Bhutan is in the process of developing a comprehensive National Digital Identity System. While the project is welcome news, there are risks attached to it. In 2018, a hacker breached the Argentinian government’s IT network and stole ID card details for the country’s entire population, which were found to be on sale in private online forums. It demonstrates just how hard it is going to be to have trust in public or private biometric databases. How can the government protect the private information of its citizens (critical national infrastructures) when it does not have an overarching legal framework? The lack of such legal frameworks would be synonymous to a principle/popular maxim in common law systems, that states “everything which is not forbidden is allowed” for any country when it just has digital infrastructure without techno-legal means to protect them.
As the world moves through many iterations of the Industrial Revolution, we can see that innovative and disruptive technologies in the form of Artificial Intelligence (AI), Machine Learning, and Big Data are taking the world by storm and are changing the dynamics of working conditions and entire lifestyles of people. Of all the intriguing developments taking place in this Fourth Industrial Revolution, the digital identity of its citizens is one of them. Conventionally, proof of identity has been provided through physical documents, such as birth certificates, ID cards, and passports. As the world becomes increasingly digitized, the next generation of ID systems uses new technologies to provide digital proof of legal identity for in-person and remote transactions.
The digital identity system poses legal challenges related to data protection, privacy, and discrimination, to name a few. This paper focuses on the first two: data protection and privacy legal challenges. That is, do Bhutan’s present laws adequately address data protection and privacy in the digital space, especially with regard to digital identity, and, if not, what must change? For this, I will first describe the existing data protection and privacy laws in Bhutan, their importance, and the legal challenges posed by the national digital identity system. Next, I will compare how these legal challenges are addressed in Bhutan and how they are addressed by states that already have a well-established national digital identity system. Finally, I will recommend what Bhutan should do to have these international best practices.
Background/Overview
There is no standard definition of digital identity currently. The World Bank, World Economic Forum, and National Institute of Standards and Technology (NIST), among other organizations, each have a different understanding of it. However, they agree on one all-encompassing element, that is, a digital identity as “a collection of features and characteristics associated with a uniquely identifiable individual—stored and authenticated in the digital sphere—and used for transactions, interactions, and representations online.” In general terms, digital identity is the information, comprising a set of attributes, used by computer systems to recognize a legal person or entity. It is a way for an individual or a business to prove who they are online with a certain level of trust. The function of the digital identity, as opposed to traditional ID, is much more than a legal identity of a person. It also provides digital access to all secure online services. For example, digital identity can be used regularly to securely identify persons and utilize online services ranging from legal travel ID for its citizens, national health insurance card, proof of identification when logging into bank accounts, digital signatures, for i-Voting, to check medical records, submit tax claims, etc, to use e-Prescriptions among others.
Estonia has the most advanced digital identity system in the world. Currently, Estonia leads the digital identity frontier, primarily because of its highly-developed national ID card system. Their mandatory national ID card system does much more than identify an Estonian citizen by providing digital access to all of Estonia’s e-services. Estonia’s platform validates many of the practical benefits of creating a digital ID system around the world. Bhutan can draw inspiration from Estonia in its endeavor to create a highly developed digital identity. In Bhutan, digital identity based on biometric information is one of the major components of the government’s Digital Drukyul Flagship program. For that, the Department of Information Technology and Telecom, Department of Immigration, Department of Civil Registration, and Census have just piloted the project by collecting biometric data with support from De-suups. It is intended to roll out as “National Digital Identity”.
As Bhutan comes up with a digital identity system based on blockchain technology, His Majesty the King, Jigme Khesar Namgyel Wangchuck recently shared that just having a digital identity system in place is not enough. Various legal and policy questions arise as soon as the decision to adopt such a system is taken. For example, how can we protect people’s identity, privacy, and security rights? How much personal data can a government use? There is a growing acknowledgment that it will be impossible to continue to live, work, and play online unless we tackle the fundamental problem of digital identity. And this is not only because of identity theft, credit card fraud, and scams. It's primarily because identity is critical national infrastructure, not a nice-to-have for logging into banks. Hence, these questions must be answered before implementing such a system.
The issue of data protection and privacy has been an ongoing discourse since the time of human existence. The concept of privacy is multi-dimensional. However, scholars across multiple disciplines have tried to define the meaning and scope of privacy. Warren and Brandeis in their seminal essay articulated that the right to privacy was based on a principle of "inviolate personality", thus laying the foundation for a concept of privacy, which we understand as control over one's own information. Westin defined privacy as: “...claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.
