India’s National ID System: Danger Grows in a Privacy Vacuum
Computer Law & Security Review, Vol. 26, No. 5, pp. 479‐491, 2010
23 Pages. Posted: 25 Nov 2011. Last revised: 3 Apr 2015
Date Written: October 26, 2011
India is juggling demands and proposals for at least three national data surveillance projects of vast scope. This article focuses on the unique identification (UID) number (called the Aadhaar), which it is proposed to allocate to India’s 1.2 billion people, with 600M UIDs to be allocated by 2015. The draft National Identification Authority of India Bill 2010, drawn up by the Unique Identification Authority of India (UIDAI) as legislation to formally create the Authority which will administer the UID, contains few protections for privacy or other liberties. They are needed because there is otherwise a privacy vacuum in Indian law.
The draft Bill leaves most of the details of the demographic and biometric information which will be required to be included in Regulations, and imposes no controls on which organisations can require UIDs, or what they can do with them. This article focuses on the planning documents for the UID, and the Bill, to argue that India may be building an identification system that puts people’s liberties at risk, and does so in a way which will be largely out of the control of democratic or judicial restraints on such a powerful use of information technology. This article argues that the current operation of the Aadhaar, and the draft Bill, are deficient in that they lack at least the following protective provisions:
(i) Outsourcing of the operation of the CIDR should be by regulations identifying the outsourcing provider, and thus disallowable. Any movement of CIDR data outside India should also be by regulations.
(ii) The Central Information Commission, or a similarly independent tribunal, should be empowered to adjudicate all disputes between the Authority and individuals.
(iii) Individuals should be able to obtain compensation and injunctions for any breaches of their rights.
(iv) The biometric and demographic information which can be collected by the Authority should be defined in the Bill, and collection of other personal data prohibited. New legislation, and thus positive Parliamentary approval, should be required for any expansion.
(v) The Bill should clarify whether obtaining a UID is compulsory or voluntary, and whether services may be denied to people because they do not have one.
(vi) If the UID is voluntary, any special measures in relation to marginalised groups should also involve special steps to ensure that voluntariness is respected.
(vii) Incentives given to any persons involved in the enrolment process should be designed to ensure that voluntariness is respected.
(viii) UID holders should not be required to update their identity details unless this is necessary for the integrity of their UID and authentication. A continuously updated population register is not necessary for an ID number.
(ix) The legislation should specify with which other agencies, and in relation to which benefits, the CIDR data can be shared, and any future changes should also be by legislation.
(x) It should be prohibited for anyone to require a UID holder to obtain their CIDR data.
(xi) It should be prohibited for any other databases to record the UID number.
Amendments such as these would not necessarily make the UID safe for India’s 1.2 billion people, but they would reduce the risks of abuse. As India’s economy and society become increasingly similar to those of other successful capitalist economies, the Indian government will increasingly need to adopt a full data protection law, as is the case throughout Europe and in an increasing number of countries in the Asia-Pacific. It has often been the case that the introduction of a new data surveillance system such as an ID card or a data matching system has shown the need – and provided the political trade-off – for the introduction of a full data protection law.