The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 11 to 25.
Surveillance Camp IV: Disproportionate State Surveillance - A Violation of Privacy
https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy
<b>This is the fourth in a series of posts mapping global surveillance challenges discussed at EFF's State Surveillance and Human Rights Camp in Rio de Janeiro, Brazil. This article has been co-written with Elonnai Hickok — Centre for Internet and Society India, and a speaker at EFF's Camp.</b>
<hr />
<p>This article by Katitza Rodriguez and Elonnai Hickok was originally <a class="external-link" href="https://www.eff.org/deeplinks/2013/02/disproportionate-state-surveillance-violation-privacy">published by the Electronic Frontier Foundation</a> on February 13, 2013.</p>
<hr />
<p style="text-align: justify; ">States around the world are faced daily with the challenge of protecting their populations from potential and real threats. To detect and respond to them, many governments surveil communication networks, physical movements, and transactional records. Though surveillance by its nature compromises individual privacy, there are exceptional situations where state surveillance is justified. Yet, if state surveillance is unnecessary or overreaching, with weak legal safeguards and a failure to follow due process, it can become disproportionate to the threat—infringing on people's privacy rights.</p>
<p style="text-align: justify; ">Internationally, regulations concerning government surveillance of communications vary in approach and effectiveness, often with <a href="https://www.eff.org/deeplinks/2012/12/2012-in-review-state-surveillance-around-globe" target="_blank">very weak or nonexistent legal safeguards</a>. Some countries have strong regulations for the surveillance of communications, yet these regulations may be largely ineffective or unenforceable in practice. Other countries have no legal safeguards, or have legal standards that differ vastly according to the type of communication data targeted. This is why EFF organized, at the end of last year, a <a href="https://www.eff.org/issues/surveillance-human-rights" target="_blank">State Surveillance and Human Rights Camp</a> in Brazil to build upon this discussion, focusing on how states are facilitating unnecessary and disproportionate surveillance of communications in ways that lead to privacy violations.</p>
<h3 style="text-align: justify; ">State-Mandated Identity Verification</h3>
<p style="text-align: justify; ">In 2012 the Constitutional Court in South Korea <a href="https://www.nytimes.com/2012/08/24/world/asia/south-korean-court-overturns-online-name-verification-law.html?_r=1&" target="_blank">declared</a> that country's "real-name identification system" unconstitutional. The system had mandated that any online portal with more than 100,000 daily users had to verify the identity of its users.<a href="#fn1" name="fr1">[1]</a> This meant that individuals had to provide their real names before posting comments online. The legal challenge to this system was raised by <a href="https://en.wikipedia.org/wiki/People%E2%80%99s_Solidarity_for_Participatory_Democracy" target="_blank">People's Solidarity for Participatory Democracy</a> (PSPD)'s Public Law Center and <a href="https://en.wikipedia.org/wiki/Korean_Progressive_Network_%28Jinbonet%29%20" target="_blank">Korean Progressive Network</a>—Jinbonet among others.</p>
<p style="text-align: justify; ">Korea University professor Kyung-shin Park, Chair of PSPD's Law Center, told EFF that portals and phone companies would disclose identifying information about six million users annually—in a country of only 50 million people. The South Korean Government was using perceived online abuses as a convenient excuse to discourage political criticism, Professor Park told EFF:</p>
<p class="callout" style="text-align: justify; ">The user information shared with the police most commonly has been used by the government to monitor the anti-governmental sentiments of ordinary people. All this has gone on because the government, the legislature, and civil society have not clearly understood the privacy implications of turning over identifying information of individuals.</p>
<p style="text-align: justify; ">The decision by the South Korean Constitutional Court to declare the "real identification system" unconstitutional was a win for user privacy and anonymity because it clearly showed that blanket mandates for the disclosure of identifying information, and the subsequent sharing of that data without judicial authorization, are a disproportionate measure that violates the rights of individuals.<a href="#fn2" name="fr2">[2]</a></p>
<h3 style="text-align: justify; ">States Restrict Encryption and Demand Backdoors</h3>
<p style="text-align: justify; ">Some States are seeking to block, ban, or discourage the use of strong encryption and other privacy enhancing tools by requiring assistance in decrypting information. In India service providers are required to ensure that bulk encryption is not deployed. Additionally, no individual or entity can employ encryption with a key longer than 40 bits. If the encryption equipment exceeds this limit, the individual or entity will need prior written permission from the Department of Telecommunications and <a href="https://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank">must deposit</a> the decryption keys with the Department.<a href="#fn3" name="fr3">[3]</a> The limitation on encryption in India means that technically any encrypted material over 40 bits <a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank">would be accessible</a> by the State. Ironically, the Reserve Bank of India <a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0" target="_blank">issued security recommendations</a> that banks should use encryption as strong as 128-bit for securing the browser.<a href="#fn4" name="fr4">[4]</a> In the United States, under the <a href="http://wiki.surveillancehumanrights.org/Background_on_lawful_interception_mandates_and_government_access_to_encryption_keys" target="_blank">Communications Assistance for Law Enforcement Act</a>, telecommunication carriers are required to provide decryption assistance only if they already possess the keys (and in many communications system designs, there's no reason carriers should need to possess the keys at all). In 2011, the <a href="https://www.eff.org/pages/legal-struggles-over-interception-rules-united-states" target="_blank">US Government proposed a bill</a> that would place new restrictions on domestic development or use of cryptography, privacy software, and encryption features on devices. The bill has not been adopted.</p>
<p style="text-align: justify; ">Allowing only low levels of encryption and requiring service providers to assist in the decryption of communications facilitates surveillance by giving States easier access to data and preventing individuals from using crypto tools to protect their personal communications.</p>
<h3 style="text-align: justify; ">States Establish Blanket Interception Facilities</h3>
