“The use of FRT does not require any anchoring legislation” - The Meghalaya Government

tldr;

In July, 2021, a press release by the Government of Meghalaya stated that facial recognition technology (FRT) would be used to verify the identity of pensioners to issue a Digital Life Certificate. On August 5, 2021, we provided support to Mr. Jade Jeremiah Lyngdoh, a law student, in sending a legal notice to the relevant authorities seeking reconsideration of such use of FRT in view of the possible privacy concerns. The Meghalaya Government by its response dated November 1, 2021 has explained its position. We welcome the department’s reply and believe that it encourages discussion and transparency around FRT, however, the reply suffers from various legal infirmities which we have analysed below.

Background

The Finance (Pension Cell) Department of the Government of Meghalaya issued an Office Memorandum dated July 15, 2021, clarifying that generating a Digital Life Certificate by using the “Pensioner’s Life Certification Verification” mobile application would also be considered as a valid means of submission of Life Certificate to the Pension Distributing Authority. According to a press release issued by the Government of Meghalaya, also dated July 15, 2021, the pensioner’s identity was to be verified by the mobile application using “Face Verification Technology” or facial recognition technology (FRT).

Mr. Jade Jeremiah Lyngdoh, a law student, approached us in July 2021, and we assisted him in drafting a legal notice to the relevant authorities to caution them against such use of FRT (the “Notice”).

In the Notice we highlighted the following:

  1. FRT is innately invasive and classifies as “sensitive personal information”;
  2. The Supreme Court in K.S. Puttaswamy v. Union of India 2017 SCC 1, held the right to privacy includes the right to informational autonomy, and any processing of sensitive personal data must follow the principles of lawfulness, fairness, and transparency; data minimisation and collection limitation; purpose limitation; storage and retention limitation; accuracy; integrity and confidentiality of data; and principles of accountability. “Pensioner’s Life Certification Verification” mobile application does not comply with any of these principles;
  3. The application has been rolled out without any anchoring legislation which governs the processing of personal data and thus lacks lawfulness and the Government is not empowered to process data;
  4. Because of a lack of an anchoring legislation, the residents of Meghalaya, amongst other things, do not have any statutory recourse in case their biometric information is misused; and
  5. Facial recognition systems are also not accurate.

We have written more about it here.

The Government of Meghalaya Finance (Pension Cell) Department has responded to the Letter on November 1, 2021. We welcome the department’s reply and believe that it encourages discussion around the use of FRT. However, the reply suffers from various legal infirmities which we have analysed below.

The Government's Response and our Analysis

The Government of Meghalaya Finance (Pension Cell) Department has stated in its reply dated November 1, 2021 that the collection of sensitive information for the limited purpose of establishing identity of a pensioner as mentioned in the office memorandum dated July 15, 2021, does not violate the right to privacy. More particularly, the response highlights the following:

  1. Optional Nature of FRT: the deployment of FRT is optional and not mandatory, and is in addition to the already available modes for obtaining life certificate. Further, if a user wishes to check opt out of the system at a later stage, they can submit a request to the Treasury Officer accordingly.

IFF’s response: The issue here is the protection of sensitive personal data, and even in optional cases, the principles of information security as laid down in Puttaswamy (above) must be complied by any authority collecting data, even when such collection is on a voluntary basis.

2. Legislative requirement and the right to privacy: The use of FRT does not require any anchoring legislation. The use of the app is optional, and so it meets the test of proportionality. The purpose of the technology is well defined i.e., for the establishing of the identity of the concerned pensioner. And the technology has a legitimate aim, which is offering additional convenience to pensioners.

IFF’s response: Even if the aim is considered to be legitimate, the fact that the use of FRT for identifying pensioners is optional does not, by itself, make its use proportional, since it puts the sensitive personal data collected at a high risk of being misused in the absence of a data protection law. Such risk outweighs the legitimate aim of offering additional convenience to pensioners. In any event, Puttaswamy requires any act of government that may infringe to be anchored in specific legal provisions, and as such, the Meghalaya Government use of FRT does indeed require an anchoring legal provision specifically permitting its use.

3. Remedy: Citizens would not be rendered remediless in case of misuse of personal information. The Information Technology Act, 2000 classifies biometric data as sensitive personal data, and Section 43A of the IT Act makes a body corporate possessing, dealing or handling sensitive personal data liable in the event of negligent implementation and maintenance of reasonable security practices and procedures and causing wrongful loss or wrongful gain to any person. Section 66E also protects private information. Recourse to provisions of IPC is also available in case of misuse of information.

IFF’s response: Section 43A of the IT Act, which puts an obligation only on body corporates, and does not apply to government departments at all. This means that if the government department in charge of handling the sensitive FRT data fails in its duty - there are no consequences under S. 43A.  In any event, S. 43A of the IT Act does not provide for protection of sensitive personal data, but only provides for a penal consequence of mishandling of data. This is not the same as having a data protection policy in place for the use of FRT.

Further, Section 66E only applies to transmission of images of a private area of any person without his or her consent, and has absolutely no application or relevance in the use of FRT at all.

4. Privacy Policy: The privacy policy of the mobile application clearly states about the collection and purpose of data as well as the period for which information will be retained.

IFF’s response: While the said policy mentions the purpose for data collection using FRT, it is not clear on its data retention policy which only mentions a “reasonable time” till which data may be retained.

We’re considering the appropriate next steps in this matter, and will keep you updated.

Mr. Lyngdoh’s view

Mr. Lyngdoh, upon receiving the government’s response, made the following statement:

The response offered by the Government of Meghalaya is unsatisfactory for multiple reasons. While IFF has offered a detailed policy response, it is important to note the following. One, state governments do not have blanket authority or “competence” to deploy privacy-invasive technologies. Two, the argument of the state government that “the use of FRT does not require any anchoring legislation” reflects poorly on the government’s understanding of our constitutional rights.

Going forward, it is important for governments to reality-test any proposed projects, especially when they affect the privacy of citizens. In this regard, it would be useful for the government if it were to engage in public consultations with academics and civil society before such projects are sanctioned.

Important Documents

  1. Notice to Finance Department, Government of Meghalaya against use of FRT for verification of pensioners’ identity dated August 5, 2021 (link)
  2. Reply dated November 1, 2021 from the Finance (Pension Cell) Department, Government of Meghalaya to the Notice dated August 5, 2021 (link)
  3. Previous blogpost titled “We wrote to the Govt. of Meghalaya against the use of FRT for verification of pensioner's identities.” (link)