We are anonymous, we are legion

Legislating for Privacy - Part II

bhairav — 2014-05-28T09:59:56Z

Apart from the conflation of commercial data protection and privacy, the right to privacy bill has ill-informed and poorly drafted provisions to regulate surveillance.

The article was published in the Hoot on May 20, 2014.

In October 2010, the Department of Personnel and Training ("DOPT") of the Ministry of Personnel, Public Grievances and Pensions released an ‘Approach Paper’ towards drafting a privacy law for India. The Approach Paper claims to be prepared by a leading Indian corporate law firm that, to the best of my knowledge, has almost no experience of criminal procedure or constitutional law. The Approach Paper resulted in the drafting of a Right to Privacy Bill, 2011 ("DOPT Bill") which, although it has suffered several leaks, has neither been published for public feedback nor sent to the Cabinet for political clearance prior to introduction in Parliament.

Approach Paper and DOPT Bill

The first article in this two-part series broadly examined the many legal facets of privacy. Notions of privacy have long informed law in common law countries and have been statutorily codified to protect bodily privacy, territorial or spatial privacy, locational privacy, and so on. These fields continue to evolve and advance; for instance, the legal imperative to protect intimate body privacy from violation has now expanded to include biometric information, and the protection given to the content of personal communications that developed over the course of the twentieth century is now expanding to encompass metadata and other ‘information about information’.

The Approach Paper suffers from several serious flaws, the largest of which is its conflation of commercial data protection and privacy. It ignores the diversity of privacy law and jurisprudence in the common law, instead concerning itself wholly with commercial data protection. This creates a false equivalency, albeit not one that cannot be rectified by re-naming the endeavour to describe commercial data protection only.

However, there are other errors. The paper claims that no right of action exists for privacy breaches between citizens inter se. This is false, the civil wrongs of nuisance, interference with enjoyment, invasion of privacy, and other similar torts and actionable claims operate to redress privacy violations. In fact, in the case of Ratan Tata v. Union of India that is currently being heard by the Supreme Court of India, at least two parties are arguing that privacy is already adequately protected by civil law. Further, the criminal offences of nuisance and defamation, amongst others, and the recently introduced crimes of stalking and voyeurism, all create rights of action for privacy violations. These measures are incomplete, – this is not contested, the premise of these articles is the need for better privacy protection law – but denying their existence is not useful.

The shortcomings of the Approach Paper are reflected in the draft legislation it resulted in. A major concern with the DOPT Bill is its amateur treatment of surveillance and interception of communications. This is inevitable for the Approach Paper does not consider this area at all although there is sustained and critical global and national attention to the issues that attend surveillance and communications privacy. For an effort to propose privacy law, this lapse is quite astonishing. The Approach Paper does not even examine if Parliament is competent to regulate surveillance, although the DOPT Bill wades into this contested turf.

Constitutionality of Interceptions

In a federal country, laws are weighed by the competence of their legislatures and struck down for overstepping their bounds. In India, the powers to legislate arise from entries that are contained in three lists in Schedule VII of the Constitution. The power to legislate in respect of intercepting communications traditionally emanates from Entry 31 of the Union List, which vests the Union – that is, Parliament and the Central Government – with the power to regulate “Posts and telegraphs; telephones, wireless, broadcasting and other like forms of communication” to the exclusion of the States. Hence, the Indian Telegraph Act, 1885, and the Indian Post Office Act, 1898, both Union laws, contain interception provisions. However, after holding the field for more than a century, the Supreme Court overturned this scheme in Bharat Shah’s case in 2008.

The case challenged the telephone interception provisions of the Maharashtra Control of Organised Crime Act, 1999 ("MCOCA"), a State law that appeared to transgress into legislative territory reserved for the Union. The Supreme Court held that Maharashtra’s interception provisions were valid and arose from powers granted to the States – that is, State Assemblies and State Governments – by Entries 1 and 2 of the State List, which deal with “public order” and “police” respectively. This cleared the way for several States to frame their own communications interception regimes in addition to Parliament’s existing laws. The question of what happens when the two regimes clash has not been answered yet. India’s federal scheme anticipates competing inconsistencies between Union and State laws, but only when these laws derive from the Concurrent List which shares legislative power. In such an event, the ‘doctrine of repugnancy’ privileges the Union law and strikes down the State law to the extent of the inconsistency.

In competitions between Union and State laws that do not arise from the Concurrent List but instead from the mutually exclusive Union and State Lists, the ‘doctrine of pith and substance’ tests the core substance of the law and traces it to one the two Lists. Hence, in a conflict, a Union law the substance of which was traceable to an entry in the State List would be struck down, and vice versa.

However, the doctrine permits incidental interferences that are not substantive. For example, as in a landmark 1946 case, a State law validly regulating moneylenders may incidentally deal with promissory notes, a Union field, since the interference is not substantive. Since surveillance is a police activity, and since “police” is a State subject, care must be taken by a Union surveillance law to remain on the pale of constitutionality by only incidentally affecting police procedure. Conversely, State surveillance laws were required to stay clear of the Union’s exclusive interception power until Bharat Shah’s case dissolved this distinction without answering the many questions it threw up.

Since the creation of the Republic, India’s federal scheme was premised on the notion that the Union and State Lists were exclusive of each other. Conceptually, the Union and the States could not have competing laws on the same subject. But Bharat Shah did just that; it located the interception power in both the Lists and did not enunciate a new doctrine to resolve their (inevitable) future conflict. This both disturbs Indian constitutional law and goes to the heart of surveillance and privacy law.

Three Principles of Interception

Apart from the important questions regarding legislative competence and constitutionality, the DOPT Bill proposed weak, ill-informed, and poorly drafted provisions to regulate surveillance and interceptions. It serves no purpose to further scrutinise the 2011 DOPT Bill. Instead, at this point, it may be constructive to set out the broad contours of a good interceptions regulation regime. Some clarity on the concepts: intercepting communications means capturing the content and metadata of oral and written communications, including letters, couriers, telephone calls, facsimiles, SMSs, internet telephony, wireless broadcasts, emails, and so on. It does not include activities such visual capturing of images, location tracking or physical surveillance; these are separate aspects of surveillance, of which interception of communications is a part.

Firstly, all interceptions of communications must be properly sanctioned. In India, under Rule 419A of the Indian Telegraph Rules, 1951, the Home Secretary – an unelected career bureaucrat, or a junior officer deputised by the Home Secretary – with even lesser accountability, authorises interceptions. In certain circumstances, even senior police officers can authorise interceptions. Copies of the interception orders are supposed to be sent to a Review Committee, consisting of three more unelected bureaucrats, for bi-monthly review. No public information exists, despite exhaustive searching, regarding the authorisers and numbers of interception orders and the appropriateness of the interceptions.

The Indian system derives from outdated United Kingdom law that also enables executive authorities to order interceptions. But, the UK has constantly revisited and revised its interception regime; its present avatar is governed by the Regulation of Investigatory Powers Act, 2000 ("RIPA") which creates a significant oversight mechanism headed by an independent commissioner, who monitors interceptions and whose reports are tabled in Parliament, and quasi-judicially scrutinised by a tribunal comprised of judges and senior independent lawyers, which hears public complaints, cancels interceptions, and awards monetary compensation. Put together, even though the current UK interceptions system is executively sanctioned, it is balanced by independent and transparent quasi-judicial authorities.

In the United States, all interceptions are judicially sanctioned because American constitutional philosophy – the separation of powers doctrine – requires state action to be checked and balanced. Hence, ordinary interceptions of criminals’ communications as also extraordinary interceptions of perceived national security threats are authorised only by judges, who are ex hypothesi independent, although, as the PRISM affairs teaches us, independence can be subverted. In comparison, India’s interception regime is incompatible with its democracy and must be overhauled to establish independent and transparent authorities to properly sanction interceptions.

Secondly, no interceptions should be sanctioned but upon ‘probable cause’. Simply described, probable cause is the standard that convinces a reasonable person of the existence of criminality necessary to warrant interception. Probable case is an American doctrine that flows from the US Constitution’s Fourth Amendment that protects the rights of people to be secure in places in which they have a reasonable expectation of privacy. There is no equivalent standard in UK law, except perhaps the common law test of reasonability that attaches to all government action that abridges individual freedoms. If a coherent ‘reasonable suspicion’ test could be coalesced from the common law, I think it would fall short of the strictness that the probable cause doctrine imposes on the executive. Therefore, the probable cause requirement is stronger than ordinary constraint of reasonability but weaker than the standard of reasonable doubt beyond which courts may convict. In this spectrum of acceptable standards, India’s current law in section 5(2) of the Indian Telegraph Act, 1885 is the weakest for it permits interceptions merely “on the occurrence of any public emergency or in the interest of public safety”, which determination is left to the “satisfaction” of a bureaucrat. And, under Rule 419A(2) of the Telegraph Rules, the only imposition on the bureaucrat when exercising this satisfaction is that the order “contain reasons” for the interception.

