Tuesday, January 08, 2019

Ramifications of relationship between e-commerce laws like Aadhaar Act, DNA Bill and other laws-XVI


Abnormality manifests itself in myriad ways. The manifesto titled “2083: A European Declaration of Independence” brought out by Norwegian gunman and neo-Crusader, Anders Behring Breivik who carried out the heinous attacks on his fellow citizens is actually a unique identity manifesto. This manifesto refers to the word "identity" over 100 times, "unique" over 40 times and "identification" over 10 times. There is reference to "state-issued identity cards", "converts’ identity cards", "identification card", "fingerprints", "DNA" etc. Is it not true that only a misanthrope can approve of it?

Aadhaar and Other Laws (Amendment) Bill, 2018 has brought the relationship of Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 with Indian Telegraph Act, 1885, and the Prevention of Money Laundering Act, 2002 to light. Notably, Aadhaar Act which was enacted for "assigning of unique identity numbers" to such individuals who have "resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment" has been found to be questionable in the verdict of the 5-Judge Constitution Bench of the Supreme Court. 

Earlier, Finance Act 2017 had brought the relationship between Income Tax Act, Aadhaar Act and Companies Act, 2013 to the fore. The expert committee on data protection framework has recorded that at least 50 existing laws will be impacted by any enactment of data protection law including Indian Telegraph Act, 1885 and Prevention of Money Laundering Act, 2002 besides Information Technology Act, 2000. It has also suggested at least two dozen amendments to the Aadhaar Act, 2016 “from a data protection perspective.” It failed to deal with the DNA Technology (Use and Application) Regulation Act, 2018 which has now been passed by Lok Sabha without enacting right to data protection and privacy law.

Both Aadhaar legislation and DNA legislation are structurally linked. Biometrics is turning the human body into the universal ID card of the future. As per Section 2 (g) of Aadhaar Act 2016, “biometric information” means photograph, fingerprint, iris scan, or any other biological attributes specified by regulations. Thus, it clearly includes biological attributes like voice print and DNA. Human DNA profiling is aimed at regulating the use of Deoxyribose Nucleic Acid (DNA) analysis of human body substances profiles and to establish the DNA Profiling Board for laying down the standards for laboratories, collection of human body substances, custody trail from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto. The Bill provides for procurement of “Intimate body sample” which means a sample of blood, semen or any other tissue, fluid, urine, or pubic hair, a dental impression; or a swab taken from a person’s body orifice other than mouth obtained through “Intimate forensic procedure”. The intimate forensic procedure means the following forensic procedures, namely:- an external examination of the genital or anal area, the buttocks and also breasts in the case of a female; the taking of a sample of blood; the taking of a sample of pubic hair; the taking of a sample by swab or washing from the external genital or anal area, the buttocks and also breasts in the case of a female; the taking of a sample by vacuum suction, by scraping or by lifting by tape from the external genital or anal area, the buttocks and also breasts in the case of a female; the taking of a dental impression and the taking of a photograph or video recording of, or an impression or cast of a wound from, the genital or anal area, the buttocks and also breasts in the case of a female.

When one looks at the definition of "Biometrics", which "means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes" as per Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 87 read with section 43A of Information Technology Act, 2000, it becomes clear that the plan of data collection does not end with collection of fingerprints and iris scans; it goes quite beyond it.

The fact remains biometric data like finger print, voice print, iris scan and DNA do not reveal citizenship. While use of biometric technology, an advanced technique for the identification of humans, based on their characteristics or traits is unfolding there is agency within India too. These traits can be face, fingerprint, iris, voice, signature, palm, vein, and DNA. DNA recognition and vein recognition are the latest and most advanced types of biometric authentication. Biometric technology is being deployed in the application areas like government, travel and immigration, banking and finance, and defense. Government applications cover voting, personal ID, license, building access, etc; whereas travel and immigration use biometric authentication for border access control, immigration, detection of explosives at the airports, etc. Banking and finance sector use biometric authentication for account access, ATM security, etc.

Such profiling is aimed at examination of human biological material that is coded with “the past history and thus dictate the future of an individual’s racial and genealogical makeup, and influence an individual’s medical and psychological makeup.” The proponents of biometric profiling claim such tools can make all citizens ‘safe’ forever. Unmindful of dangerous ramifications of such applications, biometric IDs are all set to be made as common as e-mail addresses. Biometric information includes DNA profiling wherein biological traits are taken from a person because by their very nature they are unique to the individual and positively identify that person within an ever larger population as the technology improves.