The issue of privacy and protection of data becomes inevitable in digital identity because a lot of personal data including unique facial scans, fingerprints, and palm scans with name, date of birth, nationality, residence, passport, health, or driver’s licenses are collected. Every time an individual uses a service buys a product online, registers for email, goes to the doctor, pays their taxes, or enters into any contract or service request, they have to hand over some of their personal data. Even without any knowledge, people’s personal data are increasingly generated and being captured by companies, agencies, and governments. These data must be used carefully and stored in a secured platform as it may jeopardize the right to security, privacy, and what Warren and Brandeis called the “inviolate personality” of an individual. This is where data protection comes in. Data protection is “the process of protecting data and involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data.” The main objective of this is to strike a balance between individual privacy rights while still permitting data to be used for myriad purposes.
The question of data protection and privacy is even more imperative as the COVID-19 pandemic has exposed the need for more contactless interactions, leading to an acceleration in the design, development, and deployment of digital identity tools and contact-free solutions. The only way citizens and consumers can have confidence in both government and business are through strong data protection practices, with effective legislation to help minimize state and corporate surveillance and data abuse/exploitation.
Data protection is extremely important for the exercise of the right to privacy. The Universal Declaration of Human Rights (UDHR, Article 12) proclaims that “[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence… Everyone has the right to the protection of the law against such interference or attack.” The UDHR has formed the basis for the major international human rights treaties, which similarly enshrine the right to privacy, including the International Covenant on Civil and Political Rights (ICCPR) in Article 17.
The right to privacy in digital identity is important because it prevents the government from spying on people (without cause). It keeps groups from using personal data for their own goals. It helps to ensure those who steal or misuse data are held accountable. Privacy rights help maintain social boundaries. Privacy rights help build trust. Privacy rights ensure we have control over our data. Privacy rights protect freedom of speech and thought and protect you in everything. It gives us a space to be ourselves without judgment, allows us to think freely without discrimination, and is an important element of giving us control over who knows what about us. Hence, it is a fundamental right.
In 2011, the then-UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression issued a report similarly noting that “the protection of personal data represents a special form of respect for the right to privacy.” He further noted the ability of individuals to determine who holds information about them and how [...] that information [is] used. All the citizens need to have the means and tools to exercise their right to privacy and protect themselves and their data from exploitation. Thus, privacy and data protection are very closely linked.
As Bhutan creates its own digital identity, it is essential to look at the legal frameworks that address the most pertinent issues of security, data protection, and privacy. The Constitution of Bhutan envisages the significance of privacy and has a provision under the fundamental rights that states “A person shall not be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence nor to unlawful attacks on the person’s honor and reputation.” Since digital identity falls under the realm of Information and Communication Technologies (ICT), the most prominent and comprehensive law that oversees the usage of ICT is the Information Communication and Media Act of Bhutan, 2018. The Act gives Bhutan a minimal data privacy law and covers almost all uses of electronic information. The Act also covers offences and compensation in such cases. However, there is no clear and comprehensive legal framework that sets out who owns personal data, how it is used, and users’ rights to access and redressal, privacy, and data protection.
One important legislation that is well-developed for the privacy and data protection realm is the General Data Protection Regulation (GDPR) for the European Member States which addresses biometric data. It represents a significant step forward for data protection and privacy with a real international impact. For the analysis, I will use GDPR to see the comprehensiveness and lack thereof in Bhutanese law for digital identity.
Analysis and application of those legal interventions, and policies in the Bhutanese setting.
As noted earlier, digital identity requires personal data from each individual, and their issues of privacy and security must be addressed through techno-legal means. However, for the purpose of this research, it will analyze only if the laws related to privacy and data protection are adequate or more specifically if it can adequately address the privacy issues arising from digital identity.
The breach of privacy usually happens when there is a breach of duty associated with the rights of the individual whose personal data are shared. There are services/facilities that use data to provide digital identity services. A digital identity service means a service or product that, either alone or together with one or more other digital identity services, enables a user to share personal or organizational information in digital form in a transaction with a dependent party. For example, they can do the following things:
In this regard, the ICM Act 2018 imposes a duty on the service providers (considering the digital identity service provider falls within the scope of an “ICT and Media facility or service provider”). In particular, section 336 of the Act provides “an ICT and Media facility or service provider and the vendor shall respect and protect the privacy of personal information, including sensitive personal information which they receive from the users or consumers.” The GDPR aims to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. The text's main objective is to give back to European citizens control over their data while simplifying companies' regulatory framework. This is only one set of rules directly applicable in all the European Member States regarding the protection of personal data. Similar to the ICM Act, GDPR provides enriched rights to data subjects (natural persons) but more elaborately. That is, it imposes strict obligations on the persons processing the personal data (data controllers and data processors). Those data processors can collect personal data only through abiding by six lawful specified bases—consent, contract, public task, vital interest, legitimate interest, or legal requirement. Data controllers must clearly disclose data collection to the user, declare the lawful purpose and basis for processing, and state how long the data will be held and if it will be shared with any third parties.
