Data gathering by public agencies picks up even as law hangs fire
The customs department mandating airlines to share personal details of international flyers, the Civil Aviation Ministry’s facial recognition system DigiYatra, the MeitY’s proposal to share non-personal data collected by the government with start-ups and researchers, CERT-In’s mandate asking virtual private network (VPN) service providers to store data of their users: these are among a rising number of moves made by the Central government and its agencies to collect and process citizens’ data — all in the absence of a data protection law.
Experts have raised concerns over this trend, questioning the government’s efforts of data collection and monetisation in the absence of a basic data protection regime. Earlier this month, the Centre withdrew the Data Protection Bill, 2021, saying that it will soon come out with a “comprehensive legal framework” for the online ecosystem.
The Bill, more than four years in the works, had gone through multiple iterations, including a review by a Joint Parliamentary Committee. While it had significant exemptions for the Centre and its agencies, it laid down a framework for consent-related mechanisms before gathering data, how personal data was supposed to be handled by various entities, and provided for a recourse mechanism in case a person’s data was compromised.
In the backdrop of the Bill’s withdrawal, so far this year, a number of Central government institutions and its related entities — ranging from the Ministry of Electronics and Information Technology (MeitY), the Central Board of Indirect Taxes and Customs (CBIC), the Civil Aviation Ministry, cybersecurity regulator CERT-In, and the Indian Railway Catering and Tourism Corporation (IRCTC) among others — have all either introduced new types of data collection or monetisation plans. While some of them eventually relented under criticism and withdrew their proposals, the initial efforts and the underlying idea of monetisation are undeniable, experts contend.
Last month, IRCTC released a tender detailing its plans to monetise its bank of passenger data for doing business with government and private entities. According to the tender, customer data that could potentially be monetised includes passengers’ name, age, mobile number, gender, email address, payment mode, “login/password”, among other things. However, last Friday, the company withdrew the tender given the absence of a data protection law in the country.
In February, the MeitY had floated a draft India Data Accessibility and Use Policy which proposed that data collected by the Centre that has “undergone value addition” can be sold in the open market for an “appropriate price”. This draft was withdrawn after it faced severe criticism over its proposal to monetise government data, and the MeitY has now come out with a draft data governance framework which looks to leverage non-personal data, that is, data that cannot identify individuals, instead.
Experts believe that there is a fundamental issue in treating citizens’ data as a “wealth resource”.
“There is a fundamental issue with our approach of trying to treat data as a ‘sovereign wealth resource’ which then creates incentives for attempts to accumulate, and subsequently monetise large volumes of data. Until this lens persists, we can expect more efforts to monetise citizens’ data even without any additional safeguards,” said Prateek Waghre, policy director at Delhi-based digital rights group Internet Freedom Foundation.
“The government’s primary concern should be service delivery and safeguarding the information it gathers from citizens towards this end. Its key objective should not be to monetise this data for profit.
“The 2018-2019 Economic Survey of India referred to data as a ‘public good’. By definition, that means it should be treated as ‘non-excludable and non-rivalrous public good’ and not traded as if it were a commodity,” he added.
Within the Centre, there are past precedents of scrapping an active policy that monetised citizens’ data, over privacy concerns.
The Ministry of Road Transport, in 2020, had scrapped its Bulk Data Sharing Policy, under which the ministry used to sell vehicle registration data (Vahan) and driving licence data (Sarathi) to private and public entities. The policy was scrapped over potential misuse of personal information and privacy issues.
Aside from monetisation, the Centre has also upped the ante on mandating entities to collect new types of citizen data and, in some cases, share it with the government.
With its new Passenger Name Record Information Regulations, 2022, issued earlier this month, the CBIC has asked airlines to mandatorily share PNR (passenger name record) details of all international passengers with the National Customs Targeting Centre-Passenger, 24 hours prior to departure of flights.
Aimed at “risk assessment”, the data to be shared includes name of the passenger; date of intended travel; all available contact details; all available payment or billing information such as credit card numbers; travel status of the passenger, including confirmation and check-in status; baggage information; seat information; and travel agency or agent from where the ticket was issued. While the notification says that the data will be subject to “strict informational privacy”, it will be stored for a period of five years.
There are more instances of data collection happening in the aviation sector — under the Civil Aviation Ministry’s DigiYatra initiative, facial recognition technology and scanners will be used at various airport checkpoints like security and boarding to ascertain the identity of passengers. Earlier this month, the Delhi International Airport soft-launched the initiative, rolling out the beta version of its app for Android platforms. The policy outlining how the initiative will be implemented states that the facial scanner will have the ability to change data purge settings based on “security requirements” and security and government agencies could be given access to passengers’ facial data.
In April, the Indian Computer Emergency Response Team (CERT-In) released a set of cybersecurity guidelines which mandated VPNs, cloud service providers and data centres to store user information like their IP address, email, address, and contact numbers among others. These are data points which could potentially be accessed by the agency in case an entity faces a cybersecurity incident.
In December 2021, the Department of Telecommunications (DoT) had amended the Unified Licence Agreement asking telecom operators and internet service providers as well as all other telecom licensees to maintain commercial and call detail records for at least two years, instead of the then current one-year practice. DoT sources had earlier told this newspaper that the amendment was based on requests from multiple security agencies.
Queries sent to IRCTC, MeitY, CBIC, CERT-In, Civil Aviation Ministry, and DoT did not elicit a response until press time.
Before all this, in 2020, the government had launched the contact tracing app Aarogya Setu — which was downloaded by millions of Indians at the height of the coronavirus pandemic — and collected data like their names, phone numbers and location. In its early days, the app was necessary for accessing a number of services including flights, until the Karnataka High Court in October 2020 ordered that the app cannot be made mandatory. The app had also triggered privacy-related concerns, given that it had access to people’s personal data, and in response, the government had released a data sharing protocol for the app. And now, as the app heads towards becoming a health app of sorts, the protocol has expired, a right to information request by IFF revealed.
All these developments come as India continues to lack a basic data protection legislation. However, government sources have said that the new Bill will incorporate the broader ideas of data protection as recommended by the Joint Parliamentary Committee and will be in line with the Supreme Court’s landmark judgement of 2017 wherein it held privacy as a fundamental right.