1 Introduction

The debate around Privacy in India has been mainstreamed primarily due to the introduction and implementation of a national biometric identification program called “the Aadhaar” (termed ‘basis’, when loosely translated to English). This program was launched by a Central government agency based in New Delhi, called the Unique Identification Authority of India (UIDAI).Footnote 1 The agency mandate is to issue the Aadhaar, or a set of unique identifying numbers (12 digit) to each individual Indian citizen, which will be foundationally reinforced by highly sensitive citizen biometric information. The proponents of this program are primarily certain corporate heads who are linked to the Information Technology business on one side, and important bureaucrats of the Central Government on the other. Politicians of all hues have been coaxed and convinced to accord extreme importance to the implementation of Aadhaar, while the Supreme Court of India seems totally out of touch, being indecisive, and unable to deliver any judgement - in any matter coming up before it regarding the Aadhaar, and all too importantly, matters related to privacy issues.

The crisis that the Supreme Court of India seems to be suffering from, and the consequential crisis that the court is now inflicting upon the Indian population, is perhaps succinctly presented by Pratap Bhanu Mehta, the Scholar President of Centre for Policy Research (India), in a prominent national newspaper article thus: “[f]irst, the court has created a credibility crisis for itself. Its mendacious evasions on the issue of privacy rights emanating from Aadhaar have eroded its credibility. In a context where the Supreme Court has found time to take over entire private bodies like the BCCI (Board of Cricket Control of India) and run them, the idea that it did not have time to conduct hearings since October 2015 on an issue of such vital importance is frankly scandalous.Footnote 2

“Something is rotten in the state of Denmark.”Footnote 3 This is perhaps the best way to pose the nature of problem associated with the Aadhaar Program to the reader. However, to utilize that well-known declaration in Shakespeare’s Hamlet to present, that in relation to the Aadhaar, there is presently a mishandling of the Indian body politic, which, according to this author, borders on negligence encouraged by a fast flowing river of intellectual and moral (and perhaps even a political) corruption - could perhaps be interpreted being either imperious, or inconsiderate. But, assurances are presented to the reader that it is neither, rather, the reference is being used fairly and justifiably to introduce the reader to the nature and texture of the evil, that which is the Aadhaar. In all, this article shall seek to present certain important multidimensional perspectives, as to why, the largest national biometric identification program in the world, called the Aadhaar, now being illegitimately deployed, should, and in no uncertain terms - be terminated. In Hamlet, “Heaven will direct it,”Footnote 4 said the exclaimant Horatio; where, as in India’s case, no Heaven shall be able to direct good fortunes for the nation from the clutches of this evil known as the Aadhaar. Only a motivated group of well-informed Indians may be able to liberate themselves and their fellow citizens from a central government imposed digital self-enslavement; speedily taking shape in a country widely identified as the World’s largest democracy.

2 The concept of evil, in relation to the launch of “The Aadhaar” program

The author has offered comments within this article, from a basis that the Aadhaar Program and the associated services are “evil.” In order to better explain why a reference to the term “evil” is being made, in relation to the Aadhaar, and to better represent the author’s views regarding parliamentary responsibilities -- especially given the social implications of the way the Aadhaar program is being deployed and used, a proper examination of the term “evil” must first be briefly made. The term “evil” is used cavalierly and liberally in polity, internationally. In fact, the concept of evil can be clouding for many, if not most [1]. Then why has this author chosen to centralize his objections to the Aadhaar, with the use of this term? The answer is fairly simple; in that, if the meaning of the term “evil” as it was being referred to in this article could be provided, and made clear, then the reader could suitably grasp how the author, a Citizen of India, and a parliamentarian would opposed the Aadhaar scheme from the very beginning.

In "The Rhetorical Impact of Evil on Public Policy," Jonathan Anderson has, in this author’s view, managed to condense a good span of Social Science’s view on the proper use of the word “evil”, and in the manner this author has intended. Anderson explains that references to the word “evil” can be, both, represented and understood in terms of "... an intense exploitative connection with another person, or a total disconnection with the humanity of others." Anderson has further qualified that the reference to “evil,” is normally "… limited to human actions toward other humans, separating people designated as evil - from the rest of humanity" and that “[t]he rhetorical reference to evil, represents an example of 'sensemaking,' where such a reference then places the otherwise incomprehensible, within an understandable framework" [1].

Many widely incomprehensible points and fellow aspects regarding the Aadhaar exist. The discussion of each and every incomprehensible point, and their associated aspects are beyond the scope of this writing. However, it is sufficient to say that in the view of this author, many of the specificities associated with the Aadhaar, are manufactured realities. Footnote 5 For those not familiar with the term: manufactured realities, one prominent example of it is the phrase “Axis of Evil”,Footnote 6 -- introduced to the world by the former US President George W. Bush. Representations produced since and surrounding an industrialized publicizing of that term after 9/11 -- have in fact, widely exposed how realities can be manufactured [2].

The very advancement of the Aadhaar program is invigorated in fact, by manufactured realities, packaged neatly with prosaicism, a certain banality, if you must, by the program’s inceptors. The charms and spells of this prosaicism, have at the core, promises of massive national savings to be realized from such things as the curbing of corruption at a transactional level -- one between an Indian Citizen and his/her government, or various government agents. Most programs, or action emphases that are sold to government power structures as being a ‘life or death need,’Footnote 7 are very often stuffed with such neatly packaged prosaicisms.

Elizabeth Minnich [3], has carefully unwrapped for us her attentive examinations of such packaged prosaicisms, which she has identified as, “the evil of banality, the profound dangers of [that emanate from] clichéd thoughtlessness”. Footnote 8 In a very illuminating way, Minnich’s finding could perhaps best explain the national-level cultural and political action motivations behind the Aadhaar. Minnich candidly characterizes humanity’s general tendency to unleash profound dangers through thoughtlessness, in the following manner. She says:

…. when systems go bad, when the extraordinary becomes ordinary, it does not take a Hitler, an Idi Amin, a Jeffrey Dahmer, a Charles Manson. It just takes a practiced conventionality, a cliche’d conscience, emotional conformity, susceptibility to small-scale bribery by salary, goods, and/or status, a sense of isolation, and distrust of the reliability of others that works against taking a differing public stand. It just takes, that is, much of what in better times keeps a society provided with reliable and ambitious workers, status-anxious consumers, polite neighbors, agreeable team players, and citizens who make no waves: an ability to go along thoughtlessly, to play the game. Footnote 9

To take a differing public stand, this author-parliamentarian would like to present to the reader a scholarly view from someone internal to India, from one who has been researching the Aadhaar for the many implications of its introduction into Indian society. Prof. R. Ramakumar, the Dean of the School of Development Studies at the Tata Institute of Social Sciences has fundamentally epitomized the problem that this author has objected to from the very start. It is, as Prof. R Ramakumar has said: the “States were not consulted [4]”! He goes further and has characterized the way the Aadhaar program was ramrodded through Parliament as, “an attempt to destroy the federal fabric of the Indian constitution.”Footnote 10

To introduce such a large public program into the Indian society, and one especially that will adversely affect nearly 1.4 billion people; to legitimize its existence under one ‘stated’ objective; to provide public funds for its bureaucratized implementation, and then to implement it under quite another set of objectives – all carrying with it - as an almost daily mission metamorphosis with alarming social implications and deciding to foist all of this upon a largely unsuspecting population, thoroughly unaware of the social implications, is, plainly “evil”.

