In a little surprising but welcome development, the Government of India has released a notification under Section 67C of ITA 2008 viz G.S.R. 711 (E) dated 21st July 2016 titled “Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules 2016. which may not perfectly fit under Section 67C but is otherwise related to the setting up of a new regulatory authority called the Digital Locker Authority and defining a new set of business in the Digital India project.
Apparently, the purpose of this notification is to define the rules under which public documents shall be preserved and protected when lodged with the Digilocker authorities and the notification is issued under Section 67C of Information Technology Act 2000/8. It sets a new trend of “Data Retention” defined specific to a domain of activity.
Sec 67C was perhaps meant to define “how long” and in “what form” intermediaries may retain information and “manner” of retention was incidental. However, this notification actually goes to define the “Manner” in which a certain type of intermediary shall retain information without much emphasis on the format and period for which the information has to be retained. Also the “Information” referred to in the Section 67C of the Act is being used to identify the “Documents” that a subscriber would like to lodge in the safe custody of an agency as an “Uniquely Identifiable Document” with an “URI” (Unique Resource Identifier). No specific structure for the URI like a standard structure for a URL has been defined as part of the “manner of retention of information” under Sec 67C.
It therefore appears that Section 67C has been used as an excuse to define some new business proposition which has its own implications for Digital India. It has redefined Sec 67C itself and altered its scope.
May be we can call this an innovative and creative interpretation of law but the possibilities of unintended consequences that may follow from a loosely regulated service needs to be watched out.
New Opportunities Unleashed
In effect, through this notification, the Government seems to have defined a new business proposition for private sector to develop services to set up and manage “Portal”, “Access Gateways” and “Repositories” to store electronic documents deposited by public and verifiable and retrievable by authorised entities.
The service as conceived is bigger than UIDAI and without a separate Act like the UIDAI Act, it enables a new system by which electronic documents are authenticated, preserved and verified.
Obviously there will be Privacy and Security issues as well to contend with.
Further, since the Main DigiLocker authority would be the Government, the notification provides an admission that its own department may now be considered as an “Intermediary” if it also provides its own digilocker services in addition to private sector players. Such department will therefore be subject to Sec 79 obligations.
To ensure protection of the department as well as avoid conflicts, it may be necessary for Deity to refrain from directly providing the digi locker service as they are dong now and to make the DLA as the regulator like the Controller of Certifying Authorities which will only restrict itself to regulatory issues and not provide a service of its own. These should have been part of the notification such as “Appointment of a Digital Locker Authority”, but unfortunately they are not released as of now. We need to wait for the notification to be issued as a supplementary notification in due course.
The “Digilocker Credentials” which may ultimately be just the log in ID and Password will henceforth become a pointer to the other documents such as Aadhaar, PAN etc held within the Digital Locker and its security would be a key obligation of the service provider since it becomes a proxy to the subscriber’s identity.
Just as the Unified Payment Interface (UPI) is becoming a Universal identification for all financial instruments owned by an individual, this Digi Locker Account may become the universal identity document for an individual.
The Digi Locker service provider would be having a “Digital Locker Practice Statement” similar to the one used by a Certifying Authority for Digital Signature and would be bound by it.
The practice statement would be a self declaration and only verified by an audit by an independent auditor. Since the Digital Locker Service Provider has to be gazette notified, the practice statement may be subject to an approval process.
The service provider would obviously be open to obligations under Section 43A for reasonable security practice and compliance of all aspects of ITA 2000/8.
At present the qualifications of an Auditor is not defined and I hope it would be determined on a “Ability to Audit basis” and not on a “Qualification Certificate Issued by Preferred entities basis”.
In summary, it appears that the Government through this notification has opened up a new business opportunity which is as responsible as a Licensed Certifying Authority in the case of a Digital Signature issue and the Unique Identification Authority of India (UIDAI) without an elaborate legislation. It could be an innovative approach but hopefully not questioned in the Courts for its validity.
The Start Up community may welcome this move as it opens up new opportunities where they can integrate several of their services.
We need to watch out how this notification gets absorbed by the community and harnessed for business.
(These are preliminary views and more would follow)