Thirdly, all interceptions should be warranted. This point refers not to the necessity or otherwise of the interception, but to the framework within which it should be conducted. Warrants should clearly specify the name and clear identity of the person whose communications are sought to be intercepted. The target person’s identity should be linked to the specific means of communication upon which the suspected criminal conversations take place. Therefore, if the warrant lists one person’s name but another person’s telephone number – which, because of the general ineptness of many police forces, is not uncommon – the warrant should be rejected and the interception cancelled. And, by extension, the specific telephone number, or email account, should be specified. A warrant against a person called Rahul Kumar, for instance, cannot be executed against all Rahul Kumars in the vicinity, nor also against all the telephones that the one specific Rahul Kumar uses, but only against the one specific telephone number that is used by the one specific Rahul Kumar. Warrants should also specify the duration of the interception, the officer responsible for its conduct and thereby liable for its abuse, and other safeguards. Some of these concerns were addressed in 2007 when the Telegraph Rules were amended, but not all.

A law that fails to substantially meet the standards of these principles is liable, perhaps in the not too distant future, to be read down or struck down by India’s higher judiciary. But, besides the threat of judicial review, a democratic polity must protect the freedoms and diversity of its citizens by holding itself to the highest standards of the rule of law, where the law is just.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-may-20-2014-bhairav-acharya-legislating-for-privacy

Legal Issues pertaining to Cloud Computing

praskrishna — 2022-02-07T15:29:00Z

The Law and Technology Society of National Law School of India University, Bangalore is organizing the 6th edition of its flagship conference ‘Consilience’ on December 14 and 15, 2013 at NLSIU Campus, Bangalore. The Centre for Internet and Society is supporting this event.

The Conference will see some of the best lawyers, jurists and industry leaders in India speak on different issues surrounding the theme. The Conference is co- branded with ‘Salesforce.com’, ‘International Technology Law Association’ and the Centre for Internet and Society (http://www.cis-india.org/). Apart from making an effective contribution towards greater understanding of the subject, the Conference will lead to a recommendatory policy paper to the government of India.

Key speakers for the Conference include:

Senapathy (Kris) Gopalakrishnan (Co-Founder and Executive Vice Chairman, Infosys & President, CII )
Pavan Duggal (Advocate, Supreme Court)
Abhishek Malhotra (Founding Partner, TMT Law Practice)
Azmul Haque (Partner, Shook Lin & Bok, Singapore)
Chris Edwards (Senior Associate, DLA Piper, Singapore)
Prof. Rahul De (IIM Bangalore)
Pamela Kumar (Chair, Cloud Computing Innovation Council of India)
Suhaan Mukherji (Expert advisor, Office of Adviser to the Prime Minister of India on Public Information Infrastructure and Innovations)

Registrations for the Conference are open and fee for the same is as follows:

Students: Rs. 500/-
Professionals: Rs. 750/-

Please find attached the concept note, programme schedule and speakers’ profiles. To register, visit http://www.consilience.co.in/index.php/consilience-2013/register-for-the-conference. For any other queries, please write to ltech.nls@gmail.com .

or contact

Shivam Singla (Ph: +91-9916708701)
Ayushi Sutaria (Ph: +91-8123925725)

Conference Programme

Saturday, December 14th, 2013
Venue: Conference Hall, Academic Block, NLSIU

Lunch
08.30 09.30	Breakfast and Registration
09.45 10.00	Inauguration
10.00 10.30	Keynote Address
10.30 12.30	SESSION 1: INTRODUCTION TO CLOUD COMPUTING How does cloud computing work? - An overview of the basic technical features The current legal regime related to cloud computing in India- Main issues and challenges
13.15 15.15	SESSION 2: THE RELATION BETWEEN PARTIES TO CLOUD COMPUTING- USERS, INTERMEDIARIES AND GOVERNMENT BODIES Legal obligations of the intermediaries towards (i) the government and (ii) the users Cyber security concerns Standards of data protection Government's surveillance powers and privacy issues
Tea Break
15.30 17.30	SESSION 3: REGULATION AND MONITORING OF DATA CONTENT Current data control monitoring systems by intermediaries Data ownership and intellectual property issues- Possible threats and need for regulation Sensitive or critical data- Security concerns relating to their storage
High Tea/Networking Session

Sunday, December 15th, 2013
Venue: Conference Hall, Academic Block, NLSIU

Tea Break
09.00 10.00	Breakfast and Registration
10.00 12.00	SESSION 4: THE INTERNATIONAL PERSPECTIVE ON CLOUD COMPUTING Jurisdiction and choice of law issues- how do we counter the confusion? International laws applicable to cloud computing Need for a comprehensive international framework to simplify the situation?
12.15 14.15	SESSION 5: COMPARATIVE ANALYSIS WITH LEGAL FRAMEWORKS IN OTHER COUNTRIES Legal frameworks in UK and Singapore Beneficial features of these legal regimes and their suitability in the Indian context Lessons to be learnt for India
Lunch
15.00 17.00	SESSION 6: THE WAY FORWARD – SUGGESTIONS AND RECOMMENDATIONS Overview of the important challenges and suggestions Possible Policy and Legislative steps to improve the Cloud Computing regime in India
High Tea/Networking Session

Click to read the sub tracks for discussion
Access the speakers' profiles here

For more details visit https://cis-india.org/events/legal-issues-on-cloud-computing

Lecture at International Summer School, Delhi

Admin — 2019-07-22T01:11:00Z

Ambika Tandon and Aayush Rathi, on July 12, 2019, delivered a lecture at the International Summer School, Delhi.

The ISS is in its 6th year now, and is convened annually as a six week academic program. The ISS is held in affiliation with the Department of Political Science at Jamia Millia Islamia - A Central University (JMI) and with regular support from the Ministry of External Affairs (MEA) over the years.

The lecture formed a part of the Innovation, Technology and the Future of Work course module at this year's edition. The speakers focused specifically on placing an intersectional lens to drive home the point that there will be not one future of work, but multiple. And how it is that we can begin to interrogate the various competing narratives that are being propagated. Ambika and Aayush also focused on how the present gendered ordering of the labour market stands to be reproduced in the various shapes work will take going forward.

The presentation can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/lecture-at-international-summer-school-delhi

Leave the Net Alone

praskrishna — 2014-12-07T04:12:40Z

The Internet, like the air we breathe, has traditionally been neutral ground. Nobody is allowed to buy preferential treatment on the Internet.

This story was published in BW | Businessworld Issue Dated 15-12-2014. Sunil Abraham gave his inputs.

“The Internet is currently not broke, and the FCC is out to fix it,” began John Oliver, American talk-show host and comedian, introducing his show’s discussion on Net neutrality. America’s telecom regulator Federal Communications Council (FCC) had just proposed allowing Internet carriers to give preference on their network to websites in exchange for a fee.

For example, in an Indian context, if BW| Businessworld was to, hypothetically, pay Airtel a fee, and Airtel were to, in turn, give priority access to the website, it might be natural to argue that eventually, Airtel subscribers would prefer BW|Businessworld’s website over its rivals’.

The Internet, like the air we breathe, has traditionally been neutral ground. Nobody (read, no corporate) is allowed to buy preferential treatment on the Internet. “The point of Net neutrality is that on the Internet you cannot have discrimination on where the information is originating from or who is the consumer,” says Mihir Parikh, partner at law firm Nishith Desai Associates. He compares it to telephone networks where calls get connected on a first-come basis. Nobody has a predominant right over call connections.

And that is exactly what the FCC’s proposals threatens to change, by allowing American carriers such as Verizon or Comcast to charge a fee to give priority on their network to fee payers, like, for example, Daily Motion, which would then get an advantage over rival YouTube. On 10 September, several websites including Mozilla and Netflix deliberately slowed down their sites to show how a slow Internet would look like. Last week, US president Barack Obama put his weight behind a free Internet, where nobody can pay ‘their way up’. The FCC will make its final recommendations next year.

While an Indian browsing the Net is not likely to be affected by the FCC recommendations, it is possible that the transmission of less favoured US-based websites do not get priority, thereby slowing access to them, says Parikh.

