IFF submitted comments in the ongoing consultation for India Digital Ecosystem Architecture (InDEA) 2.0 released by the Ministry of Electronics and Information Technology in January 2022. Our core approach is towards ensuring that the rollout of the architecture happens in a manner that safeguards the rights of the user. In our response, we focus on four core data rights-centric issues that we feel are of extreme significance. Comments on this paper have been invited by the Ministry from the public and other stakeholders latest by February 27, 2022.
Why should you care?
If you ever have had a problem with the GSTN portal, Aadhaar -- or any government digital system, then this framework is about you. Put within a dense 98 page document, we have written a summary, with a focus on the data-rights-centric parts, to help explain its main objectives. If you haven’t had a chance to go through it, here is a quick breakdown of the document for you:
- Lack of economic rationale: The stated objective of InDEA 2.0 is to facilitate a data economy and unlock enterprise value. However, no sources or underlying explanations for the same have been provided..
- Profit motive > Data rights: The document essentially says that our data is an “asset” and must be exchanged for “permitted commercial purposes” (Para 2.4.3). What this means is that our personal and non-personal data will be sold to the private sector. However, this is not the first time the government has monetised our data - Vahan database is accessible by Government and external parties under the Ministry of Road Transport and Highway Bulk Data Sharing Policy.
- No legislative backing: Through the implementation of InDEA 2.0, the government wants to collect and collate all government data (from Aadhaar data to data on beneficiaries of schemes), form an interlinked database and share it within the government as well as with the private sector. In the absence of an anchoring legislation such as a data protection law, the document fails to fulfil the threshold of legality put in place by the Supreme Court in the right to privacy decision.
On January 25, 2022, the Ministry of Electronics and Information Technology (MeitY) released a consultation paper titled India Digital Ecosystem Architecture (InDEA) 2.0. The framework is not legally enforceable in nature and enables the creation of a digital ecosystem to ensure seamless flow of information. Certain key features of the framework such as creation of federated digital IDs and data sharing with the private sector raise significant concerns around questions of privacy and data rights.
Previously, to facilitate rapid digitalisation, the Government of India has developed many sector-specific programmes envisioned to “expand interoperability of services in India through open protocols”. For instance, the National Digital Education Architecture (NDEAR), Unified Health Interface (UHI), Account Aggregator Framework and ‘India Digital Ecosystem for Agriculture' i.e. the Agristack are architectural blueprints for the education, health, financial and agricultural ecosystems respectively (to read IFF’s explainer on these topics, see here, here, here and here respectively).
What is InDEA 2.0?
InDEA can be best explained through an analogy - in the physical infrastructure of a city, it is the responsibility of the government to build roads, parks, public transport etc., which form the public ‘commons’, and it is only above this ‘platform’ that public and private actors can build other things. Similarly, the InDEA framework aims to create a ‘Digital Commons’ using open software, open Application Programming Interfaces (APIs), open standards, open licences etc., while enabling interoperability so that these platforms can interact with each other; and public and private actors can build solutions on top of this platform.
InDEA 2.0 is a revised version of the India Enterprise Architecture (IndEA 1.0) released in 2018. The former is a framework that enables Governments and private sector enterprises to design IT architectures that can span beyond their organisational boundaries and enable delivery of holistic and integrated services to the customers. In sum, InDEA is substantially about digital government.
The framework aims to design architecture in a manner so that it can be reused in another plan or ecosystem. It comprises three different architectural patterns suited to different administrative environments:
- InDEA Domain Architecture Pattern
- InDEA State Architecture Pattern
- InDEA Lite Architecture Pattern
All of these architectural patterns are bonded together by the InDEA 2.0 Master Plan (refer to Figure 1).
In our comments on the consultation paper, we have highlighted the following issues:
- Privacy implications of database interlinkage: In the absence of data protection legislation, sharing of databases both within and outside the government may put digital rights and privacy of individuals at risk. It is thus of utmost importance that data collection and sharing be undertaken keeping in mind the principles of purpose limitation and data minimisation. The framework fails to fulfil the threshold of legality put in place by the right to privacy decision as it has no legislative backing.
- Data sharing, user consent, and market asymmetries: While the framework does acknowledge the need for consent driven data-sharing, given the low levels of digital literacy that currently prevail, it is unlikely that truly informed consent will be conferred. Furthermore, the regulatory mechanisms that would underlie the consent mechanism, namely, the Data Empowerment and Protection Architecture as well as the Personal Data Protection Bill, 2019, may not provide adequate safeguards for data sharing. Lastly, data sharing policies must not be biased in favour of the private sector so as to reduce market competitiveness.
- Robust regulatory environment: It is imperative that data sharing policies are undergirded by a comprehensive regulatory framework. Thus, it is unfortunate that the InDEA framework eschews a similar level of regulatory oversight. Instead, the policy espouses a light-touch regulatory perspective by relegating security practices to simply be one of the ‘rules of engagement’. Two key preconditions for a robust data sharing policy, namely, a) that data sharing will take place under a statutory regime and b) that the underlying legal framework designates the need to ensure user privacy as paramount, are missing. An emphasis on “data as an asset” and the use of regulatory sandboxes only exacerbate these concerns.
- Implementational challenges: While the Governments’ move to embrace digitisation is commendable, the condition of digital literacy in the country remains deplorable. Thus, we recommend that the creation of digital infrastructure be ramped up on a mission mode basis. Additionally, the scale of digital literacy schemes must also be increased, while the quality of the training imparted must be improved. Furthermore, uniform data standards need to be defined to enable aggregation/exchange of information across multiple departments and sources.
Allowing private commercial entities access to personal data entails its own risks like data monetisation. If adopted, InDEA 2.0 may create perverse incentives for greater amounts of data collection and retention beyond the purpose consented by users. This practice will have real, damaging consequences on our privacy and thus must be put to an end immediately.
This post was drafted by Tejasi Panjiar, Capstone Fellow hosted at IFF and reviewed by Rohin Garg Associate Policy Counsel at IFF.