Tuesday, March 8, 2011

260 - Column : Where’s the privacy Bill? - FINANCIAL EXPRESS

Bibek Debroy
Posted: Tuesday, Sep 28, 2010 at 2346 hrs IST

The Cabinet has approved the National Identification Authority of India (NIAI) Bill and it is expected to be placed before Parliament in the Winter Session. Before reacting, remember that it is still a Bill. It will be referred to a Standing Committee, then passed by both Houses, then receive the President’s assent and then be notified. Until then, it isn’t law. There are two strands behind the transition towards the UID (unique identity) idea. First, there was a multi-purpose national identity card (MNIC) idea, driven by considerations of security and identified with the NDA government in 2002. This was meant for citizens, not residents. So there can be a national register of citizens (NRC) and a national register of residents (NRR) and the two are not identical.

Under the UPA, UID became equated with the NRR and not NRC. On this difference, UIDAI’s (Unique Identification Authority of India) response will be that it is only the first step and UID (with photographs and biometry) doesn’t create any entitlements. There is nothing to prevent the ministry of home affairs (MHA) from using UID to eventually segregate NRC from NRR. However, that’s not how ministries and the government departments (say, the police) are likely to look at UID. Existence of UID is likely to be looked upon as creating entitlements and establishing citizenship.

Second, under the UPA, UID was driven less by concerns of security and more by intentions of improving efficiency of public expenditure and facilitating e-governance. Even if we don’t identify the poor and target subsidies (outside UIDAI’s mandate), UID can curb fake identity and reduce leakage and corruption. That’s the Aadhar idea. But who has legally authorised Aadhar and UIDAI and allowed it to collect data?

No one, and neither Aadhar nor UIDAI has any constitutional or legal sanction. As of now, they are outside Parliamentary scrutiny, too. A limited objective of the Bill is to provide legal sanctity to UIDAI, to be renamed NIAI (National Identification Authority of India). But surely such a major exercise should not be based on a narrow and limited agenda. For instance, both tort law and constitutional law protect private data from unlawful intrusion. There must be safeguards on recording inaccurate data, corruption of data, unauthorised access and disclosure, mission creep (where additional features and objectives are bunged into the main database) and profiling. The point is we do not have legislation on privacy and data protection, the civil rights angle. The Bill has some clauses on commercial abuse of the database, some restrictions on the nature of information collected and penal clauses on abuse. It also borrows from the IT Act of 2000. But that’s not enough.

One response is the following. We have a rollout deadline in Maharashtra and a subsequent timeframe of 2014. Let’s not hold that up. Arrangements have already been made for the first 12-digit number to be handed over by the Congress president in Nandurbar district in Maharashtra on September 29 and the PM is going to be there too. Parallel legislation on privacy and data collection will surface.

The NIAI Bill is only one part of the jigsaw. If parallel legislation on privacy and data collection doesn’t surface, surely it will be flagged by the Parliament’s Standing Committee when the Bill is introduced in the Lok Sabha. Let’s not bother about that now. After all, as legislation it is still only a draft. That’s a very casual and ad hoc way of approaching the problem. If there is one thing that has characterised Nandan Nilekani and UIDAI’s work so far, that is transparency, placing information in public domain and consultations. Comments were also invited on the draft Bill, and points that civil society organisations are making now are not new. Therefore, the NIAI Bill should have been cleared by the Cabinet with proposed legislation on privacy and data collection, as part of a package and not in isolation.

On December 16, 2009, Neeraj Shekhar asked a question in the Lok Sabha: “(c) whether confidentiality of personal details of individuals will be at risk after issuing UIN; (d) if so, whether the government needs to bring a privacy policy to safeguard the same; (e) if so, the details thereof; and (f) the method by which the UIN project will maintain a balance between privacy of individuals and requirement of security agencies to combat terrorism.”

V Narayanaswamy, the minister of state, replied, “A legal framework is being envisaged to safeguard the privacy of the resident’s data and also take care of the security requirements of the country.” This Bill is certainly not that envisaged law or legal framework. Was it necessary to have that deadline of September 29 and rush things through? As far as one can make out from reports, the Cabinet had no constructive comments on the draft Bill, apart from the FM’s point about taxation decisions (context was exemption for resources collected by UIDAI) being the finance ministry’s mandate. That’s not the way to address fears about Big Brother. Coincidentally, beyond 2013, UIDAI has annual targets of 300 million and Orwell’s “1984” talks about 300 million people, “all with the same face”.

The author is a noted economist