But the episode calls attention to the picture in India. “There are no specific laws that speak to the Net neutrality situation in India,” says Sunil Abraham of Centre for Internet Security. So it could be possible that carriers are already censoring speeds to certain services that take up heavy bandwidth. Slow speeds for torrent downloads are an example. Abraham calls for crowd sourced, technically sound research to explore whether carriers are engaging in such practices, as a prelude to petitioning the government for enlightened regulation.

For more details visit https://cis-india.org/internet-governance/news/businessworld-november-25-2014-leave-the-net-alone

Learning to Forget the ECJ's Decision on the Right to be Forgotten and its Implications

divij — 2014-08-19T05:24:00Z

“The internet never forgets” is a proposition which is equally threatening and promising.

The phrase reflects the dichotomy presented by the extension on the lease of public memory granted by the internet – as information is more accessible and more permanent, letting go of the past is becoming increasingly difficult. The question of how to govern information on the internet – a space which is growing increasingly important in society and also one that presents a unique social environment - is one that persistently challenges courts and policy makers. A recent decision by the European Court of Justice, the highest judicial authority of the European Union, perfectly encapsulates the way the evolution of the internet is constantly changing our conceptions of individual privacy and the realm of information. On the 13^th of May, 2014, the ECJ in its ruling in Google v Costeja,[1] effectively read a “right to be forgotten” into existing EU data protection law. The right, broadly, provides that an individual may be allowed to control the information available about them on the web by removing such information in certain situations - known as the right to erasure. In certain situations such a right is non-controversial, for example, the deletion of a social media profile by its user. However, the right to erasure has serious implications for the freedom of information on the internet when it extends to the removal of information not created by the person to whom it pertains.

Privacy and Perfect Memory

The internet has, in a short span, become the biggest and arguably the most important tool for communication on the planet. However, a peculiar and essential feature of the internet is that it acts as a repository and a reflection of public memory – usually, whatever is once made public and shared on the internet remains available for access across the world without an expiry date. From public information on social networks to comments on blog posts, home addresses, telephone numbers and candid photos, personal information is disseminated all across the internet, perpetually ready for access - and often without the possibility of correcting or deleting what was divulged. This aspect of the internet means that the internet is a now an ever-growing repository of personal data, indexed and permanently filed. This unlimited capacity for information has a profound impact on society and in shaping social relations.

The core of the internet lies in its openness and accessibility and the ability to share information with ease – most any information to any person is now a Google search away. The openness of information on the internet prevents history from being corrupted, facts from being manipulated and encourages unprecedented freedom of information. However, these virtues often become a peril when considering the vast amount of personal data that the internet now holds. This “perfect memory” of the internet means that people are perpetually under the risk of being constantly scrutinized and being tied to their pasts, specifically a generation of users that from their childhood have been active on the internet.[2] Consider the example of online criminal databases in the United States, which regularly and permanently upload criminal records of convicted offenders even after their release, which is accessible to all future employers;[3] or the example of the Canadian psychotherapist who was permanently banned from the United States after an internet search revealed that he had experimented with LSD in his past; [4] or the cases of “revenge porn” websites, which (in most cases legally) publically host deeply private photos or videos of persons, often with their personal information, for the specific purpose of causing them deep embarrassment. [5]

These examples show that, due to the radically unrestricted spread of personal data across the web, people are no longer able to control how and by whom and in what context their personal data is being viewed. This creates the vulnerability of the data collectively being “mined” for purposes of surveillance and also of individuals being unable to control the way personal data is revealed online and therefore lose autonomy over that information.

The Right to be Forgotten and the ECJ judgement in Costeja

The problems highlighted above were the considerations for the European Union data protection regulation, drafted in 2012, which specifically provides for a right to be forgotten, as well as the judgement of the European Court of Justice in Google Spain v Mario Costeja Gonzalves.

The petitioner in this case, sought for the removal of links related to attachment proceedings for his property, which showed up upon entering his name on Google’s search engine. After refusing to remove the links, he approached the Spanish Data Protection Agency (the AEPD) to order their removal. The AEPD accepted the complaints against Google Inc. and ordered the removal of the links. On appeal to the Spanish High Court, three questions were referred to the European Court of Justice. The first related to the applicability of the data protection directive (Directive 95/46/EC) to search engines, i.e. whether they could be said to be “processing personal data” under Article 2(a) and (b) of the directive,[6] and whether they can be considered data controllers as per Section 2(d) of the directive. The court found that, because the search engines retrieve, record and organize data, and make it available for viewing (as a list of results), they can be said to process data. Further, interpreting the definition of “data controller” broadly, the court found that ‘ It is the search engine operator which determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of that activity and which must, consequently, be regarded as the ‘controller’ ’[7] and that ‘ it is undisputed that that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published.’[8] The latter reasoning highlights the particular role of search engines, as indexers of data, in increasing the accessibility and visibility of data from multiple sources, lending to the “database” effect, which could allow the structured profiling of an individual, and therefore justifies imposing the same (and even higher) obligations on search engines as on other data controllers, notwithstanding that the search engine operator has no knowledge of the personal data which it is processing.

The second question relates to the territorial scope of the directions, i.e. whether Google Inc., being the parent company based out of the US, came within the court’s jurisdiction – which only applies to member states of the EU. The court held that even though it did not carry on the specific activity of processing personal data, Google Spain, being a subsidiary of Google Inc. which promotes and sells advertisement for the parent company, was an “establishment” in the EU and Google Inc., and, because it processed data “in the context of the activities” of the establishment specifically directed towards the inhabitants of a member state (here Spain), came under the scope of the EU law. The court also reaffirmed a broad interpretation of the data protection law in the interests of the fundamental right to privacy and therefore imputed policy considerations in interpreting the directive. [9]

The third question was whether Google Spain was in breach of the data protection directive, specifically Articles 12(b) and 14(1)(a), which state that a data subject may object to the processing of data by a data controller, and may enforce such a right against the data controller, as long as the conditions for their removal are met. The reasoning for enforcing such a claim against search engines in particular can be found in paragraphs 80 and 84 of the judgement, where the court holds that “(a search engine) enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him.” and that “ Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.” In fact, the court seems to apply a higher threshold for search engines due to their peculiar nature as indexes and databases. [10]

Under the court’s conception of the right of erasure, search engines are mandated to remove content upon request by individuals, when the information is deemed to be personal data that is “ inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes,” [11] notwithstanding that the publication itself is lawful and causes no prejudice to the data subject. The court reasoned that when the data being projected qualified on any of the above grounds, it would violate Article 6 of the directive, on grounds of the data not being processed “ fairly and lawfully’, that they are ‘collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’, that they are ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’, that they are ‘accurate and, where necessary, kept up to date’ and, finally, that they are ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed’.” [12] Therefore, the court held that, due to the nature of the information, the data subject has a right to no longer have such information linked to his or her name on a list of results following a search made on their name. The grounds laid down by the court, i.e. relevancy, inadequacy, etc. are very broad, yet such a broad conception is necessary in order to effectively deal with the problems of the nature described above.

The judgement of the ECJ concludes by applying a balancing test between the rights of the data subject and both the economic rights of the data controller as well as the general right of the public to information. It states that generally, as long as the information meets the criteria laid down by the directive, the right of the data subject trumps both these rights. However, it adds an important caveat – such a right is inapplicable “ the in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.” This crucial point on the balancing of two rights directly hit by the judgement was only summarily dealt with by the ECJ, without effectively giving any clarity as to what standards to apply or laying down any specific guidelines for the application of the new rule. [13] Doing so, it effectively left the decision to determine what was in the public interest and how the rights are to be balanced to the search engines themselves. Delegating such a task to a private party takes away from the idea of the internet as a common resource which should be developed for the benefit of the larger internet community as a whole, by allowing it to be governed and controlled by private stakeholders, and therefore paves an uncertain path for this crucial aspect of internet governance.

