Indian companies tussle with courts over prized citizen data

India has become the unexpected front line in the debate over the how much personal data governments and companies should be allowed to collect.

The country has seen a dramatic explosion in the amount of information generated by its citizens over the past decade.

Indian consumers are flocking to digital services such as online shopping and movie downloads thanks to plunging data costs, while the government has built what has become the world’s largest biometric identification system.

Over the past 10 years more than 99 per cent of Indian adults — well over 1bn people — have been enrolled into the Aadhaar database, which contains their personal information as well as iris and fingerprint scans.

The government says this has revolutionised the efficiency of benefit claims and other state services while reducing fraud — although critics point to cases where some of the poorest Indians have been deprived of vital rations due to problems with the system.

Meanwhile, a host of companies have made enthusiastic use of access to the high-tech system to sign up customers far more quickly and cheaply than in the past — from financial companies focused on low-income rural Indians, to Reliance Jio, a disruptive telecom operator that has signed up more than 200m users in its first two years.

But the system has been condemned by activists concerned that India is creating a surveillance state.

A Bangalore-based retired judge challenged the Aadhaar system in court, arguing that it represented an intrusion to privacy and should be abolished.

The case went to India’s supreme court, which ruled in September that companies were not permitted to use the Aadhaar system to verify customer identities, warning that this would “enable commercial exploitation of . . . individual biometric and demographic information”.

Companies in telecom and other sectors immediately started rushing to find other ways to verify customer identities. “To all intents and purposes, Aadhaar is now dead to us,” says Rajan Mathews, director-general of the Cellular Operators Association of India.

Advocates of the Aadhaar system portray the court ruling as a temporary hiccup, however, and have urged the government to push through a new law that will permit private companies to regain access to the database. The government has not said whether it will do so, but finance minister Arun Jaitley underscored its commitment to Aadhaar after the court’s ruling, saying: “Everyone who has been criticising Aadhaar should understand that they cannot defy technology.”

“The regulatory framework will now fall into place,” asserts Sharad Sharma, co-founder of iSPIRT, a think-tank that has been a major cheerleader for Aadhaar. “There will be confusion for a month or two but then clarity for the next 10 to 15 years.”

The permanent loss of private sector access to the data would damp the furious pace of growth in parts of India’s digital economy, by pushing up the costs of customer addition, warns Jayanth Kolla, co-founder of consultancy Convergence Catalyst.

The supreme court ruling was part of a flurry of data security-related interventions this year by Indian institutions. In April, the Reserve Bank of India infuriated Visa and Mastercard by ordering that foreign payments companies would need to stop storing Indian customer data offshore.

The move “is something that we haven’t really seen anywhere else”, says Porush Singh, south Asia president at Mastercard.

A recent draft policy on ecommerce included a proposal to put similar restrictions on Amazon and other foreign online retailers. This came alongside a far more wide-reaching set of proposals delivered by a committee under a retired senior judge that recommended India lay down a set of individual rights around personal data, along similar lines to those mandated by the EU’s General Data Protection Regulation.

Some critics have warned, however, that these protections could be misused by corrupt officials trying to conceal wrongdoing. Others believe tighter rules are needed to ensure the government’s collection of citizens’ data does not enable creeping authoritarianism.

Raman Jit Singh Chima, a lawyer and policy director at digital rights group Access Now, voices concern about the state’s “increasing drive to track all types of data”, while little is done to strengthen the controls around such activities.

While fears of an emerging police state seem overblown, there are increasing concerns that personal data could be used by politicians to exploit caste or religious divisions in India’s diverse society, says Sivarama Krishnan, India cyber security head for PwC.

Amid all the fierce debate about data policy, he adds that a series of serious reported data breaches from public bodies and private companies makes clear the need for higher standards in general.

Mr Krishnan says: “India needs to worry about the security of its technology infrastructure, inside or outside the government.”