We are anonymous, we are legion

Privacy Matters, Guwahati — Event Report

praskrishna — 2011-08-26T10:31:08Z

On June 23, a public seminar on “Privacy Matters” was held at the Don Bosco Institute in Karhulli, Guwahati. It was organised by IDRC, Society in Action Group, IDEA Chirang, an NGO initiative working with grassroots initiatives in Assam, Privacy India and CIS and was attended by RTI activists and grass roots NGO representatives from across the North Eastern region: Manipur, Arunachal Pradesh, Tripura, Nagaland, Assam and Sikkim. The event focused on the challenges and concerns of privacy in India.

Unfortunately many of the scheduled invitees had to drop out owing to developments on the Lokpal issue at the Centre, and simultaneously Guwahati was witnessing unrest following an agitation over land rights that left three persons dead.

Welcoming the participants, Prashant Iyengar, lead researcher for Privacy India, gave an introduction to the objectives of Privacy India, and briefed the gathering about the thematic “Privacy Matters” consultations previously held across the country in Kolkata, Bangalore and Ahmedabad. Mr. Iyengar also gave a background to issues that India is facing in concern with privacy, explaining the many contexts that privacy can be found in, and raising questions such as: Why is privacy important? How can it be maintained with the way technology is encroaching upon our lives? And how can we make privacy laws functional?

"Privacy objectives are to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. One of Privacy India’s goals is to build consensus towards the promulgation of a comprehensive privacy legislation in India through consultation with the public, legislators and the legal and academic community."

Prashant Iyengar, Privacy India.

Event Sessions

The structure of the event was one of open discussion, with presentations made by those who wanted to share. Throughout the day, the conversation fell into three main topics including: privacy and the RTI, privacy and the UID, and privacy and surveillance in the context of North East India.

Privacy and the RTI

Prashant Iyengar opened the discussion on privacy and the RTI by highlighting the tension between the need for transparency of the State, and the need to protect the privacy of public figures. For many participants privacy and transparency was a new concept that they had just started thinking about. Participant Rakesh (HRLN, Manipur) spoke on the shortcomings that he saw in the RTI Act noting that though the RTI brings some transparency to society, many citizens still do not understand the extent of their Right to Information as it is protected under the Act. Furthermore, the RTI Act is still not applied equally across the country, and the transparency that the RTI tries to achieve is still in very nascent stages. Lowang, a participant from Aru nachal Pradesh, shared the importance of drawing a line between privacy and transparency when it comes to information related to education and health. Anjuman Azra Begum, a research scholar working on indigenous people rights, noted the irony of the RTI as it is meant to bring transparency to the state, yet all ministers and MLA’s take an oath of secrecy, not transparency. Anjuman also spoke on the fact that the RTI often fails to protect the privacy of sensitive issues, such as sexual balance. She echoed Rakesh’s comment on the inaccessibility of the RTI, sharing that for a common person to exercise his/her rights is a very daunting task. Anthony Debbarmun, a human rights activist from Tripura noted that he felt that the North Eastern states are by and large seen as resource (land) by the centre and has shown no concern for citizens and their well-being. Government is seen as a dictator in this region, hence the question — Transparency for whom?, Privacy for Whom? The distinction between the transparency brought about by the RTI and individual privacy was also made. It was pointed out that the RTI is concerned with transparency of the State, but individual privacy is separate from this concept.

Personal Experiences Shared

Anjuman Azra Begum shared her sister’s experience with the RTI. Her sister had applied for a job in 2008. Their family filed an RTI for details of the procedure, but was denied details by the RTI officer, who said that furnishing details would violate the privacy of other candidates. This example raises questions about when it is appropriate for RTI officers to withhold information in the name of privacy, and what mechanisms can be put in place to ensure that the RTI does not use privacy as a way to deny information. Lowang also shared his experience with the RTI. He had filed an RTI asking for answer sheets because he doubted the appointment of police personnel. He was told that the cost in total would be Rs.2000, when in reality each sheet costs Rs.2 — the misconstruing of facts was another example of how RTI officials restrict access information indirectly. From these examples the concern about RTI officials using privacy as an excuse to deny information was brought to the surface. To highlight the problems with the current implementation of the RTI and the lack of basic knowledge of how to use the RTI Mhao Lotha from the DICE Foundation shared a personal experience of his friend who had filed an RTI against the fishery department, and the RTI official simply shouted at her. L. Rima told a similar story as Mhao Lotha. In her experience the RTI is good in theory, but in practice it has become a commercial platform, where officers pay money to applicants for RTI cases to be taken off.

From the discussion and the shared experiences it was clear that the RTI, although a strong law on paper, still faces many challenges in implementation that a privacy law could also face, and that the fact that if more privacy is brought into the RTI, it will become yet another way for the State to avoid disclosing information.

Questions to Consider

Can a privacy law be made to be functional in the same way that the RTI is functional?
In terms of the RTI who should have more privacy? Who should be more transparent? Can NGOs be held accountable under the RTI?
What mechanism should be established to enforce the balance between privacy and transparency?

Privacy and Security/Law Enforcement in the North East of India

Another important discussion held during the conference was the practices of law enforcement in the North East, security, and privacy. Because the North East is in a state of armed conflict several laws such as the Armed Forces Special Powers Act, Sedition Act and provisions in the IPC give immunity to security forces. This has led to gross violation of citizens’ privacy by law enforcement agencies — as the acts give large amounts

of power to law enforcement agencies with little or no accountability, and the acts are often misused. Furthermore, the security laws that exist in the North East explicitly prohibit access to individual personal information. For example, in the Assam Police Manual, which is followed by police in the North East — no papers can be given out to the public except to the investigation officer — this includes personal information such as medical records and post-mortem reports. Anjuman shared an example of how this rule violates individual privacy. In her example, a victim was not allowed access her own medical report, but her medical records were being circulated among police, doctors, and media. This example highlights how privacy and the right to information can go hand in hand as it was the victim’s right to access her own medical file, and at the same time getting access to her own medical file is an act of personal privacy protection.

Personal Experiences Shared

Participants shared how individual privacy is often violated by the army, as it is allowed to enter and search any space without warrant, if there is any type of “suspicion”. They also shared how phone tapping and random monitoring is a common practice by both the army and civil police. For example, one day the police recorded a conversation by Director of the Police, Wireless who was giving a lecture on how to lead an effective agitation. The transcript was handed to the high court and the director punished. Other examples include policemen frisking women in public, newspapers publishing police frisking women in public, and law enforcement agencies compelling pregnant women to give birth in open in front of people. The discussion surrounding privacy and security/law enforcement highlighted an important way in which privacy is violated in the North East. The unregulated action of law enforcement acts as a very real and dangerous way in which individual privacy is violated on a daily basis.

Questions to Consider

Can privacy legislation regulate the acts of law enforcement agencies?
Will privacy legislation be implemented differently in the North East because of the armed conflict?
Will a privacy law supersede other laws such as the AFSPA?

Privacy and the UID

During the conference the discussion also briefly focused on the UID and privacy. It was shared that there had yet to be UID consultations in the North East of India. The only information individuals had about the UID was that it was going to allow individuals to access BPL benefits more easily.

Questions around the UID included: why is the UID needed for citizens living within their own country? How will the UID impact and help families who send their children to gather rations from the ration shops? What is the connection between the UID and the expected privacy law? What is the connection between the UID and intelligence agencies? What would UID mean to people living in border areas?

Conclusion

Privacy as a Fundamental Right

In the closing discussion Prashant Iyengar shared different examples of privacy in Indian case law, and the various ways in which the Supreme Court has defined privacy as a right that is implicit in the right to life. The participants discussed what privacy means to them, and what they thought a right to privacy should entail. Among the points raised, it was brought up that privacy should be a right that is legally protected for sovereign individuals. The law should also include parameters and limitations in order to protect an individual’s autonomy. Furthermore, privacy should be understood and linked to the concept of human rights and individual rights. From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:

Property rights and privacy
Privacy rights of minorities
Privacy and the UID
Privacy and law enforcement agencies
Privacy as a fundamental right
The interplay of privacy law and traditional law

Download the Event Report here [PDF, 178 kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-guwahati-report

Privacy Matters — Medical Privacy

natasha — 2012-07-10T13:41:26Z

On June 30, 2012, Privacy India in partnership with the Indian Network for People living with HIV/AIDS, Centre for Internet & Society, IDRC, Society in Action Group, with support from London-based Privacy International, held a public discussion on "Medical Privacy" at the Yashwantrao Chavan Academy of Development Administration.

The conversation brought together a cross section of citizens, lawyers, activists, researchers, academia and students.

	Prashant Iyengar, Assistant Professor, Jindal Law University, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the series of ten consultations previously organized across India: Identity & Privacy, Kolkata, January 23, 2011 Internet & Privacy, Bangalore, February 5, 2011 National Security & Privacy, Ahmedabad, March 26, 2011 Transparency & Privacy, Guwahati, June 23, 2011 Telecommunication & Privacy, Chennai, August 6, 2011 Analyzing the Right to Privacy Bill, Mumbai, January 21, 2012 The High Level Privacy Conclave, New Delhi, February 3, 2012 The All India Privacy Symposium, New Delhi, February 4, 2012 Freedom of Expression & Privacy, Goa, June 2, 2012 Securing e-Governance, Ahmedabad, June 16, 2012

Prashant Iyengar, Assistant Professor, Jindal Law University, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the series of ten consultations previously organized across India:

Identity & Privacy, Kolkata, January 23, 2011
Internet & Privacy, Bangalore, February 5, 2011
National Security & Privacy, Ahmedabad, March 26, 2011
Transparency & Privacy, Guwahati, June 23, 2011
Telecommunication & Privacy, Chennai, August 6, 2011
Analyzing the Right to Privacy Bill, Mumbai, January 21, 2012
The High Level Privacy Conclave, New Delhi, February 3, 2012
The All India Privacy Symposium, New Delhi, February 4, 2012
Freedom of Expression & Privacy, Goa, June 2, 2012
Securing e-Governance, Ahmedabad, June 16, 2012

Elonnai Hickok, a member of Privacy India, introduced the draft book Privacy in India: A Policy Guide that Privacy India has been compiling. Focusing on the draft chapter, Medical Privacy, she provided examples of legislation and policy containing safeguards to privacy such as Medical Council of India's Code of Ethics Regulations 2002, and pointed out legislation with missing safeguards such as in the Mental Health Act of 1987. Additionally, she gave many examples of projects being implemented in India that impact health privacy including Save the Baby Girl Project, the Mother and Child Tracking System, the UID, and a cloud based system known as Health Hiway.

Elonnai Hickok, a member of Privacy India, introduced the draft book Privacy in India: A Policy Guide that Privacy India has been compiling. Focusing on the draft chapter, Medical Privacy, she provided examples of legislation and policy containing safeguards to privacy such as Medical Council of India's Code of Ethics Regulations 2002, and pointed out legislation with missing safeguards such as in the Mental Health Act of 1987. Additionally, she gave many examples of projects being implemented in India that impact health privacy including Save the Baby Girl Project, the Mother and Child Tracking System, the UID, and a cloud based system known as Health Hiway.

Medical Privacy in India

	Dr. Dharmesh Lal, MBBS, DHA, MD, DNB, DVLDP, Officiating Dean, IIHMR, Delhi, discussed the correlation between medical privacy and confidentiality. Medical Privacy involves the confidentiality of patient-provider encounters, along with the secrecy and security of information memorialized in physical, electronic and graphic records created as a consequence of patient-provider encounters. Confidentiality involves restricting information to persons belonging to a set of specifically authorized recipients.

