Abnormality manifests
itself in myriad ways. The manifesto titled “2083: A European
Declaration of Independence” brought out by Norwegian gunman and
neo-Crusader, Anders Behring Breivik who carried out the heinous attacks on his
fellow citizens is actually a unique identity manifesto. This manifesto
refers to the word "identity" over 100 times, "unique" over
40 times and "identification" over 10 times. There is reference to
"state-issued identity cards", "converts’ identity cards",
"identification card", "fingerprints", "DNA" etc.
Is it not true that only a misanthrope can approve of it?
Aadhaar
and Other Laws (Amendment) Bill, 2018 has brought the relationship of
Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and
Services) Act, 2016 with Indian Telegraph Act, 1885, and the Prevention of
Money Laundering Act, 2002 to light. Notably, Aadhaar Act which was enacted for "assigning of unique identity numbers" to such individuals who have "resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment" has been found to be questionable in the verdict of the 5-Judge Constitution Bench of the Supreme Court.
Earlier, Finance Act 2017 had brought the
relationship between Income Tax Act, Aadhaar Act and Companies Act, 2013 to the
fore. The expert committee on data protection framework has recorded that at
last 50 existing laws will be impacted by any enactment of data protection law
including Indian Telegraph Act, 1885 and Prevention of Money Laundering Act,
2002 besides Information Technology Act, 2000.
It has also suggested at least two dozen amendments to the Aadhaar Act,
2016 “from a data protection perspective.” It failed to deal with the
DNA
Technology (Use and Application) Regulation Act, 2018 which has now been
passed by Lok Sabha without enacting right to data protection and privacy law.
Both Aadhaar legislation
and DNA legislation are structurally linked. Biometrics is turning
the human body into the universal ID card of the future. As per Section 2 (G)
of Aadhaar Act 2016, “biometric information” means photograph, fingerprint,
Iris scan, or any other biological attributes specified by regulations. Thus,
it clearly includes biological attributes like voice print and DNA. Human DNA
profiling is aimed at regulating the use of Deoxyribose Nucleic Acid (DNA)
analysis of human body substances profiles and to establish the DNA Profiling Board
for laying down the standards for laboratories, collection of human body
substances, custody trail from collection to reporting and also to establish a
National DNA Data Bank and for matters connected therewith or incidental
thereto. The Bill provides for procurement of “Intimate body sample” which
means a sample of blood, semen or any other tissue, fluid, urine, or pubic
hair, a dental impression; or a swab taken from a person’s body orifice other
than mouth obtained through “Intimate forensic procedure”. The intimate forensic procedure means the
following forensic procedures, namely:- an external examination of the genital
or anal area, the buttocks and also breasts in the case of a female breast; the
taking of a sample of blood; the taking of a sample of pubic hair; the taking
of a sample by swab or washing from the external genital or anal area, the
buttocks and also breasts in the case of a female; the taking of a sample by
vacuum suction, by scraping or by lifting by tape from the external genital or
anal area, the buttocks and also breasts in the case of a female; the taking of
a dental impression and the taking of a photograph or video recording of, or an
impression or cast of a wound from, the genital or anal area, the buttocks and
also breasts in the case of a female.
When one looks at
the definition of the "Biometrics" which "means the technologies
that measure and analyse human body characteristics, such as 'fingerprints',
'eye retinas and irises', 'voice patterns', "facial patterns', 'hand
measurements' and 'DNA' for authentication purposes" as per Information
Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011 under section 87 read with section 43A of Information
Technology Act, 2000, it becomes clear that the plan of data collection does
not end with collection of finger prints and iris scan, it goes quite beyond
it.
