Bengaluru: Concerns over online data and user privacy have been growing and a government-appointed committee, led by justice B.N. Srikrishna, is preparing a data protection framework for India. Ahead of the submission of the panel’s report, the Telecom Regulatory Authority of India has released a set of recommendations on data privacy that favour giving users control of their data and personal information.
In an interview on Tuesday, Nandan Nilekani, a former Unique Identification Authority of India (UIDAI) chairman and architect of the biometric-based Aadhaar identification number, emphasized the need for the committee to address key issues, including data collection, consent and the need for accountability in cases of misuse of data. “The Srikrishna committee report... will lay out the framework for data collection, what is the responsibility of the people who collect data, how do they take consent, what is the accountability of these organizations if they misuse the data, and so on and so forth," said Nilekani, who is also chairman of Infosys Ltd. Nilekani also spoke about how India’s data empowerment policies are far more progressive than those of other countries such as the US and China, the need for a broader law for both government and private agencies, and whether Aadhaar should be part of the new data privacy framework. Edited excerpts:
Should the new data privacy law apply to both government and private agencies?
I think there should be a broader law on data protection and privacy, which applies to everyone. That’s my view.
Should that include Aadhaar?
Aadhaar will definitely be a part of this. I am sure if something needs to be modified in the Aadhaar law, it will be done. The fact is that we have to thank Aadhaar for bringing in a modern data privacy regime in India. Eight years ago, in May 2010, I wrote to the prime minister, saying that we should have a data privacy law. And I’m glad that eight years later, it looks like it’s going to come. I think the fundamental right to privacy has laid down a very brilliant conceptual framework—the argument is that there is a fundamental right to privacy, but the state in the pursuit of certain social and national objectives, can circumscribe it... I think Aadhaar fits squarely in that matrix (fundamental right to privacy).
You say that Aadhaar has facilitated a data privacy regime, but there has been considerable debate on that point, especially on whether it has been misused.
The fact of the matter is that if you go back and see the history of data privacy in India... in some sense, it began with my letter in May 2010. And then as you know, the department of personnel and training took up the matter of drafting a privacy law. Then there was the A.P. Shah committee, Ashok Pal Singh of UIDAI was a member of that committee. So, we have been involved in this thing for a long time. Then, the Aadhaar case led to the government saying that there was no fundamental right to privacy, which went to the Supreme Court (SC) nine-judge bench. That bench happened because there was an Aadhaar case. The arguments on Aadhaar led to the impetus to first of all define privacy as a fundamental right, and under what conditions privacy can be circumscribed. The Aadhaar bill was passed by the government, and then the SC upheld the decision of mandatory linkage of PAN cards with Aadhaar. Now, we’ll have two important things—the draft law from the Srikrishna committee and the SC judgement. All of this will happen in the next two months. All this wouldn’t have happened, but for Aadhaar.
How can Aadhaar be regulated to stop misuse?
I think Aadhaar has very strong privacy protection. It’s designed for privacy. It’s not a data collection mechanism. It’s an ID verification mechanism. The database is federated, the data is there in different databases... Now, with additional safeguards that have come with virtual ID, tokenization and face authentication, I think it’s really designed for privacy.
What are your expectations from the Srikrishna committee report?
There are two things: fundamental right to privacy and data protection law. The Srikrishna committee report will lay out the framework for data collection, the responsibilities of the people who collect data, how do they take consent, what is the accountability of these organizations if they misuse the data, and so on and so forth. To me, the real story is about the data empowerment that is happening in India.