Dr. Dharmesh Lal, MBBS, DHA, MD, DNB, DVLDP, Officiating Dean, IIHMR, Delhi, discussed the correlation between medical privacy and confidentiality. Medical Privacy involves the confidentiality of patient-provider encounters, along with the secrecy and security of information memorialized in physical, electronic and graphic records created as a consequence of patient-provider encounters. Confidentiality involves restricting information to persons belonging to a set of specifically authorized recipients.

He went on to explain that limited financial resources in public hospitals often preclude the separate examination of one patient at a time. “In Government hospitals, large numbers of patients congregate in the doctors office,” he says. Privacy is also related to a patient's financial status and decreases as one goes down the socio-economic ladder.

Additionally, he described the privacy concerns that arise due to infrastructural constraints. India's healthcare infrastructure has not kept up with the development of government health initiatives. For examples, the Janani Suraksha Yojana (JSY) initiative was launched in 2005, under the National Rural Health Mission (NRHM). JSY was implemented with the objective of reducing maternal and neo-natal mortality by promoting institutional delivery among the Poor Pregnant Woman. Financial incentives were provided to mothers. There was a phenomenal increase of institutional delivery. However, there was no proportional increase in infrastructure.

He called for a change in medical education, administration and management, stating, “Privacy protection has to be established as a core value that connects organizational culture. Alarmingly, medical curriculum in India does not have formal component on medical privacy, significant curriculum reforms in undergraduate medical teaching is necessary.

Medical Privacy- Legal Aspects

Mr. Pandit, Advocate, Pandit law Office, discussed the Hippocratic oath, which includes the duty of the caregiver to ‘keep secret’ and ‘never reveal’ ‘all that may come to my knowledge’. In other words, right to medical privacy has to be balanced with right to healthy life of another whose right will be affected unless such information is disclosed to her/him. He described the code of conduct prescribed by Indian Medical Council to its members, as a guideline to be followed is intended to preserve protect and uphold dignity of profession. Physicians should merit the confidence of patients entrusted to their care, rendering to each a full measure of service & devotion.

Mr. Pandit, Advocate, Pandit law Office, discussed the Hippocratic oath, which includes the duty of the caregiver to ‘keep secret’ and ‘never reveal’ ‘all that may come to my knowledge’. In other words, right to medical privacy has to be balanced with right to healthy life of another whose right will be affected unless such information is disclosed to her/him.

He described the code of conduct prescribed by Indian Medical Council to its members, as a guideline to be followed is intended to preserve protect and uphold dignity of profession. Physicians should merit the confidence of patients entrusted to their care, rendering to each a full measure of service & devotion.

Referring to the Dr.Tokugha Yepthomi Vs Appollo Hospital Enterprises Ltd & Anr. III case, he described the Supreme Court’s verdict on the ‘Right to Life’.

The “Right to life” would positively include the right to be told that a person, with whom she was proposed to be married, was a victim of deadly disease, which was sexually communicable, since right of life includes right to lead a healthy life. Moreover where there is a clash of two fundamental rights, The RIGHT which would advance the public morality or public interest, would alone be enforced through the process of Court.

He concluded by asserting that there is considerable force in the argument that there is a need for a comprehensive legislation to protect the interest of poor patients and ordinary citizens who cannot afford to initiate a protracted legal battle to protect their medical privacy.

Supreme Court views on Medical Negligence

	Professor K. Elumalai, Director, School of law, IGNOU, provided numerous Supreme Court verdicts on medical negligence cases. He summarized the cases and discussed their salient features. He discussed the manner in which a Medical professional can be prosecuted for medical negligence under criminal law. It must be shown that the accused did something or failed to do something which in the given facts and circumstances, no medical professional in his ordinary senses and prudence would have done or failed to do.

Professor K. Elumalai, Director, School of law, IGNOU, provided numerous Supreme Court verdicts on medical negligence cases. He summarized the cases and discussed their salient features. He discussed the manner in which a Medical professional can be prosecuted for medical negligence under criminal law. It must be shown that the accused did something or failed to do something which in the given facts and circumstances, no medical professional in his ordinary senses and prudence would have done or failed to do.

Confidentiality and privacy in medical Settigs vis-a-vis PLHIV

Ms. Nitu Sanadhya, Senior Legal Officer, Lawyers Collective, HIV/ AIDS Unit, stressed the importance of a rights-based approach and integrationist legal response to the HIV epidemic. When legislations or policies discriminate or isolate persons living with HIV, for example, through mandatory testing and breach of confidentiality, it drives the epidemic underground.

In India, there is no comprehensive law on HIV. In 2007, the National Aids Control Organization (NACO) released the Operational Guidelines for Integrated Counseling and Testing Centres. She described the salient features of the guideline especially focusing on the privacy provisions. She described the various situations that permit a health practitioner to disclose the HIV status of a patient to a partner and/ or third party. Discriminatory practices that arise out of a breach or confidentiality or privacy violation include stigmatization, denial of access to treatment, loss of employment, etc.

In India, there is no comprehensive law on HIV. In 2007, the National Aids Control Organization (NACO) released the Operational Guidelines for Integrated Counseling and Testing Centres. She described the salient features of the guideline especially focusing on the privacy provisions. She described the various situations that permit a health practitioner to disclose the HIV status of a patient to a partner and/ or third party.

Discriminatory practices that arise out of a breach or confidentiality or privacy violation include stigmatization, denial of access to treatment, loss of employment, etc.

Under the RTI Act, A person’s HIV status is confidential and is protected in law and can only be disclosed to a third person in limited circumstances. The RTI Act specifically exempts the disclosure of personal information which is not of public interest; information which would cause an unwarranted invasion of privacy; and information which has been received in a fiduciary capacity. Therefore, The RTI Act 2005 cannot be used to obtain a person’s HIV report.

Privacy in Practice

	Dr. Anand Philip, Personal Physician at NationWide Primary Healthcare Service Pvt. Ltd., drew from his personal experiences. During his presentation he emphasized how privacy is important, but it is clear that privacy does not happen the way it is theorized by. In fact there are many dichotomies in what we believe privacy is and how it is used. He pointed out that we often take for granted why privacy matters and where it comes from. He discussed how without patient autonomy and patient dignity, privacy cannot

Dr. Anand Philip, Personal Physician at NationWide Primary Healthcare Service Pvt. Ltd., drew from his personal experiences. During his presentation he emphasized how privacy is important, but it is clear that privacy does not happen the way it is theorized by. In fact there are many dichotomies in what we believe privacy is and how it is used. He pointed out that we often take for granted why privacy matters and where it comes from. He discussed how without patient autonomy and patient dignity, privacy cannot

be upheld. Yet, one sees a constant breach of people’s dignities in the medical system. Some people rationalize this violation of dignity by explaining that in India, doctors are used to people who have nothing and thus, dignity is not important. Yet, he argued, dignity is something that is inherent. The lack of dignity practiced in India's medical system shows a problem with how we are trained. Giving an example of how dignity is breached in India, Dr. Philip referred to two people being treated on the same table. He pointed out that the physical aspects of privacy are non-existent. For example, the WHO recommends five feet between beds, but typically two or three feet exist between hospital beds. Furthermore, there are often no curtains in hospitals. He then moved from physical privacy to information physical. In a hospital information flows in all directions, it is not a controlled environment and the patient does not choose who sees his/her information – the hospital decided. Dr. Philip then talked about training. The health care system encompasses a larger team of people from doctors to sweepers. Training is only given to clinical staff. Thus other aspects such as the Indian culture, infrastructure, and training all impact how privacy is carried out in the medical field. In conclusion Dr. Philip re-stated that privacy is a byproduct of autonomy and dignity. He noted that offering a patient dignity was a critical step that must be taken by service providers. Closing his presentation, he challenged the audience with the following questions: Considering how autonomy is not important, how do we reach people with the idea? Since physical privacy is key to other forms of privacy, how do we take it more seriously? What can we do about the medical team's approach to privacy?

Best Practices of Medical Privacy in Various Health Settings

	Sriram Lakshmanan, Head Information Security, UnitedHealth Group Information Systems, spoke about the US health-care market touching on medicare, medicaid, employer-sponsored insurance, and individual insurance plans. He also commented on the EU regime pointing out that most of the laws in the EU have a long list of identifiers indicating when your information counts as being compromised. Canada PIPEDA, is very strict and protects health privacy. In his opinion, the IT Act caters to many aspects of privacy. He also touched upon the eight OECD Privacy Principles and

Sriram Lakshmanan, Head Information Security, UnitedHealth Group Information Systems, spoke about the US health-care market touching on medicare, medicaid, employer-sponsored insurance, and individual insurance plans. He also commented on the EU regime pointing out that most of the laws in the EU have a long list of identifiers indicating when your information counts as being compromised. Canada PIPEDA, is very strict and protects health privacy. In his opinion, the IT Act caters to many aspects of privacy. He also touched upon the eight OECD Privacy Principles and

how they can be adopted for the Indian scenario. A few of the principles included collection limitation principle, data quality principle, purpose specification principle, use limitation principle. For example, if health information for treating malaria is collected, than that information should only be used for that purpose. Closing his presentation, he noted that most of the technologies that we use today for health run on IT, and thus can be used to compromise individual or hospital wide information.

Epidemics and Privacy

Dr. Rajib Dasgupta, Assistant Professor, Center of Social Medicine and Community Heath at Jawaharlal Nehru University, examined conflicts of issues of privacy, confidentiality and the role of the state in the context of epidemics and the provisions within the Epidemic Diseases Act. Epidemics are population-level events in contrast to illnesses that only involve individuals; therein lies the uniqueness of the intersection between medical privacy and public health ethics. The state has unique responsibilities to detect, diagnose, manage and control epidemics. This has local/regional and international ramifications. Also linked to these are limits to the powers, rights of individuals and the extent to which such rights may need to be suspended.

Dr. Rajib Dasgupta, Assistant Professor, Center of Social Medicine and Community Heath at Jawaharlal Nehru University, examined conflicts of issues of privacy, confidentiality and the role of the state in the context of epidemics and the provisions within the Epidemic Diseases Act. Epidemics are population-level events in contrast to illnesses that only involve individuals; therein lies the uniqueness of the intersection between medical privacy and public health ethics. The state has unique responsibilities to detect, diagnose, manage and control epidemics. This has local/regional and international ramifications. Also linked to these are limits to the powers, rights of individuals and the extent to which such rights may need to be suspended.

The exercise of actions within the Act is not necessarily bereft of infringement of privacy and overt discrimination. Certain diseases, as indeed limitations imposed by the state, have elements of stigma that further confound the fuzziness of this debate.

When an epidemic occurs, the need for privacy in the mind of the individual goes down, as they are concerned solely with receiving treatment. He also pointed out that there are contradictory elements during epidemics. For instance an area might not want to be named as having an outbreak of a disease, but at the same time individuals will line up outside hospitals for treatment, exposing the fact that they have the disease. He also spoke about how steps taken to address epidemics can invade privacy. For example, during the SARS outbreak, it was the practice to put the patient in an infectious disease hospital. This was invasive to personal privacy as it created stigma and discrimination. Closing his presentation he explained how the conventional notions of privacy do not necessary hold in the case of epidemics because it is an emergency outbreak. Thus, protocol is established on a case-to-case basis. Despite this he believes that it is possible and valuable to protect privacy in cases of epidemics.