<p style="text-align: justify; ">In Colombia, telecommunications network and service providers carrying out business within the national territory <a href="https://www.eff.org/pages/mapping-laws-government-access-citizens-data-colombia" target="_blank">must implement</a> and ensure that interception facilities are available at all times to state agencies as prescribed by law. This is to enable authorized state agencies to intercept communications at any point of time. In addition to providing interception facilities, service providers must also retain subscriber data for a period of five years, and provide information such as subscriber identity, invoicing address, type of connection on request, and geographic location of terminals when requested.</p>
<p style="text-align: justify; ">Though Colombia has put in place regulations for the surveillance of communications, these regulations allow for broad surveillance and do not afford the individual clear rights in challenging the same.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The examples above demonstrate that, although state surveillance of communications can be justified in exceptional instances, it leads to the violation of individual privacy when implemented without adequate legal safeguards. Clearly there is a need for international principles articulating critical and necessary components of due process for the surveillance of communications. Those strong legal safeguards are necessary not only in countries that don't have laws in place, but also in countries where laws are lacking and fail to adequately protect privacy. Last year, EFF <a href="https://www.eff.org/deeplinks/2012/12/tackling-state-surveillance-and-human-rights-protecting-universal-freedoms" target="_blank">organized the State Surveillance and Human Rights Camp</a> to discuss a set of <a href="http://necessaryandproportionate.net/" target="_blank">International Principles on State Surveillance of Communications</a>, a global effort led by EFF and Privacy International, to define, articulate, and promote legal standards to protect individual privacy when the state carries out surveillance of communications.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. Constitutional Court's Decision 2010 Hunma 47, 252 (consolidated) announced August 28, 2012.</p>
<p>[<a href="#fr2" name="fn2">2</a>]. The illegality of this practice was proved by a High Court decision handed down 2 months after the Constitutional Court's decision in August 2012. Seoul Appellate Court 2011 Na 19012, Judgment Announced October 18, 2012. This case <a href="http://www.peoplepower21.org/English/955480" target="_blank">was prepared and followed singularly</a> by PSPD Public Interest Law Center.</p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf">License Agreement for Provision of Internet Services Section 2.2 (vii)</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. Reserve Bank of India. <a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0" target="_blank">Internet Banking Guidelines</a>. Section (f (2)).</p>
No publisher | elonnai | Internet Governance | Privacy | 2013-02-19T12:37:09Z | Blog Entry
State Surveillance and Human Rights Camp: Summary
https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards on the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications metadata to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments are rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. </li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a>.</p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute.</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority.</p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.</p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.</p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The government's ability to surveil communications and the process for surveillance should be transparent to the public.</p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.</p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to secure communications, governments cannot require service providers to build in surveillance or monitoring capabilities.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to deter unwarranted surveillance of communications.</p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. The sensitivity of communication data, the ability to derive personal information from it, the ease with which law enforcement accesses it, and the individual's unawareness of that access together place the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">Ways in which governments and law enforcement access information, and the associated challenges, were discussed, both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that traditional forms of accessing data are no longer effective for governments for a number of reasons. For example, in many cases communications and transactions that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to surveil individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example, in 2012 it was found that FinSpy, computer espionage software made by the British company Gamma Group, was being used by the Government of Bahrain to target political dissidents. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows ISPs to monitor and filter data flowing through the network by inspecting both the header and the content of a data packet.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear whether it is mandatory for ISPs to provide DPI capabilities, so the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy that allow governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that relevant legislation increasingly contains provisions that have generic access standards and unclear authorization processes, and that provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />
[<a href="#fr2" name="fn2">2</a>]. Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />
[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />
[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />
[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />
[<a href="#fr6" name="fn6">6</a>]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />
[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138</a><br />
[<a href="#fr8" name="fn8">8</a>]. Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
No publisher | elonnai | Internet Governance | SAFEGUARDS | 2013-07-12T16:02:51Z | Blog Entry
Stand up for Digital Rights
https://cis-india.org/internet-governance/events/stand-up-for-digital-rights
<b>The Centre for Internet & Society (CIS) invites you to a discussion on a set of recommendations for Ethical Tech, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The event will be held at CIS office in Bangalore on June 15, 2016 from 5 p.m. to 7 p.m.</b>
<p style="text-align: justify; ">The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of recommendations for Ethical Tech. This work is the culmination of a year long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:</p>
<div id="_mcePaste">
<ul>
<li><span>General Human Rights Responsibilities and Private Online Intermediaries</span></li>
<li><span>Expanding Access</span></li>
<li><span>Net Neutrality</span></li>
<li><span>Content Moderation</span></li>
<li><span>Privacy</span></li>
<li><span>Transparency and Informed Consent</span></li>
<li><span>Responding to State Interferences</span></li>
</ul>
</div>
<p>We look forward to meeting you and making this forum for knowledge exchange a success.</p>
No publisher | elonnai | Event | Internet Governance | Digital Rights | 2016-06-13T15:30:12Z | Event
Should Ratan Tata be Afforded the Right to Privacy?
