ylliX - Online Advertising Network
IFF submits feedback on UNDP’s Interim Report on DPI Safeguards and Governance
latestnews

IFF submits feedback on UNDP’s Interim Report on DPI Safeguards and Governance

Written by News One


tl;dr

IFF submitted feedback on UNDP’s Interim Report on DPI governance and safeguards, first of its kind, covering issues such as the need to define DPI and its suitability in local contexts, significance of diverse citizen participation, exclusion risks associated with DPIs amid grave digital divides, the lack of data protection laws or adequate citizen safeguards, threats to individual privacy, surveillance and discrimination concerns, and the need to instil transparency and accountability in public-private projects like DPIs.

Important Documents

  1. IFF’s Feedback/Response on the Interim Report ‘Leveraging DPI for Safe and Inclusive Societies’. (Link)
  2. UNDP’s Interim Report titled ‘Leveraging DPI for Safe and Inclusive Societies’ dated April 2024. (Link)

Background

In April 2024, UNDP released its Interim Report titled ‘Leveraging DPI for Safe and Inclusive Societies’ (the “Report”), comprising global perspectives on the current digital public infrastructure (“DPI”) ecosystem, and how it may be harnessed by nations for digital inclusion, good governance, and meeting Sustainable Development Goals. The Report also attempts to address the inherent risks tied to DPI implementation and propose mitigation strategies. It opened up the Report for public feedback until June 30, 2024 through a feedback form. IFF submitted its feedback, an email copy of which can be accessed here.

Why should you care?

Global discussions and similar policy ‘roadmaps’ on DPI manifestly lack perspectives from the Indian public—not on how vastly India has rolled out and invested in DPI projects, but specifically on how distinctly vague, ambiguous, unaccountable, and non-transparent it is. Our Union government has preferred a wide (if any) definition for what constitutes DPI, where not only the usual suspects like UPI or ONDC (read our explainer on ONDC here), but anything from DigiYatra to APAAR student ID is being hailed as DPI without subtext or seemingly much of a criteria. Even though India created a Global DPI Repository (“GDPIR”) as part of its G20 Presidency with the objective of publicly enumerating its DPIs alongside other nations, schemes and projects not listed on GDPIR are also liberally being referred to as DPIs. We worry that such liberal interpretation and our focus on ‘emerging as global leaders in DPI’ may be hollow without a meaningful assessment of how the structures operate or affect Indian populations.

DPI, the way India interprets it, is built on public-private partnerships or provisioning models, and is deployed in the public sector to reach a maximum possible population cover. By keeping private partners, government instrumentalities can evade accountability and transparency requirements that do not similarly extend to the private sector. By keeping government partners, private entities may be able to benefit from exemptions reserved for government instrumentalities under various Indian laws, such as certain provisions of the Digital Personal Data Protection Act, 2023. There is no anchoring law, policy, or act of Parliament governing such vast public systems or providing baseline safeguards—like grievance redress mechanisms—for most DPIs operational in India today.

Despite these glaring shortfalls, the Union government and key market players have keenly taken every opportunity to showcase its DPI ecosystem as groundbreaking and infallibly successful, especially at global fora (see here, here, here, here, here, here, here, here…). News and media, too, are saturated with commentary in praise of India’s (many) DPIs (see here, here, here, here…) and worryingly, even think-tanks/research organisations have offered nothing more (see here, here, here). What this conversation presently (and completely) lacks is critical analysis—assessments of how DPIs affect privacy, data protection, free speech, access, inclusion, and human rights generally.

We believe that it is important for civil society, researchers, human rights activists, and all Indian citizens to break through the noise by asking difficult questions on the DPI ecosystem at play in India and starting necessary conversations on accountability, transparency, and good governance. 

The Feedback Form accompanying the Report asked the following questions, which IFF responded to as per corresponding Sections in the Report:

  1. Please identify any specific areas or arguments within the report that you found unclear or unconvincing.
  2. In section 3 on DPI Opportunities: How accurately does the report capture the potential benefits and risks associated with DPI? Are there additional opportunities or risks not addressed?
  3.  In section 4 on Need for Guardrails: Considering the operational principles contained within the report’s framework, how applicable do you find these principles in the political economy contexts you are familiar with? What factors might limit their applicability? Additionally, how do you think these principles could be modified or contextualized to better suit specific local conditions?
  4. In section 5 on Actionable Framework: In the report, strategies for operationalizing DPI risk mitigation principles are detailed. How do you evaluate the practicality of these strategies for implementing the principles in the contexts you are familiar with? Which aspects of these strategies do you find particularly effective or inadequate? Furthermore, from your experience, are there alternative strategies that could offer more robust solutions for operationalizing these principles to manage DPI risks?
  5. Are there any critical aspects or perspectives that you believe are missing or underrepresented in the report?
  6. In the context of multi-stakeholder processes for implementing DPI, which stakeholders are most well-represented and/or have the most influence and which are under-represented and/or have the least influence, in your experience? Does the under-representation/lack of influence of any stakeholders affect the feasibility of the operationalization pathways outlined for safe and inclusive DPI outlined in the report? If so, how?
  7. Any additional recommendations or suggestions as DPI safeguards WG move to the deductive phase?

