International Journal of Advanced Legal Research [ISSN: 2582-7340]

DIGITAL PUBLIC INFRASTRUCTURE AND THE CONSTITUTIONAL STATE: A COMPARATIVE ANALYSIS OF INDIA AND ESTONIA – Anushka Vasishth

  1. ABSTRACT

This article aims to assess how Digital Public Infrastructure (DPI) affects the efficiency of the state while balancing the protection of individual rights, by examining the contrasting models of India and Estonia. On one hand, Aadhaar represents a highly centralised approach that delivers welfare using a single biometric database; on the other, Estonia’s X-Road framework demonstrates a decentralised system based on interoperability, user control, and minimal data. At the core of the study lies an exploration of digital architectural choices and how they influence fundamental rights such as privacy and dignity. The hypothesis advanced is that while India’s centralised digital architecture has expanded administrative capacity, it carries an increased risk of exclusion and surveillance, whereas Estonia’s decentralised design shows that technological efficiency can coexist with privacy protections.

  2. INTRODUCTION

What is Digital Public Infrastructure?

Digital Public Infrastructure (DPI) is a network of interoperable digital systems that provide tools for foundational purposes such as creating digital identities, making electronic payments, and securing data exchange, for government as well as private service delivery. These systems are viewed as essential components of modern governance because they enable financial inclusion and efficient welfare distribution, and enhance overall state capacity. Institutions like the G20 have recognised DPI as a key driver of digital transformation, while also pointing out the need to operate within a system that protects human rights and ensures public trust.[1]

Objectives of this Article

The objective is to undertake a comparative public law analysis of the DPI models of two countries that diverge sharply in their technical design: India’s Aadhaar and Estonia’s e-ID system, supported by its X-Road platform. The purpose is to evaluate how each country’s system affects questions of accountability, privacy, and inclusion.

Core Challenge

A fundamental question lies at the heart of digital governance: can the state pursue administrative efficiency without compromising constitutional rights? To answer it, this study applies comparative public law methods, focusing on how each country’s constitutional and regulatory frameworks respond to the risks of these technological designs.

  3. INDIA: CENTRALISED EFFICIENCY AND CONSTITUTIONAL CONFLICT

Scope of the Aadhaar System

Aadhaar is India’s flagship national identification project. Launched in 2009, it was designed to assign every resident a unique 12-digit number linked to their biometric and demographic data. The program is managed by the Unique Identification Authority of India (UIDAI)[2] and was adopted to authenticate beneficiaries, streamline welfare delivery, and prevent leakages in welfare distribution. Enrolment involves the collection of fingerprints, retina scans, and facial photos. More than 1.4 billion people are enrolled in the program, making it the world’s largest biometric ID system.[3] The single, centralised database for Aadhaar is called the Central Identities Data Repository (CIDR), and it stores all the biometric and demographic data in one place. The goal of such a centralised system was efficiency and inclusion; however, this centralisation has instead raised questions regarding data security, surveillance, and the autonomy of the individual. This design choice prioritises administrative scale over distributed control, and in doing so creates a concern with regard to privacy.

Data Privacy and Security Vulnerabilities

Centralisation of data is a risk to privacy and cybersecurity. Aadhaar’s database can potentially correlate multiple transactions by using a common unique identifier across contexts, enabling the creation of detailed behavioural profiles. In practice, too, Aadhaar’s safety record has been patchy: several government portals have inadvertently published citizens’ personal data, revealing their names, addresses, and Aadhaar numbers. One investigation revealed that nearly 200 government websites had displayed Aadhaar information publicly, while unauthorised access of those websites had also come to light.[4]

A major example of this security gap in India’s DPI was the CoWIN data breach in 2023, in which sensitive vaccination and identification details were exposed on platforms like Telegram.[5] Apart from such breaches, other concerns have emerged from the potential use of Aadhaar data, including surveillance driven by Artificial Intelligence (AI). With AI applications expanding in law enforcement, there is an increased possibility of linking biometric data to predictive policing or facial recognition tools, which has been criticised as undermining democratic accountability.[6]

[1]G20 India Presidency, G20 Framework for Systems of Digital Public Infrastructure (Aug. 2023), https://g7g20-documents.org/fileadmin/G7G20_documents/2023/G20/India/Sherpa-Track/Digital%20Economy%20Ministers/2%20Ministers%27%20Annex/G20_Digital%20Economy%20Ministers%20Meeting_Annex1_19082023.pdf.

[2]Unique Identification Authority of India (UIDAI), About UIDAI, https://uidai.gov.in/en/.

[3]Unique Identification Authority of India (UIDAI), Aadhaar Dashboard, https://uidai.gov.in/aadhaar_dashboard/india.php.

[4]Jackson School of International Studies, University of Washington, The Aadhaar Card: Cybersecurity Issues with India’s Biometric Experiment, https://jsis.washington.edu/news/the-aadhaar-card-cybersecurity-issues-with-indias-biometric-experiment/#_ftn11.

[5]The Legal School, CoWIN Data Breach: A Wake-Up Call for India’s Digital Infrastructure, https://thelegalschool.in/blog/cowin-data-breach.

[6]Jackson School of Int’l Studies, The Aadhaar Card: Cybersecurity Issues with India’s Biometric Experiment, supra note 4.