On 28 May, Arghya Sengupta, the founder, manager and research director of the Vidhi Centre for Legal Policy, a private think tank, tweeted a list of “contributors”—released by the government—who had helped develop the controversial COVID-19 contact-tracing app, Aarogya Setu. Sengupta was listed among the “Industry and Academia Leadership” of the team. Vidhi has also consulted the central government on Aadhaar and the Personal Data Protection Bill, 2019, among several other pieces of legislation. Documents accessed by The Caravan show that the ministry of home affairs owed dues to the tune of Rs 22,14,000 to Vidhi for the fiscal period between 2017 and 2019. The MHA’s dues included payments to be made by the National Intelligence Grid, a centralised network of databases for intelligence and law enforcement agencies. 

Curiously, the MHA has never publicly announced this association with Vidhi. As per the think tank’s annual filings with the ministry of corporate affairs, the dues—Rs 90,000 by NATGRID for the fiscal year 2018–19 and Rs 21,14,000 by the MHA for the fiscal year 2017–18—were listed under “amount receivable” which is the balance of money due to a company for services delivered but not yet paid for by the customer. The MHA had contracted the think tank for an unspecified service. Notably, at the same time Vidhi was advising the central government on legislation for privacy rights which would directly impact all the monitoring and surveillance systems that come under the MHA, indicating a conflict of interest. 

Apart from this, according to a privacy-rights activist, who chose to remain anonymous, Vidhi has played a key role in transforming India’s technology-related policy making into a highly problematic process. He explained, “For some time now, technology-related policy-making started with a group of private entities … working with the government with exclusive access to data, to build software and applications. The code that is developed this way is then translated into law”—laws that Vidhi then helps formulate, almost exclusively. “The law is framed to cover and fix the vulnerabilities of the code” developed by these private entities, said the activist. Aadhaar, and now Aarogya Setu demonstrate that instead of framing a law and then bringing in software and systems that run in accordance, India has followed the practice of engaging private entities to build software and applications, and then framed the laws to fit these systems. 

This diagnosis is an apt representation of the current state of privacy legislation in India. The PDPB, which was tabled in Parliament on 11 December 2019, and is yet to be passed unto law, was meant to create an overarching framework to govern all data collection, storage, requisitioning and usage. In the absence of this privacy framework, the government’s implementation of Aadhaar—which is the largest biometric-identification system in the world—and other data-gathering and surveillance systems, have faced heavy criticism. 

In the past six years, the Modi government has pushed ahead with policies and monitoring systems that enable creation of citizens’ databases and mass surveillance, the absence of a privacy framework notwithstanding. In September 2019, soon after he took charge as the union minister of home affairs, Amit Shah announced his plans to revive the process of building the NATGRID.