HIV/ AIDS and Privacy

	KK Abraham, President of Indian Network for People Living with HIV/AIDS, described how privacy could be understood as a luxury, in some cases it can be understood as a right, and in other cases it is understood of responsibility. Regarding HIV patients, Mr. Abraham emphasized the need for privacy to be understood as a right. Mr. Abraham also pointed out that as trends are changing in India, and more services are becoming available, that this is the right time to talk about privacy. Closing his presentation Mr. Abraham called for a greater understanding of patients' privacy needs and the negative effect of stigma.

KK Abraham, President of Indian Network for People Living with HIV/AIDS, described how privacy could be understood as a luxury, in some cases it can be understood as a right, and in other cases it is understood of responsibility. Regarding HIV patients, Mr. Abraham emphasized the need for privacy to be understood as a right. Mr. Abraham also pointed out that as trends are changing in India, and more services are becoming available, that this is the right time to talk about privacy. Closing his presentation Mr. Abraham called for a greater understanding of patients' privacy needs and the negative effect of stigma.

HIPPA with reference to Applicability to Patient Privacy and Clinical Data Confidentiality in India

Dr. Lavanian Dorairaj, MD, CEO at HCIT Consultants, described how IT is a powerful tool for health care, despite the fact that health care has been hesitant to use IT. He explained that IT can help reduce errors in health care; it can help increase accessibility of patient data, improve diagnosis, treatment, and prognosis. Healthcare IT has great advantages but needs to be handled with great responsibility. He also pointed out that IT can lead to privacy violations if inappropriate access to patient records takes place. He argued that though India has recognized the need for privacy, it still needs to find a way to implement privacy protections and police the implementation of the guidelines. Drawing on examples from HIPPA, he argued that India would benefit from establishing privacy standards and security standards for health information. He explained further that HIPPA is a flexible rule, which obligates relevant entities to comply. The Rule is designed to be flexible. Entities regulated by the rules are obligated to comply.

Dr. Lavanian Dorairaj, MD, CEO at HCIT Consultants, described how IT is a powerful tool for health care, despite the fact that health care has been hesitant to use IT. He explained that IT can help reduce errors in health care; it can help increase accessibility of patient data, improve diagnosis, treatment, and prognosis. Healthcare IT has great advantages but needs to be handled with great responsibility. He also pointed out that IT can lead to privacy violations if inappropriate access to patient records takes place. He argued that though India has recognized the need for privacy, it still needs to find a way to implement privacy protections and police the implementation of the guidelines. Drawing on examples from HIPPA, he argued that India would benefit from establishing privacy standards and security standards for health information. He explained further that HIPPA is a flexible rule, which obligates relevant entities to comply. The Rule is designed to be flexible. Entities regulated by the rules are obligated to comply.

Presentations

Click to download the presentation files. [Zip files, 2184 Kb]

For more details visit https://cis-india.org/internet-governance/blog/medical-privacy-conference-report

Privacy Matters — Consumer Privacy

praskrishna — 2012-07-31T10:55:30Z

Privacy India, in partnership with the Centre for Internet & Society, International Development Research Centre, Society in Action Group and Privacy International, invites you to a public conference focused on discussing the challenges and concerns to consumer privacy in India. The event will be held at the Indian International Centre, New Delhi on Saturday, July 7, 2012, from 9 a.m. to 5 p.m.

According to the Consumer Protection Act, 1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors.

Consumer privacy is concerned with accuracy of how a consumers information is collected and used. Because a consumers relationship with another entity is based on an exchange along consented terms, a breach in consumer privacy can be constituted as an action that was not agreed to. In the age of data collection – a breach in privacy occurs when information is used in different ways than was intended. Consumer privacy in India is determined at the sectoral level, and differs depending on the services that is provided for.

As corporations sell data banks, ISP's expose consumer habits, or ones personal information falls in the wrong hands – the consequences are far reaching, and can result in spamming, unwanted marketing, theft, or the violation can impact an individual's ability to buy a home, potential employment opportunities, or gain access to credit.

In India, the right to privacy has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. - people who most need to know that sensitive information is protected.

Since June 2010, Privacy India in collaboration with Privacy International, based in London, has been conducting workshops and engaging in public awareness. Participants include policy makers, researchers, sectoral experts, NGOs, and the public to discuss and deliberate different questions of privacy, its intersections and its implications with our everyday life. The discussions have ranged from topics of online privacy to minority rights and privacy and e-Governance initiatives privacy. The workshops have been organized in different cities - Bangalore, Guwahati, Mumbai, Delhi, Kolkata, Ahmedabad, Chennai, Goa, etc.

Click here for the agenda

Please confirm your participation with natasha@cis-india.org

Download the invite here [PDF, 160 Kb]

Download our research here [PDF, 178 Kb]

For more details visit https://cis-india.org/internet-governance/consumer-privacy-delhi

Privacy Matters — Analyzing the Right to "Privacy Bill"

natasha — 2012-02-15T04:27:28Z

On January 21, 2012 a public conference “Privacy Matters” was held at the Indian Institute of Technology in Mumbai. It was the sixth conference organised in the series of regional consultations held as “Privacy Matters”. The present conference analyzed the Draft Privacy Bill and the participants discussed the challenges and concerns of privacy in India.

The conference was organized by Privacy India in partnership with the Centre for Internet & Society, International Development Research Centre, Indian Institute of Technology, Bombay, the Godrej Culture Lab and Tata Institute of Social Sciences. Participants included a wide range of stakeholders that included the civil society, NGO representatives, consumer activists, students, educators, local press, and advocates.

Comments to the Right to Privacy Bill

Welcome

Prashant Iyengar was the Lead Researcher with Privacy India, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the five “Privacy Matters” series previously organised across India in Kolkata on January 23, 2011, in Bangalore on February 5, 2011, in Ahmedabad on March 26, 2011, in Guwahati on June 23, 2011 and in Chennai on August 6, 2011.

Keynote Address

Na. Vijayashankar (popularly known as Naavi), a Bangalore based e-business consultant, delivered the key note address on the quest of a good privacy law in India.

He described the essential features of good privacy legislation. In analyzing the Draft Privacy Bill’s definition of the right to privacy, he suggested it should be defined through the “right to personal liberty” rather than through what constitutes “infringements”. Mr. Vijayashankar went on to explain that the “privacy right” should be taken beyond “information protection” and defined as a “personal privacy or a sense of personal liberty without constraints by the society”. He explained the various classifications and levels of protection associated with the availability and disclosure of data. He expressed concerns regarding monitoring of data processors and suggested that data controllers have contractual agreements between data processors, so as to ensure an obligation of data security practices. He also called for the simplification and division of offences and suggested numerous reasons as to why the Cyber Appellate Tribunal would not be an ideal monitoring mechanism or authority. See Naavi's presenation here

Session I: Privacy and the Legal System

Dr. Sudhir Krishnaswamy, Assistant Professor at the National Law School of India

Dr. Krishnaswamy started off the presentation by questioning the normative assumptions the Draft Privacy Bill makes. He referred to the controversy of Newt Gingrich's second marriage, to question the range of moral interests that were involved. The Bill falls short in accounting for dignity in relation to privacy.

He described the Draft Privacy Bill as a reasonable advance, given where privacy laws were before. Although, he feels that it does fall short, in terms of a narrow position, on what privacy law should do. He also questioned if it satisfies constitutional standards. He stressed the importance of philosophical work around the Draft Privacy Bill considering that the nature of privacy is not neat and over-arching.

Privacy and the Constitutional Law

N S Nappinai, Advocate, High Court, Mumbai,

Nappinai spoke on the constitutional right to privacy. She explained the substantial development of Article 21 of the Constitution of India to include the ‘right to privacy’ with regards to its interpretation and application. She described the different shift of the application of the right to privacy in the West in comparison to India. The West has moved from the right to privacy pertaining to property to the right to privacy concerning personal rights, whereas India moved from personal rights to property rights. She outlined three aspects of privacy: dignity, liberty and property rights.

Ms. Nappinai dissected the Bill in its major components: interception, surveillance, method and manner of personal data, health information, collection, processing and use of personal data. Using these components, she questioned what precedence exists? What should be further protected or reversed? What lessons should legislators draw from?

Shortcomings of the Draft Right to Privacy Bill falls include:

The objects and reasons section in the Draft Privacy Bill declares the right to privacy to every citizen as well as delineates the collection and dissemination of data. Nappinai dismisses the need for this delineation on the grounds that data protection is an inherent part of the right to privacy, it is not exclusive.
Large focus on transmission of data. The provisions do not account for property rights pertaining to the right to privacy. Therefore, the ‘knock-and-enter’ rule, the ‘right to be left alone’ and the ‘right to happiness’ should be included.
Applicability of the Bill should extend to all persons as well as data residing within the territory. It would be self-defeating if it only includes citizens, considering that the Constitution extends to all persons within the territory.
The right to dignity is unaccounted for.

See Nappinai's presentation here

Session II: Privacy and Freedom of Expression

Apar Gupta, Advocate, Delhi

Apar Gupta is an advocate based in Delhi who specializes in IP and electronic commerce law, spoke predominantly on the interplay between privacy and freedom of expression. He used the example of an advocate tweeting about his criticism of a judges’ ruling, to illustrate how different realms of online anonymity enable freedom of speech. He went beyond the traditional realm of journalistic architecture such as television channels or newspapers and explained online community disclosure.

Mr. Gupta provided a practical example of Indian Kanoon, a popular online database of Indian court decisions. Because Indian Kanoon is linked to the Google search engine, many individuals involved in civil and criminal matters have requested Indian Kanoon to remove the court judgments, under privacy claims. This particularly occurs with individuals involved in matrimonial cases. However, as court judgment constitute public records India Kanoon only removes court judgments when requested by a court order.

He described the several ways legislators can define privacy and freedom of expression. Considering that the privacy of an individual may border upon freedom of speech and expression, he questioned whether or not privacy should override the right to freedom of speech and expression. In addition, Mr. Gupta discussed the debate on whether or not the Privacy Bill should override all existing provisions in other laws.

Additionally, he analyzed the provisions of the Draft Privacy Bill using three judgments. In these judgments, different entities sought of various forms of speech to be blocked under privacy claims. He spoke about the dangers of a statutory right for privacy that does not safeguard freedom of speech and expression. Considering that the privacy statute may allow for a form of civil action permitting private parties to approach courts to stop certain publications, he stressed the importance for legislators to ensure balanced privacy legislation inclusive of freedom of speech and expression.

Sexual Minorities and Privacy

Danish Sheikh, researcher at Alternative Law Forum

Danish examined the status of sexual minorities in the light of privacy framework in India. The tag of decriminalization has served to greatly alter the way institutions approach the question of privacy when it comes to sexual minorities. He used the Naz Foundation judgment as a chronological marker to map the developments in the right to privacy and sexual minorities over the years.

He outlined four key effects on the right to privacy due to the Naz Foundation judgment:

Prepared the understanding of privacy as a positive right and placed obligations on the state,
Discussed privacy as dealing with persons and not just places, it took into account decisional privacy as well as zonal privacy,
Connected privacy with dignity and the valuable worth of individuals, and
Included privacy on one’s autonomous identity.

He described various incidents that took place before the Naz Foundation judgment, pre-Naz, that altered the way we conceived of queer rights in general and privacy in particular, including the Lucknow incidents, transgender toilets, passport forms, the medical establishment and lesbian unions. Post-Naz, he described two incidents including the Allahabad Muslim University sting operation as well as the TV9 “Expose” that captured public imagination.