Below is a summary of our responses, categorised based on themes rather than questions for better comprehension.

On defining ‘DPI’

The Report forms a robust base for the effective regulation and good governance of DPI, but a pivotal step before regulation is to define what is understood across States as DPI. Though the UN Secretary General’s Roadmap for Digital Cooperation defines digital public goods (“DPGs”) and a global authority has prescribed a set of nine indicators to determine whether a solution is a digital public good, this is not the case for DPIs. Not all DPGs can be used as building blocks for DPI. DPGs having their own lifecycle and governance structures implies that they predate or outlast State-specific DPIs.

In contrast to DPG, DPI has been trickier to define. Due to differences at the global level, States have preferred to define DPI according to their local contexts and needs. India, for instance, does not have a narrow or comprehensive definition for DPI, which has led to an environment of confusion and speculation as old and new projects alike are being identified/announced as DPI without the underlying reasoning or subtext being provided to the public. Projects like the DigiYatra to APAAR student ID have been hailed as DPI on government social media channels, for instance, but do not feature in India’s list of projects on the Global DPI Repository. 

On suitability of integrating DPIs into a society

While the Report, as a whole, carefully balances the potential benefits and risks of leveraging DPI in meeting sustainable development goals (“SDGs”), one must pose the question of suitability at the outset—encouraging States to assess whether building and relying on such infrastructures is the most optimal route for them to a) attain said SDGs, and b) deliver welfare benefits to their populations. In most cases, building DPI entails large-scale digitalisation of core state functions, which can sometimes have grave implications for access to entitlements and rights guarantees. 

For instance, India’s Aadhaar project, which is identified as a DPI by the Indian Union government, has increasingly become the primary channel for citizens to access social security and welfare guarantees provided by the State. We used the example of one such welfare framework in India: the National Rural Employment Guarantee Act, 2005 (“NREGA”). We have previously analysed how attempts by the State to digitalise NREGA at various turns have received steady, informed, and grounded pushback from workers, local communities, and civil society. DPI interventions in NREGA have undermined the welfare framework at a rapid pace and potentially entrenched it with an additional set of issues around access, inaccuracy, exclusion, and disenfranchisement. 

Therefore, it is pertinent for States to independently assess the suitability of adopting DPI in their local contexts. We urged the Report to point out that the current exponential adoption of DPI in some States should not set the pace for its adoption by others, and that States must spend time understanding the needs of their populations before finding solutions in DPI-based interventions.

On citizen participation in DPI governance

The Report, at multiple turns, emphatically recommends rooting DPI implementation in engagement with key stakeholders including civil society and local communities. Noting the lack of public and multi-stakeholder consultations across DPI projects in India, we strongly supported the recommendation and reiterated that a robust and proactive citizen engagement model is an essential prerequisite to all DPI projects.

Addressing the Digital Divide

The Report made references to addressing exclusion due to implementation of DPI. Tech-based exclusion and discrimination has been a persistent concern for India for decades. At present, over half the Indian population has access to the internet, but wider internet adoption does not translate into meaningful access. India suffers from a gaping digital divide, where factors of low literacy and unfamiliarity with emerging technological tools can impede many population groups from reaping the benefits of the internet and digital technologies recreationally as well as for better quality of life. During the COVID-19 pandemic, increased digitalisation and reliance on online tools across sectors like education, labour, and health, forced many to fall through the cracks. Data from the Telecom Regulatory Authority of India reveals a wide digital divide, and repeated reliance of the government on digitalisation and technology-first solutions has also not helped bridge these gaps. Check out IFF’s Connectivity Tracker for statistics and deeper analysis.

Despite the glaring divide, the last decade has seen large-scale and simultaneous roll-outs of DPI projects such as UPI, ONDC, Ayushman Bharat, COWIN, Aarogya Setu, Digi Locker, Digi Yatra, POSHAN Health Tracker, APAAR Student Registry and IDs, eSanjeevani telehealth service, and more, with most of these emerging close to one another in the last five years. Without proactive measures to bridge the gap, India’s long list of DPIs will remain underutilised.

Further, the government’s ‘Digital India’ programme launched to “transform India into a digitally empowered society and knowledge economy” has struggled with addressing foundational encumbrances like infrastructural capacity, tech-preparedness, and the aforesaid digital divide. The programme envisions inter alia large-scale digitalisation across sectors to set up DPIs for collaborative public-private provisioning of digital services. Naturally, an exercise of this magnitude also envisions large-scale data collection and processing. Without adequate data literacy and empowerment, populations may be confronted with exploitative data sharing and collection practices in the absence of informed consent or due compensation. 