Implications of the ECJ ruling

The decision has far reaching consequences on both privacy and on freedom of information on the internet. Google began implementing the decision through a form submission process, which requires the individual to specify which links to remove and why, and verifies that the request comes from the individual themselves via photo identification, and has also constituted an expert panel to oversee its implementation (similar to the process for removing links which infringe copyright law).[14] Google has since received more than 91,000 requests for removal, pertaining to 328,000 links of which it has approved more than half.[15] In light of such large volumes of data to process, the practical implementation of the ruling has been necessarily problematic. The implementation has been criticized both for implicating free speech on the internet as well as disregarding the spirit of the right to be forgotten. On the first count, Google has been criticized for taking down several links which are clearly are in public interest to be public, including several opinion pieces on politicians and corporate leaders, which amounts to censorship of a free press.[16] On the second count, EU privacy watchdogs have been critical of Google’s decision to notify sources of the removed content, which prompts further speculation on the issue, and secondly, privacy regulators have challenged Google’s claim that the decision is restricted to the localised versions of the websites, since the same content can be accessed through any other version of the search engine, for example, by switching over to “Google.com”.[17]

This second question also raises complicated questions about the standards for free speech and privacy which should apply on the internet. If the EU wishes for Google Inc. to remove all links from all versions of its search engine, it is, in essence, applying the balancing test of privacy and free speech which are peculiar to the EU (which evolved from a specific historical and social context, and from laws emerging out of the EU) across the entire world, and is radically different from the standard applicable in the USA or India, for example. In spirit, therefore, although the judgement seeks to protect individual privacy, the vagueness of the ruling and the lack of guidelines has had enormous negative implications for the freedom of information. In light of these problems, the uproar that has been caused in the two months since the decision is expected, especially amongst news media sites which are most affected by this ruling. However, the faulty application of the ruling does not necessarily mean that a right to be forgotten is a concept which should be buried. Proposed solutions such as archiving of data or limited restrictions, instead of erasure may be of some help in maintaining a balance between the two rights.[18] EU regulators hope to end the confusion through drafting comprehensive guidelines for the search engines, pursuant to meetings with various stakeholders, which should come out by the end of the year. [19] Until then, the confusion will most likely continue.

Is there a Right to be Forgotten in India?

Indian law is notorious for its lackadaisical approach towards both freedom of information and privacy on the internet. The law, mostly governed by the Information Technology Act, is vague and broad, and the essence of most laws is controlled by the rules enacted by non-legislative bodies pursuant to various sections of the Act. The “right to be forgotten” in India can probably be found within this framework, specifically under Rule 3(2) of the Intermediary Guideline Rules, 2011, under Section 79 of the IT Act. Under this rule, intermediaries are liable for content which is “invasive of another’s privacy”. Read with the broad definition of intermediaries under the same rules (which includes search engines specifically) and of “affected person”, the applicable law for takedown of online content is much more broad and vague than the standard laid down in Costeja. It remains to be seen whether the EU’s interpretation of privacy and the “right to be forgotten” would further the chilling effect caused by these rules.

[1] Google Spain v Mario Costeja Gonzalves, C‑131/12, Available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=264438.

[2] See Victor Mayer-Schonberger, Delete: The Virtue of Forgetting in the Digital Age, (Princeton, 2009).

[3] For example, See http://mugshots.com/; and http://www.peoplesearchpro.com/resources/background-check/criminal-records/

[4] LSD as Therapy? Write about It, Get Barred from US, (April, 2007) available at

http://thetyee.ca/News/2007/04/23/Feldmar/

[5] It’s nearly impossible to get revenge porn of the internet, (June, 2014), available t http://www.vox.com/2014/6/25/5841510/its-nearly-impossible-to-get-revenge-porn-off-the-internet

[6] Article 2(a) - “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Article 2(b) - “ processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

[7] ¶36, judgment.

[8] The court also recognizes the implications on data profiling through the actions of search engines organizing results in ¶37.

[9] ¶74 judgment.

[10] In ¶83, the court notes that the processing by a search engine affect the data subject additionally to publication on a webpage; ¶87 - Indeed, since the inclusion in the list of results, displayed following a search made on the basis of a person’s name, of a web page and of the information contained on it relating to that person makes access to that information appreciably easier for any internet user making a search in respect of the person concerned and may play a decisive role in the dissemination of that information, it is liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page.

[11] ¶92, judgment.

[12] ¶72, judgment.

[13] ¶81, judgment.

[14] The form is available at https://support.google.com/legal/contact/lr_eudpa?product=websearch

[15] Is Google intentionally overreacting on the right to be forgotten? (June, 2014), available at http://www.pcpro.co.uk/news/389602/is-google-intentionally-overreacting-on-right-to-be-forgotten.

[16] Will the right to be forgotten extend to Google.com?, (July, 2014), available at http://www.pcpro.co.uk/news/389983/will-right-to-be-forgotten-extend-to-google-com.

[17] The right to be forgotten is a nightmare to enforce, (July, 2014), available at http://www.forbes.com/sites/kashmirhill/2014/07/24/the-right-to-be-forgotten-is-a-nightmare-to-enforce.

[18] Michael Hoven, Balancing privacy and speech in the right to be forgotten, available ati http://jolt.law.harvard.edu/digest/privacy/balancing-privacy-and-speech-in-the-right-to-be-forgotten#_edn15

[19] EU poses 26 questions on the right to be forgotten, (July, 2014), available at http://www.cio-today.com/article/index.php?story_id=1310024135B0

For more details visit https://cis-india.org/internet-governance/blog/learning-to-forget-ecj-decision-on-the-right-to-be-forgotten-and-its-implications

Learning Forum: Transparency and Human Rights in the Digital Age

praskrishna — 2014-12-04T16:14:38Z

Pranesh Prakash spoke at this event organized by Global Network Initiative on November 6, 2014 in California.

Pranesh Prakash spoke on transparency reports and their use and abuse in India; the Intermediary Liability Rules in India (and its non-provision of any transparency mechanism); and the need for transparency in private speech regulation, not just governmental speech regulation.

The Global Network Initiative and the Telecommunications Industry Dialogue on Freedom of Expression and Privacy present:

2014 Learning Forum - Silicon Valley
Transparency and Human Rights in the Digital Age

Hosted by LinkedIn

Agenda

1:30PM - Registration

2:00PM - Opening Remarks

Mark Stephens, Independent Chair, Global Network Initiative

Jeffrey Dygert, Executive Director of Public Policy, AT&T

Pablo Chavez, Vice President, Global Public Policy and Government Affairs, LinkedIn

2:15PM - Why does transparency matter for protecting and respecting rights online?

Arvind Ganesan, Director of Business and Human Rights, Human Rights Watch

Deirdre Mulligan, Associate Professor, UC Berkeley School of Information

Michael Samway, School of Foreign Service, Georgetown University

3:00PM - What is the state of transparency reporting by companies and governments, and what's missing?

Steve Crown, Vice President and Deputy General Counsel, Microsoft

Jeffrey Dygert, Executive Director of Public Policy, AT&T

Jason Pielemeier, Bureau of Democracy, Human Rights, and Labor, U.S. Department of State

Pranesh Prakash, Policy Director, Centre for Internet & Society, Bangalore

Moderated by Bennett Freeman, Senior Vice President, Sustainability Research and Policy, Calvert Investments

4:00PM - Break

4:30PM - How do companies communicate with users in response to live events?

Ben Blink, Senior Policy Analyst, Free Expression and International Relations, Google

Patrik Hiselius, Senior Advisor, Digital Rights, TeliaSonera

Rebecca MacKinnon, Director, Ranking Digital Rights Project, New America Foundation

Hemanshu Nigam, CEO, SSP Blue

Sana Saleem, Director, Bolo Bhi

Moderated by Cynthia Wong, Senior Internet Researcher, Human Rights Watch

The program will be followed by a reception from 5:30 to 6:30pm.

By invitation only, non-transferrable.

Have questions about Learning Forum: Transparency and Human Rights in the Digital Age? Contact Global Network Initiative

The original was published here.

For more details visit https://cis-india.org/internet-governance/news/learning-forum-transparency-and-human-rights-in-the-digital-age

Learn It Yourself

praskrishna — 2011-12-23T05:01:14Z

The peer-to-peer world of online learning encourages conversations and reciprocal learning, writes Nishant Shah in an article published in the Indian Express on 30 October 2011.

Technologies and learning have always had a close link. In the past, distance learning programmes of higher education through the postal service, remote education programmes using satellite TV and interactive learning projects using information and communication infrastructure, have all been deployed with varied results in promoting literacy and higher education. In the last two decades, the internet has also joined this technology ecology in trying to provide quality and affordable education to remotely located areas through “citizen service centres” envisioned to reach 6,40,000 Indian villages in the future.

These technology-based information outreach programmes expand the ability of traditional formal learning centres like universities, to cater to the needs of those who might not have access to learning resources. This vision of networked education relies on existing systems of centralised syllabus making, teacher-to-student information transfer, grade-based evaluation and accreditation systems, and a degree-centred approach to learning.

I was in New York last week, at an international summit on the future of learning, Mobility Shifts, organised by the New School, where more than 260 speakers from 21 countries discussed the possibility of learning beyond the bounds of the school and university system. Many discussions were around the declining public education system (with huge disinvestment moves from the government), privatisation of education, increasing tuition and fees, and the non-relevance of current education. However, along with this digital expansion of the traditional education system is an emerging trend that challenges the ways in which we understand education and learning – DIY Learning or Do It Yourself Learning.

