Last week, Parliament passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The passage of the law aimed at creating legislative backing belatedly for a programme that has spent thousands of crores without debate or scrutiny, has predictably sparked debates – about non-citizens availing of public benefits and subsidies and the other important issue of privacy. Given the National Democratic Alliance government’s focus on governance efficiency and execution, I have no doubt that Aadhaar, in its new avatar as a subsidy delivery platform, will benefit our country greatly – it will plug leakages and improve the quality of life of our citizens.

Ironically, political parties like the Congress, which conceived of Aadhaar in its original form, and the Left, which remained silent through its growth backed by thousands of crores of taxpayers money, have woken up belatedly to this debate on individual privacy rights.

The complete disregard of the call for privacy protections from various quarters by the Congress-led United Progressive Alliance and the architects of Aadhaar was what caused it to land in the Supreme Court. Having been closely involved in the debate on Aadhaar and privacy, both as a legislator and an impleading petitioner in the Aadhaar matter in the Supreme Court, I can attest to the fact that the NDA Aadhaar is very different from the UPA Aadhaar in many ways – specifically on the issue of privacy rights – starting with the acknowledgement by the government that privacy is a fundamental right. This is reflected in the NDA’s Aadhaar Bill 2016, with its substantively expanded sections on privacy and protection of information.

Digital privacy for Digital India

This significant progress in privacy around Aadhaar has been welcomed by many – and in a case of heavy irony – including those who paid short shrift to this aspect in the last five years as Aadhaar was being rolled out. Ironic, because my friend Nandan Nilekani (the former head of the Unique Identification Authority of India, which manages the project) only in September last year, in an op-ed in The Indian Express (to which I wrote a counter), tried making a case that no privacy protection was required because the UPA Aadhaar with its supposedly “federated architecture”, ensured “privacy by design”, and that the manner in which the system collated and stored data of citizens “hardly qualifies as a violation of their right to privacy”. Nilekani used this to question the Supreme Court’s interim order that called for the limited use of Aadhaar due to privacy concerns. From that position to marking a new one on March 9, Nilekani has welcomed the privacy provisions in the NDA’s Aadhaar bill and termed it as “unprecedented level for Indian law”.

Whilst I agree with Nilekani’s welcoming of the NDA Aadhaar Bill’s privacy provisions as a significant step from his original discourse, I am afraid that his position remains as it has been throughout the Aadhaar debate – behind the curve on both the architecture and privacy aspects of Aadhaar. Because the reality is that while the NDA’s Aadhaar bill has made big strides on privacy, there are still some ways to travel before digital privacy is a reality for consumers in India.

Need for a privacy law

The Aadhaar built by the UPA was violative of the Citizenship Act, 1955, as the database did not even identify whether a person who was enrolling was a citizen or not. This allowed illegal migrants and non-citizens to enrol with Aadhaar and avail of public money and subsidies. To its credit, the NDA, which had inherited a poorly-conceived Aadhaar, did exceedingly well to convert what was being pushed as a flawed national identification programme into a limited programme that will exclusively deliver subsidies, benefits and services to those who enrol.

This, however, as I’d mentioned in my speech in Parliament, makes Aadhaar only useful if it works alongside many other databases for schemes such as Jan Dhan Yojana, LPG, Mobile and BPL. Since these databases are not covered under the privacy clauses of Aadhaar, a separate robust, overarching privacy legislation will be required to bring all allied government databases into its ambit.

Further, as I’d stated in Parliament, the inherent dangers arising from the centralised nature of the Central Identities Data Repository [a government agency that stores and manages data for the Aadhaar project] under Aadhaar cannot be ignored. A centralised database is inherently less secure and easy to break into. In the past, the government has mishandled Aadhaar data. In 2013, the Maharashtra government admitted the loss of personal data of about 3 lakh applicants for Aadhaar cards. Experts recognise the inherent failings of a centralised system – that information systems and databases with a central point of failure are inherently vulnerable because the possibility of failure exists.

IT Act and privacy protections

Further, while the Aadhaar Bill, 2016, offers expanded privacy protections by invoking Section 43A of the IT Act, 2000, there is a need for this to be further bolstered. There is ample evidence in the public domain which points to how easy it is for governments to get personal data out from entities that have no liabilities under any legislation. In a letter to the minister of communications & information technology last year, Ravi Shankar Prasad, I had urged for amendments to the IT Act – these include an expansion of the definition of sensitive personal data under Rule 3 of the sensitive personal data rules; the extension of data protection provisions to government agencies, not for profits and others; correcting the flaws in the drafting of Section 72A; and aligning India’s privacy protection to international standards.

Further, the cyber appellate tribunals meant to be constituted under the IT Act are currently inactive, and their constitution does not equip them with the kind of technical capacity needed to adjudicate these disputes.

Most will agree that these must be acted on as an urgent priority, in order for us to reach an “unprecedented level of protections for privacy”.

The road ahead

I have argued for several years now that as India becomes more digital under prime minister Narendra Modi’s visionary Digital India programme – a corresponding set of consumer rights needs to be developed to protect Digital Indians. Net neutrality, quality of service or QoS, security and privacy are some of what needs to be in the Magna Carta of Digital India. So, as we are evolving our net neutrality legal framework, the government too should start the debate on privacy and evolve the legal framework for it. I was reassured in Parliament during the Aadhaar Bill debate by Finance Minister Arun Jaitley that the government would look into this need for privacy legislation after the Supreme Court’s decision.

While we await the court to take a view on the issue, the best course of action for the government would be to initiate a multi-stakeholder consultation on the right to privacy, so that the views of various stakeholders, including security agencies, are taken into account while this legislation is being conceived and architected.

Rajeev Chandrasekhar is a Member of Parliament from the Rajya Sabha.