He concluded by asking: “What do these stories tell us about privacy?” The issues faced by the transgender community tell us that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers. The issues faced by the Lucknow NGOs display the institutionalized disrespect for privacy and that has marginally more devastating consequences for the homosexual community by the spectre of outing. The issues faced by lesbian women evidence yet another need for breaching the public/private divide, demonstrating how the protection of the law might be welcome in the family sphere. Alternate sexual orientation and gender identity might bring the community under a common rubric, but distilling the components of that rubric is essential for engaging in any kind of useful understanding of the community and the kind of privacy violations it suffers – or engage with situations when the lack of privacy is empowering.

Session III: Privacy and National Security

Menaka Guruswamy, Advocate, Supreme Court of India

Menaka explored national security and its relationship to privacy. In her presentation, she compared the similar manner in which the courts approach national security and privacy issues. The courts feel national security and privacy issues are too complex to define, therefore, they take a case-by-case approach.

Ms. Guruswamy described three incidents that urged her to question national security and privacy. First, she was interested in the lack of regulation surrounding intelligence agencies and was involved in the introduction of the Regulations of Intelligence Agencies Bill as a private members bill. Second, national security litigation between the Salwa Judum judgment and the State of Chhattisgarh is an example of how national security triumphs constitutional rights and values. Third, privacy in the context of the impending litigation of Naz Foundation in the Supreme Court. She described the larger conversation of national security focus on values of equality and privacy. She discussed the following questions that serve in advancing certain conception of rights:

How do we posit privacy which necessarily, philosophically as well as judicially, is carved out as the right of an individual to be left alone?
What are the consequences when national security, which is posited as the rights of the nation, is in conflict with the right of the individual to be left alone?
Considering that constitutional rights are posited as a public facet of citizenship how does a right to privacy play in that context?

Privacy and UID

R. Ramakumar, professor at the Tata Institute of Social Sciences

Prof. Ramakumar spoke on UID, its collection of information and the threat to individual privacy. First, he provided a historical trajectory of national security that has led to increased identity card schemes. He described the concrete connection between UID and national security.

He briefed the gathering on the objectives of the UID project. He described several false claims as proposed by the UIDAI. He explicitly disproved the UIDAI claim that Aadhaar is voluntary. He did this by comparing various legislations associated with the National Population Registrar that had provisions mandating the inclusion of the UID number.

He went on to explain that the misplaced emphasis of technology to handle large populations remains unproven. He described two specific violations of privacy inherent in the UID system: convergence of information and consent. The UID database makes it possible for the linking or convergence of information across silos. In addition, consent is unaccounted for in the UID system. The UID enrollment form requires consent from a person to share their information. However, the software of the enrollment form automatically checks ‘yes’, therefore you are not asked. Even if you disagree, it automatically checks ‘yes’. Default consent raises the important question, “to what extent are we the owners of our information?” and “what are the privacy implications?”

Mr. Ramakumar was once asked, by Yashwant Sinha in a Parliamentary Standing Committee meeting, “Is the Western concept of privacy important in developing country like India?”. Using this question posed to him, he stressed the importance of privacy to be understood as a globally valued right, entitlement and freedom. He also referred to Amartya Sen’s work on individual freedoms.

Conclusion

During the daylong consultation numerous questions and themes relating to privacy were discussed:

How is the right to privacy defined?
How can the Draft Privacy Bill redefine the right to privacy?
How can reasonable deterrence mechanisms be included?
Does duplication of the right to privacy exists in different statutes?
Is the Cyber Appellate Tribunal an ideal monitoring mechanism or authority?
What are the circumstances under which authorized persons can exercise the Right of privacy invasion?
How can the Draft Privacy Bill account for the right to dignity?
How much information should the State be allowed to collect?
How can citizens become more informed about the use of their information and the privacy implications involved?
What would be the appropriate balance or trade-off between security and civil liberties?
What are the dangers with permitting the needs of national security to trump competing values?
What are the consequences for the homosexual community, when faced with institutionalized disregard for privacy?

For more details visit https://cis-india.org/internet-governance/privacy-matters-analyzing-the-right-to-privacy-bill

Privacy Matters — Analyzing the "Right to Privacy Bill"

Natasha Vaz — 2012-04-28T04:10:12Z

Privacy India in partnership with International Development Research Centre, Canada, Indian Institute of Technology, Bombay, the Godrej Culture Lab, Tata Institute of Social Sciences, Mumbai and the Centre for Internet and Society, Bangalore is organising "Privacy Matters", a public conference at IIT, Bombay on 21 January 2012.

The conference will focus on the questions and dilemmas posed by privacy in India today, with a concentration on the "Right to Privacy Bill". The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. — people who most need to know that sensitive information is protected.

Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

The event will focus on discussing the challenges and concerns to privacy in India. We invite you to attend the meeting and contribute your views. Please confirm your participation by getting in touch with Natasha (natasha@cis-india.org). We sincerely hope that you will be able to attend and look forward to your participation.

Agenda

09:30- 10:00	Registration
10:00- 10:30	Welcome- Privacy in India Prashant Iyengar is a practicing lawyer and lead researcher for Privacy India. He will present who Privacy India is, and the objectives of Privacy India's research. His presentation will focus on discussing privacy in India.
10:30- 11:15	Key Note Address- Draft Privacy Bill Critique Na. Vijayashankar is an e-business consultant. He established the premier Cyber Law information portal in India. He is the founder secretary of Cyber Society of India, Founder Trustee of International Institue of Information Technology Law, and Founder Chairman of Digital Society Foundation. He will present a critique of the Draft Privacy Bill.
11:15- 11:30	Tea Break
11:30- 12:15	Session I Privacy and the Legal System Sudhir Krishnaswamy is an Assistant Professor at the National law School of India University and is currently writing a Doctoral Thesis at the Faculty of Law, Oxford University on ‘The Basic Structure Doctrine in Indian Constitutional Adjudication’. His presentation will look at the trajectory of privacy through the years from a legal perspective.
12:15- 13:00	Privacy and Constitutional Law N. Nappinai is an advocate who specializes in IP and technology laws. She is a founder member of Technology Law Forum (TLF). She has spearheaded and driven several initiatives of TLF with various organization including NASSCOM, FICCI, IMC etc., and has also conducted several workshops and training sessions for the Mumbai Police, Public Prosecutors & Industry verticals in Cyber Laws. Her presentation will define the scope of Article 21 under the Indian Constitution, which protects the right to privacy.
13:00- 13:15	Discussion
13:15- 14:00	Lunch Break
14:00- 14:45	Session II Privacy and Freedom of Expression Apar Gupta is an advocate who specializes in intellectual property, electronic commerce law and technology media and telecoms. He holds a master from Columbia Law School and has authored a Commentary on the Information Technology Act, 2000. His presentation will focus on the limits of a privacy right when it competes and conflicts with the freedom of speech and expression. He will examine certain provisions of the Draft Privacy Bill questioning how privacy arguments may be used to stifle debate or disclosure made in the public interest.
14:45- 15:30	Sexuality Minorities and Privacy Danish Sheikh graduated from Nalsar University of Law with a B.A., LL.B. (Hons.). Currently, he is a researcher at the Alternative Law Forum in Bangalore. He will examine the status of sexual minorities in the light of privacy framework in India. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, he will bring to light the privacy violations being committed by both individuals as we all state authorities.
15:30- 15:45	Discussion
15:45- 16:30	Session III Privacy and National Security Menaka Guruswamy practices law at the Supreme Court of India. She was a Rhodes Scholar at Oxford University, a Gammon Fellow at Harvard Law School, and a gold medalist from the National Law School of India and has law degrees from all three schools. Menaka has advised the United National Development Program and the United Nations Development Fund for Women. She will discuss the relationship between national security and privacy, from the perspective of surveillance by the state etc.
16:30- 17:15	Privacy and UID R. Ramkumar is a Professor at the Tata Institute of Social Sciences. He is advocate as well as a patent and trademark attorney. His presentation will focus on what standards of privacy are afforded within the UID system.
17:15- 17:30	Tea Break
17:30- 18:00	Discussion and Questions

	Organizers
	Privacy India Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.
	Privacy International (https://www.privacyinternational.org/) Privacy International’s mission is to defend the right to privacy across the world, and to fight surveillance and other intrusions into private life by governments and corporations. PI has been providing citizens and policy-makers with the tools and perspectives to enable them to hold to account those who threaten privacy since 1990. PI has active associates and networks in 46 countries.
	The International Development Research Centre (www.idrc.ca/) Canada’s International Development Research Centre (IDRC) is one of the world’s leading institutions in the generation and application of new knowledge to meet the challenges of international development. They help developing countries use science and technology to find practical, long-term solutions to the social, economic, and environmental problems they face.
	The Centre for Internet & Society (http://cis-india.org/) The Centre for Interenet & Society brings together a team of practitioners, theoreticians, researchers and artists to work on the emerging field of Internet and Society to critically engage with concerns of digital pluralism, public accountability and pedagogic practices, with particular emphasis on South-South dialogues and exchange.
	Partners
	The Godrej India Culture Lab (www.godrej.com) The Godrej India Culture Lab is an interdisciplinary space which aims to build knowledge networks and interpret the changes rapidly taking place in contemporary India by bringing together the best minds from global academia, business and the creative worlds working on different aspects of Indian society.
	IIT, Bombay (www.iitb.ac.in/) Established in 1958, IIT is recognised worldwide as a leader in the field of engineering education and research. It is reputed for the quality of its faculty and the outstanding calibre of students graduating from its undergraduate and postgraduate programmes. Over the years, there has been dynamic progress at IIT Bombay in all academic and research activities, and a parallel improvement in facilities and infrastructure, to keep it on par with the best institutions in the world.
	Tata Institute of Social Sciences (http://www.tiss.edu/) Tata Institute of Social Sciences (TISS) offers higher professional education in the field of human service and applied social science research. The institute has gone beyond the initial concern of social work education, since its inception in 1936, to consistently contribute to the promotion of sustainable, participatory development and social justice. Through its work, the Institute facilitates strong linkages between education, research, field action and policy advocacy.

Speakers

1. Apar Gupta

2. Danish Sheikh, Alternative Law Forum

3. NA Vijayashankar, E-Business Consultant, Founder Secretary of Cyber Society of India, Founder Trustee of International Institute of Information Technology Law, and Founder Chairman of Digital Society Foundation

4. N S Nappinai, Advocate and Founder Member of Technology Law Forum

5. Prashanth Iyengar, Assistant Professor & Assistant Director, Centre for Intellectual Property Rights Studies, Lead Researcher with Privacy India, Bangalore; Legal Aid Manager with Rural Development Institute, Hyderabad; Researcher & Lawyer with Alternative Law Forum

6. R. Ramkumar, Assistant Professor, School of Social Sciences, Tata Institute of Social Sciences

7. Shishir Jha, Project Lead at Creative Commons India and Associate Professor at Indian Institute of Technology, Bombay

8. Menaka Guruswamy, practices law at the Supreme Court of India.

9. Sudhir Krishnaswamy, is an Assistant Professor at the National law School of India University.

Download the invitation [PDF, 988 kb]

Download the event poster [PDF, 2155 kb]
IIT Bombay Map http://www.iitb.ac.in/campus/howto/howtoget.html

VIDEOS

For more details visit https://cis-india.org/internet-governance/right-to-privacy-bill-conference

Privacy Matters - A Public Conference in Ahmedabad

praskrishna — 2011-04-04T07:14:41Z

On behalf of Privacy India, and in partnership with the Research Foundation for Governance in India and Society in Action Group, the Centre for Internet and Society invites you to “Privacy Matters” a public conference focused on discussing the challenges and concerns to privacy in India. The event will be held at the Ahmedabad Management Association. We would be honored if you would attend the meeting and contribute your views.