https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata
<b>The Ratan Tata case has raised many important questions pertaining to privacy. This note looks at a few of those questions, and the debate that centers around them. </b>
<h3>Introduction</h3>
<p>In 2008 and 2009, conversations between Nira Radia, a professional corporate lobbyist, and many different individuals were intercepted by Income Tax officials. The interception was approved by the Ministry of Home Affairs. The interception was conducted for suspected tax evasion, possible money laundering, and restricted financial practices. The individuals included: A. Raja, the then Cabinet Minister of the Ministry of Communications and Information Technology; Ratan Tata, a client of Nira Radia and Chairman of the Tata group of companies; and various journalists including: Barkha Dutt, NDTV journalist alleged to have lobbied in support of A. Raja’s appointment as minister, and Vir Sanghvi, editor of the Hindustan Times alleged to have edited articles reducing the blame in the Nira Radia tapes. Earlier this year, these conversations were leaked to the media by an unknown source. The leak exposed a scam to manipulate the upcoming auctioning off of the 2G spectrum. In response to his leaked conversations with his consultant Nira Radia, Ratan Tata has filed a petition in the Supreme Court, claiming that his privacy has been invaded. Tata claims that the conversations were private, and that the tapes should be withdrawn from the public. He has not objected to the use of the tapes in court, acknowledging that they were obtained legally. On December 2nd the Supreme Court issued a notice to restrain the unauthorised publication of the intercepted tapes [1].</p>
<h3>Questions of Privacy</h3>
<p>The Nira Radia tapes case raises many important questions about privacy, wiretapping, transparency and ethics. It will be interesting to see how the court rules on different issues as the case progresses. First, it will be meaningful to see how the court responds to Tata’s plea for privacy. Indian courts have seen only a handful of cases that have directly appealed for protection of privacy as a fundamental right [2]. The type of privacy that has been invaded in this situation is unclear. If one looks at the privacy invasion as the data that was improperly protected, thus leading to the leak, the Tax Department may be found to have violated the informational privacy of Tata. If one looks at the invasion of privacy as the fact that personal contents of conversations were made public with the intent to expose the 2G scam, the claim is really one that his personal privacy has been invaded. Because India does not have a specific legislation on privacy, there is no clear definition of what privacy is, and whether or not Tata has had his privacy invaded. The decision by the courts will help to clarify how Indian society defines privacy, and where the line between public and private falls.</p>
<h3>Is the Information Public Knowledge?</h3>
<p>Whether or not the information intercepted in the phone conversations is public knowledge is an important question to answer. Though the 2G spectrum belongs to the people, and the conversations that were intercepted were planning a scam to defraud the Indian exchequer, the conversations were meant to be private. So, does the public have a right to know the content of the conversations, or does Ratan Tata have the right to privacy? The legislation that addresses the release of public information, and defines the categories of information that are considered to be private, is the Right to Information Act 2005. In India in recent years the right to knowledge has become a cornerstone of Indian civil liberties. The Right to Information Act 2005 embodies this liberty. The RTI mandates timely response to a citizen’s request for government information, and in its preamble affirms the policy that “…democracy requires an informed citizenry and transparency of information which are vital to its functioning and also to contain corruption and to hold Governments and their instrumentalities accountable to the governed”[3]. Under the Act, public information about or held by the government must be given to citizens upon request. Unlike in some countries, such as Canada, where the Right to Information is bolstered by a privacy law [4], the Indian legislation only contains sections that detail exceptions of data that cannot be disclosed, and the conditions for third party release. These exceptions are laid out in section 8, and in section 11 release of records to a third party is outlined.</p>
<h3>Are the Conversations Considered Public Knowledge and Would they be Released by an RTI?</h3>
<p>In a recent interview Prashant Bhushan, Supreme Court Advocate responded to a similar question with the following statement [5]:</p>
<p>Bhushan: <em>"Firstly the conversations which have come out in the public domain are not private conversations. They are conversations between Nira Radia with various public servants, with various journalists etc in her official capacity as a paid professional lobbyist and fixer for her principals. Therefore, there is hardly anything personal in these conversations. These are all professional conversations or conversations about deal making, fixing, subverting public policy etc. These conversations would be available to every citizen even under the Right to Information Act because the only objection that one could raise would be on the ground of 81(J) of the Right to Information Act which says - information which relates to personal information, the disclosure of which has no relationship to any public activity or interest. This information has relationship to public activity or interest. It also says - or which would cause unwarranted invasion of the privacy of the individual unless the public authority is satisfied, unless the information officer is satisfied that the larger public interest justifies the disclosure of such an information. In this case there is overwhelming public interest which warrants the disclosure of this information because this shows all kinds of deal making, fixing going on.</em>"</p>