Furthermore, keeping in mind, that the digital identity service provider requires them to share personal data with third parties for seamless transactions or facilitation of service, the ICM Act requires those service providers to be responsible for the protection of such information. That is “When ICT and Media facilities or service providers and vendors transfer personal information, including sensitive personal information to third parties, they shall remain responsible for the protection of such information.” The GDPR also strictly binds the data processor from sharing digital identity data with third parties including third countries.
In Bhutanese context, the ICM Act extends the duty on those service providers to ensure through contractual, legal, or other means, that all third parties to whom the information is transferred comply with the privacy provisions of this Act.
The Act also has provisions mandating the service providers to embrace any security mechanism consistent with current global industry standards principles governing the collection of data electronically and its disclosure. Keeping this in mind, the Act requires the service providers to have effective controls to protect the integrity and confidentiality of payment and other personal information, including sensitive personal information that users or consumers may provide. Whereas, GDPR has special provisions on “Privacy by Design” and “Privacy by Default”. Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. Whereas Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user. The ICM Act does not specify this requirement.
Both the GDPR and ICM Act further considers the requirement of consent from the individual whose personal data are used. Specifically, in ICM Act, section 384 states “a person shall obtain the express written permission of the subject for the collection, collation or processing of any personal information unless permitted or required to do so by law. The GDPR also mandates the requirement of written consent. The duty is extended to cover the disclosure to the third parties with certain conditions applied. Section 385 states “A person shall not disclose any of the personal information held by it to a third party unless required or permitted by law or specifically authorized to do so in writing by the concerned person.”
The ICM Act 2018 also provides what or for how long the information can be stored by the service providers. Section 386 states “the person possessing, dealing or handling any personal data, including sensitive personal data or information shall delete or destroy all personal information which has become obsolete.” This is also well envisaged in the GDPR where the special provision on “Right to be forgotten” explains that the data subject shall have the right to withdraw his or her consent at any time and in terms of the lawfulness of the purpose of personal data processing, data usage should be limited to what is necessary. The regulation states that personal data shall be collected for "specified, explicit and legitimate purposes." and it shall not be further processed "in a manner that is incompatible with those purposes."
From the comparative understanding, it seems Bhutan has overarching and general provisions but it fails to consider some salient issues. For example, the ICM Act does not impose privacy by design and default mandates on the data processors. In addition, it does not talk about what must be done if there is any data breach (in the case of digital identity) which is well provided in GDPR. The GDPR not only establishes a clear set of consumer rights but also includes measures aimed at improving enterprise security measures. For example, if a company discovers a data breach, then processors must inform the authorities without undue delays.
Furthermore, the most crucial inadequacy of the ICM ACT is that it does not talk about any penalties and sentencing with respect to data breaches. Whereas, GDPR imposes penalties on the defaulter in the most severe ways. For example, data processors managing biometric data could be hit with huge penalties if they do not secure that data. These could reach 20 million euros or 4% of annual worldwide turnover.
If you look at Estonia, its digital infrastructure saw its most serious challenge in 2007 when it experienced extensive three weeks long computer hacking attacks. The Distributed Denial of Service Attack (DDoS) predominantly targeted its government portals, news outlets, internet service providers (ISPs), prominent banks, and hundreds of businesses. More recently in the summer of 2021, some 300,000 document photos were breached.
The Public Information Act operationalizes the constitutional right to privacy by setting out: i) the conditions for accessing and refusing to grant access to public information; ii) public information for which access is restricted; iii) the conditions for establishing and administering databases, and iv) the mechanism for state and administrative supervision of organization access to public information.
The Identity Documents Act fails to set up any redressal mechanisms pertaining to the use of the ID. The Personal Data Protection Act identifies the Data Protection Inspectorate as an extra-judicial body to settle complaints from persons whose rights have been violated under the Act. It also sets up a system of fines in case of violation of rights by the controller or supervising agencies. Whereas in Bhutan, we have the Bhutan InfoComm and Media Authority (BICMA) legitimized by ICM Act to oversee such issues.
Compensation may also be payable for violation of rights, under the State Liability Act in case of violations by the State while performing public duties, or the Law of Obligations Act in case of private parties in contractual relationships. They at least have specific laws to make the state liable for its failure to reasonably carry out its duty, but Bhutan doesn’t.
Conclusion
The Digital Identity System comes with both advantages and disadvantages. From the research, one thing is clear, even though there are provisions to protect the privacy of individuals related to their personal data, they are not enough and miss many important provisions that are in GDPR that are valuable as we create our own digital identity. For privacy and data protection, we can build on the existing ICM Act by looking at international best practices and drawing inspiration from well-established regulations like GDPR.
For footnoted article visit: National Digital Identity System in Bhutan - Meeting Data Protection and Privacy Imperatives