Summary: IFF says Draft Data Access Policy will enable state-sponsored mass surveillance, should be withdrawn and reconsidered

“Our principal recommendation here is that MeitY reconsiders this policy and aims to withdraw it. […] The Policy is based on a faulty objective of revenue generation and fails to sufficiently acknowledge the resultant risks. In our opinion, if enacted, this policy would lead to grave violations of the right to privacy and other key user rights such as the right to confirmation and access, correction and erasure, data portability and the right to be forgotten. In its present form, it will also facilitate state-sponsored mass surveillance by allowing the creation of 360° profiles of individuals whose data has been collected and processed by government agencies,” the Internet Freedom Foundation (IFF) said in its feedback on the Draft India Data Accessibility and Use Policy 2022.

The draft data access policy, which was published by the Ministry of Electronics and Information Technology (MeitY) on February 21, looks to introduce measures that allow for greater data-sharing amongst government bodies and other private stakeholders. It was open for feedback until March 18, 2022.

Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.

Change in draft policy without intimation

1. Changes made to draft policy during the consultation period without any notification: IFF strongly objected to the fact that MeitY changed the contents of the draft policy during the consultation period without providing any notification to the stakeholders. The draft policy first uploaded on February 21, 2022, and the version accessible since March 6, 2022, have substantial differences. A comparison of the two versions can be found here. “Effectively this resulted in multiple versions of it, contracted the consultation timeline, and confused stakeholders,” IFF noted.
2. Key aspects have been changed in the new version: IFF pointed out that certain key concepts of the Draft Data Access Policy have been removed such as its application over personal data, identification of certain data-sets as high value, and pricing and licensing frameworks to enable the sale of these datasets. “Such actions inspire a lack of trust in the consultation given that several facial changes were made during the consultation period after receiving criticism from civil society experts,” IFF said.

Recommendation:

• Requires fresh consultation: Given the changes made, IFF called for the draft policy to be immediately withdrawn, and a fresh consultation process to be initiated. Additionally, it asked for a departmental inquiry into this entire matter.

Note: The following feedback was submitted based on the first version of the draft policy. While many of the core concerns remain, the most recent version includes some changes. We have added notes to highlight that wherever necessary. 

Lack of transparency and faulty consultation process

1. The draft policy has skipped the consultative process: By sharing the draft policy directly, the consultative process required for drafting a good policy has been skipped. This fails to abide by the provisions of the Pre-Legislative Consultation Policy, 2014, which was put in place to promote transparency in law-making, IFF said.
2. No identification of stakeholders involved in the framing of the policy: The draft policy published by MeitY claims to have been formed after consultation with stakeholders, but neither were the identities of these stakeholders revealed nor the inputs submitted by them. This is against established thresholds of the consultation policy, which requires a summary of the feedback or comments received from stakeholders to be published on the website of the department, IFF said.
3. No working group involved: “According to best practices, a working group is constituted to build consensus and harmonise interests of various stakeholders. This helps in addressing pain points and maintaining accountability over government actions. However, even a working group seems to not have been established, calling the credibility of this policy formulation process by MeitY under question,” IFF submitted.
4. Formed without parliamentary discussion: According to the Constitution of India, every law should be enacted after going through the legislative procedure where a proposal is brought in the form of a Bill before the Parliament to receive approval from both the Houses, but the draft data access policy bypassed this parliamentary scrutiny as it was formulated without parliamentary discussion, IFF submitted.
5. Sidelines India’s federal structure: The draft policy was made in a centralised manner without keeping in mind India’s federal structure, IFF said. “The proposal to share data has been rejected by the State governments earlier as well, such as when the Department of Food and Public Distribution urged States to share Aadhaar details of National Food Security Act (NFSA) beneficiaries with the National Health Authority (NHA). The States reportedly pushed back against this demand due to the security implications of such a data transfer, fearing that the data may be used for political gains,” IFF explained. But despite this, the central government has gone ahead with the draft policy, IFF said.
6. Cannot verify the authenticity of data cited in the “Background Note”: MeitY published a background note along with the draft policy, but there is no satisfactory referencing in this document, which raises questions about the authenticity of the data cited in the note, IFF submitted.

Recommendation:

• Follow the TRAI model for consultations and involve states: Given the above issues, IFF asked for the government to withdraw the present consultation and publish a fresh paper based on best practices followed by government departments such as the Telecom Regulatory Authority of India.
• Involve states: Furthermore, MeitY should involve state governments “to obviate any federal challenges to the data sharing envisaged in the [policy],” IFF said.

