Forty-four years ago, the Church Committee report revealed the malpractices of the American Presidency: how it either initiated or encouraged intelligence activities to carry out domestic search operations. The operations were used to surveil political opponents, subversive citizens and dissenting voices – like Martin Luther King, Muhammad Ali, Norman Mailer, Howard Baker etc.
An expert committee framed by the Ministry of Electronics and Information Technology (Meity) has recently released a report on the Non-Personal Data (NPD) Governance Framework. The report suggests that the government may collect and use NPD “for purposes of national security, legal purposes, etc.” The policy terms these sovereign purposes, which include cybersecurity, protection of physical infrastructure, law enforcement, pandemic mapping etc.
This broad language can spur concerns regarding state surveillance, and potentially discourage consumers from sharing data with the government or with businesses, stunting innovation and growth. Moreover, clause 35 of the Personal Data Protection Bill, 2019, grants unbridled powers to the government to collect data without consent, and access to non-personal data through this report will now make citizens walking ID cards. This is perfect fodder for enhancing the future surveillance capabilities of the government by mixing personal and non-personal datasets.
For example, the Telecom Enforcement Resource Management Cells (TERM Cells) are responsible for lawful interception and monitoring of internet and call traffic passing through the networks of Indian telecommunications and internet service providers, especially for national security purposes. This enables TERM Cells to crunch huge amounts of NPD, like location details, call record details, complete lists of subscribers, data records for even failed call attempts, MSISDNs (which help to map subscriber identity to the telephone number), IMEI, call duration, type of connection etc.
Though these NPD might not cause harm in silos, once aggregated they can be used for re-identification of an individual, amounting to a violation of the autonomy, human dignity and privacy of that individual.
Data sovereignty is deployed as a tool to undermine mandatory data privacy rules and the principles of self-determination, purpose limitation and data minimization. In a democratised country, if data sovereignty needs to be enforced, a data protection framework which respects fundamental rights guaranteed by the constitution is vital.
The present notion of data sovereignty gives rise to ‘honeypots’ of tempting personal and non-personal data which raises security considerations. Thus, to enhance the principles of data sovereignty, India needs more robust security safeguards like robust encryption, anonymity tools and independent auditing requirements.
The Anonymisation Trap
Privacy statutes should be framed in such a manner that they respect the free flow of data. Free flow fuels the economy, optimizes the workings of institutions and favours the standards of liberty. Before enacting another piece of legislation on privacy, policymakers should balance the advantages of unfettered information sharing against its risks and then calibrate existing regulations.
However, lawmakers have implemented a perfect, golden bullet solution – anonymisation – that has absolved them of the need to engage in a transparent balancing act. Anonymisation has liberated policymakers by encouraging them to skim over the calculation and balancing of countervailing values such as security, innovation and the free flow of information. The overemphasis on and faith in anonymisation is still prevalent, even after researchers have proven that anonymisation is not a panacea.
The expert committee report too agrees with this conclusion:
‘Even NPD, including anonymised data, could provide collective insights that could open the way for collective harms (exploitative or discriminatory harms) against communities’. The report also identifies nine different techniques of anonymization like k-anonymity, l-diversity, t-closeness, Anonimatron and differential privacy techniques.
However, none of them has been proven to be fully adequate to obviate leakage of information. The death of anonymization will throw the laws of the state out of control, and legislators will need to find a new way to regain lost order and thereby data sovereignty. The main pillar of any data protection statute is its security safeguards, and if those prove to be ineffective, it means the rights of the data principal are in a black hole.
Data sovereignty is the right of ownership of data vested in an individual, and inefficacious anonymity tools invade the rights of the data principal, like the right to privacy, the freedom to choose, the right to erasure etc.
Data Sovereignty – Old Wine In A New Bottle?
Justice Chelameswar, in his opinion in KS Puttaswamy v. Union of India stated: “Constitutions like our own are means by which individuals – the Preambular ‘people of India’ – create ‘the state’, a new entity to serve their interests and be accountable to them, and transfer a part of their sovereignty to it”. Citizens since time immemorial have been granting their sovereignty to the government in exchange for safeguarding their rights, and in the digital age, their information rights.
It is not a new concept. However, in the digital age, it is portrayed that data sovereignty, akin to data localization, would prove to be expensive, reduce foreign investments, hinder the promotion of India as a new hub for new-age services and increase local surveillance. This narrative around sovereignty emerges out of the current intellectual and geopolitical context, in which states remain powerful both in the political system and in the political imagination, and it is often confused with data colonialism. However, the notion of sovereignty should be seen from the angle of social contract theory, and not as an aspect of territoriality alone.
The notion of sovereignty should only be considered when all privacy-respecting standards are in place. The central aim of data sovereignty cannot be datafication of our bodies via mass surveillance, thereby altering the relationship between the nation and the state.
The RBI notification on storage of payment data and the e-pharmacy regulations regard financial and health records as sensitive data to be stored in India. These rules now have to acknowledge the changing landscape of data flows, privacy and emerging challenges, thereby setting up new standards for enforcing fundamental rights.
[The article was co-authored by Kazim Rizvi founding director, The Dialogue and Harsh Bajpai, Doctoral Researcher and Part-Time Tutor at Durham University]