<p>As Bhushan has pointed out, it is possible to make the argument that the taped conversations should be categorized as public knowledge. They took place between public officials and journalists, and pertain to an issue that deeply impacts the public as a whole. Thus, a preliminary question that should be asked is whether Tata’s conversations would be revealed through an RTI, or whether his conversation would fall under the exemption of personal information found in section 8(j):</p>
<p align="left">“ <em>Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: </em></p>
<p align="left"><em>Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.</em>”</p>
<p>It is interesting to note the structure of this exemption. By the use of the word “or” the legislation suggests that unwarranted invasion of individual privacy may trigger the exemption, even if the information has a relationship to a public activity or interest. But the added caveat says that the larger public interest could justify the release of even purely private information. In addition, what constitutes “personal” information is never defined in the legislation. Thus, whether Tata’s conversations were personal in nature will have to be determined by the courts. Even if Tata’s wiretapped conversations were deemed not to be personal information, there is still an argument that they could not be released to the public through an RTI, because Tata is not a Tax Department official, and the RTI requires disclosure of information about the Tax Department or officials in the Tax Department, not information about individuals who are under investigation by the Tax Department.</p>
<h3>Was the Leak of the Tape Legal?</h3>
<p>Though the recording of the tapes by the Tax Department appears to be legal under the Telegraph Act 1885 section 5(2), the leak of the tape was not. Section 5(2) reads:</p>
<p><em>Section 5(2) – On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order:</em></p>
<p><em>Provided that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this sub-section.</em></p>
<p>Though the Telegraph Act does not lay out specific procedures as to how wiretapped information is to be protected and secured, under sections 23 and 24 it is not permitted for any person to illegally obtain the contents of an intercepted telegraph.</p>
<p><em>23. Intrusion into signal-room, trespass in telegraph office or obstruction – If any person –</em></p>
<p><em> 1. without permission of competent authority, enters the signal-room of a telegraph office of the Government, or of a person licensed under this Act, or</em></p>
<p><em> 2. enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or</em></p>
<p><em> 3. refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or</em></p>
<p><em> 4. willfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to five hundred rupees.</em></p>
<p><em> 24. Unlawfully attempting to learn the contents of messages – If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.</em></p>
<h3>Is it Important that the Leak was Illegal: A Question About the Public Good</h3>
<p>Clearly, from the above clauses, and in this situation, the Tax Department could argue firstly that they are not responsible for the leak, and secondly that the illegality of the release of the tapes is subservient to the need to protect public safety. But what constitutes the greater good? In the case of Babu Ram Verma Vs. State of Uttar Pradesh (1971) the Supreme Court interpreted the expression “public interest” as an act beneficial to the general public and an action taken for public purpose[6]. When considering whether the information is for the public good, the simple answer seems to be yes, the exposure of the 2G scam does benefit the “public interest”, but this should not be the complete answer. The reason that there are laws to regulate the dissemination of information is to protect information from being presented in a way that prejudices a person or discloses information that the public does not have a right to know. It is courts – not individuals – who should decide that the public does have a right to know before the information is disseminated. The information on the tapes could have been brought to the public’s attention by other - legal - means. Namely, the Tax Department could have filed for a new warrant to use the wiretapped information pertaining to the 2G scam, and disclosed the materials in connection with the Comptroller and Auditor General of India.</p>
<h3>Concerns about Privacy and the Right to Information: Not a Balance, but a Partnership</h3>
<p>The concern that privacy will be used to weaken transparency and to conceal crimes and corruption is often voiced as an obstacle to instituting a firm privacy law. Privacy is not a shield, and should not be misunderstood for one. A privacy legislation should bring clarity to the Right to Information. It should create a concise framework and understanding of what information is always acceptable to disclose, and what information is not acceptable to disclose without court authorization. In this situation, a privacy law could have clarified that conversations among private citizens are presumptively private, and that a court must determine otherwise. Though many people believe that the right to privacy and the right to transparency is a balance in which one right will always subordinate the other, this is not necessarily true. For instance if we look at how the two rights are at work when a voter is about to go to the polling stations, it is easy to see how they are related. The right to privacy can be understood, inter alia, as the right to be safe in one’s own identity. This is crucial for voting. If you look at this with focus on the candidate for election, there is a need to know as much information as possible about that individual in order to make an informed choice, but if too much unrelated information is known about a candidate, the election could be compromised.</p>
<h3>Conclusion: Will Ratan Tata be Afforded the Right to Privacy? </h3>
