Putting all Aadhaar data in one big box is ill-advised: Mishi Choudhary

Interview with Technology lawyer and legal director, Software Freedom Law Center

Mishi Choudhary

Mishi Choudhary

Sudipto Dey
The Delhi High Court recently put restrictions on sharing of users' data between popular social media platforms WhatsApp and Facebook. Mishi Choudhary, technology lawyer and legal director at the New York-based Software Freedom Law Center, an organisation that offers pro-bono legal services to developers of free and open source software, tells Sudipto Dey why absence of data security and privacy laws could lead to a digital disaster. Edited excerpts:

The Delhi High Court recently observed in the WhatsApp case the lack of clarity on whether the Right to Privacy was a fundamental right. Does this highlight a dichotomy where companies and businesses have privacy policies, while the country does not have a legislation to protect privacy?

Let me point out to you a very interesting piece by Arun Jaitley, which he had penned after a controversy erupted around his call detail records (2013). He had said, "Firstly, every citizen in India has a right to privacy. His right to privacy is an inherent aspect of his personal liberty. Interference in the right to privacy is interference in his personal liberty by a process which is not fair, just or reasonable. A person's call detail records can throw up details of several transactions. In the case of an average citizen, it can reflect on his relationships. In the case of a professional or a business person, it can reflect on his financial transactions. In the case of a journalist, it can reveal the identity of his sources. In the case of a politician, it can reveal the identity of the person with whom he has regular access. Every person has a 'right to be left alone'. In a liberal society, there is no place for those who peep into the private affairs of individuals. No one has the right to know who communicates with him...".

The Delhi High Court joins the chorus of multiple voices waiting for the government to make up its mind whether the Constitution grants its citizens the right to privacy or not. The Supreme Court had decided to set up a constitutional Bench to look into the question in October 2015, and we are still waiting.

Without a clear and determined set of policy commitments to protect the privacy of Indian citizens comprehensively, the digitisation of identity and payment, we are preparing for an unmanageable disaster of the digital kind.

In a similar case in Germany, the city of Hamburg's data protection commissioner ordered Facebook to stop collecting and storing data on WhatsApp users in Germany and to delete all information already forwarded from WhatsApp on roughly 35 million German users. But in India, after September 25, WhatsApp can operate with its amended privacy policy.

Do you expect the Digital India drive to throw up challenges on the privacy and data protection front?

Digital India is a laudatory, ambitious agenda. The four pillars of the government's intentions have been declared and are already under construction: A policy to prefer free and open source software in all e-governance software solutions; new guidelines on patenting "computer-related inventions", which will adhere strictly to the prohibition on patenting computer programs; comprehensive reliance on Aadhaar to provide a biometrically-backed digital identity for every Indian citizen; and the 'India Stack', a set of software designs that build atop the Aadhaar unified digital identity to provide cashless payment systems available to all Indians, electronic government services and a 'consent layer' for transactions exchanging Indians' personal information in the private market.

The Aadhaar legislation ensures that there will be a single database, at Central Identities Data Repository (CIDR), holding fingerprint, retinal scan and, eventually, full genomic information on every Indian, along with name, address, phone number.

After the litany of data breaches, can we seriously say that we aren't set up for a disaster? Until we can see a realistic plan to manage the risks of making Aadhaar mandatory, putting all the data in one big box is ill-advised.

Without data protection and privacy laws, do you expect data-driven businesses getting increasingly embroiled in such cases?

The digital model is built on data and information as the primary items of exchange between parties, the burden falls on the businesses to retain consumer's privacy and security of the data, while adapting to the industry mechanics. You see that Yahoo! told us about the breach two years post facto. In the US, there is at least the possibility of a class-action law suit. What is it that an Indian user can do? We are often more concerned with government surveillance that has some legitimate uses such as prevention of terrorist attacks. But we rarely touch upon corporate surveillance, a dangerous honey pot, where troves of data is collected and sold for the "benign" purpose of advertising. The Information Technology Act is ill-equipped to handle data breaches or any other abuse.

Aadhaar is now getting a legal cover for seeking government services and subsidies. But there is no dedicated law for data protection and user privacy in the country. Are we headed towards a litigation minefield around data protection and privacy related issues?

The government's most basic obligation is to protect its citizens' rights - both their right to sustenance and their right to the privacy that enables freedom - equally. The ultimate resolution of this present controversy must recognise both the need for Aadhaar - in order to provide efficient and honest government services to citizens - and the need for stringent rules concerning access to and security of citizens' biometric data, in order to preserve their privacy.

In the 21st century, a government that cannot or will not protect its citizens' privacy rights cannot credibly maintain a democratic regime of equal treatment under the rule of law. Freedom of opinion and association; freedom of religion (or irreligion); the ability to make choices and decisions autonomously in society free of surrounding social pressure, including the right to vote - all of these depend on the preservation of the "private sphere."

Data is the core of artificial intelligence (AI). What legal challenges do you foresee from increasing use of AI and robotics in business?

I think we should retrofit the three laws of robotics from Isaac Asimov! You remember the letter written by Stephen Hawking, Elon Musk and the hundred others issuing a warning against the use of AI weapons development?

What happens when a robot commits a crime, a self-driving vehicle gets into an accident; when Pokemon GO players trespass someone's property and end up destroying something, where does the liability lie? That's why companies are setting up AI ethics councils to understand what issues, seen and unseen, may crop up to surprise us.

First Published: Oct 02 2016 | 9:34 PM IST

Explore News