15 Jun 2023 4:36 AM GMT
Some newspapers have reported that there has been a compromise of the Co-Win database. In line with its past behavior, the Government was quick to deny that the database was breached.
While the government’s statement may sound like an outright denial, it is limited to the breach of the Co-Win portal and does not deny a compromise of data through other means. The PIB release itself points out the following ways in which the data could have been breached:
Mixing up National Cyber Security with Privacy
"Deny first and then investigate" has been the government’s modus operandi for all the previous instances of breach. For instance, there are no proven instances where the Aadhaar database has been breached. We need to be cognizant of the fact that for any data breach to occur, the core database need not be breached. The vulnerabilities in any seeder database could also end up compromising the data. If one were to believe the government, one can reasonably assume that the CIDR of UIDAI had never been breached. If true, it is a testament to our national cyber resilience strategy and security.
However, from the perspective of an individual’s rights, it is irrelevant whether the compromise happened from a government database or a seeder database of another department or state government. An individual is exposed to social engineering and other risks regardless of where the breach happened.
Investigation while in denial
Would an investigation while in denial lead to reliable findings? Would an investigation focused on cyber/national security, away from the public gaze, lead to finding gaps with respect to the protection of individual privacy? It is unlikely, so we must divorce cyber security from data protection. The government must probe the cyber security issues using its might but should also empower its citizens with a right to enforce their rights. This will build accountability within government and amongst private actors dealing with personal data of Indians.
This begs the question: what is the right of citizens if our data has been compromised? Mind you, whether you are vaccinated or not is a piece of sensitive personal information. Most countries have laws which protect the information as sensitive, and such a breach would entitle those affected to get remedies from the data protection authority. But not in India.
A private complaint mechanism empowers citizens to come with their resources without entirely relying on the state's resources. It will improve the accountability of entities processing personal data.
The government needs to take data seriously.
The Puttaswamy judgement unequivocally established privacy as a fundamental right of Indian citizens. To put this in context, eight judges of that nine-judge bench have retired, and we have had 6 new chief justices since then, but we do not have the data protection law promised by the government to the Supreme Court.
But then again, what is the use of a non-enforceable fundamental right to privacy? What is the use of non-accountable investigations into alleged breaches? Do we expect to burden the writ courts of the country to adjudicate matters relating to the fundamental right of privacy?
India is negotiating our most ambitious international policy push since the non-alignment movement, i.e. “the digital public infrastructure (DPI)”. While Co-Win may not officially be classified as a DPI, it shares many characteristics of the DPI that was or is still used by both the private sector and the public sector in our battle against COVID-19.
For a robust DPI ecosystem, we need trust in the DPI. The government also knows this, and DEPA is its answer to the trust. But how can trust be genuinely achieved without enforcement?
We expect DPI models to be adopted in many countries in a few years due to their potential for governance, service delivery and ensuring access. We cannot expect the world to be convinced of our DPI model without a data protection law with proper enforcement.
We eagerly await the DPDP bill to be introduced in the Monsoon session. The time is ripe to introduce sections in the DPDP Bill relating to:
This will not only boost the individual rights regime in the country but also truly help us be the global leader for DPI.
(The author is a tech & media lawyer and can be reached at Nikhil.Narendran@trilegal.com. The views expressed are personal and do not necessarily reflect the views of his organisation or LiveLaw)