The fact remains
biometric data like finger print, voice print, iris scan and DNA do not reveal
citizenship. While use of biometric technology, an advanced technique for the
identification of humans, based on their characteristics or traits is unfolding
there is agency within India too. These traits can be face, fingerprint, iris,
voice, signature, palm, vein, and DNA. DNA recognition and vein recognition are
the latest and most advanced types of biometric authentication. Biometric
technology is being deployed in the application areas like government, travel
and immigration, banking and finance, and defense. Government applications
cover voting, personal ID, license, building access, etc; whereas travel and
immigration use biometric authentication for border access control,
immigration, detection of explosives at the airports, etc. Banking and finance
sector use biometric authentication for account access, ATM security, etc.
Such profiling is
aimed at examination of human biological material that is coded with “the past
history and thus dictate the future of an individual’s racial and genealogical
makeup, and influence an individual’s medical and psychological makeup.” The
proponents of the biometric profiling such tools can make all citizens ‘safe’
forever. Unmindful of dangerous ramifications of such applications, biometric
ID's are all set to be made as common as e-mail addresses. Biometric
information includes DNA profiling wherein biological traits are taken from a
person because by their very nature are unique to the individual and positively
identifies that person within an ever larger population as the technology
improves.
A decision of the
European Court of Human Rights (ECHR) is quite relevant in this regard. The
case was heard publicly on February 27, 2008, and the unanimous decision of 17
judges was delivered on December 4, 2008. The court found that the “blanket and
indiscriminate nature” of the power of retention of the fingerprints, cellular
samples, and DNA profiles of persons suspected but not convicted of offenses,
failed to strike a fair balance between competing public and private interests
and ruled that the United Kingdom had “overstepped any acceptable margin of
appreciation” in this regard. The decision is nonappealable. The Court cannot
ignore this decision because the Aadhaar Act extends to DNA through the
definition of biometric information in Section 2 (g). The Court’s
observation must be seen in the context of what happened in 1998 at National
Biometric Test Center, San Jose State University set up by the Biometric
Consortium, which is the US government interest group on biometric
authentication. The centre was asked to testify to the USA's House Committee on
Banking and Financial Services hearing on "Biometrics and the Future of
Money". This testimony of May 20, 1998 was reprinted under the title,
"Biometric Identification and the Financial Services Industry. This centre
emerged from a meeting of Biometric Consortium held in 1995 at the Federal
Bureau of Investigation (FBI) training facility. This Test Center has defined
biometric authentication as "the automatic identification or identity
verification of an individual based on physiological and behavioral
characteristics". Agencies like US Department of Defence, North Atlantic
Treaty Organisation, World Bank Group, USAID and Interpol has been promoting
such automatic identification in at least 14 developing countries including Pakistan,
Bangladesh and Nepal without any democratic mandate as part of a convergence
project to ensure merger of private sector, public sector and citizens sector.
The E-identity and biometric UID/Aadhaar related projects are part of World
Bank's e-Transform Initiative formally launched on April 23, 2010 for
convergence.
Amendments
undertaken through the Aadhaar and Other Laws (Amendment) Bill, 2018 draw from
the recommendations made in the report of the expert committee on data
protection framework. The report in question was prepared by a conflict of
interest ridden expert committee which was constituted by the Ministry of
Electronics & Information Technology (UIDAI), the parent ministry of Unique
Identification Authority of India (UIDAI) on 31 July, 2017 as part of its
argument contending that right to privacy is not a fundamental right in order
to avoid adverse verdict by 9-Judge Constitution Bench of the Supreme Court. The
report suffers from sterile legal imagination. The verdict categorically
rejected government’s position on right to privacy. The members of the expert
committee represented government’s position. After the verdict, there was no
change in the terms of reference of the expert committee and the composition of
the committee despite bitter objections. Not surprisingly, the report has been
severely criticized.
