[This piece has been authored by Katyayani Shukla. This article examines India’s Digiyatra app and argues that its self-sovereign identity framework provides only “pseudo-self-empowerment” to users due to inadequate mechanisms for accountability, explanation, and transparency in how their data is transferred and processed. The author argues that while SSI principles promise user-centricity and decentralization, the absence of a “right to explanation” in India’s DPDP Act, contradictory policy statements on data retention, and limited oversight mechanisms undermine genuine informed consent and create a risk of shifting accountability onto citizens rather than state and corporate actors.]
Background
After Aadhaar, the most controversial digital initiative by the Indian government is the Digiyatra App (DYA). Last June, the CEO of Digiyatra Foundation outlined its expansion plan to incorporate regional languages and other services, such as driving license onboarding and hotel check-ins, within its ambit. It is also crucial to note that the number of passengers who travelled using Digiyatra surpassed 1.5 crore by 2024, as per the government’s report. Meanwhile, the commercial dispute between Digiyatra Foundation and Data Evolve regarding their proprietary rights, pending in the Delhi High Court, has brought back the debate about India’s data governance. In light of these facts and India’s bleak data protection regime, it is essential to assess the validity of Digiyatra’s claim regarding user-centricity and broader data protection. Digiyatra employs a principle of ‘self-sovereign identity’, which ensures only a ‘pseudo-self-empowerment’ of the individual, without a precise mechanism of accountability and explainability on the part of the powerful actors involved.
Digiyatra and Its Foundation
The Digiyatra ecosystem, introduced in 2022, comprises the Digiyatra Foundation, a public-private partnership venture established under Section 8 of the Companies Act, 2013. The entire superstructure of Digiyatra was built by the Hyderabad-based company Data Evolve. The Digiyatra Central Ecosystem, utilizing facial recognition technology and Aadhaar-linked credentials to authenticate passenger details, aims to provide passengers with a seamless and paperless experience of airport services, replacing traditional boarding pass check-in and security check-in.
The Digiyatra ecosystem, to fulfil its promise of data decentralization, functions on the “self-sovereign identity” (SSI) principle. SSI starts with the acknowledgement of the power asymmetry and risks inherent in existing digital identification systems. It is simply ‘an identity management system,’ as recognized by scholars, intended to operate independently of third-party public or private actors, based on decentralized technological architectures, and designed to prioritize user security, privacy, individual autonomy, and self-empowerment. Although there is no consensus on its formal definition, it aims at a ‘right to selective disclosure’ of different aspects of one’s identity and, in legal terms, conforms to the principle of ‘informational self-determination’. Informational self-determination originated with the German Federal Constitutional Court in the 1983 Population Census Case. The Court observed this principle to be a prerequisite for a free and democratic society. The idea of SSI is presumed to be a “technological revolution” capable of shifting the power dynamic of the internet with the aim of equalizing it for the benefit of all self-sovereign entities, namely individuals.
The structure of the Digiyatra app, through the storage of personal and biometric information on a user’s smartphone, verifiable credentials (unique credentials used to verify aspects of identity) and a distributed ledger, conforms to SSI. It ensures that only limited data is shared with service providers, with the informed consent of the users, and that at no stage should it be stored. However, despite its celebratory claim of moving away from a centralized system of data collection and identification, it needs to pass ample legal and structural tests to truly protect the data as it claims. In the name of ‘self-sovereign,’ it appears to provide a “pseudo-self-empowerment” to individuals; that is, it assumes knowledge on the part of the data principal (the user) regarding the transfer, processing, and usage of their data, which is provided with their consent. The digital identity system, involving complex data flows, will not be sufficiently comprehensible to ordinary citizens without a thorough explanatory mechanism in place. In such a scenario, the entire SSI mechanism will simply be reduced to a formality instead of a means to exercise informed consent. The situation is also exacerbated by the low digital literacy among India’s citizens, which stands at 37%, according to the NASSCOM report. Moreover, contradictory policy statements about data storage under DYF seem to deviate from the foundational principle of SSI. The Ministry of Civil Aviation’s claim that travel data is purged after 24 hours comes in direct conflict with the DYBBS policy, which mentions that travel data and other data will be retained by airport operators for 30 days.
Additionally, Digiyatra users have limited or negligible modalities to ascertain the value chain of their data after consent is granted. The non-applicability of the Right to Information (RTI) Act 2005 to requests about the transfer and usage of data after consent (as DYF is not a public authority) leaves the individual in a state of confusion, forcing them to guess, thereby diluting the concept of SSI itself. Also, the DPDP Act imposes only a limited obligation on the data fiduciary (in this case, Digiyatra): ensuring the completeness, accuracy, and consistency of personal data; undertaking reasonable security safeguards to prevent a data breach; informing the Board and the affected data principal in the event of a breach; and erasing personal data as soon as the specified purpose has been met and retention is not necessary for legal purposes. Furthermore, despite its attempt to broaden the responsibility of both data fiduciaries and consent managers, India’s Digital Personal Data Protection (DPDP) Act 2023 does not expressly incorporate the “right to explanation,” a key component of the EU General Data Protection Regulation (GDPR); its inclusion would have given teeth to the SSI principle.
Secondly, the overemphasis on SSI principles, such as user-centricity and individual empowerment, creates, along with self-sovereignty, an unnecessary risk of “self-accountability.” Correlated to this, it could disempower otherwise powerful actors, such as the state and private sectors, in the identification process, because a decentralized system creates hurdles in assigning accountability and determining the key players involved if any harm is caused. Paradoxically, a principle intended to empower the individual will ultimately prove detrimental to that individual, due to the imbalance of power, as it may fail to effectively address the over-capture of identifying data. It may also fail to address any historical shortcomings that already exist in identifying data created by the state itself. It might perpetuate discrimination and bias if combined with AI systems in the near future. Beyond this, it also challenges the traditional responsibility of the state to protect and be accountable towards its citizens.
Way forward
SSI, as one of the facets of digital identity, provides a firm foundation for data protection and individual empowerment. However, to fulfil its promise robustly, it needs to incorporate a mechanism for clarification and explanation regarding the transfer, processing, and utilization of citizens’ data. The starting point for realizing such a promise could be the incorporation of the “right to explanation” within the DPDP Act 2023 through amendment. It also requires taking steps towards clarifying the policy position regarding the collection, storage and purging of individual data. Furthermore, the clarification should also include the distinction between the personal data and the sensitive data that will be collected and processed. This will help individuals to exercise their informed consent in an effective way. Alternatively, through a policy statement, the Indian government can design a mechanism, with the help of subject matter experts, to explain to citizens the entire value chain of their data, taking into account critical safeguards. As for the issue of “shifting accountability” towards the citizen, it is an inherent flaw of the SSI principle that needs a legal and institutional response. Addressing it in this way will not only create an enabling environment for accountability but also strengthen citizens’ trust in the government and establish a robust data governance system.