The conference will focus on the questions and dilemmas posed by privacy in India today, with a concentration on security, national surveillance, prisoners rights and privacy. The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities,prisoners, etc. – people who most need to know that sensitive information is protected. Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India.

One of our goals is to build consensus towards the promulgation of a comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

Please confirm your participation with:

elonnai@privacyindia.org, or
jsree.t@gmail.com

Agenda

Privacy Matters

March 26th 10:30 – 4:30 pm

Ahmedabad Management Association
Core-AMA Management House
Torrent-AMA Management Centre
ATIRA Campus, Dr. Vikram Sarabhai Marg
Ahmedabad 380 015, Gujarat, INDIA
Phone: +91-79-263086

Time	Session
10:00 to 10:30	Registration and Welcome Prashant Iyengar Prashant Iyengar is a practicing lawyer and lead researcher for Privacy India. He will present who Privacy India is, and the objectives of Privacy India's research. Lastly he will outline the present scenario of Privacy in India.
10:30 to 11:15	Keynote Address Usha Ramanathan Dr. Usha Ramanathan is an internationally recognized expert on law and poverty. Her research interests include human rights, displacement, torts and environment. Ms. Ramanathan will speak about the coerced decline of privacy. National security, corruption, pragmatism, and the emergence of technologies that often work to establish that privacy is an irrelevant notion. She will look at links not often made between privacy and personal security, between data bases and national security, and the centrality of dislodging privacy in projects of social control are, perhaps deliberate.
11:15 to 11:30	Tea break
11:30 to 1:00	Opinions on Privacy Justice J N Bhatt, Mr. Ajay Tomar, Renu Pokharna In this session key officials from Gujarat will share their experiences and opinions on privacy in the context of India. Speakers include: Justice J N Bhatt is the former Chief Justice of Gujarat and Bihar, and currently the head of the Gujarat State Law Commission. He has had ad successful career including having: joined the Office of the Government Pleader, at Jamnagar in 1976, worked as Central Government Counsel in special matter of Armed Forces and Labour Cases, and has authored more than 50 Articles on Jurisprudence, Constitution, International Law, A.D.R, Legal Aid and Lok Adalat and Judicial Reforms Renu Pokharna, a member of the Chief Minister's Office, State of Gujarat, has spent her career working towards the betterment of society, especially the poor and the hungry through policy and not charity. For example she is a part of the project “Gujarat Skill Development Mission”. The project tries to achieve convergence of skill training programs to make them more effective. Mr. Ajay Tomar is the chief of the Anti-Terrorism Squad in Gujarat. He has worked on cracking down on many cases involving national security and surveillance including the “Pepsi Bomber”.
1:00 to 2:00	Lunch Break
2:00 to 2:30	Privacy, Minority Identities, and Security Bobby Kuhnu Bobby Kuhnu is a lawyer, social activist, and writer. Mr. Kuhnu will examine the ideological underpinnings of the discourse on privacy and its bearings on socially marginalized identities particularly in the context of the Indian state and the constitutional right to privacy.
2:30 to 3:00	Privacy and National Security Mathew Thomas Mathew Thomas is a management consultant and activity leader for development centers. Mathew has held top positions in the Indian Army, and the Defense Research and Development Organization, where he headed the missile manufacturing facility. His presentation will focus on national security and privacy.
3:00 to 3:15	Tea Break
4:00 to 4:30	Open discussion and summary

Other Distinguished Participants

Justice Madhukar

Former Judge, Trial Courts, Gujarat

Kanan Divatia

Lawyer and Professor of Law, L A Shah Law College

Professor Amal Dhru

Visiting Professor, Indian Institute of Management, Ahmedabad

Madhusudan Agarwal

Founder, Ma'am movies

Gaurang Raval

Drishti Media

Rahul Chimanbhai Mehta

Independent Candidate, IIT Delhi Alumnus

Madhusudan Agarwal

Founder, Ma'am movies

For more details visit https://cis-india.org/events/privacy-matters-ahmedabad

Privacy matters

praskrishna — 2011-04-04T07:22:24Z

Privacy India invites individuals to attend “Privacy Matters”, a one-day conference on 23 January 2011 at the WB National University of Juridical Sciences (NUJS) Law School in Kolkata. Privacy India, Society in Action Group and the Centre for Internet & Society have joined hands to organize this.

The conference will focus on discussing the challenges to privacy that India is currently facing. The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, e.g., the TRAI Act for telephony or RBI Guidelines for Banks, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. This lack of uniformity has led to ironically imbalanced results. In India today one has a stronger right to privacy over telephone records than over one’s own medical records. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. – people who most need to know that sensitive information is protected.

The emergence of information and communications technologies over the past two decades has radically transformed the speed and costs of access to information. However, this enhanced climate of access to information has been a mixed blessing. Whilst augmenting our access to knowledge, this new networked information economy has also now made it much easier, quicker, and cheaper to gain access to intimate personal information about individuals than ever before. As people expose more and more of their lives to others through the use of social networks, reliance on mobile phones, global trade, etc., there has emerged a heightened risk of privacy violations in India. As privacy continues to be a growing concern for individuals, nations, and the international community, it is critical that India understands and addresses the questions, challenges, implications and dilemmas that violations of privacy pose.

Who We Are

Privacy India was set up in collaboration with the Centre for Internet & Society (CIS), Bangalore and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies and the media and the public in a number of countries (see www.privacyinternational.org). Its Advisory Board is made up of distinguished intellectuals, academicians, thinkers and activists such as Noam Chomsky, the late Harold Pinter, and others, and it has collaborated with organizations such as the American Civil Liberties Union (ACLU).

Download the poster

" Privacy Matters" Conference Agenda

Time	Item
10:30 11:00	Welcome: Rajan Gandhi a. Who is PI b. What are our objectives c. Why is privacy important in India
11:00 11:30	Keynote: Sudhir Krishnaswamy
11:30 11:45	Tea Break
11:45 1:00	Session I: Prashant Iyengar and Elonnai Hickok a. Personal privacy: Violations and Indian legislation that addresses these violations Case study: Nira Radia and wiretapping b. Informational privacy: Violations and Indian legislation that addresses these violations Case study: The proposed data protection legislation in India c. What is the existing vacuum in Indian legislation concerning privacy
1:00 2:00	Lunch
2:00 3:30	Session II: Prashant Iyengar, Deva Prasad, Amba Kak a. Identity and privacy: why does it matter b. International approaches to identity c. The UID and privacy
3:30 3:45	Tea Break
3:45 4:30	Open discussion and opinion sharing

VIDEOS

For more details visit https://cis-india.org/events/privacy-matters

Privacy laws: Alternatives to consent

Admin — 2017-08-23T00:00:32Z

As changes in technology have made it near impossible to obtain informed consent, the solution may lie in an accountability-based standard for privacy protection.

The article was published in the Livemint on August 11, 2017. Pranesh Prakash was quoted.

On 1 August, the government set in motion the process of drafting a new data protection law by setting up a panel under the guidance of former Supreme Court judge B.N. Srikrishna. The panel has been asked to suggest the principles to be considered while framing a data protection law. Most lawmakers around the world resort to consent as the default model to protect personal privacy. But is consent really the best and only way to provide meaningful control and to protect the individual?

In an earlier article in this series we discussed the various reasons why consent is no longer the best way to protect personal privacy. Today, traditional point-to-point transfers of data have been replaced with data flows through distributed systems, making it difficult for individuals to know which organizations are processing their data and for what purposes. This context makes it impossible to obtain valid individual consent. Machine learning systems do not need explicit programming and can teach themselves from mountains of data. This makes consent particularly inappropriate, as given the fraud prevention purposes for which these tools are used, seeking consent would prejudice the very purpose of processing.

Europe’s new General Data Protection Regulation (GDPR), which will come into force in May 2018, seems to suggest that accountability will become the new basis for compliance. According to experts, the transition period until the new rules come into force will be all about getting data controllers to adopt accountability measures to ensure greater security and trust around processing.

The new rules “advocate a risk-based approach with the data subject at its centre, so controllers will need to assess any risks to individuals posed by their processing activities and what measures they need to take to address them. The requirements also identify common factors for controllers to take into account when making those assessments, like the state of the art, the cost of implementation and the nature, scope and purposes of data processing,” according to a paper by Irish law firm Matheson.

In India, a paper by Rahul Matthan, a fellow at the Bengaluru-based policy think tank Takshashila Institute, bats for the adoption of a similar model that would hold data controllers and processors accountable for any harm caused to data subjects, irrespective of the consent they may have obtained. Instead of requiring data controllers to obtain consent for the collection and subsequent use of personal data, Matthan suggests the implementation of a rights-based model for data privacy that will impute a set of data rights for everyone rather than look to specific terms and conditions that they have entered into with each site they sign up to.

The accountability model will have the greatest impact on companies that deal with personal data, increasing their obligations to ensure that their actions do not, even inadvertently, result in breach of the privacy of their subscribers. What do these firms think about a new model where privacy is not based so much on the specific policies that their users agree to, but on a much broader obligation to be accountable for their actions?

“When we think about new products, we design them from the ground up with privacy in mind,” a Facebook Inc. spokesperson said in an emailed response. “We complete thorough privacy reviews of our products so that innovation does not come at the expense of choice and control. We integrate tools people can use to control their information and make personal privacy choices.”

A Twitter Inc. spokesperson did not directly address the question of accountability but pointed to its updated privacy policy, new privacy tools and past efforts in advocacy of privacy.

In general, corporations are likely to find accountability to be an easy standard to comply with. Most already adhere to this higher standard of care as, regardless of the specific terms of their privacy policies, the public relations fallout that would result from a privacy breach due to their negligence will have a huge impact on subscriber confidence in their services.

To that extent, most companies already think of themselves as being responsible for the personal privacy of their users above and beyond the specific terms and conditions of their privacy policy.

But can accountability totally replace consent? Opinions are divided.

“Substituting accountability for consent is neither simple nor easy,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank. “With current consent models, one doesn’t necessarily need to prove specific harm, whereas accountability models might require it, and that would be difficult, and especially impossible given the current state of courts.”

Secondly, while a rights/fiduciary model brings flexibility for data controllers data users, it comes at the cost of uncertainty, he argued.

“Consent brings in some amount of inflexibility but with the benefit of certainty,” he said. “If we move to a rights and fiduciary duty model, that would mean the entity using your data cannot do anything against your best interests, just as your accountant, or your doctor, or your lawyer owe you a high standard of care. But with that increased duty, there comes the added flexibility in terms of using data anonymously, in a way that doesn’t cause much harm while providing benefits.”

“I agree that consent, in theory, provides greater certainty,” counters Matthan, “However, it is questionable whether we can actually benefit from that certainty. In today’s context, it is impossible to obtain truly informed consent. We must, therefore, find an alternative mechanism to protect the privacy of our citizens. Accountability shifts the responsibility of determining whether or not a particular use of data will harm an individual away from that person, who has little or no ability to accurately decide that for himself, to the data controller, who has a far greater ability to do so.”

Others, such as advocate and cyber law expert N.S. Nappinai, say that it should not be a question of either/or and that both consent and accountability are needed for a robust data protection law.

“A huge loophole in the laws across the world, including the very robust GDPR, which will come into effect in 2018, is the sharing of third-party data, as in social media,” said Nappinai. “Data protection laws address the need for consent of the user who is sharing content. Many times, the user isn’t sharing sensitive or personal information only about themselves; it can be about a much larger audience or set of data subjects. When one is dealing with that kind of data, which a third party has shared about a data subject, it is not enough to have only accountability or consent but also vesting of responsibility.”

