Digital Identity and Citizenship: Progress amid Privacy Challenges

1. Revolutionizing Identification: The Dawn Of Digital Identity

Imagine a world where individuals’ identity, their name, age, fingerprints, biometric data and even a proof of being a citizen is stored on a small chip which can be scanned through a single click. Finally, in this 21st century, the technology has advanced to such an extent that this so called unrealistic imagination has come to a reality. The technology has given a way to digital identity which refers to the trusted and verifiable representation of individuals’ identity in the digital world. Furthermore, digital identity serves as the foundation for the digital citizenship which basically refers to the way and ability to use technology in a safe and secure manner. 

With the advent of digital identity, countries have seen many improvements in their overall system as well. Individuals can be now authenticated remotely. Also, digitalisation with its wide scope has led to an inclusive digital economy enabled through many digital platforms including online services and digital payment systems. Digital identity has helped citizens to access government services without any hindrance as it has led to accurate and reliable data unlike offline registries where chances of manual errors were higher. Countries have seen reduced gender inequalities and improved safety nets for poor. 

2. The Flip Side: Privacy Concerns In The Digital Realm

However, just like every coin has two sides, these benefits of digital identity and citizenship come with their own set of challenges, with privacy being a major concern. Real-life incidents have brought these issues into sharp focus, reminding us of the pressing need to address them with care and urgency. Without the proper oversight and safeguard, the issue of privacy concern will only be heated up. Digital identity being very recent phenomenon is engraved with very little transparency and also the system governing it follows the top-down approach leaving very little chance to let their citizens know about their privacy rights and a very high probability of misuse of their personal information.

The biggest example in the Indian history can be traced back in 2018 when huge allegations of data breaches were faced by Unique Identification Authority of India (UIDAI) which serves over 1.3 billion people. It was alleged that the personal information of millions of Aadhaar holders was being sold online for as little as Rupees 500 (approximately $6.50). Of particular concern was the security of biometric data, such as fingerprints and iris scans, which form the cornerstone of Aadhaar’s identity verification system. Similarly, according to the report by a US based cybersecurity firm in 2023, personal data of 81.5 crore Indians leaked through Aadhaar and was on sale on the dark web. 

Due to the increasing privacy concerns, Supreme Court of India in case of Justice K.S. Puttaswamy (Retd.) & Anr. v Union of India & Ors (2017), also looked into the issue and limited the Aadhaar Act for governance and ensuring the protection of personal data. A writ petition was filed as there were the allegations of collection of data without adequate safeguards and any backing statutory provision. The court held that Article 21 of the Indian Constitution includes right to privacy for individuals and hence, limited the Aadhaar Act and prohibited its private use. 

Another wake up call for the privacy concern was the “Facebook-Cambridge Analytica scandal of 2018.” It exposed how personal data, shared online in good faith, could be misused in ways that most people never imagined. The scandal took place as the data of a great chunk of Facebook users was secretly collected and used it for political purposes for winning the US elections of 2016. This incident clearly reflected how people aren’t fully aware of the way their data is being shared or misused and how digital identities can be exploited to manipulate opinions and societal outcomes. 

3. Balancing Trust: State’s Response To Privacy Concerns

Although the privacy concerns persisted and had been a great issue, questioning the continuance of digital identity and citizenship, an immediate heed was paid by the authorities. Significant initiatives were taken to minimize the data risks. In 2018, European Union introduced General Data Protection Regulation (GDPR) marking a huge milestone in the realm of digital data protection. It established principles like data minimisation, consent of the individual and the right to access or delete the personal data. Inspired by the standards set by GDPR, India’s journey towards robust data protection laws began with Personal Data Protection Bill (PDPB), 2019. Provisions for the data localisation and establishment of a DPA was proposed in this bill. Intensive public and parliamentary debates took place which laid the foundation of Digital Personal Data Protection Act (DPDPA), 2023.

This act was brought mainly to deal with the privacy concerns regarding the digital information of individuals. It widened the scope of privacy policy and brought the concept of privacy notice that also included information on DPBI, grievance redressal or exercise of rights of data principles. Also, the act now requires a notice to be provided while obtaining the data principal’s consent. Privacy policy which was brought under the Information Technology Rules, 2011 did not require any such information. This step of government represents its efforts to bring a reformed version of IT Rules which would ensure transparency regarding the data fiduciary’s processing activities to the external stakeholder. 

Building on these efforts to address the privacy issue, the government also took proactive measures to mitigate the rising issues of Aadhaar info leak and fraud. UIDAI has recently brought the new concept of masked Aadhaar to mitigate the Aadhaar based misuses and related privacy concerns. The very idea behind this concept is not to reveal the whole 12 digits of Aadhar card in front of the third party but only the last 4 digits. This would not only prevent the third party from accessing full Aadhaar number but could also be used for identification purpose.

4. Pioneering Solutions: The Path Towards A Secure Digital Future

While the government has made significant efforts in these several years by repetitive amendments and policies to cater this issue, still there are certain gaps which are needed to be filled. A system with multifaceted and multi-stakeholder approach is required to form a solid foundation for the future digitalised world. Countries should also focus on the technology that is context appropriate and equitable. Efforts should be made to decrease the costs of qualitative and secured technology. Also, limiting the collection of personal sensitive information and its exposure would bring a level of assurance among data principles. Additionally, the collection and assessment should be done by responsible entities that matches the recognized international standards who uses information for authentication purposes only. 

Bringing into sight the Estonia’s concept of e-ID, it would be a guiding path for all other countries. The electronic identity along with its unique concept of identity wallet allows digital signing and secure identification.  This highlights the technological advancements of Estonia and its forward-thinking approach which is based on an encrypted technology, securing the personal information of the individuals. Though identity wallet brought its own concerns but to deal with such issues, it further developed split-key technology working as a substitute for traditional security solutions. This serves as a benchmark for other countries, demonstrating that the challenges in digital identity systems can be effectively addressed.

In the above discussed DPDPA, 2023 as well, some further reforms can better resolve the issue which the government can take into account. Section 5 of DPDPA does not mention about some key information in its privacy notice like data retention and its processing locations, and most importantly the way modifications brought under privacy notice would take place. Amending the act in favour of such reforms would further support the digital identification system with diminished privacy concerns.

5. The Concluding Remarks

As discussed so far, digital identity and citizenship is a great technological leap offering the deepest advantages. Although privacy issues pose a problem, they should not overshadow the immense possibilities of this digital change. Therefore, governments all over the world, including India, have made tremendous strides by drafting a robust framework such as the DPDPA, 2023 and innovation in the form of masked Aadhaar to protect user data.

However, the journey is far from over and it is essential to view these shortcomings as opportunities for refinement and growth. Enhancing transparency and reducing the amount of sensitive data collection, would then further fortify the digital environment by making it a lively place that upholds user trust and responsibility. Digital identity can become the very tool for advancement, balancing innovation with the protection of privacy, in a more empowered future if it adopts a cooperative, solution-focused approach