In
an attempt to undo the verdict of the Supreme Court dated September 26, 2018 in
UID/Aadhaar case, the proposed amendment Bill has been moved in the Rajya
Sabha by Ravi Shankar Prasad, Minister of Law and Justice, Electronics and
Information Technology for consideration. It was passed by the Lok Sabha on 4 January
2019 amidst vociferous protest. In effect, the proposed amendment is an exercise aimed at re-introducing Section
57 of the Aadhaar Act, 2016 which has been pronounced unconstitutional by the Court
because it facilitated UID/Aadhaar-based authentication and storage of related
data by private commercial and non-commercial entities. The amendments in the
Aadhaar Act, Telegraph Act and the Prevention of Money Laundering Act attempts
to legalize use of Aadhaar-based e-KYC authentication and storage of Aadhaar
related sensitive information by private commercial and non-commercial entities
for their electronic commerce. It is apparently being done under the influence
of limitless and anonymous donations of beneficial owners of e-technologies and
biometric technologies legalized through Finance Act 2017 and Finance Act 2018.
While
verdict of the 5-Judge Constitution Bench of Supreme Court on Union Ministry of
Electronics and Information Technology (MEITY)’s Unique Identification (UID)/Aadhaar
number database project being implemented by Unique Identification Authority of
India (UIDAI), Aadhaar Act 2016 and indiscriminate metadata collection of
Indian residents is 1448 pages long, the portion which is authored by Justice
Arjan Kumar Singh is only 567 pages long. This part of the order has been
written by him but it has been signed by 45th Chief Justice of India
Dipak Misra and Justice A M Khanwilkar. Justice
J Chelameswar
who was the presiding judge of the 3-Judge Bench of the Court who referred the matter to the Constitution Bench by his order was not made part
of the Constitution Bench set up by Justice Misra who made himself its part
although had never heard the case. In fact when he was made a member of an
earlier Bench to hear this very case he had disassociated himself for some reason. In a separate order, Justice Ashok
Bhushan has expressed agreement with the order authored by Justice Sikri. The
dissenting order of Justice Dr. D.Y. Chandrachud of this
5-Judge Constitution Bench assumes greater significance because it is he who
authored the leading order of the 9-Judge Constitution Bench on right to
privacy in this very case which had the concurrence of all the judges including Justices J Chelameswar, R F
Nariman, Sanjay Kishan Kaul
and S.A. Bobde. A harmonious construction of the verdict of Justice Chandrachud
as part of 9-Judge Bench and his dissenting order as part of 5-Judge Bench
shows a crystal clear picture of Justice Sikri’s order. It is evident that
latter’s order is inconsistent with the order of 9-Judge Constitution Bench but
its saving grace is that it outlawed the role of private entities in
UID/Aadhaar project. The proposed Amendment Bill introduced by MEITY aims to undo even this
aspect of Justice Sikri’s order. Given the fact that neither the Privacy Bill
nor Data Protection Bill has been introduced prior to the introduction of the proposed
Aaadhar Amendment Bill, it emerges that Justice Chandrachud’s trust in
government expressed as part of the order authored by him in the right to
privacy verdict was misplaced.
The inertia in
introducing the Privacy Bill or Data Protection Bill and alacrity with which Aadhaar
Amendment Bill has been introduced can be traced to the letter dated 20
November 2018 sent by transnational commercial interests to the Prime Minister,
Finance Minister of Finance, Secretary of the Ministry of Electronics and
Information Technology, Minister of Commerce and Industry and National Cyber
Security Coordinator, National Security Council Secretariat and the Chairman,
RBI on the subject of “Data Localization Requirements in India’s Draft Privacy
Law and Reserve Bank of India Circular on Electronic Payments”. The letter was
authored by the Global Services Coalition (GSC) that claims to represent “the
services sector”. The letter is signed by
GSC members like Canadian Services Coalition, European Services Forum (ESF), Hong
Kong Coalition of Services Industries, Japan Services Network, BusinessNZ, Taiwan
Coalition of Services Industries, TheCityUK, Coalition of Services Industries
and Australian Services Roundtable.
