Legal Obligations For Privacy - eGov

Privacy Law in India: What does it mean for eGov?

Privacy Law

A1. Provisions In The Constitution Of India

The Constitution of India does not explicitly provide for the right to privacy.

Privacy has been read into the right to life and personal liberty (Art. 21) in the judgement of Puttaswamy v. Union of India. Following the judgement, the right to privacy is an inalienable and inherent right under the Constitution, though still an implied one (not explicitly mentioned as such). The judgement created a 4-fold test on the basis of which privacy practices can be created.

A2. What Should eGov Do?

The Supreme Court has identified a 4-fold test that can measure what potentially affects privacy. eGov should aim at satisfying these tests for privacy compliance.

To satisfy the tests of -

  • Legality (sanctioned by law)

Every dataset must be collected, stored, transmitted, analyzed or shared on the basis of legal authority, i.e. the entity that is collecting / storing / processing / sharing the data must be able to point to a legal instrument that gives it the power to do those things. For Urban Local Bodies (ULBs), the main source of authority would be Art. 12 of the Constitution, read with Part IXA (Art. 243P-243ZG) and the 12th Schedule.

  • Legitimate aim

For each item of data collected, stored, processed, or shared, there should be a clear purpose identified; this purpose must flow from a legitimate task that the entity collecting it (i.e. a ULB) is mandated & authorized to perform (hence, legitimate), and this purpose must be communicated to the citizen. This is closely related to the , , and .

  • Proportionality

Any form of data handling must be tested from a risk-benefit lens. Based on this assessment, we should ask the question: “Is there a less intrusive or lower-risk way to do this?” If yes, we should adopt that method.

  • Appropriate safeguards

The processes and assessments involved in all of these decisions must be documented. In addition, we can look at multiple layers of safeguards:

  1. Role-based access controls

  2. Indelible logs and auditability

  3. Incident/breach management systems, including notice to legal / investigating authorities and to citizens

  4. Consent frameworks

  5. Security audits (software and process)

The IT Act creates a class of entities known as intermediaries, and places obligations upon them with respect to the receipt, storage, transmission, and processing of data.

Intermediary is defined as -

Sec 2 (w) “intermediary”, with respect to any , means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-marketplaces and cyber cafes.

An intermediary is thus defined as an entity which, on behalf of another person,

  • Receives an electronic record

  • Stores the electronic record

  • Transmits the electronic record

  • ‘provides any service with respect to electronic records’.

NOTE: The exact interpretation of ‘service with respect to electronic records’ has not been established yet. To the extent that eGov can demonstrate that it does not interact with any citizen’s data, this provision may not apply to eGov – i.e. eGov is not an intermediary.

B.1. Legal Obligations (All Entities)

The IT Act places certain obligations and penalties on any/all persons, irrespective of .

  • Sec 43 holds any person up for penalties and compensation for “damage, unauthorised access, illegal downloads, disruption, denial of access, the introduction of the virus among others to a computer, computer system, etc.”.

  • Sec 72 makes disclosure of electronic records, information, etc. without consent from the relevant person or authority punishable with imprisonment up to 2 years &/or a fine up to Rs. 1 lakh.

  • Sec 72A makes disclosure of information without consent and in breach of a lawful contract with an intent to cause wrongful loss or gain punishable with imprisonment up to 3 years &/or a fine of Rs. 5 lakhs.

NOTE: This section is relevant to all employees and contractors at eGov, in their personal capacity, as well as eGov as an organization. If such a breach occurs due to the actions of an eGov employee/contractor, eGov may be liable to fines.

B.2. What eGov Must Do

  • Tighten access controls

  • Tighten security

  • Build in consent-taking mechanisms to avoid liability of wrongful disclosure

  • Maintain clear contractual liabilities and strictly abide by the contract.

B.3. What eGov May Have To Do

If eGov does interact with citizen data (provides any service with respect to electronic records) then a few obligations as an intermediary are to be complied with -:

  • Sec 67C - Preservation and retention of information by intermediaries – (1) Intermediary shall preserve and retain information ‘as prescribed by the rules’. Intentional contravention of this section can lead to imprisonment of up to 3 years and a fine.

NOTE: The Rules relevant to this Section of the IT Act have not been prescribed yet; in any event, the section will not apply if eGov is not considered an intermediary.

  • Sec 79 of the Act allows intermediaries to be exempt from liability for third-party information – where such information is found to be illegal, criminal, harmful etc. – that they stored, transmitted etc., under certain conditions (sometimes known as ‘safe harbour’). The key to safe harbour is that the intermediary was not aware of the information, did not in any way modify or edit it, and did not make decisions about its transmission.

NOTE: To the extent that eGov would be looked at as an intermediary for processing data, it would fall outside the protection of this provision; however, the question of whether ‘services’ extend to automated processing is still in debate. In any event, the section will not apply if eGov is not considered an intermediary.

  • Sec 43A read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 mandates bodies corporate to provide a privacy policy, to collect, transfer, and disclose information in a mandated manner, and to maintain reasonable security practices and procedures as provided in the Rules.

NOTE: eGov is not a ‘body corporate’ within the meaning of the IT Act/Rules. Nonetheless, given that our software is intended to be used by governments, and will be used to collect/store/process large volumes of citizens’ personal data (including sensitive personal data), eGov should abide by the guidelines as a matter of responsibility & good practice.