<p>In conclusion, the Nira Radia and Ratan Tata case raises many fundamental questions about privacy. In his white paper on privacy Vakul Sharma pointed out two important cases that could pertain to this situation. The first is People’s Union for Civil Liberties (PUCL) v. Union of India, in which the Supreme Court held that telephone tapping by the Government under S. 5(2) of the Telegraph Act, 1885 amounts to an infraction of Article 21 of the Constitution of India. Right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. The said right cannot be curtailed “except according to procedure established by law”[7]. It will be interesting to see if the courts follow a similar reasoning in this case, because though the tap was legal, the leak was illegal, or if exceptions will be made under the assumption of the greater public good. The second important case was State v. Charulata Joshi, in which the Supreme Court held that “the constitutional right to freedom of speech and expression conferred by Article 19(1)(a) of the Constitution which includes the freedom of the press is not an absolute right. The press must first obtain the willingness of the person sought to be interviewed and no court can pass any order if the person to be interviewed expresses his unwillingness”[8]. Perhaps the courts will instead follow the logic in this case, and rule that the press had no right to publish the recordings and that by doing so, Ratan Tata’s privacy was invaded. No matter what the court’s decision is, it is clear that in light of the Nira Radia case, the UID, and many other arising situations – India needs to come to a decision about whether it wants privacy legislation, and, if so, what a privacy legislation should look like.</p>
<h3>Bibliography:</h3>
<p>1. http://en.wikipedia.org/wiki/2G_spectrum_scam http://economictimes.indiatimes.com/news/politics/nation/On-Tatas-plea-apex-court-sends-notice-to-govt/articleshow/7028580.cms</p>
<p> http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html</p>
<p> http://economictimes.indiatimes.com/news/politics/nation/Phone-taps-should-not-be-leaked-Chidambaram/articleshow/7036765.cm</p>
<p>2. The following are a few cases that pertain to privacy: R. Rajagopal v. State of Tamil Nadu, People’s Union for Civil Liberties (PUCL) v. Union of India, Gobind v. State of M.P.</p>
<p>3. The Right to Information Act 2005. Preamble.</p>
<p>4. The Canadian Access to Information Act was created in 1985, and is meant to complement the Privacy Act.</p>
<p>5. http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html</p>
<p>6. Chakraborty, B.K. RTI and Protection of Individual Privacy. Tripura Information Commissio</p>
<p>7. Sharma, Vakul. White Paper on Privacy Protection in India. Section 5.</p>
<p>8. Sharma, Vakul. White Paper on Privacy Protection in India. Section 3.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata'>https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata</a>
</p>
No publisher | elonnai | 2012-03-21T10:03:20Z | Blog Entry
Short-term Consultant (IETF)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf
<b>The Centre for Internet & Society is seeking an individual with a strong understanding of IETF standards to work with us on writing 7 Human Rights Considerations for Internet standards and active drafts that are relevant to public interest. Additionally, the individual will help develop a longer term work-plan, expertise and approach for engagement in the IETF.</b>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples or other examples of technical work and CV</p>
<p dir="ltr">Contact: sunil@cis-india.org</p>
<p>
For more details visit <a href='https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf'>https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf</a>
</p>
No publisher | elonnai | Jobs | Internet Governance | 2018-04-21T15:44:49Z | Page
Short-term Consultant (Cyber Security)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security
<b>The Centre for Internet & Society is seeking an individual with strong understanding of cyber security to contribute research to its cyber security research under its Internet Governance programme.</b>
<p style="text-align: justify; ">Research topics include economic incentives for cyber security, cross border sharing of data, India’s cyber security framework, and cybersecurity dimensions of e-governance.</p>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples and CV</p>
<p dir="ltr">Contact: <a href="mailto:elonnai@cis-india.org">elonnai@cis-india.org</a></p>
<p>
For more details visit <a href='https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security'>https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security</a>
</p>
No publisher | elonnai | Internet Governance | 2018-04-20T01:27:36Z | Page
Seventh Privacy Round-table
https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table
<b>On October 19, 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation for Indian Chambers of Commerce and Industry, the Data Security Council of India, and Privacy International held a “Privacy Round-table” in New Delhi at the FICCI Federation House.</b>
<p style="text-align: justify; ">The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.</p>
<p style="text-align: justify; ">Previous Privacy Round-tables were held in:</p>
<ul>
<li style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting" class="external-link">New Delhi</a>: (April 13, 2013) with 45 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/162t8rU">Bangalore</a>: (April 20, 2013) with 45 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/12ICGYD">Chennai</a>: (May 18, 2013) with 25 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/12fJSvZ">Mumbai</a>: (June 15, 2013) with 20 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/11dgINZ">Kolkata</a>: (July 13, 2013) with 25 participants; and</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/195cWIf">New Delhi</a>: (August 24, 2013) with 40 participants.</li>
</ul>
<p style="text-align: justify; ">Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.</p>
<p style="text-align: justify; ">The Privacy Round-tables were organised to spark public dialogue and gain feedback for a privacy framework for India. To achieve this, <a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="external-link">the Privacy Protection Bill, 2013</a>, drafted by the Centre for Internet and Society, <a href="https://cis-india.org/internet-governance/blog/strengthening-privacy-protection.pdf" class="external-link">Strengthening Privacy through Co-regulation by the Data Security Council of India</a>, and the <a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of the Group of Experts on Privacy by the Justice A.P. Shah committee</a> were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.</p>