The near absence of oppositional (tr)action and voices in the Parliament against the Aadhaar is perhaps explainable, if we reflect further with Minnich. By reason, she shows the following reality to otherwise aggrieved minds, who may still acrimoniously glimpse at the veracity of the proposition. She says:

I fear that the banality of evil is itself becoming a banality, a cliche´, in ways that gut its force. In general, now, ‘the banality of evil’ means that ‘ordinary people,’ and not just Grand Villains, are capable of doing excessive harm. That is not wrong, but it is utterly inadequate, sliding as it does toward a notion that goes even further than collective responsibility toward once again swamping individual responsibility. If everyone is guilty, then no one bears actual responsibility.

But collective responsibility and guilt together create an appealing position. The combination gives us company, lots of it, and that is a fine way to avoid those dark nights of the soul in which we take account of our lives. But moving in close, we cannot sustain that step outside, the already-cliche’d ‘we’re all capable . . . ’ in order to think afresh.Footnote 11

3 A brief sanity check

The aforementioned sketch does not represent any judgment by this author, rather, it should only serve to position properly an important point, which in this case is: that a malicious social-engineeringFootnote 12 program, such as the Aadhaar Footnote 13 is now being implemented on a massive scale in this densely populated country, and is virtually going unnoticed or under-noticed (at best)Footnote 14 in India.

To underscore the aforementioned point relating to the Aadhaar program being deployed without generating any great loathing at all by most Indian citizens, the reader’s attention is drawn to a statement recently made by the Attorney General of India, before the Supreme Court on 2 May 2017, where the Attorney General presented before the esteemed court that ‘Citizens (of India) should not expect to have, and in fact do not have, absolute right over their own bodies’.Footnote 15 These words were presented in relation to the Supreme Court’s query to whether there exists a requirement to compel Indian Citizens to avail themselves before government, or government sanctioned entities, to provide biometric information such as, Iris scans, Fingerprints and other type of scans as may be provisioned for, through incremental legislation - including DNA data -- which could be made mandatory for obtaining the Aadhaar card. Only a few newspapers published any extract at all from the submission made by the chief law enforcement officer of the Government of India before the Supreme Court, while the electronic media completely ignored this very important notable.

Today, in the twenty-first century, privacy has not only been challenged by private interests such a online services, merchants and data-brokers, but, through the Aadhaar program, the Indian State itself has launched a major challenge – one, that seems to annihilate right to privacy completely.

4 Programmatic background

The Aadhaar program was launched in 2009, and was purely voluntary till 2016, when the Government of India passed a legislation in the ParliamentFootnote 16giving the program legal status. Since that time the government has been aggressively pushing its implementation across the country, and beyond the bounds of original program intent and allowances. Through Mission-Creep,Footnote 17 the Government of India now claims that it has enrolled 99% of the national population into the Aadhaar program,Footnote 18 which de facto would make the Aadhaar, the largest biometric identification system in the world.

In simple words, the Aadhaar project aims to assign to every citizen a unique 12 digit number which will be foundationally connected to their biometric attributes (Fingerprints, photograph, iris and other scans). This Unique ID (UID) will be stored in a single server, which would have gateways that allow authentication of that person.Footnote 19 The earliest of propositions before the government put forward the grand idea that when a citizen avails himself/herself to collect government assigned welfare benefits, or any other government provided service, the Aadhaar program will be used to authenticate the recipient as being the correct party - rightly authorized to receive government benefits. Since 2009 however, the Government has beenFootnote 20 claiming that the Aadhaar program would prevent informational leakages and curb corruption, which happens presently at a large scale on the ground during distributionFootnote 21 of state largesse.

The manufactured reality Footnote 22 as it related to the Aadhaar program, and its original purpose of merely providing a voluntary “yes/no” authentication mechanism - has dramatically changed in the last year. The born again Aadhaar scheme is dangerous because it now allows third parties, other than the Government of India, to use this citizen database for their own purposes, whatever they may be. A surreptitious concept to be more intrusive into people’s lives and their details - called e-KYC (“Know Your Customer”) was introduced through regulations in SeptemberFootnote 23 of 2016. This KYC allows private companies to acquire Indian government issued licenses that would subsequently permit them to access the Aadhaar server for drawing-out information on registered citizens. Such access is now being used to issue SIM cards by mobile phone companies,Footnote 24 to verify new recruits,Footnote 25 obtain banking servicesFootnote 26 and even the issuances of driving licenses.Footnote 27 Present day reports claim that this system will now be implemented in airports to verify passengers before they fly,Footnote 28 and to compel taxpayers to quote their Aadhaar number when filing returns and paying taxes.Footnote 29

A citizen is required to produce an Aadhaar card and number, to buy an electric vehicle under the Faster Adoption and Manufacturing of (Hybrid and) Electrical Vehicles in India (FAME- India) Scheme, as do those students, who wish to appear for the National Entrance Eligibility Test (NEET). Such drastic changes to the original policy imply that the Aadhaar is not designated for limited uses anymore – particularly not just for availing government doles, or subsidies or even curtailing corruption.

The Delhi State government recently pushed the use of the Aadhaar program even further, by making the unique identification number a compulsory requirement for children who desire to seek admission into any school.Footnote 30 Why is the Indian public being an agreeable and consenting lot - in the deployment of this evil program? For this, the reader should be presented with at least a broader familiarization to the present day constitution of Indian society.

This familiarization shall aim to at least introduce the fundamental reasons as to why the vibrant youth populations of India - digitally very enabled - are yet, far less privacy conscious than their Western counterparts. Additionally, this author shall attempt also to introduce briefly, the deeply entrenched cultural drivers that power and willingly sanction the vast penetration of the Aadhaar program into the multi-layered structure of the Indian society. Within the article’s scope and other limitations, these examinations, at the root, aim to introduce the reader to reasons for which the general population has, more or less proposed that they are blameless in the Aadhaar’s launch, and remain largely unperturbed at present by the manic Aadhaar push undertaken by the Government of India.

5 Cultural background – A contributor to privacy insensitivity

Primarily, privacy is an obscure concept to comprehend for the majority of Indians, due to historical and socio-economic conditions. Interestingly in most Indian languages, no word exists for ‘privacy’. The recent lingua franca in texts on the subject of privacy have per force, preferred to use words that resemble and frame aspects of ‘secrecy’ more. Naturally, since privacy is not a semantic equivalent of secrecy, linguistically, none should synonymize them. The concept of privacy, in the form that it is vigorously considered in the West is mostly an extra-terrestrial proposition to many Indians. So much so that they do not even bother to try and understand what privacy truly could mean to them, and how the absence of privacy could be detrimental to them in a globalized state of existence, both economically and socially.