A decision of the European Court of Human Rights (ECHR) is quite relevant in this regard. The case was heard publicly on February 27, 2008, and the unanimous decision of 17 judges was delivered on December 4, 2008. The court found that the “blanket and indiscriminate nature” of the power of retention of the fingerprints, cellular samples, and DNA profiles of persons suspected but not convicted of offenses, failed to strike a fair balance between competing public and private interests and ruled that the United Kingdom had “overstepped any acceptable margin of appreciation” in this regard. The decision is nonappealable. The Court cannot ignore this decision because the Aadhaar Act extends to DNA through the definition of biometric information in Section 2 (g). The Court’s observation must be seen in the context of what happened in 1998 at National Biometric Test Center, San Jose State University set up by the Biometric Consortium, which is the US government interest group on biometric authentication. The centre was asked to testify to the USA's House Committee on Banking and Financial Services hearing on "Biometrics and the Future of Money". This testimony of May 20, 1998 was reprinted under the title, "Biometric Identification and the Financial Services Industry". This centre emerged from a meeting of Biometric Consortium held in 1995 at the Federal Bureau of Investigation (FBI) training facility. This Test Center has defined biometric authentication as "the automatic identification or identity verification of an individual based on physiological and behavioral characteristics". Agencies like US Department of Defence, North Atlantic Treaty Organisation, World Bank Group, USAID and Interpol have been promoting such automatic identification in at least 14 developing countries including Pakistan, Bangladesh and Nepal without any democratic mandate as part of a convergence project to ensure merger of private sector, public sector and citizens sector.
The E-identity and biometric UID/Aadhaar related projects are part of World Bank's e-Transform Initiative formally launched on April 23, 2010 for convergence. 

Amendments undertaken through the Aadhaar and Other Laws (Amendment) Bill, 2018 draw from the recommendations made in the report of the expert committee on data protection framework. The report in question was prepared by a conflict-of-interest-ridden expert committee which was constituted by the Ministry of Electronics & Information Technology (MEITY), the parent ministry of Unique Identification Authority of India (UIDAI) on 31 July, 2017 as part of its argument contending that right to privacy is not a fundamental right in order to avoid adverse verdict by 9-Judge Constitution Bench of the Supreme Court. The report suffers from sterile legal imagination. The verdict categorically rejected government’s position on right to privacy. The members of the expert committee represented government’s position. After the verdict, there was no change in the terms of reference of the expert committee and the composition of the committee despite bitter objections. Not surprisingly, the report has been severely criticized.

In an attempt to undo the verdict of the Supreme Court dated September 26, 2018 in UID/Aadhaar case, the proposed amendment Bill has been moved in the Rajya Sabha by Ravi Shankar Prasad, Minister of Law and Justice, Electronics and Information Technology for consideration. It was passed by the Lok Sabha on 4 January 2019 amidst vociferous protest. In effect, the proposed amendment is an exercise aimed at re-introducing Section 57 of the Aadhaar Act, 2016 which has been pronounced unconstitutional by the Court because it facilitated UID/Aadhaar-based authentication and storage of related data by private commercial and non-commercial entities. The amendments in the Aadhaar Act, Telegraph Act and the Prevention of Money Laundering Act attempt to legalize use of Aadhaar-based e-KYC authentication and storage of Aadhaar related sensitive information by private commercial and non-commercial entities for their electronic commerce. It is apparently being done under the influence of limitless and anonymous donations of beneficial owners of e-technologies and biometric technologies legalized through Finance Act 2017 and Finance Act 2018.

While verdict of the 5-Judge Constitution Bench of Supreme Court on Union Ministry of Electronics and Information Technology (MEITY)’s Unique Identification (UID)/Aadhaar number database project being implemented by Unique Identification Authority of India (UIDAI), Aadhaar Act 2016 and indiscriminate metadata collection of Indian residents is 1448 pages long, the portion which is authored by Justice Arjan Kumar Singh is only 567 pages long. This part of the order has been written by him but it has been signed by 45th Chief Justice of India Dipak Misra and Justice A M Khanwilkar. Justice J Chelameswar who was the presiding judge of the 3-Judge Bench of the Court who referred the matter to the Constitution Bench by his order was not made part of the Constitution Bench set up by Justice Misra who made himself its part although had never heard the case. In fact when he was made a member of an earlier Bench to hear this very case he had disassociated himself for some reason. In a separate order, Justice Ashok Bhushan has expressed agreement with the order authored by Justice Sikri. The dissenting order of Justice Dr. D.Y. Chandrachud of this 5-Judge Constitution Bench assumes greater significance because it is he who authored the leading order of the 9-Judge Constitution Bench on right to privacy in this very case which had the concurrence of all the judges including Justices J Chelameswar, R F Nariman, Sanjay Kishan Kaul and S.A. Bobde. A harmonious construction of the verdict of Justice Chandrachud as part of 9-Judge Bench and his dissenting order as part of 5-Judge Bench shows a crystal clear picture of Justice Sikri’s order. It is evident that latter’s order is inconsistent with the order of 9-Judge Constitution Bench but its saving grace is that it outlawed the role of private entities in UID/Aadhaar project. The proposed Amendment Bill introduced by MEITY aims to undo even this aspect of Justice Sikri’s order. 
Given the fact that neither the Privacy Bill nor Data Protection Bill has been introduced prior to the introduction of the proposed Aadhaar Amendment Bill, it emerges that Justice Chandrachud’s trust in government expressed as part of the order authored by him in the right to privacy verdict was misplaced.