<p style="text-align: justify; ">The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under <a href="https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy" class="external-link">section 43A of the Information Technology Act</a>, were not sufficient to meet EU data secure adequacy. In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.</p>
<hr />
<p>Presentation: <b>Jacob Kohnstamm</b>, <i>Dutch Data Protection Authority and Chairman of the Article 29 Working Group </i></p>
<hr />
<p style="text-align: justify; ">Jacob Kohnstamm made a presentation on the privacy framework in the European Union. In his presentation, Kohnstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected, the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded. <br /><br />Kohnstamm recognized the tension between stringent data protection regulations and security for the government and the provision of services for businesses. However, he argued that the use of technology without regulation, whether for commercial or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone to the use of these technologies to ensure trust between the individual and the State, and the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. 
Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data, that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.<br /><br /> In response to a question asked about how the EU addresses the tension of data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances. As security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.<br /> <br />Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred and processed in India, it is subject to the same level of protections as it would be if it were processed in the EU. Without a privacy legislation in place, India’s present regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘dead lock’, the EU and India have agreed to set up an expert group, with experts from both the EU and India, to find a way in which India’s regime can be modified to meet EU data secure adequacy. As of date, no experts from the Indian side have been nominated and communicated to the EU.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.</li>
<li style="text-align: justify; ">Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data. </li>
<li style="text-align: justify; ">India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way out of the ‘dead lock’.</li>
</ol>
<hr />
<p>Discussion: <b>National Security, Surveillance and Privacy</b></p>
<hr />
<p style="text-align: justify; ">Opening the discussion up to the floor, it was discussed how in India, there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances for the powers given to Indian security agencies. One missing safeguard that the Indian regime has been heavily criticized for is the power of the Secretary of the Home Ministry to authorize interception requests, as having the authorization power vested in the executive leaves little space between interested parties seeking approval of interception orders, and could result in abuse or conflict of interest. With regards to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.</p>
<p style="text-align: justify; ">Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.</p>
<p style="text-align: justify; ">While discussing needed safeguards in an interception and surveillance regime for India, transparency of surveillance, by both the government and the service providers, was called out as a key safeguard for ensuring the protection of privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporated the idea of "nexus of surveillance" was also highlighted. It was also pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate security measures in place to ensure against loss and misuse, and have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li>The Indian surveillance regime currently does not have strong enough safeguards.</li>
<li>The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.</li>
<li>A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.</li>
</ol>
<hr />
<p>Presentation: <b>Chantal Bernier</b>, <i>Deputy Privacy Commissioner, Canada</i></p>
<hr />
<p style="text-align: justify; ">In her presentation, Bernier made the note that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. Furthermore, it was pointed out that there are two privacy legislations in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way as it is understood that the relationship between individuals and business is based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy, such as consent are different in the public sector and the private sector. In her presentation, Bernier pointed out that privacy is a global issue and because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be inter-operable.</p>
<p style="text-align: justify; ">Bernier described three main characteristics of the Canadian privacy regime including:</p>
<ol>
<li style="text-align: justify; ">It is comprehensive and applies to both the public and the private sectors.</li>
<li style="text-align: justify; ">The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.</li>
<li style="text-align: justify; ">The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaptation to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in the way in which the company believes it can meet this responsibility. Bernier also noted that all companies are responsible and accountable for any data that they outsource for processing. </li>
</ol>
<p style="text-align: justify; ">Furthermore, any company that substantially deals with Canadians must ensure that the forum in which complaints, etc., are heard is Canada. Furthermore, under the Canadian privacy regime, accountability for data protection rests with the original data holder who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.</p>
<p style="text-align: justify; ">Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to the Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as fining a company, but does have the ability to "name" companies who are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits upon discretion with respect to the public sector, and can perform audits on the private sector if they have reasonable grounds to investigate.</p>
<p style="text-align: justify; ">Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:</p>
<ol>
<li>The importance of having strong regulators.</li>
<li>Privacy regulators must work and cooperate together.</li>
<li>Privacy has become a condition of trade.</li>