On the sub-continent, historically, people have had large families and have mostly lived together. Inter-generational family households have been more the norm where parents with multiple daughters, sons, daughters in law, and grand children often live under one roof. One supporting reason for this inter-generational existence is linked to economics [5,6,7] first, where a huge family was/is incapable of owning or hiring a bigger home, and secondly, for a need for greater social cohesion.Footnote 31 Mostly, however, family members appreciate the closeness among members. Under such a setting, when guests and friends are able to visit and discussions of a personal nature are to be conducted, the only available space for such an activity is often one’s own bedroom. Many a times, newly-wed couples have found that it a necessity to share a room with siblings.

As a means of comparatively explaining, consider that on the average, there are 4.91 people per Indian household [10], while there are only 2.64 people on the average per US household [11]. Such a closed circuit upbringing in India has served to not just instill, but to also cement certain inexperience, or unworldliness toward the more global concept of privacy, and the larger world’s societal norms involving privacy. The indigenous cultural foundations have also made it possible for many in India to outwardly project among fellow Indians themselves a complete disregard to and for ‘the need to respect the individual’s space’. In other words, our national mindset has been tuned towards accepting that citizens have no privacy. This should come as no great surprise, when in fact, it has been discovered that people’s views related to “privacy” are generally a byproduct developed from those traditional views and the cultural values they hold and actively exhibit in daily existence.Footnote 32 More generally, it is safe to say that the internal Indian struggle to make progress in the modern world, in all aspects of society, especially in the sphere of economy, is made more cumbersome by deeply entrenched cultural norms and traditions. To make matters more complex, there are those that argue that a blanket privacy law in India akin to that of the EU will not work, and would not be best suited for India, given India’s cultural differences with the West [15].

This parliamentarian has a vastly different view than his compatriots in this regard. There must be a harmonization of Privacy related personal viewpoints, social attitudes, and national frameworks for privacy protections, defence and repatriation mechanisms for Indian citizens, despite the vastly differentiated political and socio-economic nature of Indian States, and respective administrative frameworks, if India is to be a strong economic member of the international community of goods and services producers. Such foundations are equally important and necessary also to enable Indians to thrive as global consumers as well.

5.1 Language & Inter-Generational Tensions as a contributor to privacy insensitivity

The deep tensions and upheavals that the Indian society is experiencing, among which, one is the nature of India’s collective capability to sufficiently and correctly advance lawful and enforceable personal privacy protections, particularly in terms of Privacy, To understand why the acknowledge condition is so, the following information must be well comprehended.

India is home to Christianity, Judaism, Islam, Buddhism, Jainism, Sikhism, Zoroastrianism, and to the world’s oldest continuous faith – Hinduism (Hindooism), among other faith sets and sub-sets, which are practiced today.Footnote 33 The country boasts approximately 780 living languages [16] among the nearly 1.4 billion peopleFootnote 34 who now call the Sub-Continent, home. The Sub-Continent parades many peoples, and their high contrasted cultural and socio-economic existence; these contrasts are made intimate through the wide human geographyFootnote 35 of the country.

With this sea of population and cultural dynamism, India is eager to be informationally connected. India’s younger population is hungry for faster & more efficient economic progress too. Migration from rural & semi-urban areas to urban areas has exposed them to many opportunities on a global scale that was beyond their reach previously. Rural-to-urban and urban-to-urban migration flows have increased, especially among men [17]. The exposure to urban opportunities has granted affluence to many, while many more have continued to remain disadvantaged. An analysis by the World Bank Group has revealed considerable occupational mobility across generations. Over 40% of the children of unskilled worker parents were holding other occupations at the time of the analysis. Furthermore, about 36% of the children of farmers were working as skilled or semiskilled workers, or as white-collar workers. Lastly, occupational mobility across generations has also increased over time.Footnote 36 These indicators show a creation of more affluence among migrants, general upward mobility, and more participation in the national economy. Moreover, as the Confederation of Indian Industry notes, Indian consumers are rapidly advancing towards adopting technology, and towards the end of 2015, for instance, India beat the United States to become the second largest market for smartphones, after China.Footnote 37 As we observe these brief views of pockets of population experiencing enrichment, taking a closer look at the larger national picture relating to migration and affluence will tell a different story; a story of social, economic, psychological strife and political exclusion (Fig. 1).

Fig. 1
figure 1

Connected Youth of India. Source: Public Domain

Full size image

The relationship of aforementioned factors to the lack of personal privacy awareness, individual and collective privacy practices, play a significant role in defining the texture of privacy shapes and privacy conditions in the Indian society. UCLA Historian Vinay Lal has managed to describe what the societal upheavals (in the way they are occurring) and the tension-ridden economic ‘push-pull’ influences have done to Indians. Lal says that India’s drive towards a “culture of modernity,” influenced by “indigenous and foreign corporate interests,” and “international finance organizations such as the IMF and the World Bank,” have stimulated the rise of “gross materialism of middle-class Indians” and has “eroded the image [of India] as a land of sublime spirituality [18].”

Yet, in the middle of all ‘socio-econo-politico’ parboiling of the Indian society, in direct relation to privacy, and in the age of Facebook, Twitter, Snapchat, Uber, Data-Brokers and the Aadhaar, we must scrutinize that India’s Internet User population has jumped from nearly 5.6 million (.5% population penetration) in 2000, to nearly 470 million in 2016 (34.8% population penetration).Footnote 38 The number of Internet Users in India is slated to surpass 500 million by the end of 2017. Of this, nearly 400 million will be mobile users.Footnote 39 We must be reminded that, more and more, the connected mobile populations in India are the young, affluent, and upwardly mobile members of the census, who are largely ‘privacy unconscious.’ For example, Indian mobile Internet users under 25 years of age were carefully reviewed for a University of Maryland study, whereupon it was discovered, and with only negligible differences between sexes, that men and women commonly used their devices for entertainment purposes, negotiation of independence from parents, forming friendships with the opposite sex, and for private communication, and private needs [19]. While salient to those who will independently observe with their “eyes wide open,”Footnote 40 the important point to be considered here with respect to the growing number of ‘privacy unconscious’ young users of India are the following.

Older generations of Indians are no different than the older populations in other countries. The older generations are not adept at navigating new and available technologies, those emerging technologies, and, or their effects upon themselves and society. On the other hand, the younger generations of Indians, while eager and adept at the use of technologies are vastly different from their counterparts in other countries, for they are not guided by those critical attributes, which could have been inter-generationally passed-on through Cultural Transmission.Footnote 41 As Bisin and Verdier have indicated from a theoretical and empirical perspective that, ““Cultural transmission” arguably plays an important role in the determination of many fundamental preference traits, like discounting, risk aversion and altruism. It plays a central role in the formation of cultural traits and norms, like attitudes towards the family, towards fertility practices, and in the job market.”Footnote 42 The absence of cultural transmission pathways that impart critical technology use related knowledge and the multiple social implications of technology use - disadvantage the youth in India. Adjoiningly, one should take note that Social Media platforms like Facebook and Twitter are more recent advents, and in terms of India’s past, cultural history, technology adoptions, and technocratic evolution, contiguously considering also, that previous generations possess neither knowledge nor skills, transmittable through modalities of cultural transmission, that would inherently benefit India’s technologically savvy middle-class with respect to privacy.