The inertia in introducing the Privacy Bill or Data Protection Bill and alacrity with which Aadhaar Amendment Bill has been introduced can be traced to the letter dated 20 November 2018 sent by transnational commercial interests to the Prime Minister, Finance Minister, Secretary of the Ministry of Electronics and Information Technology, Minister of Commerce and Industry and National Cyber Security Coordinator, National Security Council Secretariat and the Chairman, RBI on the subject of “Data Localization Requirements in India’s Draft Privacy Law and Reserve Bank of India Circular on Electronic Payments”. The letter was authored by the Global Services Coalition (GSC) that claims to represent “the services sector”. The letter is signed by GSC members like Canadian Services Coalition, European Services Forum (ESF), Hong Kong Coalition of Services Industries, Japan Services Network, BusinessNZ, Taiwan Coalition of Services Industries, TheCityUK, Coalition of Services Industries and Australian Services Roundtable.

These transnational commercial interests have expressed serious “concerns in relation to the Indian Government’s apparent increasing use of mandatory data localization requirements, including the Reserve Bank of India’s April 6, 2018 Directive requiring that all data relating to electronic payment systems be stored locally in India, as well as the data localization requirements contained in the 2018 Personal Data Protection Bill (PDPB).” The letter asked the Prime Minister to ensure that “cross-border data flows need not be impeded, and that any exceptions should be limited to legitimate public policy objectives, be non-discriminatory in their operation, and comply with the General Agreement on Trade in Services (GATS) Articles XIV and XIV bis.” This is significant because attempts are underway in WTO talks to redefine even goods as services. Notably, the new Consumer Protection law provides for unique identity (UID) number for all consumer goods. The transnational business enterprises will have Indians believe that “Data localization requirements and other policies that restrict data flows are likely to constrain growth and innovation, and reduce the scope for leading Indian IT firms and their GSC counterparts to engage in business and investment contributing to promoting India’s competitiveness and growth.” These commercial interests do not reveal whether or not their own home countries have “Data localization requirements”.

In an explicit response to the Indian Supreme Court’s verdict on right to privacy, UID/Aadhaar and the proposed Privacy or Data Protection Law, in their letter these commercial interests observed, “as the proposed rules would apply to all personal data processed within India, they could in fact cover personal data collected from residents of foreign jurisdictions and sent to India for processing. As many organizations outside India rely on Indian-based companies to process foreign personal data, the application of Indian privacy rules to the processing of such data in India would impose an added layer of regulation, discouraging the use of Indian-based service providers.” This observation reveals that they are more concerned about the personal data collected from residents of foreign jurisdictions and sent to India for processing than the personal data of Indians. They fail to state that “data localization enhances data security”; the letter simply states that there is no evidence in this regard. Lack of evidence does not prove that data localization harms data security.

Their letter recommends “voluntary set of privacy principles that can guide data protection practices and procedures” in place of mandatory laws to govern data flows. It suggests that Government of India should address its data privacy and security concerns without data localization requirements, unmindful of the costs and potential adverse impacts of unregulated and unimpeded cross-border data flow. These transnational commercial interests seem to have prevailed on the Prime Minister, Finance Minister, MEITY and Commerce & Industry Ministry to adopt “alternative regulatory approaches that can ensure data privacy and security while facilitating cross-border data flows” by expressing their trust in “voluntary set of privacy principles”. Notably, the contract agreements which UIDAI has signed in the name of President of India with foreign firms like Accenture, Safran Group and Ernst & Young have ensured free flow of all demographic and biometric data to such firms which they can keep for up to seven years. In the electronic age, seven years means for eternity. It means they can milk the data of all present and future Indians for all times to come. Such one-sided free flow of data has become a guaranteed source of revenue for these firms.