“For now the least threshold of protection that the GDPR offers—i.e., of the ‘right to be forgotten’—ought to at least be codified in other jurisdictions including India to ensure protection of such third-party data that is shared, in effect without their consent,” she added.

Models for a new privacy protection framework

There are alternative mechanisms in the privacy toolkit and existing legal regimes that, in the appropriate contexts, are able to deliver privacy protection and meaningful control more effectively than consent. Though these mechanisms already exist, they must be better understood, further developed and more broadly accepted, suggest researchers at the International Association of Privacy Professionals (IAPP). Here are a few examples of such mechanisms.

• Legitimate-interest processing: This is particularly relevant, according to IAPP, as it provides the necessary flexibility to face future technology and business process changes, while requiring organizations to be proactive, think hard and consider and mitigate risks and harmful impacts on individuals as they process personal data.

Legitimate-interest processing can legitimize many ordinary business uses of data, such as improving and marketing a company’s own products or services, or ensuring information and network security.

It also plays an increasingly significant role in the context of Big Data, the Internet of Things and machine learning by enabling beneficial uses of data where consent is not feasible and the benefits of the proposed uses outweigh any privacy risks or other harmful impact on individuals.

• Focus on risk and impact on individuals: This approach, IAPP has said, puts individuals firmly at the centre of an organization’s information management practices and results in better protection and compliance for individuals, especially in contexts where individual consent is neither required nor feasible.

• Individuals’ rights to access and correction: The ability of individuals to have access to their data and be able to correct inaccurate or obsolete data is an essential mechanism of control that should be made available as widely as possible.

Access and correction are also intrinsically related to transparency and organizations may be able to innovate here too, IAPP researchers have noted.

• Fair processing: Fair processing is a standalone data protection principle in many data privacy laws in Europe and beyond. Over the years, practitioners and regulators have equated fairness with providing privacy notices to individuals. Fair processing, however, goes beyond privacy notices and IAPP researchers believe the time has come to resurrect this principle back into practice.

This is the third of a four-part series on privacy. Read the first part here and the second part here.

For more details visit https://cis-india.org/internet-governance/news/livemint-august-11-2017-privacy-laws-alternatives-to-consent

Privacy Law Must Fit the Bill

sunil — 2013-09-12T06:25:35Z

The process of updating Indian privacy policy has gained momentum ever since the launch of the UID project and also the leak of the Radia tapes. The Department of Personnel and Training has lead the drafting of privacy bill for the last three years. This bill will ideally articulate privacy principles and establish the office of the privacy commissioner and most importantly have an over-riding effect over 50 odd existing laws, rules and policies with privacy implications.

The article was published in the Deccan Chronicle on September 9, 2013.

Given the harmonizing impact of the proposed privacy bill, we must ensure that rigorous debate and discussion happens before the bill is finalized otherwise there may be terrible consequences.

Here is a short list of what can possibly go wrong:

One, the privacy bill ignores the massive power asymmetry in Indian societies undermining the right to information – in other jurisdictions referred to as freedom of information and access to information. The power asymmetry is addressed via a public interest test. The right to privacy would be the same for everyone except when public interest is at stake. This enables protection of the right to privacy to be inversely proportionate to power and almost conversely the requirement of transparency to be directly proportionate to power. In other words, the poor would have greater privacy than a middle-class citizens who in turn would have greater privacy than political and economic elites. And transparency requirements would be greatest for economic and political elites and lower for middle-class citizens and lowest for the poor. If this is not properly addressed in the language of the bill – privacy activists would have undone the significant accomplishments of the right to information or transparency movement in India over the last decade.

Two, the privacy bill has chilling effect on free speech. This can happen either by denying the speaker privacy, or by affording those who are spoken about too much privacy. For the speaker - Know Your Customer (KYC) and data retention requirements for telecom and internet infrastructure necessary to participate in the networked public sphere can result in the death of anonymous and pseudonymous speech. Anonymous and pseudonymous speech must be protected as it is a necessary for good governance, free media, robust civil society, and vibrant art and culture in a democracy. For those spoken about - privacy is clearly required in certain cases to protect the victims of certain categories of crimes. However, the right to privacy could be abused by those occupying public office and those in public life to censor speech that is in the public interest. If for example a sport person does not publicly drink the aerated drink that he or she endorses in advertisements then the public has a right to know.

Three, the privacy bill has a limited scope. Jurisprudence in India derives the right to privacy from the right to life and liberty through several key judgments including Naz Foundation v. Govt. of NCT of Delhi decided by the Delhi High Court. The right to life and liberty or Article 21 unlike other constitutionally guaranteed fundamental rights does not distinguish between citizens and non-citizens. As a consequence the privacy bill must also protect residents, visitors and other persons who may never visit India, but whose personal information may travel to India as part of the global outsourcing phenomena. Also the obligations and safeguards under the privacy bill must equally apply to both the state and the private sector entities that could potentially infringe upon the individual's right to privacy. Different levels of protection may be afforded to citizens, residents, visitors and everybody else. Government and private sector data controllers may be subject to different regulations – for ex. an intelligence agency may not require 'consent' of the data subject to collect personal information and may only provide 'notice' after the investigation has cleared the suspect of all charges.

Four, the privacy bill is expected to fix poorly designed technology. There are two diametrically opposite definitions of projects like NATGRID, CMS and UID. The government definition is that all these systems will allow only for targeted interception and surveillance, however the majority of civil society believes that these system will be used for blanket surveillance. If these systems are indeed built in a manner that supports blanket surveillance then legal band-aid in the form of a new law or provision that prohibits blanket surveillance will be a complete failure. The principle of 'privacy by design' is the only way to address this. For ex. shutters of digital cameras are silent and this allows for a particular form of voyeurism called upskirt. Almost a decade ago, the Korean government enacted a law that requires camera and mobile phone manufacturers to ensure that audio recording of a mechanical shutter is played every time the camera function is used. It is also illegal for the user to circumvent or disable this feature. In this example, the principle of notice is hardwired within the technology itself. To remix Spiderman's motto – with great power comes great temptation. We know that a rogue NTRO official installed a spy camera in the office toilet to make recording female colleagues and most recently that NSA officers confessed to spying on their love interests. If the technology can be abused it will be abused. Therefore legal safeguards are a poor substitute for technological safeguards. We need both simultaneously.

Five, the bill does not require compliance with internationally accepted privacy principles including the ones discussed so far 'consent', 'notice' and 'privacy by design'. Apart from human rights considerations – the most important imperative to modernize India privacy laws is trade. We have a vibrant ITES, BPO and KPO sector which handles personal information of foreigners mostly from the North American and European continents. The Justice AP Shah committee in October 2012 identified privacy principle that required for India - notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. A privacy bill that does include all these principles will increase the regulatory compliance overhead for Indian enterprise with foreign clients and for multinationals operating in India. There is also the risk that privacy regulators in these jurisdictions will ban outsourcing to Indian firms because our privacy laws are not adequate by their standards.

To conclude, it is not sufficient for India to enact a privacy law it is essential that we get it right so that there are no unintended consequences on other equally important rights and dimensions of our democracy.

For more details visit https://cis-india.org/internet-governance/blog/deccan-chronicle-september-9-2013-sunil-abraham-privacy-law-must-fit-the-bill

Privacy law mooted to protect people against misuse of info

praskrishna — 2012-10-22T10:25:53Z

A government-appointed expert group today suggested enactment of a law to protect individuals against misuse of information collected through telephone tapping, videography or any other method.

Read the original published in the Business Standard on October 18, 2012.

The group headed by former Delhi High Court Chief Justice A P Shah recommended setting up of a regulatory framework comprising Privacy Commissioners at the Centre and regional levels to deal with privacy issues and mandatory destruction of telephone conversation after a specified period.

As regards the specific issue of phone tapping, it said "interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days".

The group, set up by Minister of State for Planning Ashwani Kumar in September 2011, suggested that the records of the conversation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

The proposed law seeks to protect individuals from misuse of data collected by agencies, whether in private or public sector. It said the data of individuals should be used only for the purpose for which it was collected.

The issues concerning privacy of individuals assume significance in view of the collection of data by multiple agencies, government as well as private, for different purposes. At present, data is being collected under programmes like Aadhar, Know Your Customer (KYC) norms, recordings of telephone conversation, DNA profiling, brain mapping, etc.

The group, Kumar said, "has evaluated what is happening in the other country and what is the constitutional position in India... How imperatives of national security and right to privacy of individual can be harmonised".

Note: The Centre for Internet & Society was part of the expert committee even though it is not explicitly mentioned.

For more details visit https://cis-india.org/news/business-standard-october-18-2012-privacy-law-mooted-to-protect-people-against-misuse-of-info

Privacy law mooted to protect people against misuse of info

praskrishna — 2012-10-22T06:35:42Z

A government-appointed expert group on Thursday suggested enactment of a law to protect individuals against misuse of information collected through telephone tapping, videography or any other method.

Published in Zee News on October 18, 2012.

The group, set up by Minister of State for Planning Ashwani Kumar in September 2011, suggested that the records of the conservation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned here.

For more details visit https://cis-india.org/news/zee-news-october-22-2012-privacy-law-mooted-to-protect-people-against-misuse-of-info

Privacy Law in India: A Muddled Field - I

bhairav — 2014-05-05T06:17:06Z

The absence of a statute expressing the legislative will of a democracy to forge a common understanding of privacy is a matter of concern, says BHAIRAV ACHARYA in the first of a two part series.

The article was published in the Hoot on April 15, 2014.

Privacy evades definition and for this reason sits uneasily with law. The multiplicity of everyday privacy claims and transgressions by ordinary people, and the diversity of situations in which these occur, confuse any attempt to create a common meaning of privacy to inform law. Instead, privacy is negotiated contextually, and the circumstances that permit a privacy claim in one situation might form the basis for its transgression in another.

It is easy to understand privacy when it is claimed in relation to the body; it is beyond argument that every person has a right to privacy in relation to their bodies, especially intimate areas. It is also accepted that homes and private property secure to their owners a high degree of territorial privacy. But what of privacy from intrusive stares, or even from camera surveillance, when in a public place? Or of biometric privacy to protect against surreptitious fingerprint capturing or DNA collection from the things we touch and the places we visit every day? Or the privacy of a conversation in a restaurant from other patrons? Clearly, there are multiple meanings of privacy that are negotiated by individuals all the time.

Law has, where social custom has demanded, clothed some aspects of human activity with an expectation of privacy. In relation to bodily privacy, this is achieved by both ordinary common law without reference to privacy at all, such as the offences of battery and rape; and, by special criminal law that is premised on an expectation of privacy, such as the discredited offences regarding women’s modesty in sections 354 and 509 of the Indian Penal Code, 1860 (IPC), and the new offences of voyeurism and stalking contained in sections 354C and 354D of the IPC.

The law also privileges communications that are made through telephones, letters, and emails by regulating the manner of their interception in special circumstances. Conditional interception provisions with procedural safeguards – which, for several reasons, are flawed and ineffective – exist to protect the privacy of such communications in section 5(2) of the Indian Telegraph Act, 1885, section 26 of the Indian Post Office Act, 1898, and section 69 of the Information Technology Act, 2000.

Territorial privacy, which is afforded by possession of private property, is ordinarily protected by the broad offence of trespass – in India, these are the offences of criminal trespass, house trespass, and lurking house-trespass contained in sections 441 to 443 of the IPC – and house-breaking, which is akin to the offence of breaking and entering in other jurisdictions, in section 445 of the IPC.