The new changes in the IT law have now removed the 2011 rules and replaced them with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules obligate intermediaries to -:

Publish - in English language or any , their privacy policy, user agreement for access and use of our products and services as well as the rules and regulations that apply to anyone using our products and services.

The rules eGov sets for the usage of its products and services must be designed on the following principles -:

No one is allowed to host, display, upload, modify, publish, transmit, store, update, or share any information -

  • that one does not have any rights over and does not belong to that person (third-party information),

  • defamatory, obscene, pornographic, paedophilic, invasive of another’s privacy, including bodily privacy, insulting or harassing on the basis of gender, libellous, racially or ethnically objectionable, relating or encouraging money laundering or gambling, or otherwise inconsistent with or contrary to the laws in force;

  • is harmful to any child;

  • infringes any patent, trademark, copyright or other proprietary rights;

  • violates any law for the time being in force;

  • deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any information which is patently false or misleading but may reasonably be perceived as a fact;

  • impersonates another person;

  • threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign States, or public order, or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting other nation;

  • contains software virus or any other computer code, file or program designed to interrupt, destroy or limit the functionality of any computer resource;

  • is patently false and untrue, and is written or published in any form, with the intent to mislead or harass a person, entity or agency for financial gain or to cause any injury to any person;

Inform users that non-compliance with any rules/privacy policy or user agreement would lead to immediate termination of access/usage of eGov products/services and deletion of such content.

C. Provisions Of The Digital Personal Data Protection Act, 2023 (DPDP Act)

Presently, the ‘Act’ enters into force as a stand-alone legislation to protect digital personal data i.e. all personal data available in a digital form.

Definitions -:

  • means any data about an individual who is identifiable by or in relation to such data.

  • defines bodies such as the data fiduciary, data processor and significant data fiduciary.

  • means a wholly or partly automated operation or set of operations performed on digital personal data and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

As we wait for further clarification and rules to be passed to better understand the law, we explore the parts of the law that are relevant to eGov, when it plays different roles in its functions.

C.1 Role eGov Plays & Corresponding Duties Under The Act

C.1.1 eGov as a Platform Owner (PO)

As a platform owner, eGov would not deal with data at all. It would simply create the code base and hand over the platform to the administering authority or implementation agency for integration.

There would be no interaction with data - no personal data would be touched and therefore this Act would not be attracted by eGov.

C.1.2. eGov as an Implementation Agency or Supporting Agency

eGov may decide to take up the role of a Supporting agency or Implementation agency.

As with any of the above two roles, eGov would be a data processor i.e. it would on behalf of or on the instructions of the or program owners.

As an Implementation agency (IA): Where eGov is contracted to deploy and configure its platform into the administrative authority or program owner's systems, functioning as an implementing agency, eGov would set up the hardware necessary for the program; OR customise, extend, configure, and install/set up the software (platform) as per the needs of the program owner; OR train staff or contractors of the program owner on how to use the platform; OR perform other such functions to ensure program readiness as may be agreed upon between the implementing agency and the program owner and/or administrative authority responsible for such platform implementation. As an IA, eGov would have access to data (the extent of such access to data may be defined in the agreement between the administering authority and eGov as an IA). As long as eGov does not decide the purposes and the means of processing, it will remain a processor and not become a data fiduciary.

As a Supporting agency (SA): As an SA, eGov would provide support in any functional aspect required by the program owner with respect to that platform implementation (e.g. assistance in the maintenance of the platform, technical or operational problem-solving, bug/error resolution). SA will have access to such data as is necessary to perform their functions, and this shall normally be specified in the agreement/contract between the supporting agency and the program owner / administrative authority.

Being an IA and a SA would make eGov a processor of data under the Act. (Refer to the definition of a data processor above).

C.1.3. As a processor as per the Act:

C.1.3.1 Indirect obligations:

The Act holds the data fiduciary responsible for the actions and functions of the data processor. The fiduciary would hire the processor to conduct the relevant processing.

It is to be assumed that an indirect burden of obligations under this law for the data fiduciary is also applicable to the data processor (Section 8 (1) is applicable to the data fiduciary and in parallel to data processors). Hence the must-do’s for processors are to be widely read into the obligations of the data fiduciaries as well.

Some obligations apply to the data fiduciary but involve the function of the processor and include processing. These may then become indirect obligations on the data processor as well.

eGov may be instructed or mandated to do the below by the data fiduciary -:

  • Maintain the completeness, accuracy, and consistency of personal data [Sec 8(3)]

  • Implement appropriate technical and organizational measures to implement the Act [Sec 8(4)]

  • Intimate the data fiduciary on any personal data breach [so that the data fiduciary can inform the Board and data principal about such a breach - Sec 8(6)]

C.1.3.2 Direct obligations/Must do’s for eGov as a data processor

Below are a few specific obligations the law provides for data processors to follow (and therefore for eGov as a processor).

  • Process any data only if there is a valid contract between the administering authority and eGov (data fiduciary & processor) [Sec 8(2)]

  • Maintain security safeguards to prevent personal data breach [Sec 8(5)]

  • Follow the instructions given by the data fiduciary on data deletion

  • Follow processing standards issued through Central government policies (as issued under Sec 7(b)(ii) - yet to be issued)

  • Maintain a record of data processed (to assist the data fiduciary i.e. the relevant administering authority with obligation Sec 11 of the Act).

All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.