These transnational commercial
interests serious have expressed “concerns in relation to the Indian
Government’s apparent increasing use of mandatory data localization
requirements, including the Reserve Bank of India’s April 6, 2018 Directive requiring
that all data relating to electronic payment systems be stored locally in
India, as well as the data localization requirements contained in the 2018
Personal Data Protection Bill (PDPB).” It asked the Prime Minister to ensure
that “cross-border data flows need not be impeded, and that any exceptions
should be limited to legitimate public policy objectives, be non-discriminatory
in their operation, and comply with the General Agreement on Trade in Services
(GATS) Articles XIV and XIV bis.” This is significant because attempts are
underway in WTO talks to redefine even goods as services. Notably, the new
Consumer Protection law provides for unique identity (UID) number for all
consumer goods. The transnational business enterprises will have Indians believe
that “Data localization requirements and other policies that restrict data
flows are likely to constrain growth and innovation, and reduce the scope for
leading Indian IT firms and their GSC counterparts to engage in business and
investment contributing to promoting India’s competitiveness and growth.” These
commercial interests do not reveal whether or not their own home countries have
“Data localization requirements”.
In an explicit response
to the Indian Supreme Court’s verdict on right to privacy, UID/Aadhaar and the
proposed Privacy or Data Protection Law, in their letter these commercial
interests observed, “as the proposed rules would apply to all personal data
processed within India, they could in fact cover personal data collected from
residents of foreign jurisdictions and sent to India for processing. As many
organizations outside India rely on Indian-based companies to process foreign
personal data, the application of Indian privacy rules to the processing of
such data in India would impose an added layer of regulation, discouraging the
use of Indian-based service providers.” This observation reveals that they are
more concerned about the personal data collected from residents of foreign
jurisdictions and sent to India for processing than the personal data of Indians. They fail to state that “data
localization enhances data security”, it simply states that there is no evidence
in this regard. Lack of evidence does not prove that data localization harms
data security.
Their letter recommends “voluntary set of privacy principles that can
guide data protection practices and procedures” in place of mandatory laws to
govern data flows. It suggest that Government of India should address its data privacy
and security concerns without data localization requirements unmindful of the costs
and potential adverse impacts of unregulated and unimpeded cross-border data flow.
These transnational commercial interests seem to have prevailed on the Prime
Minister, Finance Minister, MEITY and Commerce & Industry Ministry to adopt
“alternative regulatory approaches that can ensure data privacy and security
while facilitating cross-border data flows” by expressing its trust in “voluntary
set of privacy principles”. Notably, the contract agreements which UIDAI has
signed in the name of President of India with foreign firms like Accenture,
Safran Group and Ernst & Young has ensured free flow of all demographic and
biometric data to such firms which they can keep for up to seven years. In
electronic age, seven years means for eternity. It means they can milk the data
of all present and future Indians for all times to come. Such one sided free
flow of data has become a guaranteed source of revenue for these firms.
Referring to UID/Aadhaar project, Justice
Sikri observes: “Its
use is spreading like wildfire, which is the result of robust and aggressive
campaigning done by the Government, governmental agencies and other such
bodies….The Government boasts of multiple benefits of Aadhaar.” It may be
recalled that first Chairman of UIDAI used to refer to “robust and aggressive
campaigning” as marketing saying success or failure of UID/Aadhaar depends on
its marketing or campaigning. The judge in question recognizes that this
project is a result of marketing. He carefully uses the word “boasts” with
regard to government’s claims about its “multiple benefits” from UID/Aadhaar
project.
The Forty-Second Report of Parliamentary
Standing Committee on Finance submitted to the Lok Sabha and Rajya Sabha on 13 December, 2011
revealed that “Bharatiya - Automated Finger Print Identification
System (AFSI), was launched in January 2009, being funded by” the government “for
collection of biometric information of the people of
the country.” But UIDAI chose not to use it because, “The quality, nature and manner of collection of biometric data by other
biometric projects may not be of the nature that can be used for the purpose of
the Aadhaar scheme and hence it may not be possible to use the fingerprints
captured under the Bhartiya-AFSI project.” Government reached the conclusion that biometric
technology of foreign firms is better than the existing Indian one from the
point of uniqueness without any comparative study.