Some measure of protection is provided to biometric information, such as fingerprints and DNA, by limiting their lawful collection by the state: sections 53, 53A, and 54 of the Code of Criminal Procedure, 1973 permit collections of biometric information from arrestees in certain circumstances; this is in addition to a colonial-era collection regime created by the Identification of Prisoners Act, 1920. However, nothing expressly prohibits the police or anybody else from non-consensually developing DNA profiles from human material that is routinely left behind by our bodies, for instance, saliva on restaurant cutlery or hair at the barbershop.

Physical surveillance, by which a person is visually monitored to invade locational privacy, is also inadequately regulated. Besides man-on-woman stalking, which was criminalised only one year ago, no effective measures exist to otherwise protect locational privacy. Indian courts regularly employ their injunctive power but have been loath to issue equitable remedies such as restraining orders to secure privacy. Police surveillance, which is usually covert, is an executive function that is practised with wide latitude under every state police statute and government-issued rules and regulations thereunder with little or no oversight. The risk of misuse of these powers is compounded by the increasingly widespread use of surveillance cameras sans regulation.

Other technologies too compromise privacy: GPS-enabled mobile phones offer precise locational information, presumably consensually; cell-tower tracking, almost always non-consensually, is ordered by Indian police without any procedurally built-in safeguards; radio frequency identification to locate vehicles is sought to be made mandatory; and, satellite-based surveillance is available to intelligence agencies, none of which are registered or regulated unlike in other liberal democracies.

No uniform privacy standard in law

None of these laws applies a uniform privacy standard nor are they measured against a commonly understood meaning of privacy. The lack of a statutory definition is not the issue; the lack of a statute that expresses the legislative will of a democracy to forge a common understanding of privacy to inform all kinds of human activity is the concern. Ironically, the impetus to draft a privacy law has come from abroad. Foreign senders of personal information – credit card data, home addresses, phone numbers, and the like – to India’s information technology and outsourcing industry demand institutionalised protection for their privacy.

Pressure from the European Union, which has the world’s strongest information privacy standards and with which India is currently negotiating a free trade agreement, to enact a data protection regime to address privacy has not gone unanswered. The Indian government – specifically, the Department of Personnel and Training, the same department that administers the Right to Information Act, 2005 – is currently drafting a privacy law to govern data protection and surveillance. At stake is the continued growth of India’s information technology and outsourcing sectors that receive significant amounts of European personal data for processing, which drives national exports and gross domestic product.

An inferred right

For its part, the Supreme Court has examined more than a few privacy claims to find, intermittently and unconvincingly, that there is a constitutional right to privacy, but the contours of this right remain vague. In 1962, the Supreme Court rejected the existence of a privacy right in Kharak Singh’s case which dealt with intrusive physical surveillance by the police.

The court was not unanimous; the majority of judges expressly rejected the notion of locational privacy while declaring that privacy was not a constituent of personal liberty, a lone dissenting judge found the opposite to be true and, furthermore, held that surveillance had a chilling effect on freedom. In 1975, in the Gobind case that presented substantially similar facts, the Supreme Court leaned towards, but held short of, recognising a right to privacy. It did find that privacy flowed from personal autonomy, which bears the influence of American jurisprudence, but subjected it to the interests of government; the latter prevailed.

However, in the PUCL case of 1997 that challenged inadequately regulated wiretaps, the Supreme Court declared that phone conversations were protected by a fundamental right to privacy that flowed from Article 21 of the Indian Constitution. To intrude upon this right, the court said, a law was necessary that is just, fair, and reasonable. If this principle were to be extended beyond communications privacy to, say, identity cards, the Aadhar project, which is being implemented without the sanction of an Act of Parliament, would be judicially stopped.

But what does “law” mean? Is it only the law of our Constitution and courts? What of the law that governed Indian societies before European colonisation brought the word ‘privacy’ to our legal system? Classical Hindu law – distinct from colonial and post-independence Hindu law – also recognises and enforces expectations of privacy in different contexts. It recognised the sanctity of the home and family, the autonomy of the community, and prescribed penalties for those who breached these norms. So, too, does Islamic law: all schools of Islamic jurisprudence – ‘fiqh’ – recognise privacy as an enforceable right.

Different words and concepts are used to secure this right, and these words have meanings and connotations of their own. But, the hermeneutics of privacy notwithstanding, this belies the common view that privacy is not an Indian value. Privacy may or may not be a cultural norm, but it has existed in India and South Asia in different forms for millennia.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-bhairav-acharya-april-15-2014-privacy-law-in-india-a-muddled-field-1

Privacy Issues with DRM

Jalaj Pandey — 2016-05-03T02:41:15Z

This post has been written by Jalaj Pandey interning at CIS. It elaborates upon the various privacy issues with the Digital Rights Management. The author talks about the various ways in which content producers use DRM as a tool to infringe the privacy of the end users.

Nehaa Chaudhari provided inputs and also edited the blog post. Click to download the File.

The ubiquity of internet in today's world has made content and information sharing an easy task. A certain media file can be shared and made public with hardly any technical obstacles. Issues like hacking, unauthorized copying and publication, unlicensed usage have become concerns for content producers, who have employed Digital Rights Management (hereafter DRM) measures to address some of them.

Several instances of the online privacy intrusion by the content producers have been recorded. In such a scenario the balancing the rights of the content producers and the end users becomes an important one. It is imperative to find a common ground to safeguard the interests of both the parties involved. In the recent past DRM has been receiving a lot of flak because of the privacy issues contented by the users.

In the most rudimentary form privacy can be explained as any information about an individual which he/she does not want to be made public. It is important to mention that this information is seen from the perspective of an ordinary reasonable person. The UN Declaration of Human Rights, 1948, defines privacy as a fundamental right of every human. The functioning of the DRM is based on restricting the usage or distribution of the content. Since this restriction is only possible after there is a formal identification of the end user, the content producers end up collecting information about the users. For example: a DRM for a music file might work in a manner where it can only be accessed by one computer from which the user accesses and registers for the first time. DRMs initially identify the IP addresses of the system and make the file functioning on only that IP address. In this way the producer ends up collecting information about the end user. Different DRM models take different ways to collect information of their user. While collecting IP addresses in one of them the other way is tracking the user information via download, browsing activities, subscription service, etc. The usage log of the users is generated and becomes a valuable asset to assess and predict the preferences of the users

Two contentions of privacy have been raised on the privacy issues of DRM -

a) What is the accountability of this process and

b) Whether it puts the content producers in a position where they can control the users.

The information collected is under the control of content producers, who mostly store this information in the form database. BEUC (European Consumer Organization) claimed that the DRM systems technologically enable content providers to monitor private consumption of content, create reports of consumption, and profile users.

The information is at the disposal of the content producers. An assessment of DRM applications under Canadian Privacy showed that the firms did not even recognise privacy issues of the customers as a priority. In fact the firms failed to provide the information that was stored in their databases. This gives an idea about the lack of transparency that exists in collecting the information about users. The question whether users are aware of what information is being collected and to what extent they are being tracked online remains unanswered. The CEN/ISSS (European Committee for Standardization/ Information Society Standardisation System) pointed out that DRMs have a large potential to transmit, generate personal information about users. It has also been characterized by unprecedented levels of monitoring by various content producers.

Further the principled level argumentation to this is on lines of collection of information without any authentication from the user herself/himself. It is essential that if any information is collected or saved by the producers it should only be after taking consent of the user. Surveillance and compelled disclosure of information about intellectual consumption threaten rights to personal integrity.

DRMs take away the anonymity of the consumption. Since the producers can practically monitor the content usage of the user, this has led to wide scale of price discrimination. This means that producers would monitor and assess the preferences of the user and subsequently raise the prices of that particular class of products. In the report of FIPR (Foundation of Information Policy and Research) it was found that Microsoft had been trying to implement their DRM systems in their products using a similar approach to gain a monopoly position as in their strategy of browser implementation.

The Sony BMG copy protection rootkit scandal in 2005 brought much criticism to DRM. It was found out that Sony BMG had introduced illegal and harmful copy protection measure in its CDs. The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. Further more than just the DRM part of it the software also made the user's system open to a number of malwares and created vulnerabilities in the system. Sony was eventually made to compensate consumer costs, etc on the same. However the question of whether the database in the hands of companies can be used in arbitrary manner was intensely discussed after this.

It is essential that an effective framework is brought into effect which caters to privacy interests of the users. Privacy is the basic human right and it is the onus of the State to protect and safeguard this right. It is essential that the State does not compromise and support mechanisms which promote the welfare of the content producers over the users. The balance of users and producers becomes all the more important in a developing country like ours. The lack the awareness and the knowledge coupled with increasing usage of internet can lead to the exploitation of many. It is essential that the States see through these problems and collectively find an all encompassing solution to it.

K. G. Coffman and A. M. Odlyzko, Growth of the Internet, AT&T Labs - Research, July 6, 2001, available at, ( www.dtc.umn.edu/~odlyzko//doc/oft.internet.growth.pdf) (hereinafter Growth).

The Daily Source, The Growing Impact of the Internet, April 4, 2016, available at (https://www.dailysource.org/about/impact).

Corryne Mcsherry, Adobe Spyware Reveals (Again) The Price Of DRM: Your Privacy And Security, Electronic Frontier Foundation, October 17, 2014, available at,

(https://www.eff.org/deeplinks/2014/10/adobe-spyware-reveals-again-price-drm-your-privacy-and-security).

Digital Rights Management: A failure in the developed world, a danger to the developing world, Electronic Frontier Foundation, March 23, 2005, available at,

(https://www.eff.org/wp/digital-rights-management-failure-developed-world-danger-developing-world).

R. Subramanya and Byung k. Yi, Digital Rights Management, available at, ( https://www.academia.edu/8054608/Digital_Rights_Management) (hereinafter Digital Rights Management).

Global internet liberty campaign, privacy and human rights, An International Survey of Privacy Laws and Practice, available at, (http://gilc.org/privacy/survey/intro.html).

Ann Cavoukian, Privacy and Digital Rights Management (DRM): An Oxymoron, Information and Privacy Commissioner Ontario, available at, ( https://www.ipc.on.ca/images/Resources/up-1drm.pdf ) (hereinafter Oxymoron)

Varian, H.R. (1985) 'Price discrimination and social welfare', American Economic Review, Vol. 75, available at, (http://www.economics-ejournal.org/economics/journalarticles/2007-1/references/Varian1985).

Privacy and Digital Rights Management,A position paper for the W3C workshop on Digital Rights Management, January 2001, available at, ( www.w3.org/2000/12/drm-ws/pp/hp-poorvi.html).

Growth supra note, 1.

Digital Rights Management supra note, 5.

Thierry Rayna, Privacy or piracy, why choose? Two solutions to the issues of digital rights management and the protection of personal information, Intellectual Property Management, Vol. X, No. Y, available at,

(www.inderscienceonline.com/doi/abs/10.1504/IJIPM.2008.021138).

Oxymoron supra note, 7.

BEUC, Consumentenbond, and CLCV at DRM Working Group 1 (2002), available at, (https://privacy.org.nz/assets/Files/4558510.pdf).

Natali Helberger and Kristo´f Ker´enyi and Bettina Krings, Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations, available at (citeseerx.ist.psu.edu/showciting?cid=733532).

Knud Bohle, Indicare, Research into unfriendly DRM : A Review, December, 2004,available at, (citeseerx.ist.psu.edu/showciting?cid=733532) (hereinafter Indicare).

European Committee for Standardization/Information Society Standardisation System (CEN/ISSS) DRM Report, 2003.

Indicare supra note, 16.

