gain, is liable to pay damages for the same. Simultaneously, Section 72A of the IT Act makes deliberate disclosure of personal information without consent of the individual, and in breach of contract, a punishable offence. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ( 2011) do lay down guidelines for handling sensitive personal data, however, given that technology has advanced in leaps and bounds in the last decade, the guidelines are inadequate for providing comprehensive privacy protection.
While India has jumped on the bandwagon of digitisation, we do not yet have a formal personal data protection law. In 2018, a special committee headed by Justice B N Krishna released a framework for the same. This, and a draft bill – both drawn extensively from the GDPR, and after studying US and Chinese approaches to data protection – form the backbone of the current Personal Data Protection Bill (PDP) (2019) that is still under consultation. This framework envisions data protection in India as one that protects individual privacy, ensures autonomy, and creates a free and fair digital economy. It combines economic and privacy concerns in the same way as the GDPR does.
The Personal Data Protection Bill (2019) was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad. It was referred to a Standing Committee for considering public concerns, and was scheduled to be tabled in the second week of the Monsoon Session of Lok Sabha in 2020. It was postponed to the Winter Session on 24 September 2020, after the monsoon parliament was adjourned early. Justice Sri B N Krishna, who headed the original committee on personal data protection was quoted saying: ‘The current version of the Bill has removed a lot of safeguards that were suggested by my committee. It has been watered down to give more powers to the executive [branch of the government].’
The overlying critique of the PDP Bill is that it grants impunity to the government, diluting citizens right to privacy from the state. For instance, Clause 35 of the PDP Bill allows the Central Government to exempt any agency from data protection obligations as it deems fit, either for national security reasons or as specified in the orders. This almost-blanket exemption erases the government’s culpability from adhering to personal data privacy laws.
There is also a larger focus on private sector financial interests than on the protection of individual privacy. This does not belong in a personal data protection law. IFF’s legislator’s brief on the PDP bill explains how ‘A data protection legislation must not have an enabling provision for the government to mandate sharing of non-personal and anonymised data with it, for setting up regulatory “sandboxes”(isolated environments where certain companies can develop new technology without adhering to the privacy data laws) and for framing policies on digital economy, especially when the possibility of misuse of anonymised and non personal data and threats arising from new technology have not been sufficiently addressed.’
As it stands now, our personal data protection law, while imperative, grants sweeping authority to the Central government, which can overrule the proposed Data Protection Authority. It violates basic democratic requirements of transparency and accountability. This is in part because citizen’s data is imagined as a resource the government can use for its own profit and interest. This, overwhelmingly, does not align with the interest of citizen welfare.
Digital Rights Literacy and the Idea of ‘Data as Commons’
One might wonder – are we just destined to be oppressed by a government-corporation data processing nexus that profits off of our data? An answer to this question, which is born out of deep frustration, lies in a radical reimagining of data ownership, public interest in democratic processes, and holding our governments accountable.
The power imbalance between those who store, analyse and understand data (i.e. corporate bodies or governments) and those who produce it (i.e. internet users and citizens) creates a valid deficit of trust. When we look at how the data breach in Andhra Pradesh directly led to the erasure of names from electoral rolls, we know that it is the poor, disenfranchised population which is left out of the system, despite having the highest stakes in the electoral process.
When policies are made without public intervention and interest, they exacerbate existing structures of inequality. During the 2018 hearing on Aadhaar’s constitutional validity, Advocate Jayana Kothari told the court that agencies collecting demographic information for Aadhaar could not insist on the disclosure of gender identity, as it is covered under privacy.
Importantly: forcing trans people to reveal their biometric and demographic information would expose them to harassment, violence and surveillance. In 2018, a petition was filed by Reshma Prasad, a transgender person and social activist from Bihar, as they could not link their PAN Card with their Aadhar, as the PAN ID form simply does not consider genders other than Male or Female.
There is also an impossibility of providing documentations valid enough for creating these IDs themselves, and by linking them to welfare schemes and government aid packages, the most disenfranchised are left out of the very policies they were meant to benefit from. Such disregard for real-world implication of digitisation schemes come when legislation becomes largely a one-way process.
The lack of clarity and transparency between what the State proposes to do, and how we are forced to go through with it without question, creates an oppressor-oppressed binary.
Digital intelligence, defined by as ‘The sum of social, emotional, and cognitive abilities that enable individuals to face the challenges and adapt to the demands of life in the digital world’, or to actively know and engage with our privacy rights, could, in many ways, be our only way of resolving this.
Akademi contacted Prasanth Sugathan, of Software Freedom Law Center, to enquire about the role the public has played in the general scheme of data protection in India. He says:
‘We are going full steam ahead with rolling out various data collection schemes without giving a thought to digital literacy. Even the chunk of population which understands the harms caused by these IDs, finds it difficult to negotiate for their rights. For example: even though Aadhaar is voluntary in nature, we still find this being asked for by many Government departments and even private players, and the public readily obliges. One of our fears is that the Digital Health ID will end up becoming voluntary-mandatory(where the choice to opt-in is false, because you have to forgo a vital benefit for it or the rules are unclear therefore you are socially enforced to download it). We have already seen this happen in Chandigarh where the Digital Health Mission was implemented on a pilot basis. They had rolled out an executive order mandating digital health IDs for doctors, nurses etc. along with their families. The order was only modified after an uproar in the media.’