As a result, generations of Indians are now standing at an ontological intersection, wondering what privacy is, what is it that they themselves could do to ensure it, and assure it for the future. They are also wondering, more importantly, why, since, in relation to the Aadhaar, the Indian government is bent on embracing and championing a scheme that fundamentally weakens the constitutional rights of the Indian peoples. In fact, robs them of it (See Fig. 2), despite the fact that India is a signatory to the Universal Declaration of Human Rights,Footnote 43 International Covenant on Civil and Political Rights (ICCPR),Footnote 44 and International Covenant on Economic, Social and Cultural Rights (ICESCR).Footnote 45

Fig. 2
figure 2

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act of 2016. Chapter VII (Offences and Penalties), Section 47. Source: Government of India

Full size image

In direct relationship to the aforementioned conventions to which India is a signatory, it will be worth noting, at least philosophically, that, the European Parliament has recognized that any understanding and any “assessment of a Western-type human rights model against an Asian background [will] by no means [be] an easy task, given the big differences in the cultures involved [21].” So, for those who would argue that the privacy protection frameworks to be conceived and instituted in India should (or need) not look or feel like anything similar to what the EU has in place, and that India’s cultural differences might not permit such alignments,Footnote 46 one has to ask the following question regarding ‘privacy as a human right’ - for certain. That question being: what exactly did it mean for India - to accede to the International Conventions above, if the Country’s founders and her subsequent leaders/administrators did not (or do not) believe in granting Indian Citizens, those human rights ‘most fundamental to all’ in the world irrespective of colour, creed, faith, sex, education, beliefs, culture and socio-economic standing etc.? Contrastingly however, and surrounding India are, other nations of the world like China, that are speeding on ahead, in terms of their adaptivity to technology, and improvements in societal laws and practices to assist their standing in the world.Footnote 47

6 Social corruption

In the opinion of many in the know, the Aadhaar scheme is the biggest violation of an individual’s right to privacy that this world has witnessed, especially given the fact that nearly 1.4 billion of the World’s population is involved.Footnote 48 What was once sold to the Indian taxpayer as an aid to curb corruption, inefficiency and waste of resources appropriated with taxpayer funds is now evidently just a ‘big data gathering exercise,’ which is allowing private companies primarily, to access and to use, in any manner they wish, the highly sensitive information of Indian citizens - within Indian government systems.Footnote 49 The harms that such a violation of personal privacy would entail are only just surfacing in the past few months. Various news and views published in the recent past throw immense light on the many irregularities associated with the biometric data collection program undertaken in India. It may sound far-fetched now, but, so much of the data collected, could possibly lead to the realization of outcomes and themes, now vividly portrayed in the highly popular ‘Black Mirror’ TV series.Footnote 50 It is socially and morally troubling to meditate upon, how such situations could play-out in a milieu of mostly illiterate populace.

7 System & Security Failures

Relating to the proposal to install a unique, biometric ID system in the United Kingdom, a number of researchers located at the London School of Economics and Political Science performed a variety of analyses [24]. The researchers discovered that it would be an impossible task to guarantee the safety and security of such a vast and sensitive informational database, likely to be accessed millions of times a day and perhaps facilitating an equal number of transactions all over the UK. The research report cited the Prime Minister’s Official Spokesman at No. 10 Downing Street - to have said:

“The national register of information would be protected and people had that assurance. -- Morning press briefing (25 May 2005)Footnote 51

To this view by the PM’s Spokesman, the EPG/LSE researchers rebutted the Prime Minister’s perspective in the following way:

“In guaranteeing that the national identity database will be secure, the government is ignoring precedent. No database’s security can be guaranteed, particularly one that contains this amount of information, which will likely be accessed millions of times every day, with data changed on thousands of individuals every day, and particularly when this information is so valuable.”Footnote 52

In 2010, the UK government passed legislation to repeal the project.

With respect to the Aadhaar program in India, there are reports almost every day about data leaks originating from Government websites where sensitive biometric information of citizens, including their caste, religion, bank account details, address, next of kin and more, is being made publicly available for anyone to access through a simple Google search. On 1 May 2017, the not-for-profit Centre for Internet & Society revealed in a reportFootnote 53 how four Government resources were the originators of the biggest public leaks of the sensitive information of 135 million people; which amounts to ~10% of India’s total population.

The government and Unique Identification Authority of India (UIDAI), continue to turn a blind eye towards this massive leak, and have tried to set it aside simply as an aberration. They refuse to acknowledge the immense security risk the government itself is placing its citizens in, and continue to push aggressively for the wider implementation of the Aadhaar program.Footnote 54 In a recently published article, one of the chief proponents of the Aadhaar program, and a former CEO of an Indian corporate giant, also widely hailed as the ‘Father of The Aadhaar’, has stated that smart mobile phones leave the user bereft of any privacy anyway, so what further wrong could Aadhaar commit.Footnote 55

The government has been making Aadhaar mandatory for availing numerous schemes like State rationed items, State guaranteed employment, old age pension, crop insurance, disability welfare, meals for school children and even compensation for victims of the Bhopal Gas Tragedy.Footnote 56 The government has condoned such actions and its continuation, despite the Supreme Court’s provisional order that explicitly said, Aadhaar could not be made mandatory for any welfare schemes.Footnote 57 Ground reports indicate that there are massive amounts of errors arising when citizens go to avail their rightful welfare. Their fingerprints are not matching, disabled persons are being refused acknowledgement (and even enrollment), old people with ageing eyes are not able to get authenticated through iris scans, and all of them en masse, are being refused services.Footnote 58 After bulk of the citizens’ data have been collected, Aadhaar is now becoming an exclusionary rather than being an enabler and inclusive tool, as it was originally proposed.Footnote 59

For instance, beneficiaries of India’s Mahatma Gandhi National Rural Employment Guarantee scheme have stated that they were compelled to sign a form expressing their consent to Aadhaar enrollment, as a condition to drawing benefit (quid pro quo), by the administrative staff. In a rush to meet targets, beneficiaries were enrolled under Aadhaar cursorily. The ensuing turmoil was such that it led to many errors in linking Aadhaar numbers to the personal bank account numbers of the workers, thereby causing immense problems during payment of wages.Footnote 60

To add insult to injury, in the span of 1 week - during late February and early March of this year - the government of India made the use of the Aadhaar obligatory to access 11 more government programs, such as mid-day meals for school children, scholarships for disabled citizens and job training help for women rescued from sexual trafficking.Footnote 61 Imagine the horror that a woman would have to bear -- after having had to sum-up all courage to overcome psychological and sociological horrors, and other physical harms endured while being sexually trafficked -- to needing to re-live those horrors because her most critical and personal information was compromised by an illegal, unethical and untrustworthy surveillance system run by her own government.

8 The Aadhaar and a contemporary inspection of its social implications: Surveillance and segregation

In April of 2017, Justices AK Sikri and Ashok Bhushan asked the Attorney General (AG) of India Mukul Rohatgi, "How can you make the Aadhaar card mandatory when we have passed an order to make it optional?"Footnote 62 Rohatgi citing fraudulent use of Permanent Account Number (PAN) Cards (issued by the Income Tax Department) and the siphoning of State funds to shell companies, and without offering any direct evidence to that affect, said, to prevent such type of fraud: "...the only option is to make the Aadhaar card mandatory.”