News Release, "Forrester Technographics Finds Online Consumers Fearful of Privacy Violations" (October 27, 1999 available at, (www.forrester.com/ER/Press/Release/0,1769,177,FF.html).

Julia E. Cohen, Georgetown Law Faculty Publications, DRM and Privacy, January 2010, available at,

(https://www.academia.edu/2164013/DRM_and_Privacy).

Moe, W. and Fader, P. (2004) 'Dynamic conversion behavior at e-commerce sites', Management Science, Vol. 50, available at,

(https://www.researchgate.net/publication/227447618_Dynamic_Conversion_Behavior_at_E-Commerce_Sites).

Privacy or piracy supra note, 21.

Sismeiro, C. and Bucklin, R. (2004) 'Modeling purchase behavior at an e-commerce web site: a task completion approach', Journal of Marketing Research, available at, (citeseerx.ist.psu.edu/showciting?cid=906878).

Ross Anderson, Foundation of Information Policy and Research Consultation Response to DRM (2004), available at, (www. fipr.org/APIG_DRM_submission.pdf).

Otto Helweg, Sony, Rootkits and Digital Rights Management Gone Too Far, Oct, Oct. 31, 2014, available at (https://blogs.technet.microsoft.com/markrussinovich/2005/10/31).

Sony BMG Litigation Info, Electronic Frontier Foundation, available at, (https://www.eff.org/cases/sony-bmg-litigation-info).

For more details visit https://cis-india.org/internet-governance/blog/privacy-issues-with-drm

Privacy issues exist even without Aadhaar

Admin — 2017-11-23T16:12:11Z

There is a critical need for a data privacy regulator to penalize unauthorized disclosure of personal information.

The article by Ronald Abraham was published by Livemint on November 15, 2017.

In part I, I argued that while Aadhaar can be a tool to infringe upon our right to privacy, it is merely one such; there exist other tools that can be similarly exploited. This becomes evident when you analyse each privacy issue related to Aadhaar using the National Privacy Principles framework, and compare Aadhaar’s data privacy risks to other national ID systems. We need an independent data privacy regulator, backed by a robust law, to safeguard against the risks.

Here, we explore two such data privacy issues: data disclosure and voluntariness (database linking was analysed in part I).

Data disclosure

According to the National Privacy Principle on data disclosure, “a data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure”.

On paper, the Aadhaar Act appears compliant with this principle as Section 29 prohibits the disclosure of personal information. Exceptions exist for courts to request demographic data, and for joint secretaries and higher ranks to request biometric data; the latter on the grounds of “national security”. However, greater clarity is required on whether individuals will be informed of data disclosures.

In practice, however, data disclosures well beyond these exceptions have taken place. A study by the Centre for Internet and Society found that nearly 130 million Aadhaar numbers had been published online by four government departments. In many cases, these were published along with information on “caste, religion, address, photographs and financial information”. If someone manages to steal these individuals’ fingerprints as well (which is becoming less difficult), one possibility is that Aadhaar-linked bank accounts can be cleaned out using micro-ATMs.

Demographic data disclosure, however, is not limited to Aadhaar. For transparency reasons, state election commission websites disclose the personal information of every person registered to vote online. Agencies scrape these databases and sell them.

Like database linking, the onus of abiding by the principle of data disclosure is on the “data controller”. The four government agencies that disclosed Aadhaar data—not the Unique Identification Authority of India (UIDAI)—are the relevant data controllers in this case. However, UIDAI has not pressed charges against them; under the Aadhaar Act, it is solely authorized to do so. Given UIDAI’s role of working with the government to enable and encourage the use of Aadhaar, it should not also be responsible for regulating them. Additionally, the Election Commission’s data disclosure norms demonstrate that the issue is bigger than Aadhaar.

This, therefore, points to the critical need for a data privacy regulator to investigate and penalize unauthorized disclosure of sensitive personal information. A strong regulator, with a clear law, will also serve as an effective deterrent for negligent disclosure practices.

Voluntariness

The ability to voluntarily opt in and out of data systems, based on informed consent, is central to the National Privacy Principle of “Choice and Consent”. Once an individual opts in, the principle clarifies that they “also have an option to withdraw (their) consent given earlier to the data controller”.

With regard to opting in, UIDAI has maintained that Aadhaar enrolment is voluntary. However, Section 7 of the Aadhaar Act and various orders by government agencies require Aadhaar to access basic services. Though exceptions are allowed, in practice they are implemented inconsistently, making Aadhaar near-mandatory.

To be sure, the choice principle states that data controllers can choose not to provide services if an individual doesn’t consent to provide data, “if such information is necessary for providing the goods or services”. However, we need more explicit guidelines on what features satisfy this condition, something that can be defined in a data privacy law.

With regard to opting out, no such UIDAI provision exists. One argument is that more data increases UIDAI’s capability to establish the uniqueness of new enrollees. However, it is unclear why this is the case because even if millions opt out of Aadhaar, UIDAI’s ability to guarantee the uniqueness of new enrollees compared to existing enrollees doesn’t diminish.

While voluntariness is actively discussed with Aadhaar, the same is not true for other IDs and data initiatives. For example, fingerprints are collected to issue Indian passports, but the use of this is not clear—raising concerns around voluntariness as well as purpose limitation.

Through this analysis, it becomes clear that data privacy issues exist even without Aadhaar. To tackle the risks to privacy, India requires a strong, competent and independent data privacy regulator, backed by a robust law.

With the recent Supreme Court judgement and upcoming hearings, we have a unique opportunity to strengthen our institutional ability to manage future risks. We must seize this opportunity to try and secure a privacy-protected future.

Ronald Abraham is a partner at IDinsight and co-author of ‘State of Aadhaar’ report 2016-17.

Research contributions from Shreya Dubey and Akash Pattanayak.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-23-2017-ronald-abraham-privacy-issues-exist-even-without-aadhaar

Privacy is now a right in India. Here's what that means for the tech industry

Admin — 2017-08-31T14:35:45Z

India's top court has put tech companies on notice.

The blog post by Rishi Iyengar was published by CNN Tech on August 29, 2017.

In ruling that privacy is a fundamental right, the country's Supreme Court singled out tech firms for gathering huge amounts of data: Facebook knows who we are friends with, the justices wrote, while Alibaba studies our shopping habits and Airbnb tracks our travel.

"This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford," the court said last week. "There is an unprecedented need for regulation regarding [how] such information can be stored, processed and used."

Indian internet activists hailed the decision, but warned that the debate about how tech giants collect and use data is only just beginning.

"These companies must brace for [legal action]," said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "Individuals who are unhappy with the treatment of their personal information can now take them to court, because it is an infringement of a fundamental right."

The UN Conference on Trade and Development said that while the United States, European Union, China and other nations have established similar protections, roughly 60 developing countries have no rules that govern how the tech industry should collect and use personal data.

Activists say legal protections are needed to keep tech firms from irresponsibly harvesting data. Internet giants including Facebook and Google have built their business models around aggregating information about their users, and then marketing it to retailers. Some firms sell the data to third parties.

The global battle lines are being drawn: The U.S. government recently asked the Supreme Court to compel Microsoft (MSFT, Tech30) to hand over user data stored overseas, and the U.K. has proposed legislation that would allow users to ask platforms to delete their posts. The EU has taken several tech firms to task over privacy concerns.

Now the debate is heating up in the world's largest democracy. Nikhil Pahwa, an internet activist and founder of tech website MediaNama, said the Indian court's ruling gives campaigners a major tool in the fight to keep data private.

"We've now been given a right which allows us to argue for our rights against practices of different companies," Pahwa said.

The ruling could even cause problems for the Indian government, which is pushing its own controversial biometric ID card program. Nearly 1.2 billion people -- 92% of India's population -- have registered for the Aadhaar scheme, which links their fingerprints and iris scans to a unique 12-digit number.

The program is designed to make welfare payments and medical services much more efficient. But skeptics have bristled at recent orders that seek to make the biometric ID mandatory when opening a bank account or filing taxes.

"I don't want an Aadhaar number," Pahwa said. "I want to have the right to live in my country ... in a manner that I'm not being surveilled and watched."

Activists are also worried about how their data may be used and protected by third parties. Microsoft, for example, announced in July that it had integrated the biometric program with Skype Lite, a low-bandwidth version of the communications app made for the Indian market.

"If ... your fingerprints are your passwords -- and they're passwords that you can't change -- once they're gone they're gone forever," Pahwa said or potential data leaks.

The Indian government, which argued before the Supreme Court that privacy was not a fundamental right, said following the ruling that it was working on a stringent data protection law. Technology minister Ravi Shankar Prasad told local media that the new rules would be in place by December.

The National Association of Software and Services Companies, which represents India's tech industry, welcomed the Supreme Court's verdict.

"This landmark judgment will ensure that protection of citizen's privacy is a cardinal principle in our growing digital economy," NASSCOM president R Chandrashekhar said in a statement. "It will enhance citizens' trust in digital services."

Microsoft (MSFT, Tech30), Google (GOOGL, Tech30), Facebook (FB, Tech30) and Uber, which all operate in India, did not respond to requests for comment. Local tech players including Ola and Flipkart also did not respond. Amazon (AMZN, Tech30), which is investing heavily in the country, said that it complies with local laws and "has a high bar" for data protection and privacy.

Abraham, from the Centre for Internet and Society, said that "regulatory innovation" is needed to rein in large firms without making life difficult for Indian startups.

"We need to prevent the internet giants from dancing around the regulations with large legal teams, and we need to prevent onerous regulations from crushing emerging firms," he said. "If our lawmakers and parliament are innovative, we can leapfrog straight to the age of big data."

For more details visit https://cis-india.org/internet-governance/news/cnn-tech-august-29-2017-rishi-iyengar-privacy-is-now-a-right-in-india

We are anonymous, we are legion

Privacy Matters, Guwahati — Event Report

Event Sessions

Privacy and the RTI

Privacy and Security/Law Enforcement in the North East of India

Privacy and the UID

Conclusion

Privacy as a Fundamental Right

Privacy Matters — Medical Privacy

Medical Privacy in India

Medical Privacy- Legal Aspects

Supreme Court views on Medical Negligence

Confidentiality and privacy in medical Settigs vis-a-vis PLHIV

Privacy in Practice

Best Practices of Medical Privacy in Various Health Settings

Epidemics and Privacy

HIV/ AIDS and Privacy

HIPPA with reference to Applicability to Patient Privacy and Clinical Data Confidentiality in India

Presentations

Privacy Matters — Consumer Privacy

Privacy Matters — Analyzing the Right to "Privacy Bill"

Welcome

Keynote Address

Session I: Privacy and the Legal System

Privacy and the Constitutional Law

Session II: Privacy and Freedom of Expression

Sexual Minorities and Privacy

Session III: Privacy and National Security

Privacy and UID

Conclusion

Privacy Matters — Analyzing the "Right to Privacy Bill"

Agenda

Session I

Session II

Session III

Organizers

Partners

Speakers

Privacy Matters - A Public Conference in Ahmedabad

Agenda

Privacy Matters

March 26th 10:30 – 4:30 pm

Other Distinguished Participants

Privacy matters

Who We Are

" Privacy Matters" Conference Agenda

Privacy laws: Alternatives to consent

Privacy Law Must Fit the Bill

Privacy law mooted to protect people against misuse of info

Privacy law mooted to protect people against misuse of info

Privacy Law in India: A Muddled Field - I

No uniform privacy standard in law

An inferred right

Privacy Issues with DRM

Privacy issues exist even without Aadhaar

Privacy is now a right in India. Here's what that means for the tech industry