<li>In today’s age, issues around surveillance cannot be underestimated.</li>
<li>Companies that have strong privacy practices now have a competitive advantage in today’s global market.</li>
<li>Privacy frameworks must be clear and flexible.</li>
<li>Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments. </li>
</ol>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The Right to Privacy is a fundamental right in Canada.</li>
<li style="text-align: justify; ">The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.</li>
<li style="text-align: justify; ">The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest. </li>
</ol>
<hr />
<p>Discussion: <b>The Data Protection Authority</b></p>
<hr />
<p style="text-align: justify; ">Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was pointed out that in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand, it was cautioned that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.</p>
<p style="text-align: justify; ">When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority could be established as a small regulator with an appellate body to hear complaints.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.</li>
<li style="text-align: justify; ">The composition of the Data Protection Authority should be diverse and it should have the competence to address the dynamic nature of privacy.</li>
<li style="text-align: justify; ">The Data Protection Authority could be established as a small regulator with an appellate body attached. </li>
</ol>
<hr />
<p style="text-align: justify; ">Presentation: <b>Christopher Graham</b>,<i> Information Commissioner, United Kingdom</i></p>
<hr />
<p style="text-align: justify; ">Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the <a class="external-link" href="https://www.gov.uk/data-protection">UK Data Protection Act</a> and the <a class="external-link" href="http://www.legislation.gov.uk/ukpga/2000/36/contents">Freedom of Information Act</a>. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part.</p>
<p style="text-align: justify; ">Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and his office has the power to fine non-compliant data controllers up to half a million pounds. Despite having this power, it is rarely used, as a smaller fine is usually sufficient for the desired effect. Yet, at the end of the day, whatever penalty is levied, it must be proportionate and risk based i.e., selective to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the market place where the price of not having strong standards is innovation and economic growth. To this extent, Graham also pointed out that self regulation and co-regulation are both workable models, if there are strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.</p>
<p style="text-align: justify; ">Graham also explained that he has found that currently there is a lack of confidence in Indian partners. This is problematic as the Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of cases of data breaches from Indian data controllers, such as a call center merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty that the office of the UK ICO is faced with, is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.</p>
<p style="text-align: justify; ">Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act, must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending their current regime, if they want data secure status and spoke about the economic benefits for both Europe and India, if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of UK Data Protection Act, Graham clarified that most important is the rule of law, and according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.</p>
<p style="text-align: justify; ">Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring other countries to uphold the right to privacy to the same level, when, for example, this is not practiced for other human rights such as children’s rights. In response Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that they do, the UK is not exporting UK citizens’ children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizens’ data, even when it leaves the UK jurisdiction. Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. To understand why Europe requires countries to be ‘data secure’ before transferring data to them, India needs to understand that privacy is a fundamental right and goes beyond security, and that when a company processes data it does not own the data; the individual owns the data and thus has rights attached to it.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The UK Information Commissioner’s Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.</li>
<li style="text-align: justify; ">Penalties must be proportionate and scalable to the offense. </li>
<li style="text-align: justify; ">Co-regulation and self-regulation can both be viable models for privacy, but enforcement is key to them being effective. </li>
</ol>
<hr />
<p style="text-align: justify; ">Discussion: <b>Collection of Data with Consent and Collection of Data without Consent</b></p>
<hr />
<p style="text-align: justify; ">Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked opinions about the circumstances when informed consent should not be required, it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet, collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not explicitly take into account consent for the transfer of information, and it does not address changing terms of service and whether companies must re-take consent, or whether providing notice to the individual is sufficient. The question about consent and additional collection of data that is generated through use of that service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance with the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service in the same way? The exception of disclosure without consent was also raised and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based for example on transparency, must be explored to address these situations.</li>
<li style="text-align: justify; ">The Privacy Protection Bill should explicitly address transfer of information to other countries. </li>
<li style="text-align: justify; ">The Privacy Protection Bill should address consent in the context of changing terms of service. </li>
</ol>
<hr />
<p>Discussion: <b>Penalties and Offences</b></p>