The question that this parliamentarian has had, in relation to that event, and the courtroom question posed by the Supreme Court Justices, is the following. How is it possible that the Attorney General of India can demand the implementation of a practice that is largely unconstitutional, while choosing to contravene specifically the Supreme Court’s earlier decision to utilize the Aadhaar program in only a voluntary capacity? How could the AG, in a Republic, and without taking the fundamental steps to ensure ‘due-process of law,’ unilaterally determine that his decision should assert ultimate validity for 1.4 billion people and that it was to carry legal sufficiency to make a corrosive program such as the Aadhaar, mandatory in Indian society?

Moreover, and importantly, in asking the court to make something that is unconstitutional - mandatory, nowhere was it clearly qualified how the Aadhaar program, which then had 440,000 fake students in just 3 Indian States officially enrolled [25], was going to be an adequate security barrier for all the fraud that AG Rohatgi was claiming to exist, and that which was supposedly funneling state-funds to shell companies. How could such an intrinsically flawed and mis-directed program, one that is neither safe nor secure, ensure to be that line of defense and purportedly be able to halt the flow of fraudulent funds into thieving hands? This question cannot be answered, for there is no moral and truthful answer. All in all, the level of technical, legal, social and political incompetence that has reigned around this issue remains too high-a-heap, to adequately sample here, and within the scope of this writing.

By making the Aadhaar mandatory, and in seeking a wider deployment for this savagery and repression of the digital age, the government of India is pushing for and toward ensuring the collection of even more data. At the same time, the government will be ignoring consequential actions that violate privacy each day, and for all times to come, all throughout the various Indian government departments.Footnote 63

The push is on, to make the Aadhaar, the ‘base ID’ scheme to which all government services and personal details of every citizen are getting connected. One Aadhaar number connected to all bank accounts, tax details, driving licenses, government benefits and every other aspect of a person’s life. It is fast becoming the ultimate tool for effective government surveillance. And quite probably, in an uncertain future, this device will be a very dependable tool for ethnic cleansing. Such a thought could have only been considered as preposterous, if relatable and observable facts had not provided evidence to the contrary. Disability activists have long complained that the Aadhaar program is an exclusionary system,Footnote 64 which neglects the needs of the disabled, who were declined, repeatedly, to be enrolled in the Aadhaar. Fact remains that the disabled and elderlyFootnote 65 continue to experience significant difficulty in enrollment, and many have routinely and continually been experiencing denials in essential services.Footnote 66

By connecting every aspect of a citizen’s life to this one number, the centralized bureaucratic system of power in this case can easily and efficiently keep track of the activities of every person resident in India. By such actions, this program has the potential of causing catastrophic individual and communal harms, if citizens’ sensitive information should fall into the wrong hands.

At this time, it is important to remember that the Aadhaar Act’s provisions could require the use of DNA as ‘biometric information’ in the future. Given the many advances today, in the field of genetics, a DNA enabled Aadhaar card will open up possibilities of segregating, isolating or excluding citizens based on their race & ethnicity, under some despotic future regime. Only the limits of one’s imagination could perhaps limit how such tools could be redirected from original designs and be used by some in India to pursue wicked outcomes, given communal frictions and ethnic divisions spanning centuries.Footnote 67 The preceding statement needs to be qualified. It is presumed that all Indians are of the same stock. However, recent studiesFootnote 68 have shown that Indians exhibit different ethnic and genetic variations. Therefore, the possibility of some future ruler turning against one particular ethnic group in India would not be all together implausible.

These auguries might sound dystopian at this point of time, but all the tools to make these prognostications a reality already exist. The only factor required to push for this fatalistic future to be made a part of our present, is the rise of a despotic ruler, who has a specific strain of hatred towards a class/creed/religion or race of people. Given the racial and ethnic divisions in India, which have taken shape over centuries, and the political climate across the world today, the possibility of such a person coming into command and to be possessing an array of phobias, strong aversions and the power to freely act on the hate-filled thoughts, cannot be ruled out entirely.

History vividly tells us of the atrocities that Adolf Hitler was able to commit against Jews, with a simple cloth arm-band, and a paper register. The possibilities to use the Aadhaar program as a surgically precise tool for mass surveillance is obvious, especially when one cares to notice how it is designed, and how it is now being foisted upon a largely unaware population as a ‘must have’. Another example where a National ID was used to unleash genocide, where an estimated 800,000 human beings were massacred in a period of 100 day was in the Republic of Rwanda.Footnote 69 There, National ID cards, which identified Rwandans by tribal affiliations, were used effectively to engineer the mass murder of populations.Footnote 70

Tribals (known as Adivasis) in India are currently facing a huge problem.Footnote 71 It is mostly amidst the tribal inhabited interior areas that valuable minerals deposits are found. The Adivasis occupying large tracts of land in the interior are being subjected to extreme inhuman atrocities, and are now being forcibly evicted from their lands and their homes by government agencies, often with the involvement of para-military forces sent to enforce the government’s unilateral decisions on eviction; all this in the sole interest of large corporations.Footnote 72 It is noteworthy that the Aadhaar is being meticulously and stringently implemented in Adivasi areas.

The Aadhaar card for a citizen can easily be sourced to be a ‘one-stop-shop’ to acquire all the information on any particular person, and to track them categorically. Whenever a citizen uses the authentication mechanism associated with her/his Aadhaar number, alerts will be dispatched to various entities regarding each of the activities, and of all her/his movements. Given the extent to which citizen activities will be mapped through the Aadhaar program and their participation in, either government programs and services, or other more public activities such as rail travel, land and property sale and purchase and banking services, if, and when, this tool is used for insidious purposes, the destructive societal implications of this program will be catastrophic. Creating and nurturing such an ever-growing instrument of evil design, with no safeguards, and other protective measures being unavailable to a citizen, and at a supremely high cost to the taxpayer, is not seemingly intended to serve any humane or social empowerment goal. The reader is specifically reminded that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act of 2016, Chapter VII (Offences and Penalties), Section 47 explicitly prohibits all citizens (See Fig. 2) from the ability to either launch a legal complaint, or a civil suit, for example, in relation to any aspect of the administration of the Aadhaar program or services, and, or, for any harms that may be suffered by an individual or party. Consequently, Indian citizens have no ability to protect themselves when harm occurs.

On 3 May 2017, in presenting arguments before the court related to the Aadhaar Program, the Chief Law Enforcement Officer, the Attorney General of India (AG) shocked the world when he declared before the highest court in the land that the Citizens of the nation -- widely acknowledged to be the world’s largest democracy, “do not have absolute rights over their own bodies,” (See Fig. 3) in essence - declaring that the Government of India could lay claims to “one’s self,” on demand. The AG, however, did not elaborate then, just how, when, or under what specificities, such demands could be presented before a citizen by the State. However, in this author’s view, the AG has struck a match, which is sufficient to spark a Constitutional Crisis.