Being aware of our data rights, or having digital intelligence, is a part of what the state owes us as citizens. How can citizens consent to something they do not understand? I was fifteen-years-old when my Aadhar card was made. I did not know what I was signing away. According to data protection norms, children have the right to withdraw consent once they come of age. We have the right to be left alone, and the right to have our digital records expunged. But if we do not know we have these rights, how do we go about asserting them?
Meaningfully and consciously participating in the interconnected and data-centric digital world requires awareness about the potential for the manipulation of our sensitive personal information. Terms like ‘internet governance’, ‘digital rights’, ‘data privacy’ are thrown about all the time, but we don’t always understand what they imply or specifically mean. All of this falls under tech-advocacy, which is a niche field with an astounding amount of jargon and intimidating abbreviations.
Anita Gurumurthy, the founder of IT for Change and an advocate for communal ownership of data, writes extensively about who should have primary rights, or profit from data. She highlights in an introduction to a framework law for digital rights, ‘Big Tech has stolen the aggregate data of people, which needs to be reclaimed [. . .] As a feminist, I think it absolutely necessary to grapple with the question of data’s multivalence.’
The conversation around the world is increasingly shifting towards ownership of personal data, and whether data collectors should be paying users for using their personal data. This type of reclamation of our digital selves is a future that we can aspire to, but it begins with an understanding of our rights and advocating for more robust legislation to protect them.
Digital identities are imposed on top of pre-existing social inequalities. While all of us as the owners of data have some stake in this process, the data collectors and processors have dominated the conversation of how our privacy should be regulated.
India’s technology policy movements were born in community-based advocacy, as ‘citizen’s rights’, rather than as exercises of pure litigation. The most recent example of this is of course the Net Neutrality movement. It was a sustained social mobilisation to prevent the Telecom Regulatory Authority of India from implementing programmes like ‘Free Basics’ – a Facebook initiative in which users could access select portions of the internet for free. Allowing for internet use to be governed by private corporations like Facebook could have severely curbed freedom of the internet. Formed as a group of volunteers fighting to keep all data on the internet equal, the #savetheinternet movement later formed the Internet Freedom Foundation.
Some Citizens Are More Equal Than Others
Only 54.4% of Indians have access to the internet. Caste and class allow only certain demographics to avail the knowledge production of digital rights. As most policy documents are still made in formats that are non-Adaptive, they cannot be accessed by persons with disabilities. Digital rights literacy is also disproportionately available to only those with an English education (because all government policies are published in English and Hindi, and a majority of litigation, public advocacy documents, and work by tech policy NGOs are in English).
Furthermore, the internet, on the basis of ‘national security’, is severely and arbitrarily restricted, despite being a vital need in the pandemic. The internet shutdown in Kashmir, which began on 4 August 2019, a day before the abrogation of Article 370 by the Indian government, is the longest internet shutdown in the history of any democracy. While 2G services have been partially restored in certain districts, people in the Valley still do not have access to 4G internet.
Internet shutdowns have been used as a tactic to stifle dissent and protests in the Valley for a while now. Sanjay Kak, in his book Until My Freedom Has Come: The New Intifada In Kashmir, wrote how, since the Arab Spring-inspire people’s protests began in 2008, the resistance in Kashmir acquired a people-centric nature, with the internet becoming a source of information dissemination. People coordinated, organised protests and campaigns through social media.
With the August 4 communication blockade mobile internet, telephone connections, broadband, and even SMS services were shut down. Three or four months into the shutdown, Kashmiris had to line up at police stations to call their families and check up on them. It succeeded in its purpose of curtailing freedom of speech and information: very little information from the Valley could come out in the aftermath of the abrogation of Kashmir’s constitutional autonomy. Except for reportage from international media houses, it became very difficult for news about local protests to reach mainland India. It was because of this information vacuum that the government was able to confidently, and misleadingly, claim that their decision was welcomed by everyone in Kashmir.
The internet shutdown affected the people of Kashmir in many crucial ways. Local businesses faced losses, and there were many that had to close down completely. This is especially interesting in the context that the government had promised that with the abrogation of Article 370, the economy would flourish.
Journalists based in Kashmir, on several occasions, had to travel all the way to New Delhi to file their stories. Healthcare and education also came to a standstill when pharmacies were unable to stock up on medicines without online orders, and classes remaining shut for months on end.
The lockdown exacerbated mental health issues among several Kashmiris as they were unable to access resources online. Tourism, one of the important sources of revenue in the Valley, became virtually non-existent as well. The shutdown has sparked important conversations over whether having access to the internet in a digitally-run world is a fundamental right. In that case, to exercise it in a safe and secure way is a matter of data protection. It is the digitally disenfranchised who most need the guarantees of data protection, yet they the most removed from the possibility of advocating for it.
In a democratic process, however broken, every policy change has consultation processes. So the onus falls on those who can equip themselves with the knowledge required to take action. We must, and should, engage with ideas of data protection. As citizens we can do this directly by offering recommendations, or atleast supporting those that these decisions disproportionately affect by volunteering, donating, translating and making information accessible to people with disabilities.
As Ruth Bader Ginsburg said, ‘Fight for the things that you care about, but do it in a way that will lead others to join you.’and who knows, it might make a world of difference.
SREEMOYEE MUKHERJEE is a media and communications scholar currently studying at Jamia Milia Islamia University, Delhi.