DIY Learning is a product of the networked condition. It recognises that as more people get onto digital information networks, there is a possibility of producing peer-to-peer learning conditions, which do not have to follow our accepted models of learning and education.

We have seen the rise of various decentralised and democratised knowledge repositories like Wikipedia. The search based algorithms of search engines also take into consideration the idea that knowledge is personal. User generated content sites like eHow.com show that the individual learner is not merely a recipient of information and knowledge. Information seeking spaces like Quora have shown that knowledge-sharing communities can incite new conditions of learning. Our contexts, experiences, everyday practices, aspirations etc. equip us with valuable information, which not only shape how we learn but also what we find relevant to learn for ourselves. DIY Learning picks up on the idea that the infrastructure of education is not necessarily designed towards learning. Learning often happens outside the classrooms, in informal conversations.

Thus DIY Learning offers a new model of learning. It destabilises the established hierarchy of knowledge production and pedagogy and creates an each-one-teach-one model with a twist. Instead of a centralised board of curriculum designer who shape syllabi for the “average” student, you have the possibility of customised, highly individual, interest-based learning curricula where the student is a part of deciding what s/he wants to learn. DIY Learning doesn’t recognise the distinctions between teachers and students, but recognises them as “peers” within a network, encouraging conversations and reciprocal learning rather than information transfer based classroom models. Instead of mass-produced education that caters only to an imagined average, the DIY Learning model recognises that within the same student group, there are different rates and scales of learning, thus offering environments suited to the aptitude of the students.

Within the DIY Learning model, aspects of education, from the design of curriculum and learning methods, to grading and evaluation are geared towards individual preferences and aspirations.

Many people think of DIY Learning as an alternative to mainstream learning processes and structures. However, it is perhaps more fruitful to think of DIY Learning as a way of figuring out the problems that beset our traditional educational system. It allows us to rethink the relationships between learning, education, teaching and technologies. It recalibrates the space of the classroom and reconfigures the role of the teacher and the student.

DIY Learning emphasises that merely building schools and universities is not enough to assure that learning happens. Learning happens through experiences, practice, conversations, internalisations and through making mistakes. DIY Learning offers these possibilities in an education universe that is constantly refusing to take risks, innovate and adapt to the needs of the present. By itself it might not be able to take on the roles and functions of the existing education systems. But it does warn us that we are preparing our students for our pasts rather than their futures. And the time to change is now.

The original story was published in the Indian Express, it can be read here

For more details visit https://cis-india.org/news/learn-yourself

Leaked Privacy Bill: 2014 vs. 2011

elonnai — 2014-04-01T10:52:41Z

The Centre for Internet and Society has recently received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India has drafted.

Note: After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post.

This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in April 2011 and September 2011.

When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions. Below is an outline of significant changes from the September 2011 Privacy Bill to the 2014 Privacy Bill:

Scope: The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India. The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.
Definitions: The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.

Terms that have been added in the 2014 Bill and the definitions

Personal identifier: Any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.
Legitimate purpose: A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.
Competent authority : The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.
Notification: Notification issued under this Act and published in the Official Gazette
Control : And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.
Telecommunications system: Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.
Privacy standards: The privacy standards or protocols or codes of practice. developed by industry associations.

Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions

Communication data:The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications
Data subject : Any living individual, whose personal data is controlled by any person
Interception: In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication.
Person: Any natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban local body, or any other officer, agency or instrumentality of the state.
Sensitive personal data: Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation. Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.
Individual: a resident of Indian
Covert surveillance: covert Surveillance" means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual
Re-identify: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;
Process: “process" and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to:(a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;
Direct marketing: Direct Marketing means sending of a commercial communication to any individual
Data controller: any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;
Government: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;

Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:

Consent: Includes implied consent
Maintain: Includes maintain, collect, use, or disseminate.
Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller.
Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund.
Prescribed: Prescribed by rules made under this Act.
Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)
DNA: Cell in the body of an individual, whether collected from a cheek, cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with other individual.

Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):

Authority: The Data Protection Authority of India
Appellate tribunal: the Cyber Appellate Tribunal established under Sub-Section (1) of section n48 of the Information Technology Act, 2000.
Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject.
Member: Member of the Authority
Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data.
Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller.

Exceptions to the Right to Privacy: According to the 2011 Bill, the exceptions to the Right to Privacy included:

Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state
Preventing incitement to the commission of any offence
Prevention of public disorder or the detection of crime
Protection of rights and freedoms of others
In the interest of friendly relations with foreign state
Any other purpose specifically mentioned in the Act.

The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed on the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.

Acts not to be considered deprivations of privacy: The 2011 Bill lists five instances that will not be considered a deprivation of privacy - namely

For journalistic purposes unless it is proven that there is a reasonable expectation of privacy,
Processing data for personal or household purposes,
Installation of surveillance equipment for the security of private premises,
Disclosure of information via the Right to Information Act 2005,
And any other activity exempted under the Act.

The 2014 limits these instances to:

The processing of data purely for personal or household purposes,
Disclosure of information under the Right to Information Act 2005,
And any other action specifically exempted under the Act.

Privacy Principles: Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices.

Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:

Collection of personal data,
Processing of personal data,
Data quality,
Provisions relating to sensitive personal data,
Retention of personal data,
Sharing (disclosure) of personal data,
Security of personal data,
Notification of breach of security,
Access to personal data by data subject,
Updation of personal data by data subject
Mandatory processing of data,
Trans border flows of personal data.

Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:

Collection of personal data,
Processing of personal data,
Access to personal data,
Updating personal data
Retention of personal data
Data quality,

The 2014 Bill has further includes provisions addressing:

Openness and accountability,
Choice,
Consent,
Exceptions for personal identifiers.

The 2014 Bill has made changes to the provisions addressing:

Provisions relating to sensitive personal data,
Sharing (disclosure of personal data),
Notification of breach of security,
Mandatory processing of data
Security of personal data
Trans border flows of personal data.

The changes that have been made have been mapped out below:

Provisions Relating to Sensitive Personal Data: The 2011Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances on which authorization is not needed for the collection and processing of sensitive personal data:

For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.
Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires that any additional transaction sought to be performed with the sensitive personal information requires fresh consent to first be obtained. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

Notification of Breach of Security: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national news papers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach.

Notice: The 2014 Bill changes the structure of the notice mechanism – where in the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:

The documented purposes for which such personal data is being collected
Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service
The consequences of the failure to provide the personal data
The recipient or category of recipients of the personal data
The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller
If such personal data is intended to be transferred out of the country, details of such transfer.

In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:

What data is being collected and
The legitimate purpose for the collection.

If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:

The use to which the personal data will be put
Whether or not the personal data will be disclosed to a third party and if so the identity of such person
If the personal data being collected is intended to be transferred outside India and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data.
The security and safeguards established by the data controller in relation to the personal data
The processes available to a data subject to access and correct his personal data
The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto
The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller.

Disclosure of personal data: Though titled as ‘sharing of personal data’ both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances on which consent is not needed. In the 2011 bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing. In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose (ii) such disclosure is for achieving any of the objectives of section 5 (iii) the Authority has by order authorized such disclosure (iv) the disclosure is required under any law for the time being in force (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. As a safeguard, the 2014 Bill requires that any person to whom personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.

Transborder flow of information: Though both the 2011 Bill and the 2014 Bill require any country that data is transferred to must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

Mandatory Processing of Data: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.

Security of Personal Data: The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of security.

Conditions on which provisions do not apply: Both the 2011Bill and 2014 Bill define conditions on which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy will not apply to personal data. Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill carves out an exception for Government Intelligence Agencies - stating that the provisions of updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.
Privacy Officers: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.
Power of Authority to Exempt: Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances on which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’ .

The Data Protection Authority: The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority. For example, new functions of the Authority include:

Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act,
Suggesting international instruments relevant to the administration of the Act,
Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.

The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving him the power to receive, investigate complaints about alleged violations of privacy and issue appropriate orders or directions.

At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligences Agencies and Law Enforcement, if for the objectives of (a) sovereignty, integrity or security of India; or(b) strategic, scientific or economic interest of India; or(c) preventing incitement to the commission of any offence, or (d) prevention of public disorder, or(e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.

This power is instead vested with a court of competent jurisdiction.

The National Data Controller Registry: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.
Direct Marketing: Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’ and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.
Interception of Communications: Though maintaining some of the safeguards defined in the 2011 Bill for interception, 2014 Bill changes the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees, removing provisions requiring the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.
Video Recording Equipment in public places: Unlike the 2011 Bill, which addressed only the use of CCTV’s, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though both the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed.

The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.

Privacy Standards and Self Regulation: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them. For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.
Settlement of Disputes and Appellate Tribunal: The 2014 Bill makes significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish. If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court.

In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is not further path for appeal to an order of the tribunal.

Offences and Penalties: The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section.

Offences: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the courts ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. . Under the 2014 Bill offences are defined as:

Unauthorized interception of communications
Disclosure of intercepted communications
Undertaking unauthorized Covert Surveillance
Unauthorized use of disclosure of communication data

The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.

Penalties: The 2014 Bill provides a list of penalties including:

Penalty for obtaining personal data on false pretext
Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers
Penalty for disclosure of other personal information
Penalties for contravention of directions of the Authority
Penalties for data theft
Penalties for unauthorised collection, processing, and disclosure of personal data
Penalties for unauthorized use of personal data for direction marketing. These penalties reflect the penalties in the 2011 bill, but prescribe higher fines

Adjudicating Officer: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial processing. When adjudicating the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, the respective nature of the default

Civil Remedies and compensation: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to - if loss or damage has been suffered or an adverse determination is made about an individual due to negligence on complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense.

The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.

Exceptions for intelligence agencies: Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.

The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but are cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.

In 2012, the Report of Group of Expert s on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.

For more details visit https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011

Law yet to catch up with tech-enabled peeping toms

praskrishna — 2012-11-08T08:06:07Z

Devices that give sharp images are the order of the day. But this clarity is lacking when it comes to regulating use of cameras and camera phones in public places, say policy makers.

The article by Sandhya Soman & Pratiksha Ramkumar was published in the Times of India on November 7, 2012.

If there is one thing that sends more clients harried by blackmailers to detectives like A M Malathy of Malathy Detective Agency, it is the pervasive presence of the camera, most often inside modest cell phones. "One girl had to leave a town as her ex-boyfriend uploaded her photo on the internet and referred to her as a call girl. We got the web page removed," says Malathy.

But tracing culprits is difficult if they are strangers on the road. Absence of a privacy law makes it difficult for police to book culprits. "If someone photographs a woman on a bus, we can ask the person to delete it. But we can't book the person s there is no law," says Jegabar Sali, assistant commissioner, cyber crime cell.

The Information Technology (IT) Act, 2000 talks of punishment only in cases where a person's private areas have been photographed. However, things are looking up with the government trying to draw up the Right to Privacy Bill.

"The problems posed by digital technology are complex and we need to define what these new crimes are," says Rajeev Chandrasekhar, independent Member of Parliament, who introduced the Right to Privacy Bill,2010 in Parliament. "I did it because I got representations from parents and women about how MMS clips were being used to blackmail them," says Chandrasekhar.

There have been attempts at legislation earlier. The Mobile Camera Phone Users (Code of Conduct) Bill, 2006 attempted to regulate the use of camera phones in public places. It proposed that manufactures build camera phones that flash a light or emit a 'click' sound, and that users should get consent of the person being photographed.

"The sound and light are for informing people that they are being filmed," says Sunil Abraham, executive director, Centre for Internet and Society, a Bangalore-based organisation that was part of the committee. These provisions are part of South Korea's privacy law, which sought to bring down cases of technology-enabled 'upskirt' photography, where photos of women were taken without their permission, he says.

For more details visit https://cis-india.org/news/times-of-india-sandhya-soman-and-pratiksha-ramkumar-nov-7-2012-law-yet-to-catch-up-with-tech-enabled-peeping-toms

Launching CIS’s Flagship Report on Private Crypto-Assets

Admin — 2021-12-03T15:16:27Z

The Centre for Internet & Society is launching its flagship report on regulating private crypto-assets in India, as part of its newly formed Financial Technology (or Fintech) research agenda. This event will serve as a venue to bring together the various stakeholders involved in the crypto-asset space to discuss the state of crypto-asset regulation in India from a multitude of perspectives.

About the private crypto-assets report

The first output under this agenda is our report on regulating private cryptocurrencies in India. This report aims to act as an introductory resource for policymakers who are looking to implement a regulatory framework for private crypto-assets. The report covers the technical elements of crypto-assets, their history, proposed use cases as well as its benefits and limitations. It also examines how crypto-assets fit within India’s current regulatory and legislative frameworks and makes clear recommendations for the same.

About the Event

The launch event will feature an initial presentation by researchers at CIS on the various findings and recommendations of its flagship report. This will be followed by a moderated discussion with 5 panelists who represent the space in policy, academia and industry. The discussion will be centered around the current status of crypto-assets in India, the government’s new proposed regulations and what the future holds for the Indian crypto market.

The confirmed panelists are as follows:

Tanvi Ratna - Founder, Policy 4.0 and expert on blockchain and cryptocurrencies
Shehnaz Ahmed - Senior Resident Fellow and Fintech Lead at Vidhi Centre for Legal Policy
Nithya R. - Chief Executive Officer, Unos.Finace
Prashanth Irudayaraj - Head of R&D, Zebpay
Vipul Kharbanda - Non resident Fellow specialising in Fintech at CIS
Aman Nair - Policy Offer, CIS (Moderator)

Registration link: https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw

Agenda

17.30 - 17.35

Welcome Note

17.35 - 18.35

The status of private crypto-assets in India

Presentation on CIS’ flagship Report on regulating private crypto-assets in India
Moderated discussion with panelists across industry, government, journalism and academia providing their insight as to the current and future state of private crypto-assets, and their regulation, in India.

18.35 - 19.00

Audience questions and discussion

For more details visit https://cis-india.org/internet-governance/events/launching-cis-flagship-report-on-private-crypto-assets

Launching CIS’s Flagship Report on Private Crypto-Assets

Aman Nair — 2021-12-13T09:11:18Z

This event will serve as a venue to bring together the various stakeholders involved in the crypto-asset space to discuss the state of crypto-asset regulation in India from a multitude of perspectives.

About the private crypto-assets report

About the Event

The confirmed panelists are as follows:

Tanvi Ratna - Founder, Policy 4.0 and expert on blockchain and cryptocurrencies
Shehnaz Ahmed - Senior Resident Fellow and Fintech Lead at Vidhi Centre for Legal Policy
Nithya R. - Chief Executive Officer, Unos.Finace
Prashanth Irudayaraj - Head of R&D, Zebpay
Vipul Kharbanda - Non resident Fellow specialising in Fintech at CIS
Aman Nair - Policy Offer, CIS (Moderator)

Registration link: https://us06web.zoom.us/webinar/register/WN_TdY-EPLoRvGY2rfsq4CENw

Agenda

17.30 - 17.35	Welcome Note
17.35 - 18.35	The status of private crypto assets in India Presentation on CIS’ flagship Report on regulating private crypto-assets in India Moderated discussion with panelists across industry, government, journalism and academia providing their insight as to the current and future state of private crypto-assets, and their regulation, in India.
18.35 - 19.00	Audience questions and discussion

For more details visit https://cis-india.org/internet-governance/blog/launching-flagship-cis-report-on-private-crypto-assets

Lack of clarity about cashless and online transactions makes digital payments more worrisome

praskrishna — 2016-12-02T16:20:39Z

Even as demonetisation pushes for more and more cashless and online transactions through, e-wallets, banks and other such apps, there is a serious lack of clarity on how these companies handle customer data, and how it is shared with other entities. "Data is the new oil," is an oft repeated phrase in nearly every technology related conversation that comes up anywhere in India today.

The article by Neha Alawadhi was published in the Economic Times on December 1, 2016. Sunil Abraham was quoted.

However, the handling of this data, most of which carries some of our most personal information, has little protection if it is misused by a private or government entity.

Sample this: at an industry event, a Bengaluru-based startup claimed to solve the problem of credit worthiness of individuals for small loans by using some unusual means. To determine credit worthiness, the company maps everything in your phone — right from how many SMSes you receive for non-payment of dues, to how you fill out your loan application form. The company also claims that it can map, using your phone data, the area of your residence and office.

There are several other companies, especially those in the financial technology (fintech) space, doing similar mapping. The Wall Street Journal on Monday reported that more than three dozen local governments across China are compiling digital records of social and financial behaviour to rate credit worthiness. A person gets a score deduction for violations such as fare cheating, jaywalking and violating family-planning rules.

India may be some distance away from such a credit scoring system, but the increased use of online transactions — financial or otherwise — is sure to lead to similar business models.

"You have no clue what data you are sharing with fintech companies. They are collecting data from other sources and combining it to assess your credit score," said Sunil Abraham, executive director of the Centre for Internet Society.

For example, there is no clarity on what an e-wallet company does with your details and transaction history even after you delete the app. "If there is large level of customer migration of users from an app company, they will just become a data analytics company. The bigger danger in future is the growth of large data intermediaries which are similar to Visa and Mastercard networks, which purchase big databases and further sell this data and build their services or product on top of that. There are large privacy concerns there," said Apar Gupta, advocate and Internet policy expert. While lack of a privacy law or controller has been a long standing concern, the existing law for data protection — Section 43(A) of the Information Technology Act— also offers only very basic protection and is "grossly inadequate", according to Abraham.

To make matters worse, they also lack a strict enforcement mechanism. "We don’t know what are the data practices (adopted by apps). There is no privacy controller or some other body, so it is very difficult for a user to know what are the actual ways their data is being implemented," said Gupta.

There have also been cases of government entities making sensitive and personal information public. Earlier this year, DataMeet, a community of data science enthusiasts, found that Bengaluru Police released 13,000 call data records (CDR) of potential on-going investigations during a hackathon with focus on solving problems of cities.

"There has been very little talk about data ethics and data practices in India. But cases of misuse of data are frequent," noted DataMeet member Srinivas Kodali in a blogpost.

For more details visit https://cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome

Konkan Corridor Project — A Lecture by Vasant Gangavane

praskrishna — 2012-04-13T13:49:32Z

Well known social worker Vasant Gangavane will be giving a public lecture on the Konkan Corridor Project at Ashoka Innovators for the Public in Bangalore on April 16, 2012. The lecture will focus on the role of Information & Communication Technology for total rural transformation by inclusive integrated development with no change of land ownerships. The event is co-organized by Ashoka Innovators for the Public and the Centre for Internet and Society.

Citing examples from the 117 village clusters in the regions of Ratnagiri and Sindhudurga districts of Maharashtra the lecture hopes to throw light on questions like what is a village cluster, what does it mean to urbanize one village cluster and what do we need to do to urbanize one village cluster, how will we organize and coordinate the project. This apart the vision, status and action plans of the Konkan Corridor Project, the skills development in each cluster, intensive agriculture in each cluster, farm produce processing, water conservation in the project area, rivers in the project area, energy, transportation, industry, science communication, and self administration in each clusters will also be discussed.

Vasant Gangavane

In the 1970s Vasant Gangavane, a management graduate from Indian Institute of Management and Wharton, returned to his village in Konkan, Maharashtra, to give his people what he felt they needed most — the knowledge to manage their natural resources. In the process, he set up several models of rural development. Gangavane found that the rate at which people migrated out of the Konkan was very high, despite the fact that the area was rich in natural resources. He studied the area and realised that land improvement and watershed development were key issues. He conducted a series of experiments in agriculture, dairy and poultry farming before setting up the Gokul Prakalp Pratishthan (GPP) in 1978. With the Maharashtra government's comprehensive watershed management programme (COWDEP), Gangavane's Pratishthan afforested 400 hectares of land in Vilye village with mango and cashew trees. Gangavane then acquired 40 acres of wasteland in the village and built water conservation structures called Gokul bandharas. This resulted in the wells in the area being recharged and ensured enough drinking water for 25 families.This model was later adopted by the Indo-German Watershed Programme.

When Gangavane's project began, the village of Vilye was bereft of young people. Its young had migrated. Now there is reverse migration and 3,000 people have benefited from the programme. The village has been transformed — water runoff has been arrested and afforestation has changed the look of the village.

After the watershed programme, Gangavane formulated a theoretical plan for model villages called the Gokul project. The aim was communication and knowledgesharing. A participatory rural appraisal is also done to explore natural resource availability, potential and use. The awareness is meant to empower people and convince them that watershed programmes can address problems of poverty and inequity. Gangavane believes that with this knowledge, and with the resources available, a small family in the area can live sustainably.

Gangavane's Pratishthan has set up an Ashramshaala at Laanja, Ratnagiri district, which is a tribal residential school, where 300 children are provided free boarding and lodging up to the secondary level. GPP has also introduced computer education in schools. For his work Gangavane was awarded the Vanashree award, Vasantrao Naik Pratisthan award and the Indira Priyadarshini Vrikshamitra award.

Download the presentation here [PDF, 228 KB]

For more details visit https://cis-india.org/internet-governance/talk-by-vasant-gangavane

Know thy selfie

praskrishna — 2015-08-05T01:23:12Z

The trend of clicking selfies is not a mere self-indulgent fad. It's a modern form of peer validation that helps in building a social bond, say Prasun Chaudhuri and Sharmistha Ghosal

The article was published in the Telegraph on November 27, 2014. Nishant Shah and Rohini Lakshane were quoted.

Ever since her father gifted her an expensive smartphone, Anwesha Ray, a third year student at a Calcutta college, can't stop clicking selfies. First, she started uploading selfies on her Facebook page once a week. But the growing number of 'likes' inspired her to capture more images. Now she clicks at least five pictures a day and changes her profile picture at least twice a week. She deletes a picture within hours if it fails to garner at least 200 'likes' from over 4,000 friends.

Rohit Chattopadhyay, a third year student at an engineering college in south Calcutta, mastered the art of taking selfies and editing them courtesy Instagram. He uploads at least a couple of self-portraits a day. Sometimes he works well past midnight chasing that "perfect" shot.

Aliah Shamim, a second year student at a top Calcutta college, loves to click selfies with friends and family. However, she shares them only with her close contacts on Facebook and WhatsApp.

Welcome to the world of selfie-engrossed teenagers ready to do anything to get that perfect self-portrait. In every college you'll find students who are mad about selfies. Anwesha knows her obsession leads to her "wasting a lot of time", but she can't kick her habit of clicking selfies.

"I simply love those 'likes' on Facebook. It gives me a feeling of deja vu. I feel as if I'm a celebrity," she says a tad sheepishly. "Just imagine how many admirers I have," says Rohit proudly showing a particular top shot of his face which has garnered 602 'likes'.

Are these students really being too self indulgent? Or is it just their way of getting endorsement of their self worth? Dr Shefali Batra, founder, Mind Frames, a psychiatric clinic in Mumbai, feels the act of taking selfies is a way of feeling "empowered" as students attempt to compensate for their lack of self worth in the real world. According to her, the selfie obsession borders on narcissism — an excessive interest in or admiration of oneself and one's physical appearance — and clouds their judgement; they fail to see the real world.

She is worried because she's been getting quite a few teen patients who are obsessed with selfies. Although not as extreme as a 15-year-old girl from Philippines who died after falling down the stairs while taking a selfie or a Russian teen who plunged to his death after trying to take a selfie atop a railway bridge, she is scared the trend might catch on in India.

Calcutta-based psychiatrist J.R. Ram too is concerned about the increasing number of selfie-obsessed teens in his clinic. He says, "Last week, I met a 13-year-old girl who stole money to get a haircut like pop singer Rihanna. Her parents were worried but she was nonchalant as her portrait got 167 'likes' on a social networking site."

According to Ram, selfies are the modern day equivalent of a reflection in a pool which led mythological Greek hunter Narcissus to drown in a stream as he was enamoured of his own image. "The virtual image is more important to these teenagers than the real one," he avers.

Agrees Rima Mukherjee, a psychiatrist based in Calcutta. "Virtual appreciation means a lot to these kids and it doesn't matter if most of the 'likes' they get on social networking sites are fake," she says. According to her, the trend is pushing some youths to compete with their friends to garner more 'likes'. "If a friend's picture gets more 'likes' students feel compelled to go on an overdrive to shoot and upload more selfies," she notes.

Take the case of Ashmita Dasgupta. "I make it a point to score quality 'likes,' unlike Anwesha [her classmate]. I don't go on adding random friends to maximise the 'likes'," she says.

As an associate dean at Praxis B-school, Calcutta, Charanpreet Singh has a ringside view of student behaviour and activities. He says, "These kids do have a large network of friends but the relationships are very superficial. The so-called 'likes' don't come from the heart and mean nothing." He's also observes that those students who don't have many real world friends are more active on social networking sites. "They vie for appreciation out of emotional insecurity."

Some argue that this trend of clicking and uploading selfies has been fuelled by the celebrity culture. Says Aroona Broota, a former professor of psychology in Delhi University, "Some teenagers are inspired by celebs who frequently click selfies to promote themselves. The kids fail to understand that for the celebrities it's a shrewd way of marketing themselves or advertising a product." Also, for some, clicking selfies has become an escape route from the daily drudgery and frustrations that one face in real life such as scoring low marks in exams, having no job or other personal problems.