Fig. 3
figure 3

Front Page Story - Times of India 3 May 2017. Attorney General of India Notified The Nation’s Highest Court That Indian Citizens Do Not Have The Right To Self-Determination. Source: Times of India

Full size image

Apart from the fact that the Republic of India has a democratic system of government, the nation is also a signatory not only to the Universal Declaration of Human Rights but to a whole plethora of international agreements on very many Rights for the citizens. On all fronts then, this primarily means, both at the constitutional level and in terms of India’s accession to the aforementioned international covenants, that the Indian government, various Indian governmental instruments and its agents are responsible to extend to every Indian Citizen, in every respect, all importance, all considerations and all deliberations concerning unenumerated and enumerated rights, bequeathed under the Constitution of the Republic, and that the same entities mentioned above will additionally harmonize, and complementarily extend, any and all other rights, acknowledged as being fundamentally universal human rights. In all these respects, the ‘right to self-determination [26, 27],’ is a universally fundamental human right for peoples, and for all Indians, therefore.

That which the AG has in effect said, and as Chief Law Enforcement Officer of the nation is, that he has personally determined that Indian Citizens to not be worthy of being afforded the right to self-determination. Footnote 73 Perhaps, it is high time that the Indian Parliament debate the issue of having the AG’s outlook reoriented, on-account of the simple fact that he is neither schooled properly on rights that are constitutionally conferred upon every Indian Citizen, nor is he intimate with the details of those important international human rights conventions to which his country has acceded. Such is the nature of complex conundrums that India has to face daily in terms of privacy.

New rules related to the Aadhaar program seem to appear daily, and seem to do so without any Parliamentary advise, or consent.Footnote 74 In light of such occurrences, it is impossible to comprehend how it is possible for a nation like India with broad societal differences, to be able to afford value to procedures and practices related to privacy, when the Attorney General of the country, who has the legal responsibility to protect and defend all Indians, has willfully made such deplorable, intellectually underfed and morally shriveled statements.

Although the Indian Supreme Court has been feeble on all matters related to the Aadhaar program, especially on matters related to privacy, it remains the last bastion for hope and sanity to prevail in India. However, we must consider that the highest court in India is also a reflection of those in Indian society that have a careless outlook towards Privacy. At present, the court seems to demonstrate no clarity or conviction of its own related to the importance of privacy, and is seemingly capable of acquiescing to a push by a few - toward imposing a national ID card for all. The inherent tensions between the various pillars of this democratic republic -- the legislature and the executive on one, and the judiciary on the other, have also come to play a role in the rulings by the Judiciary. This case of protect the ‘Right to Privacy’ of citizens is also being subject to the tumultuous, turbulent times that India is going through after 70 years of Independence from the British. We, as a society, are evolving. One hopes that the courts shall follow.

The awareness about the possible ways in which the Aadhaar can be misused is growing extremely slowly in India.Footnote 75 Unfortunately, most people have not - the slightest understanding of the implications of their personal privacy being violated, their bodies being tagged & surveilled. Meanwhile, it must be admitted, political discourse has completely died out on this subject as the bureaucracy and big business interests have, together, pushed the Aadhaar program with extreme vigor on all political fronts equally. The Aadhaar was born when the Indian National Congress (INC) was in government. The Bharatiya Janata Party (BJP), the primary opposition of that time and its leadership including Mr. Narendra Damodardas Modi, the Prime Minister today, had vehemently opposed it earlier. However, in the 2014 general elections, the tables were turned. The BJP won, defeating the INC, and has been in power since then. Still, the Aadhaar is being implemented, despite their initial opposition to it, and with increased vehemence now. Smaller regional political outfits seem not to even notice the existence of the Aadhaar. In this bleak background, one can only hope that good collective public sense prevails and this harmful Aadhaar program is scrapped.

9 Privacy state in India: A forward look beyond The Aadhaar

In an Harvard Business Review article called “Values in Tension: Ethics Away from Home [28],” Tom Donaldson of the Wharton School of Business painted a tale of how, in the 1980, European tanneries and pharmaceutical companies shopped around the world, for cheap waste-dumping sites; countries where those companies could unload highly toxic wastes. Those companies found Nigeria to be a willing taker of the Poly-Chlorinated Biphenyls (PCBs) that the European companies wanted to unload. Donaldson describes Nigerian workers with no protection whatsoever, receiving highly toxic PCBs, and then depositing them next to Nigerian residential areas, where neither the workers, nor the residents were made aware of the locating of the PCBs in their neighborhood, or of the PCB’s toxicity. By the presentation, Donaldson wanted to have the reader adequately contemplate the application of the requisite template for ethical business conduct, both domestically and internationally. Interestingly, the speed and rates of modern business data and other forms of information flows have curtailed such practices as Donaldson describes, but have not altogether eliminated them, as the Aadhaar demonstrates in India today.

However, strangely, Donaldson’s story is useful to analyze what lies ahead for India in terms of privacy. At present, and in a certain way, India is similar to Nigeria in the case above; terribly unaware of the dangers associated with the loss of privacy, and dreadfully unfazed by the plethora of risks that loss of privacy poses to every single Indian citizen.

10 Privacy context specificity to India’s economic future

It is this author’s assessment that the reliability, robustness, stability, safety, and security as it is related to the shaping of India’s privacy framework will decidedly shape the nation’s economic future also. For Indian politicians, at a very personal level, the lack of understanding of technological contextualization needs, in terms of India’s strategic development tracks, economic and political myopia, and a lack of tactical and strategic understanding of technology development cycles and their applicability to India - puts the country’s leadership (their friendships with tech-titan CEOs aside), at a clear disadvantage.

Micro, Small and Medium Enterprises (MSMEs) constitute the present day backbone to the Indian economy. MSMEs now employ in excess of 110 million of workforce, and now account for - in excess of ~37% of India’s GDP [29]. However, future growth in this sector can only come at the expense of training that is more multi-sector, greater technology awareness and greater connectedness to the vital construct of privacy. Personal Privacy in the Digital Century is translatable synonymously to the safety and security of information technology assets and the critical information that it holds, anywhere. In this sense, Privacy and Informational Safety and Security are one - and the same.

Therefore, India’s ability to offer vibrant Information Technology Enabled Services competitively, and in a changing word, is inextricably linked to the country’s ability to recognize the critical value of privacy, and the established need for the security and safety of information, and information systems. In the here and now, the twenty-first century, and in the midst of the fourth industrial revolution, India must ensure to have in place, for her citizens, the most fundamental of human rights to which she had acceded in 1948, but has yet to deliver upon.Footnote 76 Directly to India’s economic future, is the necessity for India to demonstrate to her trade partners that she is a developed, mature, and wise member among the community of World nations.

Importantly and structurally, in this regard, India must instrument privacy, information safety and security policies and practices. Also, India must connectedly establish those means and methods for oversight, enforcement, legal intervention, adjudication and the means to suitably recompense injured parties in those case where there are infractions, or when losses are sustained.

11 Privacy related contextualization example: India-EU economic relations

To materially contextualize, it should be understood that the EU is one of India’s vital trading partners (14% of India’s overall trade in 2015–16).Footnote 77 Even though the Broad-based Trade and Investment Agreement (BTIA) that was being negotiated between India and the EU has stalled, economics is the fundamental driver for a strategic alignment with the EU which kicked-off with the EU-India Strategic Partnership arrangement in 2004. Not only is the EU India’s biggest trading partner, but, in the last 15 years, EU member countries have made more Foreign Direct Investment (FDI) into India, than the US and Japan combined,Footnote 78 and in spite that Mark Zuckerberg and Narendra Damodardas Modi are BFFs.Footnote 79

Maintaining the logical thought connection as related to privacy, information technologies, and India’s economic future, the following considerations must be made. India is the world’s largest Offshore IT sourcing destination, accounting for 67% of the US$ 130 billion outsourcing market [30]. And, India has had over 25 years of experience in Business Process Offshoring (BPO), being the destination of choice for the outsourcing desires of Western companies overall.Footnote 80 In dealing with Indian firms for the better part of 25 years and more, Western companies did not choose India for its willingness to accept toxic waste. Rather, India had offered highly competitive services at attractive and lower cost points, match for timeliness, higher quality performance, and a general prospect for higher business profitability. The Indian BPO sector now employs over 3.7 million people, experienced record annual growth of 10%.Footnote 81 The IT Enabled Services (ITES) (BPM - Business Process Management and BPO-Business Process Offshoring) sector in India is estimated to expand at 10% (CAGR) to a whopping US$ 300 billion by 2020. The IT sector as a whole is expected to triple to US$ 350 billion by FY 2025. With respect to Europe directly, and in 2016 alone, India provided EU with its lion-share of IT services totaling US$30 billion.Footnote 82 However, BPO involving the handling of increasingly sensitive “Information” items such as telemedicine data from the US and the EU have been changing over time, as regulations involving Information exchange and management in other countries have been becoming stricter. India has been standing still in this area of sensitive information handling, as fundamentally, constructs relating to privacy have been alien to Indian society, even with a robust IT/ITES sector within the country.

Consequently, BPO growth is expected to be undermined dramatically, owing to immense changes happening in the world of Privacy, where again, India has virtually stood still. India does not have a meaningful national Privacy Law, nor does it have a central government Data Protection and Privacy Officer. At present, individual Indian States also do not have necessary privacy protection mechanisms that are either suitable or conducive to attracting business prospects from those foreign countries who will intend to originate data - that may later be handled in India. In the absence of reliable, durable, safe and secure privacy laws and accompanying durable structures to manage and maintain information, other outsourcing destination points (countries) like the Philippines may appear more attractive for overseas businesses.

Although an American perspective, Barbara George and Deborah Gaut frame the threat that India faces in this respect well, and their characterization is widely applicable. They say:

India's cultural history is a significant factor for American outsourcers to consider in pressing for either data privacy legislation in India or protective contractual provisions with Indian companies. Indian cultural history may affect Indian companies' interpretation of the concept of privacy, which will affect the degree of importance that India as the host country is willing to place on the protection of privacy. A pertinent statement appears in The European Union's Assessment of Adequacy, a report addressing the effect of differing political and cultural values on interpretations of standards of "adequacy" of data privacy protection measures to meet the E.U. standards:

A final difficulty is that of cultural and institutional non-equivalence. Judgments about adequate protection must remain sensitive to important cultural differences. Despite the growing convergence of international data protection policy, 'privacy' still means something very different in various cultural and national traditions, perhaps particularly in non-Western jurisdictions but by no means there alone.... [31]

India has to be an attractive business destination for information technology companies in the digital century. However, to become that attractive business destination above all other choices in the digital century, it will require those in Indian government, industry and civil leadership to prioritize matriculating oneself into “night-school,” with the intention to expeditedly acquiring their E-MBAs in Privacy, prior to the new law known as the General Data Protection Regulation (GDPR)Footnote 83 going into effect within the EU member States.

The Data Protection Directive of 1995Footnote 84 will soon be replaced with a rigorous and more codified privacy practice framework of the GDPR. That GDPR will undoubtedly be the de facto framework in force beyond data protection, for privacy, with which the Indian IT sector businesses will have to negotiate; and they are likely to negotiate badly, as Indian IT firms have historically found their ability to comply with the less rigid Data Protection Directive of 1995 in the EU (presently in force), most difficult.

If Indian firms are not prepared to comply with the GDPR’s overall dictates, it is as Nasscom’s former President, R Chandrasekhar had announced, that, "...security in Europe has the potential of going into directions which will not be conducive for (those) countries as well as our (IT) industry. They will get hurt and we will also get hurt." Lastly, a Nasscom-DSCI (Data Security Council of India) poll has revealed that there exists the very real possibility of “a significant opportunity loss for the IT-BPO industry on the account of data transfer related issues as clients hesitate to offshore work to India because of stringent data protection requirements in the EU [32].”

The idea of “Data Protection” encapsulates the concepts of privacy, and the safety and security of all information that IT systems house. Everything is inter-connected; and nothing can be disconnectedly considered, and singularly; such as the subject of safety apart from security, or privacy apart from security. At present, the EU’s Data Protection Directive permits the transference of data originating from the EU to third parties -- that is to say, countries beyond the EU, and the EEA, only if such a third party State has been determined by the EU as being “Data-Secure.” Looked at - in another way, the EU Data Protection Directive mandates member States to forbid the ‘transfer’ of personal data to a non-EU member State, unless the State has demonstrably met all data protection criteria, having in place, “adequate” data and privacy protection methods, means, structures and systems.

India is not a “Data-Secure” State in the eyes of the EU.Footnote 85 However, for some time now, India has lobbied the EU for a “Data-Secure” State status declaration.Footnote 86 Naturally, the EU and, or other states cannot be expected to “rubber-stamp” such declarations, when the awareness of privacy and data protection constructs by the Indian workforce is generally weak, and is usually coupled to the existence of weak institutional policies, practices and frameworks related to information safety and security practices. The one widely available and discussed case of the theft of US$ 350,000 from 4 New York based clients of Citibank, by their call-center operators in Pune, India, operated by Mphasis (formerly MsourcE) has become the bane of Indian BPO firms.Footnote 87

However, from a Safety and Security point of view, this case demonstrates some interesting things, if one investigates further, that are the following. The operating Call-Center had received a BS 7799 (UK) security certification, which meant that the Center had demonstrated meeting the desired best practice methods for protecting information -- meeting ‘information confidentiality,’ ‘information integrity’ and ‘information availability’ criteria. It also meant that the Center had demonstrated ‘BS 7799 - Part 1’ proficiency in the established standards of practices relating to ‘information security,’ and ‘BS 7799 - Part 2’ proficiency in practice specification for ‘information security management systems.’ What is more, the Center operated by Mphasis, by the company’s own pronouncement, had undergone “a comprehensive information security audit by the Standardization, Testing & Quality Certification (STQC) Directorate Footnote 88 covering Information Risk Management, Network Security, Physical Security, Personnel Security and Business Continuity Planning.” Footnote 89 Also that, MsourcE had especially “worked with”Footnote 90 the global accountancy and consulting firm of Ernst and Young to gain the certification. Additionally, the Center also received a CMM Level 5 quality certification.Footnote 91

If after being certified in the aforementioned way, by recognized global standards, and by recognized global entities, it is possible for a facility with such certifications to sustain a breach, then, there is a valid cause for concern by entities like the EU. Just as everyone was beginning to breathe a sigh of relief, in less than a year, it happened again, when a HSBC Bank Data Processing Center employee accessed and used the "personal, security and debit card information" to pick-pocket 20 of the bank’s U.K. - based customers to the tune of US$420,000.Footnote 92 Adjacently, an Indian forensic consultancy reported that the lack of institutional whistleblower policies/protections, fraud response plans and the lack of proper levels of ethics training of employees, were at least partially to blame for such security breaches [34].