Referring to UID/Aadhaar project, Justice Sikri observes: “Its use is spreading like wildfire, which is the result of robust and aggressive campaigning done by the Government, governmental agencies and other such bodies….The Government boasts of multiple benefits of Aadhaar.” It may be recalled that first Chairman of UIDAI used to refer to “robust and aggressive campaigning” as marketing saying success or failure of UID/Aadhaar depends on its marketing or campaigning. The judge in question recognizes that this project is a result of marketing. He carefully uses the word “boasts” with regard to government’s claims about its “multiple benefits” from UID/Aadhaar project.

The Forty-Second Report of Parliamentary Standing Committee on Finance submitted to the Lok Sabha and Rajya Sabha on 13 December, 2011 revealed that “Bharatiya - Automated Finger Print Identification System (AFSI), was launched in January 2009, being funded by” the government “for collection of biometric information of the people of the country.” But UIDAI chose not to use it because, “The quality, nature and manner of collection of biometric data by other biometric projects may not be of the nature that can be used for the purpose of the Aadhaar scheme and hence it may not be possible to use the fingerprints captured under the Bhartiya-AFSI project.” Government reached the conclusion that biometric technology of foreign firms is better than the existing Indian one from the point of uniqueness without any comparative study.

Justice Sikri’s order refers to the Fifty Third Report of this very Standing Committee on Finance that was presented to the Lok Sabha and Rajya Sabha on April 24, 2012, which summarised the objectives and financial implications of the UID scheme, but it does not factor in the recommendations of this very Parliamentary Standing Committee in its Forty-Second Report which shows the existence of India’s own biometric technology.

The parliamentary report had apprehended that “Although the scheme claims that obtaining aadhaar number is voluntary, an apprehension is found to have developed in the minds of people that in future, services / benefits including food entitlements would be denied in case they do not have aadhaar number.” Its apprehension has been found to be correct.

Parliamentary Standing Committee’s Forty-Second Report relied on the Report of the London School of Economics (LSE) on UK’s Identity Project, which inter alia states that “…..identity systems may create a range of new and unforeseen problems……the risk of failure in the current proposals is therefore magnified to the point where the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals”. It records that “the United Kingdom shelved its Identity Cards Project for a number of reasons, which included:- (a) huge cost involved and possible cost overruns; (b) too complex; (c) untested, unreliable and unsafe technology; (d) possibility of risk to the safety and security of citizens; and (e) requirement of high standard security measures, which would result in escalating the estimated operational costs.” It states that “As these findings are very much relevant and applicable to the UID scheme, they should have been seriously considered.” It has not been done even after eight years of the scheme.

The claim of uniqueness of UID/Aadhaar which Justice Sikri has accepted is based on the unscientific assumption that there are parts of human body like fingerprint, iris, voice etc. that do not age, wither and decay with the passage of time. A report “Biometrics: The Difference Engine: Dubious security” published by The Economist in its 1 October 2010 issue observed “Biometric identification can even invite violence. A motorist in Germany had a finger chopped off by thieves seeking to steal his exotic car, which used a fingerprint reader instead of a conventional door lock.” Amidst ongoing starvation deaths of citizens, it is evident that UID/Aadhaar database project is an invitation of myriad forms of violence including civil death.

It is possible that such civilian and non-civilian applications are being bulldozed by some commercial entities in order to store and read biometric and DNA script of Indian population in the aftermath of the sequencing of Human Genome for epigenetics, medicine, big data, social control, inheritance, eugenics and genetic determinism. Under the tremendous influence and unprecedented onslaught from unregulated and ungovernable technology companies, so far Central Government and State Governments have failed to safeguard national security and citizens’ liberty which is part of right to life.

These aspects have been ignored in the proposed Aadhaar Amendment Bill. Given the fact that five review petitions have been filed seeking review of Justice Sikri’s order, the proposed Bill seems to be aimed at presenting a fait accompli. It is apparent that the passage of Human DNA Profiling Bill is part of the Plan B of the technology vendors and their collaborators. These developments assume significance in a context wherein the Supreme Court has chosen to limit its own power of judicial review under Article 32 by forgetting to read it jointly with Article 13 of the Indian Constitution. Unless Court undertakes joint reading of both the Articles providing for judicial review as an exception to separation of powers between different organs of the State, it will continue to pave the way for making Constitution of India subservient to contract agreements.     

Dr Gopal Krishna   

The author is convener of the Citizens Forum for Civil Liberties (CFCL). CFCL is a research and advocacy forum focused on surveillance and DNA profiling technologies since 2010. He had appeared before the Parliamentary Standing Committee on Finance that examined and trashed the Aadhaar Bill, 2010. He is also the editor of www.toxicswatch.org