Justice Sikri‘s order refers to the Fifty
Third Report of this very Standing Committee on Finance that presented to the
Lok Sabha and Rajya Sabha on April 24, 2012 which summarised the objectives and
financial implications of the UID scheme but it does
not factor in the recommendations of this very Parliamentary Standing Committee
in its Forty-Second Report which shows
the existence of India’s own biometric technology.
The parliamentary report had apprehended that “Although the scheme claims
that obtaining aadhaar number is voluntary, an apprehension is found to have
developed in the minds of people that in future, services / benefits including
food entitlements would be denied in case they do not have aadhaar number.” Its
apprehension has been found to be correct.
Parliamentary
Standing Committee’s Forty-Second
Report relied on the Report of the London School of Economics (LSE)
“Report on UK’s Identity Project inter-alia states that “…..identity
systems may create a range of new and unforeseen problems……the risk of failure
in the current proposals is therefore magnified to the point where the scheme
should be regarded as a potential danger to the public interest and to the
legal rights of individuals”. It records that “the United Kingdom shelved its
Identity Cards Project for a number of reasons, which included:- (a) huge cost
involved and possible cost overruns; (b) too complex; (c) untested, unreliable
and unsafe technology; (d) possibility of risk to the safety and security of
citizens; and (e) requirement of high standard security measures, which would
result in escalating the estimated operational costs.” It states that “As these
findings are very much relevant and applicable to the UID scheme, they should
have been seriously considered.” It has not been done even after eight years of
the scheme.
The
claim of uniqueness of UID/Aadhaar which Justice Sikri has accepted is based on
the unscientific assumption that there are parts of human body likes
fingerprint, iris, voice etc that does not age, wither and decay with the
passage of time. A report “Biometrics: The Difference Engine: Dubious security”
published by The Economist in its 1
October 2010 issue observed “Biometric identification can even invite violence.
A motorist in Germany had a finger chopped off by thieves seeking to steal his
exotic car, which used a fingerprint reader instead of a conventional door
lock.” Amidst ongoing starvation deaths of citizens, it is evident that UID/Aadhaar
database project is an invitation of myriad forms of violence including civil
death.
It is possible that such civilian and non-civilian
applications are being bulldozed by some commercial entities in order to store
and read biometric and DNA script of Indian population in the aftermath of the
sequencing of Human Genome for epigenetics, medicine, big data, social control,
inheritance, eugenics and genetic determinism. Under the tremendous influence
and unprecedented onslaught from unregulated and ungovernable technology
companies, so far Central Government and State Governments have failed to
safeguard national security and citizens’ liberty which is part of right to
life.
These aspects have been ignored in the proposed Aadhaar
Amendment Bill. Given the fact that five review petitions have been filed seeking
review of Justice Sikri’s order, the proposed Bill seems to be aimed at presenting
a fait accompli. It is apparent that the passage of Human DNA Profiling
Bill
is part of the Plan B of the technology vendors and their collaborators. These developments
assume significance in a context wherein the Supreme Court has chosen to limit
its own power of judicial review under Article 32 by forgetting to read it
jointly with Article 13 of the Indian Constitution. Unless Court undertakes joint
reading of both the Articles providing for judicial review as an exception to
separation of powers between different organs of the State, it will continue to
pave the way for making Constitution of India subservient to contract agreements.
Dr Gopal Krishna
The author is convener Citizens
Forum for Civil Liberties (CFCL). CFCL is research and advocacy forum focused on surveillance and DNA profiling
technologies since 2010. He had appeared before the Parliamentary Standing on
Finance that examined and trashed the Aadhaar Bill, 2010. He is also the editor of www.toxicswatch.org
Post a Comment