By Manas Pimpalkhare | November 17, 2023

Karnataka’s new tourism policy violates the Digital Personal Data Protection (DPDP) Act, months after the law got the President’s assent.

The Muzrai department, the religious endowment division of the Karnataka government, asked beneficiaries of the ‘Kashi Yatra – 2023’ scheme to upload a geotagged selfie with the Kashi Vishwanath temple, on its website, and keep their mobile phone location “on” for a Rs.5000 subsidy.

The scheme previously asked beneficiaries to show receipts from a state-owned guest house in Varanasi to avail the subsidy. Emails sent to the Karnataka government’s Muzrai and Information Technology departments remained unanswered.

The central government’s Har Ghar Tiranga campaign, launched last year, similarly asked citizens to post pictures holding the national flag on the website created by the Ministry of Culture for India’s
75th Independence Day.

The campaign’s privacy policy said it will track a user’s behaviour on the website. It said that visiting
any part of the website constitutes the user’s “full and final acceptance” of the privacy policy. It did
not mention the use of the collected data.

The Karnataka government cannot collect user information without informing them of the use of
the data under the DPDP Act, said Ruhi Kanakia, an associate at IndusLaw.

The Kashi Yatra privacy policy says it will collect data such as a user’s name, email address, phone
number, and contact details. It will also collect information about the pages that users visit on affiliated websites like “Evidhya.com”, the links they click on, and other browsing information.

“A data fiduciary’s privacy policy is the first step in data protection. If that policy is weak, data can leak out easily. Or worse, it can be sold,” Disha Verma, associate policy counsel, Internet Freedom Foundation.

This violates the principle of data minimisation included in the DPDP Act, said Verma. Data minimisation means collection of minimum required personal data for a specific purpose, according to the Ministry of Electronics and IT.

The website owners will share the information with its “business associates and partners” and “on an aggregate with its partners or third parties where it deems necessary”, states the privacy policy, without any clarity on partners or parties. The DPDP Act has a provision for citizens to know about the parties with whom the data will be shared under section 9(b).

The Kashi Yatra privacy policy says it will use encryption to protect user data, but does not state what encryption means, said Verma. “They are not telling us how they will protect the selfies,” she said.