Privacy concerns with DPI

The Report notes that DPI interventions must not intervene with individual privacy, and in later sections, prescribes a few standards to this effect. A foundational fallacy of India’s digitalisation programme which relies so heavily on citizen data collection, is the lack of an active data protection law. The DPDPA was passed and notified in 2023 after a long and winding journey through committees and consultations. Yet, its final version seemed unrecognisable and was never opened up for public scrutiny and consultation. The DPDPA, 2023 has not yet been implemented, and the Rules set to operationalise many of its provisions have not seen the light of day. In its present form, the Act falls short on many counts, so even when it is implemented, India’s overarching data protection law will suffer from holes and pitfalls. Read our detailed analysis of the Act here.

In other States as well, there is a possibility that the presumed data protection regime or law either does not exist, or does not carry enough safeguards to ensure that DPI is adopted with due regard to human rights, choice, privacy, dignity, and safety. We suggested that the Report set out further operational principles for States to adhere to while adopting DPI, including but not limited to:

  • Data minimisation as a rule;
  • Privacy and data security by design;
  • Purpose and storage limitations;
  • Necessity, proportionality, and reasonable nexus in privacy-infringing systems;
  • A robust data protection law in place comprising comprehensive safeguards, rights, and entitlements of data principles/subjects;
  • No sweeping exemptions to government instrumentalities/public entities/law enforcement agencies;
  • No dilution of right-to-information instruments. 

Surveillance and discrimination

Surveillance and discrimination are tangible risks and glaring concerns associated with DPIs, especially in the Indian context. Many DPI projects in India entail creation of ‘unique digital IDs’ stored in centralised databases, at a time when the cybersecurity infrastructure of the Indian public sector has been demonstratedly weak and prone to breaches. Without adequate redlines and safeguards, or even an active data protection law, such rich and extensive databases can be accessed by a number of exempted instrumentalities and result in mass surveillance, 360-degree profiling of individuals, and targeted policing of vulnerable/marginalised communities.

Finally, the Report draws attention to the need for DPI implementation to be voluntary for citizens to participate in. In India, DPI projects create an illusion of ‘voluntary’ participation, or remain optional on paper, while in effect being mandatory or coercively operationalised. The colloquial concept of ‘voluntary-mandatory’ emerged from the Aadhaar project, which is arguably India’s largest DPI.

Citizen’s Aadhaar numbers and information are ubiquitously linked with several welfare schemes, and it is widely documented that common folk cannot afford to opt out of the project for risk of losing out on essential benefits. Similar patterns are seen in smaller DPI roll-outs like Digi Yatra, where recent reports indicate such high prevalence of coercion and arm-twisting by the State that airline passengers in India either do not realise they have signed up for the service, or have no choice but to participate in it.

In order to provide true ‘informed’ consent for opting into a DPI project, one needs to meaningfully engage with the infrastructure, which can, in some cases, demand high digital, technological and legal literacy. Given the abovementioned digital divide in India and similar jurisdictions, DPI implementation may not be based on truly ‘informed’ consent until fundamental societal inequities are addressed, and may even be thrust upon populations using coercion, misrepresentation, or the ‘voluntary-mandatory’ model. It is further unreasonable to expect individuals to be able to give informed consent when certain welfare schemes or healthcare benefits are contingent on enrollment in these systems. While the Report encourages States to make DPI voluntary and offer alternatives, we urged the Report to prescribe guardrails or minimum standards to ensure that what is voluntary on paper, must remain voluntary in practice.

On public-private partnerships

Wide DPI adoption within a State may impact technology procurement/provisioning systems and promote public-private partnerships in a way that dilutes transparency and accountability in the system(s), or impedes meaningful grievance redressal. DPIs in India are run by private or public-private entities. For instance, Digi Yatra has been operationalised through a private company created for this purpose, Digi Yatra Foundation. Despite it being a government-backed initiative and identified as a DPI, citizens do not have comprehensive channels to seek grievance redress, nor can they seek transparency on the system under the Right to Information Act, 2005 as the Foundation is a private entity. Given the scale of the project and the sensitive nature of data it collects from Indian citizens, such non-transparency and poor governance framework is a glaring cause for concern and a tangible risk across India’s DPI projects.

The Report references ‘Governance Models of DPI Systems’ and mentions transparency and accountability as key tenets in operationalising mixed provisioning. We strongly agree with this significant guardrail, as DPI implementation is increasingly relying on public-private partnerships across jurisdictions. Indian DPIs, at their core, are built on public-private partnerships and are deployed in the public sector to reach a maximum possible population cover. At present, there is no anchoring law, policy, or act of Parliament governing such vast public-private systems or providing baseline safeguards. There is little publicly available critical and human rights analysis on the infrastructure, and the success or efficacy of such mixed models in provisioning state functions is yet to be convincingly demonstrated in the Indian academic space. This gap in knowledge, juxtaposed with a strong push and rapid deployment of the mixed systems in India, is worrisome.

* This submission was made with assistance from Shravani Nag Lanka, Freedom Innovation Fellow, Internet Freedom Foundation



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *