We are anonymous, we are legion

Report on the 2nd Privacy Round Table meeting

maria — 2013-07-12T11:54:28Z

This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first Privacy Round Table in Delhi, this report entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20^th April 2013.

Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”

The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13^th April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.

DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.

The discussion points brought forward by DSCI were:

What role should government and industry respectively play in developing and enforcing a regulatory framework?
How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?
How can an organization be incentivized to follow the codes of practice under the SRO?
What should be the role of SROs in redressal of complaints?
What should be the business model for SROs?

DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.

Discussion on the draft Privacy (Protection) Bill 2013

Discussion of definitions and preamble: Chapter I & II

The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.

Sensitive Personal Data

The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.

Information vs. Data

During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.

Exemptions

Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.

Discussion of “Protection of Personal Data”: Chapter III

Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out and suggested that it be included in draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are been included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.

Data Collection

In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the in Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.

Consent

On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over certain cases, in other cases they choose to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this should too be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized upon the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.

Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.

Data Disclosure

In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.

A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared, retained when it is not handled within India and several participants argued that this should be encountered within the Bill.

Data Destruction

In terms of data destruction, a participant emphasized upon the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized upon the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.

Data Processing

In terms of data processing, participants argued that privacy protection complications have arisen in light of the social media. In particular, they argued that social media develop and expand technologically constantly and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.

However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.

In brief, the following questions with regards to chapter III of the bill were raised during the meeting:

Should consent be required prior to the collection of data?
Should consent be acquired prior and after the disclosure of data?
Should the purpose of data collection be the same as the purpose for the disclosure of data?
Should an executive order or a court order be required to disclose data?
At the background of national security, anyone´s data can be under the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data in the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?
An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?

Should companies notify individuals when they share their (individuals´) data with international third parties?

In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:

The data subject has to be informed, unless there is a model contract.
The request for consent should depend on the type of data that is to be disclosed.
Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).
The shared data may be considered private data (need of a relevant regulatory framework).
An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.
If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country.
India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.
The problem with disclosure is when there is an exception for certain circumstances
Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability.
Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).
´Data ownership´ should be included in the definitions of the Bill.
What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.

Discussion of “Interception of Communications”: Chapter IV

The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for other purposes other than the original purpose, as well as that such information should not be shared with third parties.

Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner is mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.

Discussion on self-regulation and co-regulation

The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.

The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.

Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than what the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.

Meeting conclusion

The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table

Report on the 1st Privacy Round Table meeting

maria — 2013-07-30T11:11:11Z

This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.

Overview of Justice A P Shah Report: Purpose, Principles and Framework

The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.

During the discussion on the report, a participant stated that, although a privacy legislation should be enacted in India to protect individuals´ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called upon the need for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and on online businesses. Thus, the participant emphasized upon the creation of “light-weight” privacy legislation, which would protect individual´s right to privacy, without infringing upon the interests of the private sector.

Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:

The purpose of the collection of data
The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case
Data is shared with third parties and it is hard to control how long they retain the data for
Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data

Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible to single access of both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follows the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation are approved by the Privacy Commissioner.

While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before being authorised access to information. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.

The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual´s personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies´ method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers´ data and that the sharing of customer data without the individual´s prior knowledge or consent could lead to data breaches and human rights violation.

The first hour of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers´ data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications is a widespread phenomenon in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.

Discussion Highlights:

The pros and cons of self-regulation and co-regulation
The national privacy principles – and how to build in insurance for technology
The role of the Privacy Commissioner
The definition of terms used in the draft Privacy (Protection) Bill 2013

Overview, explanation and discussion on the Privacy (Protection) Bill 2013

The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen´s version of a privacy legislation for India. The Bill entails chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.

During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.

Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for very several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.

As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation coincides with other contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished by personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.

Many participants agreed that India´s proposed Privacy Law should meet global standards in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.

The issue of to whom privacy laws would apply to was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products by Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent on the use of data by customers of foreign countries, especially since different laws apply to each country.

The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.

The term ´sensitive personal data´ was analysed in the meeting and it was argued that it entails data such as sexual orientation, religion, caste and health records among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term ´sensitive personal data´ and that he/she not only ensures that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term ´sensitive personal data´, by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension and thus the necessity to strictly define the term is highly essential.

Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine ´public figures´ was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.

During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on where it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.

The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request for authorisation once the interception has already being conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. An assertive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.

The second session of the meeting concluded to the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals´ personal data.

Discussion Highlights:

If the draft Privacy (Protection) Bill 2013 should be split to two separate Bills
Definition for the term ´sensitive personal data´ (to include broader categories, such as health data)
If personal data should be distinguished in the private and public sector
If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards
The nuances of consumer consent
Various ways to define ´public figures´
Freedom of expression in the context of the draft Privacy (Protection) Bill 2013
The distinction between exemptions and exceptions

In depth explanation and discussions regarding the Privacy (Protection)

Bill 2013

The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to ´specific purposes´, because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term ´necessary information´ is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.

The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill entails provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals´ right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals choose to disclose a large amount of information.

The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data to, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company´s competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers´ data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers´ data, they are not obliged to reveal the parties with whom they are sharing information with, as this would be highly inconvenient.

Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.

A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A participant responded to this argument by stating that companies only protect users´ data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized upon the futility of informing customers of the handling of their data, especially since the average customer would not understand the security setting of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.

In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.

In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers’ data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers´ data is not breached.

Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared with. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable in regards to how they handle data.

The fact that companies can use meta-data for research purposes was mentioned in the meeting, which called upon the need to redefine the term ´data´. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the ´Right to be Forgotten´ debate and stated that the deletion of data, in many cases, is not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding on how such data should be handled. Data should not be disclosed for the sake of being disclosed, but companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option and the example of Facebook was brought up. Participants argued that given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.

The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to ´sensitive personal data´. The need for the redefinition of the term ´sensitive personal data´ in the draft Privacy Bill was emphasized again, as well as participants´ concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should not be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may have not considered when granting initial consent.

The meeting proceeded to discuss the processing of data and several participants emphasized upon the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies.

Discussion Highlights:

The different instances of data collection and consumer consent
The nuances of data sharing
The issue of consumer consent and security assurances offered by companies
The pros and cons of having a data retention regulatory framework
How transparency is incorporated into the draft Privacy Protection Bill 2013
What is needed in provisions that speak to data destruction

Meeting conclusion

The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals´ right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.

Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the Privacy Protection Bill, 2013 based on participants´ feedback, concerns, comments and ideas.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting

Report on ICANN 50

jyoti — 2014-10-12T05:42:04Z

Jyoti Panday attended ICANN 50 in London from 22-26 June. Below are some of the highlights from the meeting.

From 22- 26 June, ICANN hosted its 50^th meeting in London, the largest congregation of participants, so far. In the wake of the IANA transition announcement, Internet governance was the flavor of the week. ICANN’s transparency and accountability measures emerged as much contested notions as did references to NETmundial. This ICANN meeting clearly demonstrated that questions as to the role of ICANN in internet governance need to be settled.

ATLAS II

Coinciding with ICANN meeting was the 2^nd At-Large Summit, or ATLAS II, bringing together a network of regionally self organized and self supporting At-Large structures, representing individual Internet users throughout the world. The goal of the meeting was to discuss, reach consensus and draft reports around five issues organized around five issues organized around thematic groups of issues of concerns to the At-Large Community.

The subjects for the thematic groups were selected by the representatives of ALSes, each summit participant was allocated to thematic groups according to his/her preferences. The groups included were:

Future of Multistakeholder models
The Globalization of ICANN
Global Internet: The User perspective
ICANN Transparency and Accountability
At-Large Community Engagement in ICANN

Fahad Chehade Five Point Agenda

ICANN President, Mr Chehade in his address to the ICANN community covered five points which he felt were important for ICANN in planning its future role. The first topic was the IANA Stewardship and transition, and he stated that ICANN is committed to being a transparent organization and seeks to be more accountable to the community as the contract with the US government ends. Regarding the IANA transition, he remarked that ICANN had received thousands of comments and proposals regarding the transition of IANA stewardship and understood there would be much more discussion on this subject, and that a coordination group has been proposed of 27 members representing all different stakeholders in order to plot the course forward for IANA transition.

His second topic was about ICANN globalization and hardening of operations. He said that ICANN has about 2-3 years to go before he is comfortable that ICANN operations are where they need to be. He applauded the new service channels which allows customer support in many different languages and time zones, and mentioned local language support that would add to the languages in which ICANN content is currently available. Chehade spent a few minutes discussing the future of WHOIS "Directory" technology and highlighted the initial report that a working group had put together, led by Jean-Francois Poussard.

Next he covered the GDD, the Global Domains Division of ICANN and an update from that division on the New gTLD program. He mentioned the ICANN Auction, the contracts that had been signed, and the number of New gTLDs that had already been delegated to the Root. Internet Governance was Chehade's 4th topic of discussion, he applauded the NETmundial efforts, though he stressed that internet governance is one of the things that ICANN does and it will not be a high priority. He ended his speech with his last point, calling for more harmony within the ICANN community.

High Level Government Meeting

During ICANN London, UK government hosted a high-level meeting, bringing together representatives from governments of the world to discuss Internet Governance and specifically the NTIA transition of the IANA contract. Government representatives recognized that the stewardship of IANA should be a shared responsibility between governments and private sector groups, while other representatives stressed giving governments a stronger voice than other stakeholders. The consensus at the meeting held that the transition should not leave specific governments or interest groups with more control over the Internet, but that governments should have a voice in political issues in Internet Governance.

GAC Communiqué

GAC Communique, is a report drafted by the Governmental Advisory Committee, advising the ICANN board on decisions involving policy and implementation. Highlights from the communiqué include:

The GAC advises the Board regarding the .africa string, saying it would like to see an expedited process, especially once the Independent Review Panel comes to a decision regarding the two applicants for the string. They reaffirm their decision that DotConnectAfrica's application should not proceed.
The GAC mentioned the controversy surrounding .wine and .vin, where some European GAC representatives strongly felt that the applications for these strings should not proceed without proper safeguards for geographic names at the second level. However, the GAC was unable to reach consensus advice regarding this issue and thus did not relay any formal advice to the Board.
The GAC requested safeguards in the New gTLDs for IGO (Inter-Governmental Organization) names at the second level, and specifically related such advice for names relating to Red Cross and Red Crescent.

Civil Society in ICANN and Internet Governance

NCUC, or the Noncommercial Users Constituency www.ncuc.org, voice of civil society in ICANN’s policy processes on generic top level domain names and related matters, as well as other civil society actors from the ICANN community organized a workshop to provide an opportunity for open and vigorous dialogue between public interest advocates who are active both within and outside the ICANN community.

For more details visit https://cis-india.org/internet-governance/blog/report-on-icann-50

Report on CIS' Workshop at the IGF:'An Evidence Based Framework for Intermediary Liability'

jyoti — 2014-09-24T10:47:30Z

An evidence based framework for intermediary liability' was organised to present evidence and discuss ongoing research on the changing definition, function and responsibilities of intermediaries across jurisdictions.

The discussion from the workshop will contribute to a comprehensible framework for liability, consistent with the capacity of the intermediary and with international human-rights standards.

Electronic Frontier Foundation (USA), Article 19 (UK) and Centre for Internet and Society (India) have come together towards the development of best practices and principles related to the regulation of online content through intermediaries. The nine principles are: Transparency, Consistency, Clarity, Mindful Community Policy Making, Necessity and Proportionality in Content Restrictions, Privacy, Access to Remedy, Accountability, and Due Process in both Legal and Private Enforcement. The workshop discussion will contribute to a comprehensible framework for liability that is consistent with the capacity of the intermediary and with international human-rights standards. The session was hosted by Centre for Internet and Society (India) and Centre for Internet and Society, Stanford (USA) and attended by 7 speakers and 40 participants.

Jeremy Malcolm, Senior Global Policy Analyst EFF kicked off the workshop highlighting the need to develop a liability framework for intermediaries that is derived out of an understanding of their different functions, their role within the economy and their impact on human rights. He went on to structure the discussion which would follow to focus on ongoing projects and examples that highlight central issues related to gathering and presenting evidence to inform the policy space.

Martin Husovec from the International Max Planck Research School for Competition and Innovation, began his presentation, tracking the development of safe harbour frameworks within social contract theory. Opining that safe harbour was created as a balancing mechanism between a return of investments of the right holders and public interest for Internet as a public space, he introduced emerging claims that technological advancement have altered this equilibrium. Citing injunctions and private lawsuits as instruments, often used against law abiding intermediaries, he pointed to the problem within existing liability frameoworks, where even intermediaries, who diligently deal with illegitimate content on their services, can be still subject to a forced cooperation to the benefit of right holders. He added that for liability frameworks to be effective, they must keep pace with advances in technology and are fair to right holders and the public interest.

He also pointed that in any liability framework because the ‘law’ that prescribes an interference, must be always sufficiently clear and foreseeable, as to both the meaning and nature of the applicable measures, so it sufficiently outlines the scope and manner of exercise of the power of interference in the exercise of the rights guaranteed. He illustrated this with the example of the German Federal Supreme Court attempts with Wi-Fi policy-making in 2010. He also raised issues of costs of uncertainty in seeking courts as the only means to balance rights as they often, do not have the necessary information. Similarly, society also does not benefit from open ended accountability of intermediaries and called for a balanced approach to regulation.

The need for consistency in liability regimes across jurisdictions, was raised by Giancarlo Frosio, Intermediary Liability Fellow at Stanford's Centre for Internet and Society. He introduced the World Intermediary Liability Map, a project mapping legislation and case law across 70 countries towards creating a repository of information that informs policymaking and helps create accountability. Highlighting key takeaways from his research, he stressed the necessity of having clear definitions in the field of intermediary liability and the need to develop taxonomy of issues to deepen our understanding of the issues at stake towards an understanding of type of liability appropriate for a particular jurisdiction.

Nicolo Zingales, Assistant Professor of Law at Tilburg University highlighted the need for due process and safeguards for human rights and called for more user involvement in systems that are in place in different countries to respond to requests of takedown. Presenting his research findings, he pointed to the imbalance in the way notice and takedown regimes are structured, where content is taken down presumptively, but the possibility of restoring user content is provided only at a subsequent stage or not at all in many cases. He cited several examples of enhancing user participation in liability mechanisms including notice and notice, strict litigation sanction inferring the knowledge that the content might have been legal and shifting the presumption in favor of the users and the reverse notice and takedown procedure. He also raised the important question, if multistakeholder cooperation is sufficient or adequate to enable the users to have a say and enter as part of the social construct in this space? Reminding the participants of the failure of the multistakeholder agreement process regarding the cost for the filters in the UK, that would be imposed according to judicial procedure, he called for strengthening our efforts to enable users to get more involved in protecting their rights online.

Gabrielle Guillemin from Article 19 presented her research on the types of intermediaries and models of liability in place across jurisdictions. Pointing to the problems associated with intermediaries having to monitor content and determine legality of content, she called for procedural safeguards and stressed the need to place the dispute back in the hands of users and content owners and the person who has written the content rather than the intermediary. She goes on to provide some useful and practically-grounded solutions to strengthen existing takedown mechanisms including, adding details to the notices, introducing fees in order to extend the number of claims that are made and defining procedure regards criminal content.

Elonnai Hickok introduced CIS' research to the UNESCO report Fostering Freedom Online: the Role of Internet Intermediaries, comparing a range of liability models in different stages of development and provisions across jurisdictions. She argued for a liability framework that tackles procedural and regulatory uncertainty, lack of due process, lack of remedy and varying content criteria.

Francisco Vera, Advocacy Director, Derechos Digitales from Chile raised issues related to mindful community policy-making expounding on Chile's implementation of intermediary liability obligation with the USA, the introduction of judicial oversight under Chilean legislation which led to US objection to Chile on grounds of not fulfilling their standards in terms of Internet property protection. He highlighted the tensions that arise in balancing the needs of the multiple communities and interests engaged over common resources and stressed the need for evidence in policy-making to balance the needs of rights holders and public interest. He stressed the need for evidence to inform policy-making and ensure it keeps pace with technological developments citing the example of the ongoing Transpacific Partnership Agreement negotiations that call for exporting provisions DMCA provisions to 11 countries even though there is no evidence of the success of the system for public interest. He concluded by cautioning against the development of frameworks that are or have the potential to be used as anti-competitive mechanisms that curtail innovation and therby do not serve public interest.

Malcolm Hutty associated with the European Internet Service Providers Association, Chair of the Intermediary Reliability Committee and London Internet Exchange brought in the intermediaries' perspective into the discussion. He argued for challenging the link between liability and forced cooperation, understated the problems arising from distinction without a difference and incentives built in within existing regimes. He raised issues arising from the expectancy on the part of those engaged in pre-emptive regulation of unwanted or undesirable content for intermediaries to automate content. Pointing to the increasing impact of intermediaries in our lives he underscored how exposing vast areas of people's lives to regulatory enforce, which enhances power of the state to implement public policy in the public interest and expect it to be executed, can have both positive and negative implications on issues such as privacy and freedom of expression.

He called out practices in regulatory regimes that focus on one size fits all solutions such as seeking automating filters on a massive scale and instead called for context and content specific solutions, that factor the commercial imperatives of intermediaries. He also addressed the economic consequences of liability frameworks to the industry including cost effectiveness of balancing rights, barriers to investments that arise in heavily regulated or new types of online services that are likely to be the targeted for specific enforcement measures and the long term costs of adapting old enforcement mechanisms that apply, while networks need to be updated to extend services to users.

The workshop presented evidence of a variety of approaches and the issues that arise in applying those approaches to impose liability on intermediaries. Two choices emerged towards developing frameworks for enforcing responsibility on intermediaries. We could either rely on a traditional approach, essentially court-based and off-line mechanisms for regulating behaviour and disputes. The downside of this is it will be slow and costly to the public purse. In particular, we will lose a great deal of the opportunity to extend regulation much more deeply into people's lives so as to implement the public interest.

Alternatively, we could rely on intermediaries to develop and automate systems to control our online behaviour. While this approach does not suffer from efficiency problems of the earlier approach it does lack, both in terms of hindering the developments of the Information Society, and potentially yielding up many of the traditionally expected protections under a free and liberal society. The right approach lies somewhere in the middle and development of International Principles for Intermediary Liability, announced at the end of the workshop, is a step closer to the developing a balanced framework for liability.

See the transcript on IGF website.

For more details visit https://cis-india.org/internet-governance/report-on-cis-workshop-at-igf

Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill

elonnai — 2014-04-14T06:10:20Z

Following our previous post comparing the leaked 2014 Privacy Bill with the leaked 2011 Privacy Bill, this post will compare the recommendations provided in the Report of the Group of Experts on Privacy by the Justice AP Shah Committee to the text of the leaked 2014 Privacy Bill. Below is an analysis of recommendations from the Report that are incorporated in the text of the Bill, and recommendations in the Report that are not incorporated in the text of the Bill.

Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill

Constitutional Right to Privacy

The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.

Nine National Privacy Principles

The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data. An analysis of the principles as compared in the Report and the Bill is below:

Notice: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill. According to the notice principle in the Report, a data controller shall give sample to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information; Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.

In contrast, the 2014 Privacy Bill requires that all the data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected. If the purpose for which the personal data changes, data controllers must provide data subjects with a further notice that would include the use to which the personal data shall be put, whether or not the personal data will be disclosed to at third person and, if so, the identity of such person if the personal data being collected is intended to be transferred outside India and the reasons for doing so; how such transfer helps in achieving the legitimate purpose; and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place data controllers must inform the affected data subject that lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; processed, re-identified or disclosed in an unauthorized manner.

Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.

Choice and Consent: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subject will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex the 2014 Privacy Bill also contains provisions that address mandatory collection of information which require, as recommended by the Report of the Group of Experts, that the information is anonymoized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data.

Different from as recommended in the principle in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exception cases when it is not possible to provide a service with choice and consent, then choice and consent will not be required.

Collection Limitation: The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and content taken.

Purpose Limitation: Though the principle of Purpose Limitation are similar in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill as they both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which they are processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data.

Access and Correction: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual.

Disclosure of Information: The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim). As recommended this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound the adhere to all relevant and applicable privacy principles.

Security: The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.

Openness: The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, and policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity to the data they collect.

Accountability: The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller is accountable for compliance with the national Privacy Principles.

Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).

With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. As a note the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised.

With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.

Additional Protection for Sensitive Personal Data

The Report of the Group of Experts on Privacy broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The 2014 Privacy Bill incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions; password, banking credit and financial data; narco analysis or polygraph test data, sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances of when this authorization would not be required including: collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected an processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic is processed and collected by law enforcement agencies; such data regarding credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual; such data is collected or processed by the government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India, the authority has, by a general or specified order permitted the processing of such data for specific purpose and is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.

Privacy Officers

The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.

Co-regulatory Framework

The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry levels self regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry level self regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.

Recommendations in the Report that are not in the Bill

Scope

The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India. The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.

Exceptions

The Report of the Group of Experts recommends the following as exceptions to the right to privacy:

National security
Public order
Disclosure in the public interest
Prevention, detection, investigation, and prosecution of criminal offenses
Protection of the individual and rights and freedoms of others

The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessary in a democratic state.

The Privacy Bill 2014 reflects only the exception of “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:

Sovereignty, integrity or security of India or
Strategic, scientific or economic interest of India; or
Preventing incitement to the commission of any offence; or
Prevention of public disorder; or
The investigation of any crime; or
Protection of rights and freedoms others; or
Friendly relations with foreign states; or
Any other legitimate purpose mentioned in this Act.

Instead of qualifying these exceptions with the principles of proportionality, legality, and necessary in a democratic state – as recommended in the Report of Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.

Constitution of Infringement of Privacy

The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.

The Data Protection Authority

The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The privacy commissioner should have the power to receive and investigate class action complaints and investigative powers of the commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo moto, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio & video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry level SRO’s.

Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.

The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs, and receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate in complaint received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers. Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.

Tribunal and System of Complaints

Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization. The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.

Penalties and Offenses

The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.

Conclusion

The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.

In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.

References

For more details visit https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill

Reply to RTI filed with BSNL regarding Network Neutrality and Throttling

tarun — 2014-12-22T14:45:03Z

As part of its work on Network Neutrality, the Centre for Internet and Society through Tarun Krishnakumar had filed a Right To Information (RTI) application with Bharat Sanchar Nigam Ltd. (BSNL), a state-owned teleco holding a market share of 65 per cent in the Indian land line and broadband markets — regarding its position on and adherence to Network Neutrality principles.

The application — targeted at easing the information asymmetry between internet service providers (ISPs) and consumers — elicited responses that provide interesting insights into the functioning of ISPs in India.

The application queried BSNL about its:

Adherence to net neutrality / non-discrimination principles
Throttling on the basis of content
Throttling on the basis of protocol
Limiting traffic / speeds for pornographic websites
Limiting traffic / speeds for P2P / torrent connection

In its reply, BSNL denied all forms of throttling on the basis of content and reaffirmed that it is bound by the terms of its ISP license granted by the Department of Telecommunications. The application and response are below:

Application:

Request for Information under the Right to Information Act, 2005

To,

Sh. Suresh Kumar
Addl.GM (MIS) & CPIO ,BSNL Co.
R. No. -29, IR Hall
Eastern Court, Janpath
New Delhi – 110001

Date of application: 08-10-2014

Subject: Network Neutrality / Throttling / Data discrimination policies of BSNL

Please provide information as to the policies of BSNL / decisions taken in respect of the following questions. Please supply where possible a copy of the relevant documents, minutes of meeting, position papers etc.

Does BSNL support the principle of net neutrality and non-discrimination of data?
Does BSNL regulate internet traffic flows depending on the type of content being accessed by the user on its broadband connections?
Does BSNL regulate internet traffic flows depending on the type of protocol being used by the user on its broadband connections?
Please provide details of the various types of content/protocols for which BSNL regulates traffic and the nature of such regulations, restrictions as the case may be.
Please provide a list of traffic for which BSNL engages in limiting internet speed or throttling.
Does BSNL limit internet traffic or upload/download speeds for pornographic websites and content?
Does BSNL limit internet traffic or upload/download speeds for Peer-to-peer or torrent connections?

Please provide copies of all documents that pertain to BSNL’s policies and decisions in this regard.

It is certified that I am a citizen of India and that I do not fall within the BPL category. I am enclosing Rupees thirty (Rs. 30) towards the application fee and photocopying costs under the RTI Act for the information and documents requested. Kindly inform me at the address stated below if any further fees are required to be paid.

Applicant:

Tarun Krishnakumar
Centre for Internet and Society
No.194, 2nd C Cross Road, Domlur II Stage,
Bangalore - 560071

RESPONSE FROM BSNL:

To,

Sh. Tarun Krishnakumar
Centre for Internet and Society
No. 194, 2^nd C Cross Road, Domulur II stage,
Bengaluru – 560071

Subject: Supply of Information under RTI ACT – 2005

Case of Shri. Tarun Krishnakumar – reg.

Ref: - 1. No. BSNL/BBNW/RTI Act/Vol II/2012-13/52 dtd 28.10.2014

2. No. 23-744/14-RTI dtd 21.10.2014

With reference to the above subject, for the point wise information furnished as below:

BSNL is following the guidelines as per the ISP License Agreement of DOT.
NO, BSNL is NOT regulating the Internet traffic flow based on content.
NO, BSNL is not regulating the Internet traffic flow based on the type of protocol.
Not Applicable
Not Applicable
NO
NO
The documents relating to above are available on DOT’s website http://dot.gov.in

(Sd/-)

DE Admin and APIO
O/o General Manager
BBNW, BSNL,
5^th floor, BG (E), TE Building,
Lazar Road, Fraser Town,
Bengaluru – 560005
Tel No. 080 - 25808878

Copy to:

The Addl. GM (A) & CPIP O/o CGM, BBNW, New Delhi for information pl.

The scanned version of the reply is available here.

For more details visit https://cis-india.org/internet-governance/blog/reply-to-rti-filed-with-bsnl-regarding-network-neutrality-and-throttling

Reply to RTI Applications filed with respect to Foreign Contractors and Vendors of IT and Telecommunication Enterprises

Lovisha Aggarwal — 2015-02-25T14:13:52Z

An RTI application was filed by the Sh. Matthew Thomas on August 06, 2014 enquiring about the details of the foreign contractors and vendors of certain Information Technology and Telecommunication enterprises. Mr. Mathews in his application asked some specific questions.

Information sought in the RTI Application

The specific questions asked are as follows:

1. Names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India.

2. Permission to inspect files pertaining to subject matter.

3. Details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount is for Rs. 50 crore or more.

Enterprises to which the RTI Application was addressed

The application was sent to the following enterprises:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

4. Centre for Development of Telematics (C-DOT) - an Indian Government owned telecommunications technology development centre which designs and develops digital exchanges and intelligent computer software applications.

5. Centre for Development of Advanced Computing (C-DAC) - a research and development organization under the Department of Electronics and Information Technology, Government of India.

6. Bharat Sanchar Nigam Ltd. (BSNL) - an Indian state-owned telecommunications company. It is India's oldest and largest communication service provider.

Reply to the RTI Application

The reply to the information sought in the RTI application by these enterprises is as follows:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

The RTI application was addressed to the Deputy Director of the department who forwarded the application to the Joint Director directing him to provide the requisite information directly to the applicant or transfer the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to his division. In response, the Joint Director of the Department of Electronics & Information Technology said that the information on the subject matter was NIL as far as Engineering/BM section, Fire, Security and Protocol Sections of Department of Electronics and Information Technology is concerned.

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

The RTI application was forwarded by the Deputy Secretary & Nodal Officer (RTI) of the Department of Telecommunications to the following divisions for providing the requisite information directly to the applicant or transferring the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to their division and their replies are as under:-

a. Investment Promotion Cell: The Director (IP Cell) & CPIO said that no information was available as the subject matter of the application did not pertain to IP Cell.

b. Access Services-I Division: Director (AS-I) & CPIO asked to treat the information as NIL.

c. Licensing Finance - II Branch: Director (IF-II) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

d. Licensing Finance - III Branch: Director (IF-III) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

e. Deputy Wireless Adviser: CPIO & Deputy Wireless Adviser to the Govt of India of WPC Wing, SACFA Sectt. said that the information sought was not available with that PlO.

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

The Public Information Officer (HQ) of the Information Technology Branch of Department of Food, Supplies & Consumer Affairs forwarded the RTI application to Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department to provide the Para wise information directly to the applicant in accordance with section 5(4) of RTI Act as the record related to the information sought was said to be available with their office. Section 5(4) of RTI Act reads, "The Central Public Information Officer or State Public Information Officer, as the case may be, may seek the assistance of any other officer as he or she considers it necessary for the proper discharge of his or her duties." However, a reply hasn't been received from the Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department yet.

4. The Centre for Development of Telematics

Referring the information sought in the RTI application as vague, the Centre for Development of Telematics asked the applicant to clearly define the information requirements and the period for which it required. The Centre claimed that the information sought at present would lead to handing over of a large amount of data which would require application of significant resources of public authority, since the number of the vendors and contractors could be more than seven hundred in numbers of different categories, namely, component vendors, equipment suppliers, administrative service contractors, etc. The reply was in consistency with section 7(9) of the Right to Information Act which reads, "An information shall ordinarily be provided in the form in which it is sought unless it would disproportionately divert the resources of the public authority or would be detrimental to the safety or preservation of the record in question."

5. Centre for Development of Advanced Computing

The Centre for Development of Advanced Computing disregarded the information sought by the applicant and observed that theinformation sought was vague in nature, not specific and open ended, therefore, could not be termed as Information under the RTI Act without providing any further explanation in this regard.

6. Bharat Sanchar Nigam Ltd. (BSNL), Government of India Enterprise

The RTI application was referred to the MM cell of BSNL by the AdditionaI General Manager (MIS) & CPIO of BSNL (RTI Cell) who replied that no information with respect to the names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India was available. As far as the third question regarding details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount was for Rs. 50 crore or more was concerned, the AGM of MM cell said that the information could be provided for specific contractor.

For more details visit https://cis-india.org/internet-governance/blog/reply-to-rti-applications-with-respect-to-foreign-contractors-and-vendors-of-it-and-telecommunication-enterprises

Reply to RTI Application under RTI Act of 2005 from Vanya Rakesh

vanya — 2016-01-13T02:40:57Z

Unique Identification Authority of India replied to the RTI application filed by Vanya Rakesh.

Madam,

Please refer to your RTI application dated 3.12.2015 received in the Division on 10.12.2015 on the subject mentioned above requesting to provide the information in electronic form via the email address vanya@cis-india.org, copies of the artwork in print media released by UIDAI to create awareness about use of Aadhaar not being mandatory.
I am directed to furnish herewith in electronic form, copy of the artwork in print media released / published in the epapers edition of the Times of India and Dainik Jagran in their respective editions of dated 29.8.2015 in a soft copy, about obtaining of Aadhaar not being mandatory for a citizen, as desired.
In case, you want to go for an appeal in connection with the information provided, you may appeal to the Appellate Authority indicated below within thirty days from the date of receipt of this letter.
Shri Harish Lal Verma,
Deputy Director (Media),
Unique Identification Authority of India
3nd Floor, Tower – II, Jeevan Bharati Building,
New Delhi – 110001.

Yours faithfully,

(T Gou Khangin)
Section Officer & CPIO Media Division

Copy for information to: Deputy Director (Establishment) & Nodal CPIO

Below scanned copies:

RTI Reply

Coverage in Dainik Jagran

Download the coverage in the Times of India here. Read the earlier blog entry here.

For more details visit https://cis-india.org/internet-governance/blog/reply-to-rti-application-under-rti-act-of-2005-from-vanya-rakesh

Reply to RTI Application on the List of Nodal Officers Designated Under the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009

praskrishna — 2013-03-21T06:30:57Z

The Centre for Internet and Society had sent an RTI to the Department of Electronics & Information Technology on December 4, 2012. The Department responded to the same through this notification on January 7, 2013. The letter sent and the notification received are reproduced below.

Shri Anil Kaushik Scientist E Office of PIO (RTI) Electronics Niketan
Department of Information Technology (DIT) Ministry of Communications and Information Technology 6, CGO Complex, New Delhi

Dear Sir,

Subject: Information on nodal officers appointed requested under the Right to Information Act, 2005.

1. Füll Name of the Applicant: Centre for Internet and Society

2. Address of the Applicant:

E-mail Address:

Mailing Address:
Centre for Internet and Society
194, 2-C Cross,
Domlur Stage II,
Bangalore-560071

3. Details of the information required:

The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 ("Rules") provides for the désignation of nodal officers under Rule 4. Rule 4 states that every Organization shall designate one of its officers as the Nodal Officer for the purpose of implementing the Rules. Rule 4 also provides that every Organization shall inform the Department of Information Technology of the désignation of such a Nodal Officer. In this regard, we request information on the following queries under Section 6(1) of the Right to Information Act, 2005:

Does the Department of Electronics and Information Technology maintain a list of all Nodal Officers designated under Rule 4 of the Rules?
If so, please provide me a copy of any list containing information about the Nodal Officers designated under Rule 4 of the Rules.
Years to which the above requests pertain:'

2009-2012

5. Designation and Address of the PIO from whom the information is required:
Shri Anil Kaushik Scientist E Office of PIO (RTI) Electronics Niketan
Department of Information Technology (DIT) Ministry of Communications and Information Technology
6, CGO Complex, New Delhi

To the best of my belief, the details sought for fall within your authority. Further, as provided under section 6(3) of the Right to Information Act ("RTI Act"), in case this application does not fall within your authority, I request you to transfer the same in the designated time (5 days) to the concerned authority and inform me of the same immediately.

To the best of my knowledge the information sought does not fall within the restrictions contained in section 8 and 9 of the RTI Act, and any provision protecting such information in any other law for the time being in force is inapplicable due to section 22 of the RTI Act.

Please provide me this information in electronic form, via the e-mail address provided above. This is to certify that I, Smitha Krishna Prasad, am a citizen of India.

(Smitha Krishna Prasad

A fee of Rs. 10/־ (Rupees Ten Only) has been made out in the form of a demand draft drawn in favour of "Pay and Accounts Officer, Department of Information Technology" payable at New Delhi.

Date: Tuesday December 4, 2012
Place: Bengaluru, Karnataka

Below is the reply received from the Department of Electronics & Information Technology:

No. 14(142)/2012-ESD
M/o Communiciations & Information Technololgy Department of Electronics & Information Technology Electronics Niketan,6, CGO Complex
New Delhi-110003

Dated: 7.1.2003

Subject: RTI application received from Shri Smitha Krishna Prasad

This is with reference to your RTI application requesting for the following information:

The Information Technology (Procédure and Safeguards for blocking for access of information by public) Rules, 2009 ("Rules") provides for the désignation of nodal officers under Rule 4. Rule 4 states that every organisation shall designate one of its officers as the Nodal Officer for the purpose of implementing the Rules. Rule 4 also provides that every organisation shall inform the Department of Information Technology of the désignation of such a Nodal Officer. In this regard, we request information on the following queries under Section 6(1) of the Right to Information Act,2005.

Does the Department of Electronics and Information Technology maintain a list of all Nodal Officers designated under rule 4 of the Rules?
If so, please provide me a copy of any list containing information about the Nodal Officers designated under Rule 4 of the rules.

The information as received from the custodian of the information is placed below:

Department of Electronics and Information Technology maintains a list of Nodal Officers designated under rule 4 of the Information Technology (Procédure and Safeguards for blocking for access of information by public) Rules, 2009.
A copy of list of Nodal Officer is enclosed at Annexure.

(A.K. Kaushik)
Additional Director & CPIO
(E-Security & Cyber Laws)

Centre for Internet & Society
194, 2-C Cross, Domlur Stage II
Bangalore - 560071

Annexure

List of Nodal Officers

Director, Dept. of Agriculture, Krishi Bhawan, New Delhi
Adviser, Dept. of Biotechnology, Block-2, Room - 707, CGO Complex, New Delhi- 110003
Dy. Director General, Dept. of Chemicals & Petrochemicals, Shastri Bhawan, N. Delhi-1
Jt. Secretary (Admn.), Room No. 321-A, Shastri Bhawan , N. Delhi-1
Scientist Gr. IV(6), Council of Scientific & Industrial Research, Anusandhan Bhavan, 2 Rafi Marg, New Delhi-110 001
Director (Coord), Dept. of Defence, R, No. 94, South Block, New Delhi - 110001
Director (B&C), Dept. of Defence Production, R. No. 146, B-Wing, Sena Bhawan, New Delhi
Director, DESIDOC, 405, Cresent Apartment, Pocket 2, Sector 18A, Dwarka, New Delhi - 110075
Deputy Secretary (res - I), Dept. of Ex-servicemen Welfare, Room No. 237, B-Wing, Sena Bhawan, New Delhi-11
Scientist E, Room No. 3, Administrative Block, DSIR, Technology Bhavan, New Mehrauli Road, New Delhi-110 016
Director, Ministry of Earth Sciences, Block-12, CGO Complex, New Delhi - 110003
Dy. Secy (Budget Monitoring), Dept. of Economic Affairs, Room No. 238-B, North Block, New Delhi-110001
Deputy. Secretary, Room 1222, Paryavaran Bhawan, CGO Complex, Lodi Road, New Delhi-3
Jt. Secy. (XP), Ministry of External Affairs, R.No. 152, Shastri Bhawan, New Delhi
Deputy Secretary, Dept. of Financial Services, Ministry of Finance, 3rd Floor, Jeevandeep, Parliament Street, N Delhi-1
Under Secretary, Min. of Food Processing Industry, Panchsheel Bhawan, Room No 117, August Kranti Marg, New Delhi - 110049
DDG (Stats), Dept. of Health & Family Welfare, 518-A, Nirman Bhawan, New Delhi
Jt. Director, Ministry of Home Affairs, 35, Sardar Patel Marg, New Delhi
Sr. Tech. Director,NIC, Room No. 108, A-Wing, Shashtri Bhawan, N. Delhi-1
JS & Legislative Counsel, Legislative Department, Min. of Law & Justice, Room No. 430A, A-Wing, Shastri Bhawan, N Delhi-11001
Deputy Secretary, Department of Legal Affairs, Min. of Law & Justice, Room No. 433A, A-Wing, Shashtri Bhawan, N Delhi-11001
Joint Secretary, Min. of Mines, Shastri Bhawan, New Delhi
Director (R&A), Min. of Petroleum & Natural Gas, Room No. 203, B-Wing, Shastri Bhawan, New Delhi-110 001
DDG (Technology) Dept. of Posts, Room No. 524, Dak Bhawan, Parliament St., New Delhi - 110016
Joint Secretary, Min. of Power, Room No. 202, Shram Shakti Bhawan, Rafi Marg, New Delhi-110001
Dy. Secretary, Dept. of Public Enterprises, Room No. 410, Block-14, Public Enterprises Bhavan, CGO Complex, N Delhi-110003
Executive Director (C&IS) Railway Board, Min. of Railways, Rail Bhavan, Raisina Road, New Delhi - 110 001
Director (Narcotics Control), Dept. of Revenue, Min. of Finance, Room No 48-A, North Block, N Delhi
Jt. Secy (T&A), Min. of Road Transport & Highways, Transport Bhawan, 1 Parliament Street, New Delhi
Deputy Secretary, Ministry of Shipping, Room 428, Transport Bhavan, Sansad Marg, N Delhi-110001
Deputy Director, INSES, Indian Space Research Organisation, Antariksh Bhavan, New BEL Road, Bangalore-560231
Dy. Secy, Ministry of Steel, Udyog Bhavan, New Delhi
Additional Surveyor General, International Boundary Directorate (SGO), Room 37-B, L-II Block, Brassey Avenue, Church Road, N Delhi
Asstt. Director (PG-I), Department of Telecom, Sanchar Bhawan, 20 Ashoka Road, N Delhi-1
Director, Ministry of Textile, Room No. 231, 2nd Floor, Udyog Bhawan, New Delhi
Director (Admn), Min. of Urban Development,Room No. 235, "C" Wing, Nirman Bhawan, New Delhi
Director (IT), Ministry of Water resources, 627, Shram Shakti Bhawan, Rafi Marg, New Delhi-110001
SD(IT)-2, A&N Admin., Govt. Polytechnic Campus, Junglighat (P.O.), Pahargaon, Port Blair-744 103
Special Officer (Portal), Room No. 208, A-Block, IT&C Department, A.P. Secretariat, Hyderabad-500022
Managing Director, Bihar State Electronics Devp. Corp., Beltron Bhawan, Shastri Nagar, Patna-3
Director, Information Technology, Dept. of IT, 5th Floor, Addl. Deluxe Building, Sector-9, Chandigarh
Chief Executive Officer, CHIPS office, IT & BioTech Department, Mantralaya, D.K.S. Bhawan, Raipur-492001
Director (IT) Room No. 207-208, Secretariat, Amli, Silvassa-396 230
Principal Home Secretary, Dèlhi Secretariat, IP Estate, New Delhi-11002
DCP, Economic Offences Wing, Crime Branch, Delhi Police
Secretary (IT), Dept. of IT, Secretariat Complex, Porvorim, Goa-403521
Principal Secretary Science & Tech. Dept.. Block - 7, 5th Floor, New Sachivalaya, Gandhinagar- 382 010
Spl. Secretary, Secretariat for IT, 9th Floor, Haryana Civil Secretariat, Chandigarh
Director. Dept. of IT, STPI Building, Block-24, SDA Complex, Kasumpti, Shimla- 71009
Regional Dy. Director, Revenue & Land Reforms Department, Project Bhawan, Dhurva, Ranchi-834002
Project Officer. HRMS Project, Room No. 145-A, M.S. Building, Gate No. 2, Dr. В R Ambedkar Veedhi, Bangalore 560001
Principal Secretary, Information Technology Department, Central Secretariat, Trivandrum - 695 001
Director (Information Technology) Department of Information Technology, Administration of the UT of Lakshadweep, Kavaratti - 682 555
OSD, Department of Information Technology, Room No. 132, Vallabh Bhavan, Bhopal - 462 004
Jt. Commissioner of Police (Crime), Govt. of Maharashtra, Mumbai
Principal Informatics Officer, Dept. of Information & Comm. Technology, Govt. of Mizoram, Secrétariat Annex-l, Aizawl, Mizoram
Secretary IT&C, Nagaland Civil Secrétariat, Kohima - 797004
DGM. Orissa Computer Application Centre, OCAC Building, Plot N/1-7D, Acharya Nagar, PO-RRL. Bhubaneswar-751013
Director (IT), Directorate of IT, No. 505 Kamraj Salai, PRD Complex, Saram, Puducherry - 605 013
Director, Department of IT, SCO 193-95, Sector 34-A, Chandigarh
Additional Director, Dept. of IT & Communication, First Floor, Yojana Bhawan, Tilak Marg, Jaipur
Principal Secretary, Information Technology Department, Secrétariat, Chennai
Additional Director, Govt of Tripura, Directorate of IT, Indranagar, ITI Road, Agartala - 799 006
Special Secretary, IT & Electronics Dept., Bapu Bhawan, II Floor, No. 209, U.P. Admn. Lucknow
Uttra Portal Subject Specialist, ITDA, 93, Phase-II, Vasant Vihar, Dehradun
Executive Director (Technical), WBEIDC Ltd., Webel Bhawan, Block EP & GP, Salt lake, Sector-V, Kolkata-700091

For more details visit https://cis-india.org/internet-governance/resources/arreply-to-rti-application-on-nodal-officers-from-deit

Reply to RTI Application on Blocking of website and Rule 419A of Indian Telegraph Rules, 1951

praskrishna — 2013-03-21T07:58:12Z

The Department of Telecommunications sent its reply to an RTI application from the Centre for Internet and Society. The application was sent on December 27, 2012 with reference to blocking of websites and Rule 419A of the Indian Telegraph Rules, 1951.

To
Shri Subodh Saxena
Central Public Information Officer (RTI)
Director (DS-II), Room No 1006, Sanchar Bhawan
Department of Télécommunications (DoT)
Ministry of Communications and Information Technology
20, Ashoka Road, New Delhi — 110001

Dear Sir,
Subject: Information on Website Blocking Requested under the Right to Information Act, 2005

1. Full Name of the Applicant: Centre for Internet & Society

2. Address of the Applicant

Mailing Address: Centre for Internet and Society
194, 2־C Cross,
Domlur Stage II,
Bangalore 560071

3. Details of the information required

It has come to our attention that Airtel Broadband Services ("Airtel") and Mahanagar Téléphoné Nigam Limited ("MTNL") have recently blocked access to a number of domain sites for all their users across the country. Airtel has blocked Fabulous Domains (http://www.fabulous.com/), BuyDomains (http://www.buvdomains.com/) and Sedo (http://sedo.co.uk/uk/home/welcome/). MTNL has blocked Sedo (http://sedo.co.uk/uk/home/welcQme/). Subscribers trying to access this website receive a message noting "This website/URL has been blocked until further notice either pursuant to Court orders or on the Directions issued by the Department of Télécommunications". In this regard, we request information on the following queries under Section 6(1) of the Right to Information Act, 2005:

Does the Department have powers to require an Internet Service Provider to block a website? If so, please provide a citation of the statute under which power is granted to the Department, as well as the safeguards prescribed to be in accordance with Article 19(1)(a) of the Constitution of India.
Did the Department order Airtel or MTNL to block any or all of the above mentioned websites? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel and MTNL for blocking of websites?
Has the Department ever ordered the blocking of any website? If so, please provide a list of addresses of all the websites that have been ordered to be blocked.
Please provide use the present composition of the Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.
Please provide us the dates and copies of the minutes of all meetings held by the Committee constituted under rule 419A of the Indian Telegraph Rules, 1951, and copies of all their recommendations.

4. Years to which the above requests pertain: 2012

5. Designation and address of the PIO from whom the information is required

Shri Subodh Saxena
Central Public Information Officer (RTI)
Director (DS-II), Room No 1006, Sanchar Bhawan
Department of Télécommunications (DoT)
Ministry of Communications and Information Technology
20, Ashoka Road, New Delhi — 110001

To the best of my belief, the détails sought for fall within your authority. Further, as provided under section 6(3) of the Right to Information Act ("RTI Act"), in case this application does not fall within your authority, I request you to transfer the same in the designated time (5 days) to the concerned authority and inform me of the same immediately.

Please provide me this information in electronic form, via the e-mail address provided above. This to certify that I, Smitha Krishna Prasad, am a citizen of India.

A fee of Rs. 10/- (Rupees Ten Only) has been made out in the form of a demand draft drawn in favour of "Pay and Accounts Officer (HQ), Department of Telecom" payable at New Delhi.

Date. Monday November 26,2012
Place: Bengaluru, Karnataka

Below is the reply received from the Department of Telecommunications for the above RTI application

Government of India
Department of Télécommunications
Sanchar Bhawan, 20, Ashoka Road. New Delhi -110 001
(DS-CelI)

No. DIR(DS-II)/RTI/2009																		Dated:ll/01/2013

To,
Centre for Internet and Society,
No. 194, 2-C Cross,
Domlur Stage II,
Bangalore - 560 071

This has reference to RTI application dated 27/12/2012 with reference to Blocking of website and Rule 419A of Indian Telegraph Rules, 1951

In this regard it is submitted that Internet Service licensees are to follow the provisions of Information Technology Act 2000 as amended from time to time. Under Information Technology Act 2000, "Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009" were notified on 27/10/2009.(Annexure) Aforesaid notified rules describes the "Designated Officer" for the purpose of issuing direction for blocking for access by the public any information generated, transmitted, received, stored or hosted in any computer resource under subsection (2) of Section 69(A) of the ACT. Wide Gazette Notification dated 20/01/2010 Group Coordinator , Cyber Law division, Department of Information Technology has been authorized and designated as "Designated Officer".

As per the directions of Group Coordinator, Cyber Law division, under Information Technology Act 2000, instructions for blocking/ unblocking of websites/URLs are issued to Internet Service Licensees.

As per the available information no instruction to Internet Service Providers has been issued for Blocking of http://www.fabulous.com/, http://www.buydomains.com/, http://sedo.co.uk/uk/home/welcome/ and http://sedo.co.uk/uk/home/welcome/ as mentioned in your RTI application.

Copies of Blocking order for which blocking instructions issued by DoT are not being provided are not provided as per Clause 16 of "Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009" which says "Strict confidentiality shall be maintained regarding all the requests and complaints received and actions taken thereof."
With reference to information (Para 4 & 5 of RTI Aplication ) on Rule 419A of Indian Telegraph Rule, 1951 , the RTI is being forwarded to Dir (AS-III) & CPIO, DoT for providing the information.
The appeal, it any, may be made before Shri Nitin Jain, DDG(DS) & Appellate Authority, Department of Télécommunications, Room No. 1201, Sanchar Bhawan, 20 Ashoka Road, Nevy Delhi-110 001 within 30 days from the date of receipt of this letter.

Encl: As above
																							(Subodh Saxena) DIR (DS-II) 011-2303 6860 011-2335 9454

Copy to:

(I) Shri Rajiv Kumar, CPIO & Director (AS-III), DoT, New Delhi

NOTIFICATION
New Delhi, the 27th October, 2009

G.S.R. 781 (E). — In exercise of the powers conferred by clause (z) of sub-section (2) of section 87, read with sub-section (2) of section 69A of the Information Technology Act 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:

Short title and commencement — (1) These rules may be called the Information Technology (Procedure and Safeguards for Blocking for Access and Information by Public) Rules, 2009.
(2) They shall come into force on the date of their publication in the Official Gazette.
Definitions. — In these rules, unless the context otherwise requires. —
(a) "Act" means the Information Technology Act, 2000 (21 of 2000);
(b) "computer resource" means computer resource as defined in clause (k) of sub-section (1) of section 2 of the Act;
(c) "Designated Officer" means an officer designated as Designated Officer under rule 3;
(d) "Form" means a form appended to these rules;
(e) "intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;
(f) "nodal officer" means the nodal officer designated as such under rule 4;
(g) "organisation" means
(i) Ministries or Departments of the Government of India;
(ii) State Governments and Union Territories;
(iii) Any agency of the Central Government, as may be notified in the Official Gazette, by the Central Government
(h) "request" means the request for blocking of access by the public any information generated, transmitted, received, stored or hosted in any computer resource;
(i) "Review Committee" means the Review Committee constituted under rule 419A of Indian Telegraph Rules, 1951.
Designated Officer — The Central Government shall designate by notification in Official Gazette, an officer of the Central Government not below the rank of a Joint Secretary, as the "Designated Officer", for the purpose of issuing direction for blocking for access by the public any information generated, transmitted. received,, stored or hosted in any computer resource under sub-section (2) of section 69A of the Act.
Nodal officer or organisation.— Every organisation for the purpose of these rules, shall designate one of its officer as the Nodal Officer and shall intimate the same to the Central Government in the Department of Information Technology under the Ministry of Communications and Information Technotogy, Government of India and also publish the name of the said Nodal Officer on their website.
Direction by Designated Officer. — The Designated Officer may, on receipt of any request from the Nodal Officer of an organisation or a competent court, by order direct any Agency of the Government or intermediary to block for access by the public any information or part thereof generated, transmitted, received, stored or hosted in any computer resource for any of the reasons specified in sub-section (1) of section 69A of the Act.
Forwarding of requests by organisation. — (1) Any person may send their complaint to the Nodal Officer of the concerned organisation for blocking of access by the public any information generated, transmitted, received, stored or hosted in any computer resource:
Provided that any request other than the one from the Nodal Officer of the organisation shall be sent with the approval of the Chief Secretary of the concerned State or Union territory to the Designated Officer.
Provided further that in case a Union territory has no Chief Secretary, then, such request may be approved by the Adviser to the Administrator of that Union territory.
(2) The organisation shall examine the complaint received under sub-rule (1) to satisfy themselves about the need for taking of action in relation to the reasons enumerated in sub-section (1) of section 69A of the Act and after being satisfied, it shall send the request through its Nodal Officer to the Designated Officer in the format specified in the Form appended to these rules.
(3) The Designated Officer shall not entertain any complaint or request for blocking of information directly from any person.
(4) The request shall be in writing on the letter head of the respective organisation, complete in all respects and may be sent either by mail or by fax or by e-mail signed with electronic signature of the Nodal Officer.
Provided that in case the request is sent by fax or by e-mail which is not signed with electronic signature, the Nodal Officer shall provide a signed copy of the request so as to reach the Designated Officer within a period of three days of receipt of the request by such fax or e-mail.
(5) On receipt, each request shall be assigned a number along with the date and time of its receipt by the Designated Officer and he shall acknowledge the receipt thereof to the Nodal Officer within a period of twenty four hours of its receipt.
Committee for examinatlon of request.— The request along with the printed sample content of the alleged offending information or part thereof shall be examined by a committee consisting of the Designated Officer as its chairperson and representatives, not below the rank of Joint Secretary in Ministries of Law and Justice, Home Affairs. Information and Broadcasting and the Indian Computer Emergency Response Team appointed under sub-section (1) of section 70B of the Act.
Examination of request.— (1) On receipt of request under rule 6, the Designated Officer shall make all reasonable efforts to identify the person or intermediary who has hosted the information or part thereof as well as the computer resource on which such information or part thereof is being hosted and where he is able to identify such person or intermediary and the computer resource hosting the informalion or part thereof which have been requested to be blocked for public access, he shall issue a notice by way of letters or fax or e-mail signed with electronic signatures to such person or intermediary in control of such computer resource to appear and submit their reply and clarifications, if any, before the committee referred to in rule 7, at a specified date and time, which shall not be less than forty-eight hours from the time of receipt of such notice by such person or intermediary.
(2) In case of non-appearance of such person or intermediary, who has been served with the notice under sub-rule (I), before the committee on such specified date and time, the committee shall give specific recommendation in writing with respect to the request received from the Nodal Officer, based on the information available with the committee.
(3) In case, such a person or intermediary, who has been served with the notice under sub-rule (1), is a foreign entity or body corporate as identified by the Designated Officer, notice shall be sent by way of letters or fax or e-mail signed with electronic signatures to such foreign entity or body corporate and any such foreign entity or body corporate shall respond to such a notice within the time specified therein, failing which the committee shall give specific recommendation in writing with respect to the request received from the Nodal Officer, based on the information available with the committee.
(4) The committee referred to in rule 7 shall examine the request and printed sample information and consider whether the request is covered within the scope of sub-section (1) of section 69A of the Act and that it is justifiable to block such information or part thereof and shall give specific recommendation in writing with respect to the request received from the Nodal Officer.
(5) The designated Officer shall submit the recommendation of the committee, in respect of the request for blocking of information along with the details sent by the Nodal Officer to the Secretary in the Department of Information Technology under the Ministry of Communications and Information Technology, Government of India (hereinafter referred to as the "Secretary, Department of Information Technology").
(6) The Designated Officer, on approval of the request by the Secretary, Department of Information Technology, shall direct any agency of the Government or the intermediary to block the offending information generaled, transmitted, received, stored or hosted in their computer resource for public access within time limit specified in the direction:
Provided that in case the request of the Nodal Officer is not approved by the Secretary, Department of Information Technology, the Designated Officer shall convey the same to such Nodal Officer.
Blocking of Information in cases of emergency.— (1) Notwithstanding anything contained in rules 7 and 8, the Designated Officer, in any case of emergency nature, for which no delay is acceptable, shall examine the request and printed sample information and consider whether the request is within the scope of sub-section (1) of section 69A of the Act and it is necessary or expedient and justifiable to block such information or part thereof and submit the request with specific recommendations in writing to Secretary, Department of Information Technology.
(2) In a case of emergency nature, tne Secretary. Department of Information Technology may, if he is satisfied that it is necessary or expedent and justifiable for blocking for public access of any information or part thereof through any computer resource and after recording reasons in writing as an interim measure issue such directions as he may consider necessary to such identified or identifiable persons or intermediary in control of such computer resource hosting such information or part thereof without giving him an opportunity of hearing.
(3) The Designated Officer, at ihe earliest but not later than forty-eight hours of issue of direction under sub-rule 2, shall bring the request before the committee referred to in rule 7 for its consideration and recommendation.
(4) On receipt of recommendations of committee, Secretary, Department of Information Technology, shall pass the final order as regard to approval of such request and in case the request for blocking is not approved by the Secretary. Department of Information Technology in his final order, the interim direction issued under sub-rule (2) shall be revoked and the person or intermediary in control of such information shall be accordingly directed to unblock the information for public access.
Process of order of court for blocking of Information — In case of an order from a competent court in India for blocking of any information or part thereof generated, transmitted, received, stored or hosted in a computer resource, the Designated Officer shall, immediately on receipt of certified copy of the court order, submit it to the Secretary, Department of Information Technology and initiate action as directed by the court.
Expeditious disposal of request - The request received from the Nodal Officer shall be decided expeditiously which in no case shall be more than seven working days from the date of receipt of the request.
Action for non-compliance of direction by Intermediary — In case the intermediary fails to comply with the direction issued to him under rule 9, the Designated Officer shall, with the prior approval of the Secretary, Department of Information Technology, initiate appropriate action as may be required to comply with the provisions of sub-section (3) of section 69A of the Act.
Intermediary to designate one person to receive and handle directions — (1) Every intermediary shall designate at least one person to receive and handle the directions for blocking of access by the public any information generated, transmitted, received, stored or hosted in any computer resource under these rules.
(2) The designated person of the intermediary shall acknowledge receipt of the directions to the Designated Officer within two hours on receipt of the direction through acknowledgement letter or fax or e-mail signed with electronic signature.
Meeting of Review Commlttee — The Review Committee shall meet at least once in two months and record its findings whether the directions issued under these rules are in accordance with the provisions of sub-seclion (1) of section 69A of the Act and if is of the opinion that the directions are not in accordance with the provisions referred above, it may set aside the directions and issue order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.
Maintenance of records by Designated Officer — The Designated Officer shall maintain complete record of the request received and action taken thereof, in electronic database and also in register of the cases of blocking for public access of the information generated, transmitted, received, stored or hosted in a computer resource.
Requests and complaints to be confidential — Strict confidentiality shall be maintained regarding all the requests and complaints received and actions taken thereof.

FORM
(See rule 6(2))

A. Complaint

Name of the complainant: --_________________________________________________________________
(Person who has sent the complaint to the Ministry/Department/State Govt./Nodal Officer)
Address: ________________________________________________________________________________
________________________________________________________________________________
City: ______________________________ Pin Code: __________________
Telephone: ________________________ (prefix STD code)
Fax (if any): _______________________
Mobile (if any): ______________________
Email (if any): __________________________________

B. Details of website/computer resource/intermediary/offending information hosted on the website
(Please give details wherever known)
URL / web address: ____________________________________
IP Address: _______________________________________
Hyperlink: ________________________________________
Server/Proxy Server address: ________________________________________
Name of the Intermediary: _________________________________________
URL of the Intermediary: __________________________________________
(Please attach screenshot/printout of the offending information)
Address or location of intermediary in case the intermediary is telecom service provider, network service provider, internet service provider, web-hosting service provider and cyber cafe or other form of intermediary for which information under points (7), (8), (9), (10), (11) and (12) are not available.
___________________________________________________________
___________________________________________________________
___________________________________________________________
C. Details of Request for blocking
Recommendations/Comments of the Ministry/State Govt: ________________________
________________________________________________________________________
________________________________________________________________________
The level at which the comments/recommendation have been approved
(Please specify designation) ________________________________________________
Have the complaint been examined in Ministry / State Government: Y/N
If yes, under which of the following reasons it falls (please tick):
(i) Interest of sovereignty or integrity of India
(ii) Defence of India
(iii) Security of the State
(iv) Friendly relations with foreign states
(v) Public order
(vi) For preventing incitement to the commission of any cognisable offence relating to above
D. Details of the Nodal Officer, forwarding the complaint along with recommendation of the Ministry/State Govt. and related enclosures
Name of the Nodal Officer: ___________________________________________
Designation: ______________________________________________________
Organisation: _____________________________________________________
Address: ________________________________________________ _________

__________________________________________________________

City: __________________________ Pin Code: _________________
Telephone: ___________________________ (prefix STD code)
Fax (if any) _____________________
Mobile (if any) ______________________
Email (if any): ___________________________
E: Any other information:
F: Enclosures:

1.

2.

3.

Date Place Signature

[No. 9(16)J2004-EC]
N. RAVI SHANKER, Jt. Secy

3855GI/09-5

For more details visit https://cis-india.org/internet-governance/resources/reply-to-rti-application-on-blocking-of-website-and-rule-419a-of-indian-telegraph-rules-1951

Removing Barriers to Connectivity: Connecting the Unconnected

praskrishna — 2013-11-09T03:14:43Z

The workshop was organised by Internet Society and ETNO on October 23, 2013. Pranesh Prakash was a panelist.

Click to read the details on IGF website here

In the spirit of Paragraph 50 of the Tunis Agenda, our panel aims to highlight best practices that will help in “turning the digital divide into digital opportunity”, and will look at what can be done to promote broadband penetration and access to infrastructure. By forging better Internet governance environments through dialogue and interaction, stakeholders can work together to build better local infrastructure and more efficient deployment of infrastructure. Internet technical community experts, policy-makers, and development experts know well the challenges that exist in promoting deployment of Internet infrastructure. From public-works challenges to human capacity development, each country may have their own unique challenges. Provisions and policies must be put in place to ensure that broadband connections are developed, maintained and improved to sustain the rise in Internet traffic and particularly to accommodate the fast growth of video traffic. Against this backdrop, this workshop proposes to assemble a group of experts and practitioners to discuss observations from the field (practical examples and information) about how to help encourage connectivity and to “lift” barriers to connectivity. We also will identify barriers for investment faced by the private sector and tries to define ways to improve the policy landscape and identify a sustainable economic model to foster private investment. We plan to do this by identifying connectivity challenges and by identifying best practices for working with all stakeholders to manage those challenges. The developing country perspective will be reflected, and the workshop will specifically address what is needed in practical terms to connect the unconnected – eg low-cost devices, open systems and public / private partnerships. Workshop participants will engage the audience to encourage a dialogue that seeks feed-back from participants. An output of the workshop would be a collaborative “living” list of best practices and observations identified during the workshop that can serve as a baseline to be added to given national and local dynamics.

Panelists

Raj Singh, Internet Society, Male, Technical Community, SINGAPORE, Asia-Pacific Group
Martin Levy, Hurricane Electric, Male, Private Sector, UNITED STATES, Western Europe and Others Group - WEOG
Christoph Steck, Telefonica, S.A., Male, Private Sector, SPAIN, Western Europe and Others Group - WEOG
Jennifer Haroon, Google, Female, Private Sector, UNITED STATES, Western Europe and Others Group - WEOG
Simon Milner, Facebook, Male, Private Sector, UNITED KINGDOM, Western Europe and Others Group - WEOG
Pranesh Prakash, Centre for Internet & Society India, Male, Civil Society, INDIA, Asia-Pacific Group

For more details visit https://cis-india.org/news/igf-2013-removing-barriers-to-connectivity

Religious pluralism and freedom of expression in India, Europe and other countries

praskrishna — 2013-11-08T05:54:06Z

The Venice-Delhi Seminars are Reset-Dialogues on Civilizations project, in cooperation with the Jamia Millia Islamia, Seminar and the India Habitat Centre is organizing this event from October 10 to 12, 2013. Chinmayi Arun will be speaking at this event.

Click to read the full details published by Reset DOC on October 10, 2013.

This year, the Rome-based international association Reset-Dialogues on Civilizations will continue promoting dialogue between cultures and the culture of dialogue, reciprocal awareness between East and West and valorising the cultural, religious and political differences in a globalized world.

The schedule for autumn 2013 is as follows; the next Venice-Delhi Seminars will take place from October 10 to 12 in Delhi with the participation of the Indian magazine Seminar, and Jamia Millia Islamia, the Islamic University of Delhi and the India Habitat Centre. After the first meeting in the Indian capital in October 2010 on the subject “Minorities and Pluralism” (see Seminar 621, 2011) and a second meeting in Venice at the Giorgio Cini Foundation from October 18 to 20, 2012, dedicated to “Cultural differences in times of economic turbulence. Social tensions, cultural conflicts and policies of integration in Europe and India”, the Venice-Delhi Seminars have become a regular event, with one being held in Venice and the next in Delhi.

Pluralism

The project’s general framework is religious and cultural pluralism, seen through the perspective analysis of social and political processes and exchanges between East and West. Every encounter is an opportunity to deepen political, social and economic trends that run through society, like India’s and, increasingly, European society, where cultural, ethnic and political differences coexist and interact. Each meeting consists of five sessions lasting three days and papers presented by by experts and academics from all over the world attending roundtable discussions dedicated to the analysis of policies relating to minorities and the global challenge of the multi-ethnic composition of our societies.

The proceedings and more articles from our 2012 edition in Venice, Italy, are published in the September 2013 issue of Seminar magazine. You can visit its website here: www.india-seminar.com

10-12 October 2013 – Third Venice-Delhi Seminars
Coexistence and mutual respect, rights to be protected, freedom of speech and freedom of worship, blasphemy, the ethics of responsibility

The third Venice-Delhi Seminars will take place from October 10 to 12, 2013 in Delhi and will be dedicated to three days of study on the subject “Religious Pluralism and Freedom of Expression in India and Europe: Coexistence and Mutual Respect, Rights to Protect, Freedom of Speech and Freedom of Worship, Blasphemy, Ethics of Responsibility”. The objective of this second round of the “Plural Future” project will be to critically examine the growing tension between the democratic need to protect differences and the right to freedom of expression and the vital need for modern democracies to guarantee peaceful coexistence between majorities and minorities, as well as freedom of worship in conditions of cultural and religious pluralism protected from the extremist excesses of demands based on ethnicity and identity. We will therefore also analyze the public visibility of radical and extremist tendencies from the United States to Europe, to Muslim-majority countries and India.

Analysis will take place from a perspective paying particular attention to the manner in which this wave of violent opposition to dialogue and cultural differences challenges liberal democratic order, tested by a new need to implement rights and respect of minorities. Specific importance will be attributed to conditions experienced by Muslim and Christian minorities. The subject of respect between communities and the rights of minorities will be analyzed also in the European context. European, Indian and American scholars will attend.

Particular attention will paid to the media in this 2013 edition, and its role in portraying cultural and religious differences as well as its capacity to encourage or prevent the development of peaceful co-existence and an acceptance of differences in conditions of cultural, religious and ethnic pluralism.

The Reset-Dialogues on Civilizations project has been organised also so as to involve a large number of students, graduates and doctoral students.

For more details visit https://cis-india.org/news/resetdoc-october-10-2013-religious-pluralism-and-freedom-of-expression-in-india-europe-other-countries

Reliance-Jio Users Complain Of Porn Websites Being Blocked; Company Yet To Issue Official Statement

Admin — 2018-10-29T02:35:43Z

Going by a lot of Jio network users, it seems that Mukesh Ambani’s Jio has banned hundreds of porn sites, in compliance with the order of the Department of Telecommunications.

The blog post was published by Logical Indian on October 27, 2018. Pranesh Prakash was quoted.

The order came after the Uttarakhand High Court on September 28, 2018, had directed the Centre to block over 850 pornographic websites. Many Jio users have taken to social media to show their protests. On Twitter, several users have threatened even to change their network if Jio doesn’t lift the ban.

However, the telecom operator has not issued an official statement confirming the ban or on the development so far. The complaints have come to notice after many users pointed out on social media platforms like Reddit and Twitter that several porn websites are no longer available on Jio network, as reported by the Financial Times.

The High Court’s Order

According to The Indian Express, the Uttarakhand High court’s order came after the alleged gang rape of a 16-year old girl by four students at her boarding school in Dehradun. It is alleged that the accused were “instigated by watching pornography” on their mobile phones before committing the crime.

In the order, the division bench of acting chief, justice Rajiv Sharma and justice Manoj Kumar Tiwari said, “There shall be a direction to all the Internet Service License Holders to punctually obey the notification dated 31st July 2015 and to block the publication or transmission of obscene material in any electronic form.” It further added that material containing sexually explicit act or conduct and also publishing or transmitting of material depicting children in sexually explicit acts should also be blocked.

Same crackdown in 2015

In 2015, the Department of Telecommunications had issued an order to block 857 porn websites. They had asked all the internet service providers to take compliance with the order and block the websites. A lot of people protested against this crackdown by the government. However, after receiving a huge criticism from the people, the government partially lifted the ban. But, following the rule, nothing had happened, and the porn sites were functioning as before, reported The Guardian.

An Indian think tank, Centre for Internet and Society member Pranesh Prakash said “It is illegitimate because it is not as though the government has found these websites unlawful … This is a blanket ban, and the government has not thought through the consequences,” reported by The Guardian.

The Logical Indian Take

Watching or not watching porn is a person’s liberty. India is a democratic nation, and according to our constitution, we are conferred with the freedom of expression and the right to personal liberty. So, this non-confirmed porn ban by Reliance Jio would be getting into the freedom of an individual.

After China, India has the second-largest number of internet users in the world. And, Reliance-Jio is just the third user base in India. The ban would not affect the population much but is definitely a threat to the user rights.

For more details visit https://cis-india.org/internet-governance/news/the-logical-indian-october-27-2018-reliance-jio-users-complain-of-porn-websites-being-blocked

Reliance Jio data leaked on website : report

praskrishna — 2017-07-10T14:53:42Z

Reliance Jio customer data was leaked on independent website magicapk.com, including details such as names, mobile numbers and email IDs , said a report.

The article was published by Livemint on July 10, 2017.

Reliance Jio Infocomm Ltd’s customer data was allegedly leaked on an independent website, magicapk.com, a report said. Jio, which crossed the 100 million mark in February, barely six months after it was launched, ended the financial year with 108.9 million subscribers as of 31 March.

The report, published first in a late-night article on Sunday on Fonearena.com, alleged that “several sensitive details” were exposed, including customers’ first and last names, mobile numbers, email IDs, circles, SIM activation dates and even the Aadhaar numbers. The Aadhaar numbers, however, were redacted on magicapk.

“To my disbelief I found my own details in the database and also couple of my colleagues are affected too,” wrote Varun Krish, the author of the article. However, if you now click on Magicapk.com, it reads: “This Account has been suspended .” The Registrar of the site, according to the whois database, is Godaddy.com, LLC.

When contacted, a Reliance Jio spokesperson said, “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”

Fonearena.com, on its site, has responded with a: “We still stand by our story.”

The report assumes significance because the site exposed redacted Aadhaar card details. There are nearly 1.2 billion Aadhaar number holders in the country. Aadhaar aims to plug leakages in the delivery of state benefits, such as subsidized grains to the poor, and aid in generating a savings of about Rs70,000 crore a year for the government. But data breaches have rattled citizens, especially since India does not have a Privacy Act.

In March, the Unique Identification Authority of India (UIDAI) blacklisted a common services centre for 10 years after it shared the Aadhaar details of former cricket captain Mahendra Singh Dhoni. On 25 April, Mint reported that many government departments, including the ministry of drinking water and sanitation, the Jharkhand Directorate of Social Security, and the Kerala government’s pension department, had published Aadhaar numbers of beneficiaries of the schemes they run in violation of the Aadhaar Act .

On 1 May, Bengaluru-based think tank Centre for Internet and Society (CIS) reported that a Central government ministry and a state government may have made public up to 135 million Aadhaar numbers .

Under the Aadhaar (Targeted Delivery of Financial Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits. However, tagging of the Aadhaar number is being made mandatory by the government for various schemes including PAN (permanent account number) accounts for taxation. On 7 July, the Supreme Court refused to pass any interim order against the mandatory use of Aadhaar for various government schemes. It, instead, suggested that petitioners call for immediate formation of a Constitution bench to decide on the case .

News of the alleged data leak also comes at a time when there have been a spate of cyber hacks.

For instance, just when companies started believing that WannaCry—the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—was on the wane, a virus christened GoldenEye (a variant of the Petya ransomware) by security firm Bitdefender Labs attacked companies, mostly in Ukraine. And while the target primarily appeared to be European countries, the ransomware was also reported to be making inroads in countries like India.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report

Relationship Between Privacy and Confidentiality

vipul — 2014-12-30T14:27:02Z

The laws of breach of confidentiality and breach of privacy at first glance seem very similar to each other. If a doctor releases health information relating to a patient that s/he is treating then such an act would give rise to a claim both under the law of privacy as well as under the law of confidentiality.

Similar is the case with financial information released by a bank, etc. This makes one wonder exactly where and how it is that the law of breach of privacy intersects with that of the law of confidentiality. An enquiry into such a complex question of law requires a deeper appreciation of the relationship between these two different principles of law which require a better understanding of the origins and evolutions of these principles.

In this paper we shall try to explore the origins of both the law of privacy as well as confidentiality as they have evolved in the field of tort law in India. Although our primary focus is Indian law, however in order to understand the evolution of these principles it is necessary to discuss their evolution in three common law jurisdictions, viz. the United States of America, the United Kingdom and India. The reason for an analysis of these three jurisdictions will become clear as the reader goes further into this paper, however for ease of reference it would be better if the reason is clarified here itself. The concept of a right against breach of confidentiality has existed in English common law for a very long time, however the concept of a claim for breach of privacy originated only in American law, other than some statutory protection granted in the last couple of decades, has still not been granted recognition in English common law.

After a discussion of the evolution of these principles in both American and English law, we will then discuss these principles as they exist in Indian law. This discussion will (or should) at once become easier to understand and digest because of the deeper understanding of the interplay between these two principles gained from a reading of the first two chapters.

Privacy Torts: American Origins

Looking at the origins of privacy law it has been argued by many academics that the law of privacy in common law has its origins in an article published by Samuel Warren and Louis Brandies in the Harvard Law Review in 1890.[1] Warren and Brandeis suggested that one could generalise certain cases on defamation, breach of copyright in unpublished letters, trade secrets and breach of confidence as all based upon the protection of a common value which they called privacy.[2] The authors relied upon the existing body of cases relating to the law of confidentiality and interpreted it in a way so as to create a "right to privacy" which has evolved into a right quite different from the common understanding of confidentiality.

Although there are certain criticisms of the article by Warren and Brandeis, the background in which the article was written and the lacuna that these two scholars were trying to fill in the law of confidentiality as it existed at that time gives some context to the reasons why they felt the need to move away from the existing principles and propose a new principle of law. Samuel Warren and Louis Brandies were both worried about the invasion of personal space by the advent of the news and print media which was experiencing a boom during the late 19^th century. [3] Warren and Brandeis were worried that although the existing body of law on confidentiality would protect a person from having their picture put on a postcard by their photographer without their consent,[4] however if there was no relationship between the two persons there would be no remedy available to the aggrieved party. [5]

One of the criticisms of Warren and Brandeis' article is that to propose the existence of a right to privacy they relied heavily on the English case of Prince Albert v. Strange[6]. It has been proposed by some academics that this was a case which dealt with confidentiality and literary property which was characterized by Warren and Brandeis as a privacy case. [7] In this case Prince Albert sought to restrain publication of otherwise unpublished private etchings and lists of works which were made by Queen Victoria. The etchings appeared to have been removed surreptitiously from the private printer to whom these etchings were given and came into the possession of one Mr. Strange who wanted to print and sell the etchings. The case specifically rejected the existence of a right to privacy in the following words:

"The case is not put by the Plaintiff on any principle of trust or contract, but on property; there is nothing to show contract or confidence. It cannot be maintained that privacy constitutes property, or that the Court will interfere to protect the owner in the enjoyment of it; Chadler v. Thompson (3 Camp. 80). In William Aldred's case (9 Rep. 58 b.), Wray C. J. said, "The law does not give an action for such things of delight"."

Infact the case mentioned the term "privacy" only once, but that statement was made in the context of whether a delay in granting an injunction in such cases would defeat the entire purpose of the suit and was not preceeded or followed by any discussion on a distinct right to privacy:

"In the present case, where privacy is the right invaded, postponing the injunction would be equivalent to denying it altogether. The interposition of this Court in these cases does not depend upon any legal right, and to be effectual, it must be immediate."

However, Warren and Brandeis interpreted this case in a different manner and came to the conclusion that the "principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality".[8]

The article further incorporated the language of Judge Cooley's treatise (Cooley on Torts)[9] which used the phrase "the right to be let alone". They said that identifying this common element should enable the courts to declare the existence of a general principle which protected a person's appearance, sayings, acts and personal relations from being exposed in public. [10] However it has been argued by some scholars that this phrase was not used by Judge Cooley with as much import as has been given by Warren and Brandeis in their article. The phrase was used by Judge Cooley in mere passing while discussing why tort law protected against not only batteries but also assaults with no physical contact, and had no connection with privacy rights. [11]

Warren and Brandeis' article started getting almost immediate attention and some amount of recognition from various quarters,[12] though it cannot be said that it was universally well received. [13] However over time this tort of privacy slowly started getting recognized by various Courts throughout the United States and got a huge boost when it was recognized in a brief section in the First Restatement of Torts published in 1939. The right to privacy in American jurisprudence got another boost and became fully entrenched later on specially with the endorsement of Dr. William Prosser who discussed privacy in his treatise on the law of torts, the subsequent editions of which had a more and more elaborate discussion of the tort of privacy. This development of the law was further enhanced by Dr. Prosser's position as a reporter of the Second Restatement of Torts, which imported a four part taxonomy of the privacy tort which had been suggested by Dr. Prosser in his previous works.[14]

Thus we see how, beginning with the article by Warren and Brandeis in 1890, the privacy tort in American jurisprudence developed over the years and became further entrenched due to the influence of William Prosser and his works on the tort of privacy.

Privacy Torts in England: An Elaborate Principle of Confidentiality

The law of confidentiality in English law, as applied in certain specific contexts such as attorney client privileges, [15] doctor patient confidentiality,[16] etc. has been applied since hundreds and even though cases relating to the breach of confidentiality had already existed, however the case of Prince Albert v. Strange,[17] be it due to the interesting facts or the fame of the parties involved, is still considered as the clearest and most well established precedent for the tort of breach of confidence.[18] Similar cases relying upon this tort kept being decided by the English Courts but the tort of confidentiality was further cemented in English common law by the case of Saltman Engineering Co. v. Campbell Engineering Co.,[19] which expanded the application of the principle by holding that the obligation to respect confidence is not limited to only instances where parties have a contractual relationship.

The seminal case on the tort of breach of confidentiality in English law was that of Coco v. A.N Clark (Engineers) Ltd., [20] where an inventor enjoined a moped manufacturer from using design ideas communicated by the inventor during failed contractual negotiations with the manufacturer.[21] In this case Megarry J., held that a case of breach of confidence normally requires three elements to succeed, apart from contract, (i) the information itself must have the necessary quality of confidence about it, (ii) that information must have been imparted in circumstances importing an obligation of confidence, and (iii) there must be an unauthorised use of that information to the detriment of the party communicating it.

Relying on the principles enunciated in the above cases and developed by subsequent decisions, English law relating to the tort of breach of confidentiality developed into a robust and flexible body of law protecting personal and commercial information from disclosure. Infact by the late 1990s, English law was very broad and gradually expanding in its scope of the tort of breach of confidentiality and Courts had stretched the idea of an obligation of confidence so as to include cases where there was not even any communication between the parties, such as secret photography and wiretapping. Further since third parties had already been reposed with an obligation of confidence when they knowingly received confidential material even if they did not have any relationship with the plaintiff, therefore the law of confidence could be extended to parties outside the relationship in which the confidence was initially made. This, although was not as broad and overarching as the American privacy tort, still had the ability to cover a wide range of cases. [22]

While English Courts on the one hand kept trying to expand the scope of the confidentiality tort, they also categorically rejected the existence of a privacy tort on the lines developed under American jurisprudence. The suggestion of the existence of such a privacy tort in English law was most recently rejected by the House of Lords in the case of Wainwright v. Home Office,[23] by Lord Bingham in the following words:

"What the courts have so far refused to do is to formulate a general principle of "invasion of privacy" (I use the quotation marks to signify doubt about what in such a context the expression would mean) from which the conditions of liability in the particular case can be deduced."

In this case the plaintiffs made a claim against the prison authorities for strip searching them before they went to meet an inmate and since the incident occurred before the coming into force of the Human Rights Act, 1998 of the UK had not yet come into force, so the plaintiffs also argued that there was an existing tortuous remedy based on a breach of privacy in common law. While discussing whether English Courts were amenable to or had ever recognized such a common law tort of privacy, the House of Lords cited decisions such as Malone v Metropolitan Police Comr, [24] and R v Khan (Sultan),[25] in both of which the courts refused to recognize a general right to privacy in the context of tapping of telephones.

The absence of any general cause of action for invasion of privacy was also acknowledged by the Court of Appeal in the context of a newspaper reporter and photographer invading into a patient's hospital bedroom in an effort to purportedly interview him and taking photographs, in the case of Kaye v Robertson.[26]

Thus relying on the above line of cases the House of Lords concluded that a general right to privacy does not exist in English common law:

"All three judgments are flat against a judicial power to declare the existence of a high-level right to privacy and I do not think that they suggest that the courts should do so. The members of the Court of Appeal certainly thought that it would be desirable if there was legislation to confer a right to protect the privacy of a person in the position of Mr Kaye against the kind of intrusion which he suffered, but they did not advocate any wider principle."

Thus it is clear that English Courts have time and again denied the existence of an American style right to privacy as emanating from common law. The Courts have instead tried to expand and widen the scope of the tort of confidentiality so as to cover various situations which may arise due to the pervasiveness of technology and which the traditional interpretation of the law of confidentiality was not equipped to deal with.

Therefore it is now a little clearer that the reason for the existence of the confusion between the torts of privacy and confidentiality is that the right to privacy had its origins in the common law precedents but the right to privacy developed as a distinct and separate right in America, primarily due to the influence of Warren and Brandeis's article as well as the works of William Prosser, whereas the Courts in England did not adopt this principle of privacy and instead favored a much more elaborate right to confidentiality. In the Indian context, this has led to some amount of confusion because, Indian case laws, as will be seen in the following chapter, borrowed heavily from American jurisprudence when discussing the right to privacy and not all cases have been able to clearly bring out the difference between the principles of privacy and confidentiality.

Indian Law

Tort of Breach of Privacy

Any analysis of the right to privacy in India, be it in the realm of constitutional law or tort law almost always includes within its ambit a discussion of the two celebrated cases of Kharak Singh v. Union of India[27] and Govind v. State of M.P.,[28] which elevated the right to privacy to the pedestal of a fundamental right under Indian law. However, an unintended consequence of this has been that pretty much every commentator on Indian law includes a discussion of these two cases when discussing the right to privacy, be it under constitutional law or under tort law. However, there is one problem with such an analysis of the right to privacy, viz. these two cases were dealing with a pure constitutional law question and relied upon American case laws to read into Article 21 an inbuilt right to privacy. However from a strictly tort law perspective, these cases are not relevant at all, and the seminal case for the tort of breach of privacy would have to be the Apex Court decision in R. Rajagopal v. State of Tamil Nadu, [29] which specifically recognized this distinction and stated that the right to privacy has two different aspects, (i) the constitutional right to privacy, and (ii) the common law right to privacy.

The facts of the R. Rajagopal case revolve around the publishing of the autobiography written by the prisoner Auto Shankar, who had been placed in jail for committing multiple murders. The autobiography contained proof of involvement of many IAS, IPS officers in his crimes. Although Shankar had initially requested that the magazine print his autobiography, he later requested that his story not be published. The publishers held that it was their right to publish the autobiography while the IPS and IAS officers on the other hand claimed that Auto Shankar was trying to defame them and wanted to ban its publication. The Supreme Court in this case, implicitly accepts the existence of a right to privacy under Indian tort law when

"21.The question is how far the principles emerging from the United States and English decisions are relevant under our constitutional system. So far as the freedom of press is concerned, it flows from the freedom of speech and expression guaranteed by Article 19(1)(a). But the said right is subject to reasonable restrictions placed thereon by an existing law or a law made after the commencement of the Constitution in the interests of or in relation to the several matters set out therein. Decency and defamation are two of the grounds mentioned in clause (2). Law of torts providing for damages for invasion of the right to privacy and defamation and Sections 499/500 IPC are the existing laws saved under clause (2). "

Discussing the distinction between the two aspects of the right to privacy, the Court held:

"The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognized. This right has two aspects which are but two faces of the same coin (1) the general law of privacy which affords a tort action for damages resulting from an unlawful invasion of privacy and (2) the constitutional recognition given to the right to privacy which protects personal privacy against unlawful governmental invasion. The first aspect of this right must be said to have been violated where, for example, a person's name or likeness is used, without his consent, for advertising or non-advertising purposes or for that matter, his life story is written whether laudatory or otherwise and published without his consent as explained hereinafter. In recent times, however, this right has acquired a constitutional status."

After a discussion of the various arguments presented by the parties (a number of which are not relevant for the purposes of this paper), the Supreme Court laid down the following principles regarding freedom of the press and the right to privacy:

(1) The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.

(2) The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media.

(3) There is yet another exception to the rule in (1) above - indeed, this is not an exception but an independent rule. In the case of public officials, it is obvious, right to privacy, or for that matter, the remedy of action for damages is simply not available with respect to their acts and conduct relevant to the discharge of their official duties. This is so even where the publication is based upon facts and statements which are not true, unless the official establishes that the publication was made (by the defendant) with reckless disregard for truth. In such a case, it would be enough for the defendant (member of the press or media) to prove that he acted after a reasonable verification of the facts; it is not necessary for him to prove that what he has written is true. Of course, where the publication is proved to be false and actuated by malice or personal animosity, the defendant would have no defence and would be liable for damages. It is equally obvious that in matters not relevant to the discharge of his duties, the public official enjoys the same protection as any other citizen, as explained in (1) and (2) above. It needs no reiteration that judiciary, which is protected by the power to punish for contempt of court and Parliament and legislatures protected as their privileges are by Articles 105 and 104 respectively of the Constitution of India, represent exceptions to this rule."

The above principles have ruled the roost on the issue of privacy and freedom of the press under Indian law, with certain minimal additions. It has been held by the Delhi High Court that even though a claim for damages may be made under tort law for breach of privacy, the Court may even grant a pre-publication injunction to prevent a breach of privacy.[30] The principles laid down inR. Rajagopal were further clarified in the case of Indu Jain v. Forbes Incorporated, [31] where a case was filed by Indu Jain in the Delhi High Court to stop Forbes magazine from featuring her family in the Forbes List of Indian Billionaires. After a discussion of the various authorities and cases on the issue the Court summarized the principles relating to privacy and freedom of the press and applying those principles rejected the claim of the plaintiff. However for the purposes of our discussion these principles are extremely useful, and have been listed below:

"(V) Public or general interest in the matter published has to be more than mere idle curiosity.

(VI) Public figures like public officials play an influential role in ordering society. They have access to mass media communication both to influence the policy and to counter-criticism of their views and activities. The citizen has a legitimate and substantial interest in the conduct of such persons and the freedom of press extends to engaging in uninhibited debate about the involvement of public figures in public issues and events. (Ref. (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others Para 18).

(VII) Right to privacy that rests in an individual may be waived by him by express or implied consent or lost by a course of conduct which estops its assertions. Such implication may be deduced from the conduct of the parties and the surrounding circumstances.

(VIII) A public person or personage is one who by his standing, accomplishment, fame, mode of life or by adopting a profession or calling which gives the public a legitimate interest in his doings, affairs and character has so become a public figure and thereby relinquishes at least a part of his privacy.

(IX) The standard to be adopted for assessing as to whether the published material infracts the right to privacy of any individual is that of an ordinary man of common sense and prudence and not an out of ordinary or hyper-sensitive man. (Ref. (2007) 1 SCC 143 Ajay Goswami v. UOI & Ors.).

(X) Even though in this country, the freedom of press does not have presumptive priority as in some other jurisdictions including the United States of America, however the importance of a free media of communication to a healthy democracy has to receive sufficient importance and emphasis.

(XI) In evaluating a relief to be granted in respect of a complaint against infraction of the right to privacy, the court has to balance the rights of the persons complaining of infraction of right to privacy against freedom of press and the right of public to disclosure of newsworthy information. Such consideration may entail the interest of the community and the court has to balance the proportionality of interfering with one right against the proportionality of impact by infraction of the other.

(XII) The publication has to be judged as a whole and news items, advertisements and published matter cannot be read without the accompanying message that is purported to be conveyed to public. Pre-publication censorship may not be countenanced in the scheme of the constitutional framework unless it is established that the publication has been made with reckless disregard for truth, publication shall not be normally prohibited. (Ref.: (2007) 1 SCC 143 Ajay Goswami Vs. UOI & Ors.; (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others and AIR 2002 Delhi 58 Khushwant Singh & Anr. Vs. Maneka Gandhi)."

Thus we see that the right to privacy in Indian law, even in the realm of tort law has had an inextricable connection with constitutional principles and constitutional cases have had a very huge impact on the development of this right in India. However a perusal of these cases shows that the right to privacy is available only insofar as information which is personal in nature, however in situations where the information is non-personal in nature the right to privacy may not be as useful and this is where, as we shall see below, the tort of breach of confidentiality comes in to fill the void.

Tort of Breach of Confidentiality

While there have been a number of landmark cases in India on the issue of breach of confidence in a contractual or a statutory setting, these cases are not very relevant for a discussion on the tort of breach of confidentiality. This is not to say that the tort of breach of confidentiality is non-existent in Indian law, the Courts here have time and again accepted that there does exist such a tortuous remedy in certain situations. We shall now try to examine the contours of this principle of torts by discussing some of the landmark cases on the topic.

In the case of Petronet LNG Ltd. v. Indian Petro Group and Another, ^{^[32]} the Delhi High Court considered a claim by a corporation seeking to prevent a news and media group from reporting its confidential negotiations and contracts with counterparties. The claim was based upon both the right to privacy as well as the right to confidentiality but in this case the court, looking at the fact that the plaintiff was a corporation and also the type of information involved denied the claim on the right to privacy. However, it did allow the injunction claimed by the corporation based on the right to confidentiality. Summarizing its discussion of the right to confidentiality, the Court stated thus:

"49. It may be seen from the above discussion, that originally, the law recognized relationships- either through status (marriage) or arising from contract (such as employment, contract for services etc) as imposing duties of confidentiality. The decision in Coco (1969) marked a shift, though imperceptibly, to a possibly wider area or zone. Douglas noted the paradigm shift in the perception, with the enactment of the Human Rights Act; even before that, in Attorney General (2) (also called the Spycatcher case, or the Guardian case) the Court acknowledged that there could be situations -where a third party (likened to a passerby, coming across sensitive information, wafting from the top of a building, below) being obliged to maintain confidentiality, having regard to the nature and sensitivity of the information….."

While discussing the factors that the Court would have to consider while deciding a claim based on the breach of confidentiality, the Delhi High Court relied upon and quoted from English judgments as follows:

"50. Even while recognizing the wider nature of duty - in the light of the Human Rights Act, 1998, and Articles 8 and 10 of the European Convention, it was cautioned that the court, in each case, where breach of confidentiality, is complained, and even found- has to engage in a balancing process; the factors to be weighed while doing so, were reflected in A v. B Plc [2003] QB 195; the latest judgment in H.R.H. Prince of Wales indicates that the court would look at the kind of information, the nature of relationship, etc, and also consider proportionality, while weighing whether relief could be given:

"The court will need to consider whether, having regard to the nature of the information and all the relevant circumstances, it is legitimate for the owner of the information to seek to keep it confidential or whether it is in the public interest that the information should be made public….

..In applying the test of proportionality, the nature of the relationship that gives rise to the duty of confidentiality may be important."

Holding that the principles discussed in the English cases given in the context of individual rights of confidentiality would also hold good in the case of corporations, the Court held that:

"51. Though the reported cases, discussed above, all dealt with individual right, to confidentiality of private information (Duchess of Argyll;Frazer; Douglas; Campbell and H.R.H. Prince of Wales) yet, the formulations consciously approved in the Guardian, and Campbell, embrace a wider zone of confidentiality, that can possibly be asserted. For instance, professional records of doctors regarding treatment of patients, ailments of individuals, particulars, statements of witnesses deposing in investigations into certain types of crimes, particulars of even accused who are facing investigative processes, details victims of heinous assaults and crimes, etc, may, be construed as confidential information, which, if revealed, may have untoward consequences, casting a corresponding duty on the person who gets such information - either through effort, or unwittingly, not to reveal it. Similarly, in the cases of corporations and businesses, there could be legitimate concerns about its internal processes and trade secrets, marketing strategies which are in their nascent stages, pricing policies and so on, which, if prematurely made public, could result in irreversible, and unknown commercial consequences. However, what should be the approach of the court when the aggrieved party approaches it for relief, would depend on the facts of each case, the nature of the information, the corresponding content of the duty, and the balancing exercise to be carried out. It is held, therefore, that even though the plaintiff cannot rely on privacy, its suit is maintainable, as it can assert confidentiality in its information."

Apart from privacy, the law of confidentiality has been used in cases where there has been a definite harm to one side but none of the other laws provide for any relief. This was the situation in the case of Zee Telefilms Limited v. Sundial Communications Pvt Ltd, [33] where a company which developed television and media programming had discussed their concept of a new show with a network during negotiations which could not be finalized. The network however subsequently tried to start a new show which was based on the same concept and idea as the one presented by the plaintiff company. The plaintiff sued the network, inter alia on a claim for breach of confidential information and asked that the network be prevented from airing its show. In this case the plaintiff's claim based on copyright was rejected because copyright only subsists on the expression of an idea and not the idea itself, therefore the tort of breach of confidentiality had to be resorted to in order to give relief to the plaintiffs. Discussing the difference between confidentiality and copyright, the Division Bench of the Bombay High Court held:

"10. The law of the confidence is different from law of copyright. In paragraph 21.2 (page 721), [of Copinger and Skone-James on Copyright (13th Edn.)] the learned author has pointed out that right to restrain publication of work upon the grounds, that to do so would be breach of trust of confidence, is a broader right than proprietary right of copyright. There can be no copyright of ideas or information and it is not infringement of copyright to adopt or appropriate ideas of another or to publish information received from another, provided there is no substantial copying of the form in which those ideas have, or that information has, been previously embodied. But if the ideas or information have been acquired by a person under such circumstances that it would be a breach of good faith to publish them and he has no just case or excuses for doing so, the court may grant injunction against him. The distinction between the copyright and confidence may be of considerable importance with regard to unpublished manuscripts / works submitted, and not accepted, for publication or use. Whereas copyright protects material that has been reduced to permanent form, the general law of confidence may protect either written or oral confidential communication. Copyright is good against the world generally while confidence operates against those who receive information or ideas in confidence. Copyright has a fixed statutory time limit which does not apply to confidential information, though in practice application of confidence usually ceases when the information or ideas becomes public knowledge. Further the obligation of confidence rests not only on the original recipient, but also on any person who received the information with knowledge acquired at the time or subsequently that it was originally given in confidence."

A similar view, in a similar fact situation Single Judge Bench of the Delhi High Court had also came to a similar conclusion in the case of Anil Gupta v. Kunal Das Gupta.[34]

The law of confidentiality has also come to the rescue of employers in attempting to prevent important business and client information from being taken or copied by the employees for their personal gain. In the case of Mr. Diljeet Titus, Advocate v. Mr. Alfred A. Adebare, [35] the Delhi High Court had to decide a claim based on breach of confidentiality when some ex-employees of a law firm tried to take away client lists and drafts of legal agreements and opinions from their earlier employer-law firm. Discussing the importance of preventing employees or former employees from away which such actions, the Court held as follows:

"81. I am in full agreement with the views expressed in Margaret, Duchess of Argyll (Feme Sole) v. Duke of Argyll and Ors. (1965) 1 All ER 611, that a Court must step in to restrain a breach of confidence independent of any right under law. Such an obligation need not be expressed but be implied and the breach of such confidence is independent of any other right as stated above. The obligation of confidence between an advocate and the client can hardly be re-emphasised. Section 16 of the Copyright Act itself emphasizes the aspect of confidentiality de hors even the rights under the Copyright Act. If the defendants are permitted to do what they have done it would shake the very confidence of relationship between the advocates and the trust imposed by clients in their advocates. The actions of the defendants cause injury to the plaintiff and as observed by Aristotle: 'It makes no difference whether a good man defrauds a bad one, nor whether a man who commits an adultery be a good or a bad man; the law looks only to the difference created by the injury."

The Court allowed the claim of the law firm holding that the relationship between a law firm and its attorneys is of a nature where information passed between them would be covered by the law of confidence and would not be allowed to be copied or used by the attorneys for their individual gain.

Recently, in 2009, the principles relating to breach of confidentiality under Indian law were very succinctly summarized by the Bombay High Court in the case of Urmi Juvekar Chiang v. Global Broadcasting News Limited,[36] where in a fact situation similar to the ones in Zee Telefilms case and the Anil Gupta case, the Court discussed a number of previous cases on breach of confidentiality and laid down the following principles:

"8. The principles on which the action of breach of confidence can succeed, have been culled out as

(i) he (Plaintiff) had to identify clearly what was the information he was relying on;

(ii) he (Plaintiff) had to show that it was handed over in the circumstances of confidence;

(iii) he (Plaintiff) had to show that it was information of the type which could be treated as

confidential; and

(iv) he (Plaintiff) had to show that it was used without licence or there was threat to use it…… It is further noted that at interlocutory stage, the Plaintiff does not have to prove (iii) and (iv) referred to above, as he will at the trial. But the Plaintiff must address them and show that he has atleast seriously arguable case in relation to each of them."

From the above discussion on Indian law it is clear that the Courts in India have tried to incorporate the best of both worlds, in the sense that it has taken and adopted the principle of a right to privacy, a breach of which would give rise to an action in torts, from American jurisprudence while rejecting the stand taken by English Courts in rejecting such a right to privacy. However, Indian Courts have often referred to the decisions given by English Courts as well as American Courts in interpreting the principle of the right to confidentiality. Therefore on an overall examination it would appear that insofar as the rights to privacy and confidentiality are concerned, Indian jurisprudence has more in common with American law rather than English law.

Conclusion

The law of privacy does not seem to have existed as a recognizable principle of law before it was propounded in the article by Warren and Brandeis in the Harvard Law Review in 1890. It slowly gained traction in American jurisprudence over the twentieth century but was rejected outright by the Courts in England, which preferred to follow the principle of confidentiality rather than privacy and tried to expand that old principle to fit newer and newer situations. Since Indian law borrows heavily from English law and to a smaller extent also from American law, the Courts in India have accepted both, the principle of a right to privacy as well as a right to confidentiality. This is not to say that the Courts in America do not recognize a right to confidentiality and only accept a right to privacy. Infact American Courts, just like their Indian counterparts, recognize both a right to confidentiality as well as a right to privacy.

Since Indian courts accept both the concept of breach of privacy as well as breach of confidentiality, one should not try to figure out if a particular circumstance is more appropriate for the one over the other, but actually use both principles to supplement one another for achieving the same objective. For example in situations where the conditions required for the application of the law of confidentiality do not exist such as disclosure of personal information by a person who did not receive it in a confidential capacity, one could apply the principle of privacy to prevent such information being disclosed or claim a remedy after disclosure. On the other hand if the information to be disclosed is not of a personal nature then one could try to utilize the law of confidentiality to prevent disclosure or claim damages.

[1] Harry Kalven, Jr., Privacy in Tort Law-Were Warren and Brandeis Wrong?, "31 Law & Contemp. Problems". 326, 327 (1966). Elbridge L. Adams, The Right of Privacy, and Its Relation to the Law of Libel, 39 AM. L. REV. 37 (1905).

[2] Wainwright v. Home Office, 2003 UKHL 53.

[3] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 at 128 and 132 (2007).

[4] Pollard v. Photographic Co., (1888) 40 Ch. D. 345.

[5] It is also said that this concern arose out of the personal experience of Samuel Warren, whose wedding announcement as well as the report on his sister-in-law's death in the newspapers did not go down well with him. http://www.english.illinois.edu/-people-/faculty/debaron/380/380powerpoint/privacy.pdf

[6] (1848) 41 Eng. Rep. 1171 (Ch.).

[7] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[8] Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, "4 Harvard Law Review", 193 at 207 (1890).

[9] Thomas M. Cooley, The Law Of Torts, 2^nd Ed., 1888, p. 29.

[10] Wainwright v. Home Office, 2003 UKHL 53.

[11] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[12] As early as in 1891, the case of Schuyler v. Curtis, 45 NYS 787 (Sup. Ct., 1891) involving the erection of a statue of a dead person, recognized the principle proposed in Warren and Brandeis' article.

[13] Most famously the case of Robertson v. Rochester folding Box Co., 64 NE 442 (NY 1902) where the New York Court of appeals specifically rejected a the existence of a right to privacy as proposed by Warren and Brandeis.

[14] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[15] Bredd v. Lovelace, (1577) 21 Eng. Rep. 33 (Ch.)

[16] For doctor patient confidentiality we need look no further than the Hippocratic Oath itself which states "Whatever, in connection with my professional service, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret".

[17] (1848) 41 Eng. Rep. 1171 (Ch.).

[18] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[19] [1948] 65 RPC 203.

[20] [1969] RPC 41 (UK).

[21] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[22] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[23] 2003 UKHL 53.

[24] [1979] Ch 344.

[25] [1997] AC 558.

[26] [1991] FSR 62

[27] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641 .

[28] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014 .

[29] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212 .

[30] Phoolan Devi v. Shekhar Kapoor and others, http://indiankanoon.org/doc/793946/.

[31] http://lobis.nic.in/dhc/GM/judgement/25-01-2010/GM12102007S21722006.pdf

[32] http://lobis.nic.in/dhc/SRB/judgement/25-04-2009/SRB13042009S11022006.pdf

[33] http://indiankanoon.org/doc/603848/ .

[34] http://indiankanoon.org/doc/1709727/ .

[35] http://delhicourts.nic.in/may06/DILJEET%20TITUS%20VS.%20ALFED%20A.%20ADEBARE.htm .

[36] http://indiankanoon.org/doc/582634/ .

For more details visit https://cis-india.org/internet-governance/blog/relationship-between-privacy-and-confidentiality