When the EU-GDPR law does go into effect in 2018, it will likely become the de facto Data Protection and Privacy framework for the world, as all nations who will intend to, and currently do business with the EU member States, will have to comply with the GDPR in relation to all manners of conducting normal business. The widespread change effect that the GDPR will impose, and extract worldwide, will not go unnoticed in India.

In the meantime, in one hand, India has a Draft Privacy BillFootnote 93 in various forms; and the last leaked version of it was the 2014 edition.Footnote 94 The Parliament has not seen any version of this Bill. In the other hand, is that law, which India would like to claim is her equivalent of a Privacy & Data Protection Law, one that would provide adequate protection related coverage for Data Protection and Privacy Protection -- the one called the Information Technology Act of 2000, as amended in 2008.Footnote 95 There are only just a few major problems with these lines of arguments that IT sector representatives have managed to place forward. In a Confidential academic report to the European Commission, titled: “First Analysis of the personal data protection Law in India: Final report to the European Commission,” the authors state:

Although the Information Technology Act, 2000 is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session, it is often quoted in India as an Act containing provisions pertaining to data protection.” “…In general, the IT Act is more an Act related to e-commerce and cyber crime than a data protection Act [35].

Furthermore, Graham Greenleaf as the party who performed a data and privacy protection “adequacy” assessment for the EU, and in accordance with the Data Protection Directive, Article 25, recommended that India’s Data and Privacy Protection frameworks would not adequately be protective of that data transferred from the EU to India. Greenleaf, as part of his later assessment of IT Act of 2000, as amended in 2008, had the following to say. Greenleaf said,

…the most important legislative protections are as yet, not functioning. In particular, the key data protection provisions of the 2008 amendments to the Information Technology Act 2000 are not yet effective, and the consumer protections in the credit reporting legislation appear to be ignored by regulators and credit bureaux alike [36].

Finally, it is this author’s read that while the government has attempted to convey to the outside world through the existence of "Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011”, India has met key data and privacy protection “adequacies”, the government will only be fooling itself. Despite the existence of Information Technology (Reasonable security practice and procedures and sensitive personal data or information) Rules, 2011, under s87(2)(ob) of the IT Act, and under section 43A’, Graham Greenleaf’s own words describe the situation best, that, “India does not have a comprehensive data protection law covering any sector [37].” Instead of clearly and constructively putting-together - a national Privacy & Data Protection Bill responsibly, that not only will adequately cover today’s working needs, but will also allow for the necessary legislative flexibility and the socio-economic growth anticipated, and be capable of accommodating for constitutional protections for Citizens, India has chosen to implement the most difficult legislative choices. The government of India has decided to cobble-together, legislative elements that add complexity all the way around, while also blurring jurisdictional and adjudicational abilities.Footnote 96

Lastly, with respect to the Draft Privacy Bill of 2011,Footnote 97 it is acknowledged that the legislation’s "exclusion of the Indian government [activities] from the scope of the Bill [represents] a very severe weakness, particularly because there are so many privacy-invasive public sector projects going forward in India at present, including the national ID number, and NATGRID ... Some of this surveillance legislation also empowers private organisations to act as agents of the government in collecting data, probably outside this Bill.”Footnote 98 In an assessment of the Bill’s fundamentals as circulated, and unseen as yet by the Indian Parliament, it remains uncertain the implementation of Rules by Bill can deliver data protection in reality, or, if it will be “just an unenforceable illusion.”Footnote 99

We are essentially riders of bicycles with training wheels in thoroughfares which high-performance vehicles make their home. The mere fact that none have been hit or killed while in motion says nothing about the muddle and strangeness this reality represents, and is but a simple golden act of providence. Graham Greenleaf wrote in a later paper, criticizing the orientation and the functions of the as yet uncirculated and unintroduced Bill in Parliament; Indian Privacy Bill. It seems the Privacy Bill, and the protections it would afford the Private Sector in India would not apply to those in the Public Sector. It so appears that the World’s largest democracy is intent on creating a national legal framework that proposes the erection of a “double standard” statute. Greenleaf qualified it best saying, “[a] bizarre aspect of the Bill, for a country seeking an EU adequacy finding, is that it limits its protection to Indian businesses… India is therefore one of the few countries to have enacted data privacy laws for its private sector, but not for its public sector. That may not prove to be tenable in the longer run.” Footnote 100 If all this were not enough, like icing on a cake, the Indians are left to negotiate and to navigate an unconstitutional government sponsored surveillance and tracking mechanism called the Aadhaar.

12 Conclusion

At the present, the Republic of India does not have in force a comprehensive, clear, and robust Privacy law. Article 21 of the Indian Constitution has asserted the need to assure “protection of life and personal liberty.” But, as in the case of the United States, India does not explicitly guarantee a Citizen’s right to privacy. However, Govind vs State Of Madhya Pradesh & Anr. (1975) Footnote 101 and Unni Krishnan, J.P. And Ors. Etc. vs State Of Andhra Pradesh And Ors. (1993) Footnote 102 have recognized one’s enumerated right to personal privacy.

In Govind vs State Of Madhya Pradesh & Anr., it was clearly asserted, for instance, that while one’s right to privacy ‘at the time’ was not determinable by the court as being absolute, the court had ruled that restricting one’s privacy, and in any way had to be upon “the basis of compelling public interest”, Footnote 103 and that any infringement upon privacy, “must satisfy the compelling State interest test.” Footnote 104

One of the most important points to note, and in relation to the aforementioned statement is, as follows. Being a member of the national legislature, this author can attest to the fact that no such compelling State interest test has ever been discussed, conceived, deliberated, consented to, or developed - with the cooperation and, or consent of the Parliament, in relation to the Aadhaar program. Additionally, and again as a member of the national legislature, this parliamentarian can further attest that, no compelling state interest in relation to the need to have the Aadhaar program deployed has ever been introduced, and, or formally brought forward for deliberation before the national legislature; either supported by results of any compelling national interest test, or separately by the widely acknowledged presence of any compelling state interest , which has been incontestably surfaced, and through incontrovertible means.

Also, it must be noted strongly that, in terms of deploying a program that would ultimately affect nearly 1.4 billion people, the many States in the Indian federalism have neither been adequately consulted, nor has the issue been adequately deliberated authoritatively. This is not a small process deviation in the least, or a democratic process breakdown at most, rather a demonstration of moral bankruptcy in the fabric of national governance.