Shashwat Lohia is a student of NUSRL Ranchi
1. Introduction
Several states are preparing to facilitate the upcoming elections in India. The Electoral Rolls(‘Rolls’), are a public document that determines who can vote. The Roll assists political parties in campaigning, for which they are supplied a free verified copy of the Roll. The Rolls contain substantial personal information such as the name, age, and address of an individual. It therefore comes as a matter of grave concern that a perusal of the Commission’s website reveals unrestricted access to personal data derived from a combination of data available, irrespective of who is accessing this information, and is, therefore, a cause for alarm.
Consequently, this freely accessible extensive dataset poses a significant risk of misuse and has been misused in the Anti-Sikh Riots where they had been utilised to find and identify the houses of Sikh families. Being a public document, the document is available to the ‘Public’ which the courts[1] have expanded to refer to a class or community residing in a particular locality or region. Extending this line of thought, it can be reasonably claimed that ‘Public’ ought to refer only to the citizens and residents of India. Construing it otherwise to include the whole world would lead to an absurd definition and would negate the territorial nexus of the law. The duty of regulating the Rolls falls to the Election Commission (‘EC’ or ‘Commission’). Despite the powers of the EC, significant steps have not been taken to protect this set of personal data. Thus, there may be a significant impact on voter data in the upcoming elections.
2. Data within The Roll
While the copies of the Electoral Roll available online do not contain photographs of the individuals within a particular constituency, they do contain their names, ages, gender and addresses which can be supplied free of cost to recognised candidates. This easy access allows any individual to obtain the data of any district without verification and for potentially mala fide purposes. It can be concluded that the data available within the Roll is valuable information containing multiple parameters which form useful datasets for statistical research, such as age, gender, and address. Their value is further demarcated as can be seen by the behaviour of the Delhi Police in requesting copies of the Roll for assistance in controlling the aftermath of the Delhi Riots.
3. The Rights and Duties of the Commission
In the United Kingdom, the Electoral system has multiple registers, one of which seeks to create an open register by ensuring data anonymisation to protect individual data. Their system has managed to strike a balance between the requisites of both democracy and privacy. The Indian Commission has the power for the application of a purpose limitation and its disposal. In practice, this means that the EC has the necessary ability to ensure the timely and proper disposal and use of the Rolls. However, this power of the Commission has not been used effectively. The Electoral Rolls play an important part in obtaining information for a larger data set the voter data. Nonetheless, the data within the Roll independently is also prone to misuse. An effect of open access as well as a lack of a purpose limitation on the Roll have led to the misuse of the roll in riots such as the Anti-Sikh Riots.
In an increasingly digitising world, the potential harm via acts of cyber-crimes using the Rolls grows exponentially. Such information being freely available can potentially pose a huge security threat due to the personally identifying nature of the data. The EC refused access when the Delhi Police requested direct access to the Rolls to control the aftermath of the 2020 Delhi Riots citing the Guidelines for Inter-Governmental Data Sharing citing “citizen privacy issues”. This action of the EC is indicative of the Commission utilising its powers to attempt a balance between democracy and privacy. However, the EC has not taken additional steps to secure the Roll’s information, which is available online for general access.
4. Voter Data, Manipulation and Data Protection: The Role of the Rolls
With the issues of linking one’s Aadhar and Electoral identity and the data leak allegations that the UIDAI has faced (also see here), voter data is at potentially high risk for misuse. Voter information is an important data asset thar can be used in conjunction with social media and other data to create an election campaign that is acute and targeted, thereby maximising a candidate’s chances of winning the majority. Tactics include using social media to feed misinformation to change or ensure their voting patterns. The Obama re-election campaign, the 2022 US elections, and the Modi election campaigns (see here, here and here) are some of the events in which voter data played a key role. The purpose of the Electoral Roll is to aid political parties in campaigning. However, campaigning ought not to definitively allow for a move beyond voter manipulation.
The Cambridge Analytica scandal depicts the dangerous potential of voter data and the need for a rigorously enforced data protection regime. From the facts of the scandal, we can see the presence of a nexus between the misuse of voter data (obtained ethically or unethically) and its transfer beyond national borders. Thus, to prevent misuse, some controlling mechanism for voter data, which comprises the information within the roll is required. Voter data and electoral rolls are often used for various purposes, such as voter outreach, political campaigns, demographic analysis, and election administration. With voter manipulation tactics becoming a global problem, it is pertinent that a conclusive solution that ensures a free and fair election is found. The obligation of which falls on the Commission.
Under the Digital Personal Data Protection Act, 2023(‘DPDP, 2023’or ‘the Act’), the Roll would qualify as personal data due to the combination of information it possesses. However, Section 3 of the Act carves an exception for the Commission from being compelled to protect digital electoral roll data, as it is a ‘person’ compelled by law to make the data publicly available. In the event that the Commission would be specially placed in Sections 7, 10, and 16 of the Act, it would necessarily be required to protect all data in its possession or under its control. A data protection regime would also aid in preventing potential misuse of the Roll as has been alleged to have occurred in Bengaluru.
Unlike the EU GDPR, the DPDP, 2023 does not mention mandatory data localisation compliance and allows for sectoral data protection. Much of the Act’s mandates being futuristic reduces the understanding or scope for any data localisation. The present Electoral Roll availability also moves against the objective of data localisation. It is necessary to prevent unfettered international access to the Roll because it is necessary to limit its use to prevent misuse. Thus, data localisation would benefit voter data, particularly by preventing or limiting some amount of untethered access.
5. Solution
The first possible step to protect personal data can be to create an identity verification system directed to determine whether an individual is a citizen or resident of India and therefore constitutes “Public.” This identity verification would serve the purpose of ensuring that there is a limited or counted supply of copies of the Roll. Numbering the Rolls or assigning a unique identifying sequence would aid in identifying and securing the Roll in the event of a data leak by tying a particular copy of the Roll to a particular individual or organisation. A secondary step would be to enforce the pre-existing purpose limitation powers of the Commission which would seek to use the Rolls only for their permitted purpose and must be destroyed post the completion. Strict punitive or financial penalty measures to enforce these regulations would also benefit the mechanism. Another step would be to provide pseudo-anonymised or anonymised Rolls instead of the informative form the Roll currently possesses.
6. Conclusion
The lack of data protection on the Rolls can be attributed to the absence of a prominent data protection regime. The ease of access to the data of multitudes signifies that there is a shoddy and impractical approach to the enforcement of data protection and digital privacy. There is a need to ensure that voter data and electoral data are not misused. Observing the past uses of electoral data, it becomes pertinent to make sure that there are free and fair elections. The enforcement of the SPDI Rules, 2011 under the IT Act, 2000 has been lacking. Proposed policy measures and Acts on Data Governance and Data Access (see here and here) to further regulate the Data Ecosystem provide hope for a Digitally Secure India. Until then, ensuring that voter data is secured requires more immediate measures.
[1] Harnandan Lal v. Rampalak Mahto, 1938 SCC OnLine Pat 264.