Draft policy raises several privacy concerns

1. Goes against purpose limitation principle: The data-sharing ecosystem proposed by the draft policy goes against the purpose limitation principle of data processing, according to which the personal data collected should be relevant to the purpose for which they are processed and only used for the intended purposes, IFF said.
2. Could be used to build 360-degree profiles of citizens: The draft policy essentially allows the government to “own” the data and decide how it should be shared with other departments and for how much, which is “worrisome considering that this may enable the building of a 360° profile of every citizen […] potentially without their knowledge as to the nature of the datasets being used or how the dataset may be utilised,” IFF said. “Hence, collection of data by multiple agencies to create such comprehensive profiles of individuals may facilitate greater surveillance,” IFF added. IFF gave examples of the various projects under the Digital India program such as Aadhaar and the new InDEA 2.0 policy that may be used to build these 360-degree surveillance profiles.
3. UIDAI will get access to all “seeded data”:  “Once one’s Aadhaar number becomes publicly available, given that it must be necessarily disclosed by beneficiaries, it increases the risk of identification without consent across domains. Moreover, anyone with access to the ‘control’ end of the Ginger platform may gain access to all the data associated with an Aadhaar number. Thus, UIDAI effectively gets access to all “seeded” data. Seeding allows multiple databases to be tagged with unique identifiers, thus establishing a relationality as well as enabling big data analytics,” IFF submitted.
4. Will it satisfy the Puttaswamy test: The cross-departmental interlinkage of databases raises legislative concerns because, according to the Puttaswamy judgment, the use of individuals’ personal data and the interlinkage of individuals’ databases must satisfy the three-part test, IFF said.
5. Fails to acknowledge deanonymisation problem: The draft policy intends on making all government departments comply with some minimum anonymisation standards but the policy “fails to acknowledge the technical ease with which de-anonymisation of data can be conducted,” IFF submitted. “One study showed that just 4 data points about mobile phone location could uniquely identify 95% of the test population. Another study showed that just three transactions are enough to identify an individual’s credit card,” IFF said. Furthermore, since the anonymisation standards will be developed by MeitY itself, there are no checks for the quality or effectiveness of the tools deployed.
6. No clarity on who will have the final say between IDO and DPA: The proposed India Data Office (IDO) in the draft data access policy has overlapping functions with the Data Protection Authority (DPA) proposed in the Data Protection Bill, and it is not clear “if the IDO will be answerable to the DPA since the latter is designated to be the primary authority regulating data protection norms,” IFF said.

Recommendation: 

• Clear boundaries should be drawn in the absence of a data protection law: In the absence of a data protection law, “clear standards need to be drafted defining the contours of data exchange, sharing and processing of personal data,” IFF suggested. Even the proposed Data Protection Bill has its own limitations in its current form as it has not codified many of the internationally recognised data protection principles and provides multiple exemptions to governments and private entities, IFF added.
• Separate powers of IDO and DPA: “The Draft Data Access Policy should lay down clear guidelines on the separation of powers between the IDO and the DPA,” IFF recommended.

The policy is guided by economic incentives without accounting for privacy and security

1. Financial incentives for data collection sets a dangerous precedent: The draft policy makes “personal data of citizens a saleable commodity” and “this revenue generation or data monetisation objective of MeitY sets a dangerous precedent as it will prompt a financial incentive for state authorities to collect more data than necessary,” IFF said. “Commercial interests will prompt the government to collect more granular personal details through greater capture of data and increased retention periods. This unrestrained collection of information will risk Indian citizens’ government records being sold and profiled by the private sector,” IFF stated. “A similar case was seen in 2020 when the Ministry of Road Transport and Highways (MoRTH) withdrew the Bulk Data Sharing Policy following concerns over privacy and misuse of data. The Bulk Data Sharing Policy, formulated in 2019, allowed MoRTH to “share complete data” with specified agencies, automobile industries, banks and finance companies. While this mostly held non-personal details like chassis number, model type, year of manufacture among others, the MoRTH itself admitted that this data could be subject to triangulation. Here, triangulation refers to the combination of different data- sets, which individually do not reveal much but when viewed together lead to individual identification and the dilution of user privacy,” IFF explained.
2. Promotes big data usage in government without adequate safeguards: IFF submitted that the draft policy promotes the usage of big data in government departments without acknowledging India’s lack of digital infrastructure and laws to adequately protect the collected data. To make its point, IFF cited the increasing number of cybercrimes in recent years reported by the Indian Computer Emergency Response Team (CERT-In) related to breaches of privacy and fraud.
3. Limits access to data to the wealthy:  The “pricing of datasets will limit the ability to access data to the wealthy, thereby defeating the intended goal,” IFF submitted.

Note: The newer version of the draft policy has removed clause 11 which dealt with pricing and licensing. So, it remains unclear if the existing proposal of pricing certain data sets is still applicable.

Ambiguous definitions and the resultant arbitrariness

1. Several concepts are vague in the policy: The Supreme Court struck down section 66A of the Information Technology Act, 2000, because it was overbroad and allowed for arbitrary interpretations. Key concepts in the draft policy also “suffer from a similar vice of vagueness and lack of clarity, or, in some cases, willful misinterpretation,” IFF submitted.
2. Various important terms have been undefined: The draft policy has left various important terms to be defined in subsequent frameworks and it is unclear whether these subsequent frameworks will be made available for public consultation and feedback, defeating the purpose of a public consultation exercise, IFF said.
3. Several key concepts are ill-defined: IFF points out deficiencies in the definitions or the lack thereof of various concepts such as “data anonymisation,” “high-value data sets,” “pricing,” and “licensing,” but we have left them out because the newer version of the draft policy has either removed or modified these concepts.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

• Government Data Should Be Free And Shared After Data Protection Act Is Implemented, SFLC Suggests
• Summary: Draft India Data Accessibility And Use Policy, 2022
• A Guide To Non-Personal Data Regulation In India
• Road Transport Ministry Scraps Policy Which Allowed It To Sell Vehicle Registration And Driving License Data: Report

Have something to add? Subscribe to MediaNama here and post your comment.