But not all psychiatrists or psychologists feel that the trend is scary. Zena Deb, a Calcutta-based clinical psychologist, finds nothing wrong with students clicking selfies unless their obsession leads them to taking risks such as shooting from the top of a building or a cliff.

Deb, a mother of an 18-year-old girl says, "Most do this to seek attention and get some validation from peers. It doesn't matter if one is ugly or pretty — you can seek a certificate for your self-worth and you get it so easily on a social network." For a teenager such 'peer review' is of utmost importance and it must not be confused with narcissism.

Ali Khwaja, founder of counselling centre Banjara Academy, Bangalore, too feels narcissism is too strong a word to describe the trend. "With a strong medium at their disposal they want to spread the message that they want to be different, creative and adventurous. They hope to expand their contacts and create an identity," he says.

Nishant Shah, co-founder of the Centre for Internet and Society, Bangalore, feels the act of taking selfies is a networking phenomena. He says, "These are meant for creating interesting routes of connectivity with a photographic object that goes beyond individualistic relationships. It forms social and cultural capital for youths."

Rohini Lakshané, a researcher at the CIS, believes we are living in times where users of social media, especially "digital natives" find it rewarding to constantly promote themselves in their chosen ways and forms through these channels. She says, "The selfie often circumvents the artistic pursuit of making a self portrait. Instead it tries to make a spectacle or testimony that the selfie-taker was indeed present at a certain place, at a certain time, in a certain attire or mood, and (perhaps) in the company of certain people." According to her, selfie-takers enjoy control over how the photos turn out to be, how they look in the photo, and the time and social network in which such a photo is published — all of which are 'advantages' over having someone else take their photos or being shot candidly. She adds, "While I would consider the act of taking several selfies self-indulgent, I am not sure if it qualifies as narcissistic."

They have the tools of self-expression which their parents didn't have, says Kaustuv Sengupta, a youth trend analyst and an associate professor at NIFT, Bangalore. "This is a more expressive generation which wants to become more visible," he says. As a panel member of a youth survey — called Millennial Paradox — conducted by Titan Industries last year, he found that despite the unprecedented levels of self-obsession and independence, India's millennnials (21-35 year old) do not operate in isolation — they have a strong desire to share and belong to a community. "Sharing has become the principle form of validation....everything requires endorsement — whether that takes the form of a 'friend' a 'like' or even a 'retweet", concludes the survey, describing the new trend as "collective individualism".

For the current generation of digital natives, endorsements in the virtual world matter more than the feedback they get from the real world, says Dr Subhrangshu Aditya, a student counsellor at Jadavpur University. "The real world — parents, guardians and other authorities — doesn't approve of the 'Kiss of Protest' movement against moral policing, but it is appreciated by their virtual friends," he observes.

Nishant Shah of CIS points out that social media are a potent tool for today's youngsters. These can be used as a political weapon when they identify crises in their immediate environment. And all the recent movements across the world — anti-corruption or the post-gangrape protests in India, occupy Wall Street in the US or Shahbag protests — have originated in the digital world. More power to the social media, we say.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-november-27-2014-know-thy-selfie

Killing the Internet Softly with Its Rules

pranesh — 2011-08-20T12:51:42Z

While regulation of the Internet is a necessity, the Department of IT, through recent Rules under the IT Act, is guilty of over-regulation. This over-regulation is not only a bad idea, but is unconstitutional, and gravely endangers freedom of speech and privacy online.

A slightly modified version of this blog entry was published as an op-ed in the Indian Express on May 9, 2011.

Over-regulation of the Internet

Regulation of the Internet, as with regulation of any medium of speech and commerce, is a balancing act. Too little regulation and you ensure that criminal activities are carried on with impunity; too much regulation and you curb the utility of the medium. This is especially so with the Internet, as it has managed to be the impressively vibrant space it is due to a careful choice in most countries of eschewing over-regulation. India, however, seems to be taking a different turn with a three sets of new rules under the Information Technology Act.

These rules deal with the liability of intermediaries (i.e., a large, inclusive, group of entities and individuals, that transmit and allow access to third-party content), the safeguards that cybercafes need to follow if they are not to be held liable for their users' activities, and the practices that intermediaries need to follow to ensure security and privacy of customer data.

Effect of not following the rules

By not observing any of the provisions of these Rules, the intermediary opens itself up for liability for actions of its users. Thus, if a third-party defames someone, then the intermediary can be held liable if he/she/it does not follow the stringent requirements of the Rules.

The problem, however is that, many of the provisions of the Rules have no rational nexus with the due diligence to be observed by the intermediary to absolve itself from liability.

What does the Act require?

Section 79 of the IT Act states that intermediaries are generally not liable for third party information, data, or communication link made available or hosted. It qualifies that by stating that they are not liable if they follow certain precautions (basically, to show that they are real intermediaries). They observe 'due diligence' and don't exercise an editorial role; they don't help or induce commission of the unlawful act; and upon receiving 'actual knowledge', or on being duly notified by the appropriate authority, the intermediary takes steps towards some kind of action.

So, rules were needed to clarify what 'due diligence' involves (i.e., to state that no active monitoring is required of ISPs), what 'actual knowledge' means, and to clarify what happens in happens in case of conflicts between this provision and other parts of IT Act and other Acts.

Impact on freedom of speech and privacy

However, that is not what the rules do. The rules instead propose standard terms of service to be notified by all intermediaries. This means everyone from Airtel to Hotmail to Facebook to Rediff Blogs to Youtube to organizations and people that allow others to post comments on their website. What kinds of terms of service? It will require intermediaries to bar users from engaging in speech that is disparaging', It doesn't cover only intermediaries that are public-facing. So this means that your forwarding a joke via e-mail, which "belongs to another person and to which the user does not have any right" will be deemed to be in violation of the new rules. While gambling (such as betting on horses) isn’t banned in India and casino gambling is legal in Goa, for example, under these Rules, all speech ‘promoting gambling’ is prohibited.

The rules are very onerous on intermediaries, since they require them to act within 36 hours to disable access to any information that they receive a complaint about. Any 'affected person' can complain. Intermediaries will now play the role that judges have traditionally played. Any affected person can bring forth a complaint about issues as diverse as defamation, blasphemy, trademark infringement, threatening of integrity of India, 'disparaging speech', or the blanket 'in violation of any law'. It is not made mandatory to give the actual violator an opportunity to be heard, thus violating the cardinal principle of natural justice of 'hearing the other party' before denying them a fundamental right. Many parts of the Internet are in fact public spaces and constitute an online public sphere. A law requiring private parties to curb speech in such a public sphere is unconstitutional insofar as it doesn't fall within Art.19(2) of the Constitution.

Since intermediaries would lose protection from the law if they don't take down content, they have no incentives to uphold freedom of speech of their users. They instead have been provided incentives to take down all content about which they receive complaints without bothering to apply their minds and coming to an actual conclusion that the content violates the rules.

Cybercafe rules

The cybercafe rules require all cybercafe customers be identified with supporting documents, their photographs taken, all their website visit history logged, and these logs maintained for a year. Compare this to the usage of public pay-phones. Anyone can use a pay-phone without their details being logged. Indeed, such logging allows for cybercafe owners to blackmail their users if they find some embarrassing websites in the history logs—which could be anything from medical diseases to sexual orientation to the fact that you're a whistleblower.

The cybercafe rules also require that all of them install "commercially available safety or filtering software" to prevent access to pornography. In two cases along these lines in the Madras High Court (Karthikeyan R. v. Union of India) and the Bombay High Court (Janhit Manch v. Union of India), the High Courts refused to direct the government to take proactive steps to curb access to Internet pornography stating that such matters require case-by-case analysis to be constitutionally valid under Art.19(1)(a) [Right to freedom of speech and expression].

Such software tends to be very ineffective—non-pornographic websites also get wrongly filtered, and not all pornographic websites get filtered—and the High Courts were right in being wary of any blanket ban. They preferred for individual cases to be registered. If the worry is that our children are getting corrupted, it is up to parents to provide supervision, and not for the government to insist that software do the parenting instead.

Given that all of these were pointed out by both civil society organizations, news media, and industry bodies, when the draft rules were released, it smacks of governmental high-handedness that almost none of the changes suggested by the public have been incorporated in the final rules.

For more details visit https://cis-india.org/internet-governance/blog/killing-the-internet-oped