<hr />
<p style="text-align: justify; ">The penalties and offenses prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be ineffective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals, as the type of violation differs. For example, a breach by a data controller is often a matter of identifying the breach and putting in place strictures to ensure that it does not happen again by holding the company accountable through oversight, whereas a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation. Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.</p>
<p style="text-align: justify; ">The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages to incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is the statement of a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offenses and penalties were suggested, but for all of them it was clear that it is important to be creative about the type of penalties and not rely only on financial penalty, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.</li>
<li style="text-align: justify; ">Instead of levying penalties, the Bill should include incentives to ensure compliance. </li>
<li style="text-align: justify; ">Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach. </li>
</ol>
<hr />
<p>Discussion: <b>Cultural Aspects of Privacy</b></p>
<hr />
<p style="text-align: justify; ">The cultural realities of India, and the subsequent impact on the perception of privacy in India were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a communal based society, and a large population. All of these factors impact understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, having a principle based model might be too difficult to enforce as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will impact the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and thus Indians do not have a concept of privacy, cannot influence how a privacy law is framed for India.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.</li>
<li style="text-align: justify; ">Given India’s diversity, a principle based model might not be adequate. </li>
<li style="text-align: justify; ">Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India. </li>
</ol>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The seventh privacy round-table concluded with a conversation on the NSA spying and the Snowden Revelations. It was asked if domestic servers could be an answer to protect Indian data. Participants agreed that domestic servers are just a band aid to the problem. With regards to the Privacy Protection Bill it was clarified that CIS is now in the process of collecting public statements to the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table'>https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2013-11-20T09:58:39Z | Blog Entry
Security, Governments, and Data: Technology and Policy
https://cis-india.org/internet-governance/events/security-governments-data-technology-policy
<b>The Centre for Internet & Society and the Observer Research Foundation invite you to a one day conference on January 8, 2015 in New Delhi. </b>
<h3 style="text-align: justify; ">About the Conference</h3>
<p style="text-align: justify; ">The conference will focus on the technologies, policies, and practices around cyber security and surveillance. The conference will reach out to a number of key stakeholders including civil society, industry, government, and academia and explore the present scenario in India to reflect on ways forward.</p>
<h3 align="left" class="western"><strong>Conference Context</strong></h3>
<p align="justify"><span>Ensuring the security of India’s cyber space is a complex, challenging, and ever changing responsibility that the government is tasked with. Doing so effectively requires a number of factors to come together in a harmonized strategy including: laws & policies, technical capabilities, markets, and a skilled workforce. It also requires collaboration on multiple levels including with foreign governments, domestic and foreign industry, and law enforcement. The first of these is particularly important given the ability of attackers to penetrate across borders and the global nature of data. Any strategy developed by India must be proactive and reactive – evolving defences to prevent a potential threat and applying tactics to respond to a real time threat. To do so, the government of India must legally have the powers to take action and must have the technical capability to do so. Yet, many of these powers and technical capabilities require a degree of intrusion into the lives of citizens and residents of India through means such as surveillance. Thus, such measures must be considered in light of principles of proportionality and necessity, and legal safeguards are needed to protect against the violation of privacy. Furthermore, a principle of optimization must be considered, i.e., how much surveillance achieves the most security and how this security can be achieved with the optimal mix of technology, policy and enforcement.</span></p>
<h3 align="left" class="western">Panel Descriptions</h3>
<p align="left"><strong>Challenges & Present Scenario</strong></p>
<p align="left"><span>Protecting and enhancing the cyber security of India is a complex and dynamic responsibility. The challenge of securing cyber space is magnified by the demarcated nature of the internet, the multiplicity of vulnerabilities that can be exploited at the national level, the magnitude of infrastructure damage possible from a cyber attack, and the complexity of application of a jurisdiction’s law to a space that is technologically borderless. A comprehensive ‘cyber security’ ecosystem is required to address such challenges – one that involves technology, skills, and capabilities – including surveillance capabilities. The Government of India has taken numerous steps to address and resolve such challenges. In July 2013, the National Cyber Security Policy was published for the purpose of creating an enabling framework for the protection of India’s cyber security. In February 2014, the 52</span><sup>nd</sup><span> Standing Committee on Information Technology issued a report assessing the implementation of this policy – in which they found that a number of areas needed strengthening. The Government of India has also proposed the establishment of a number of centres focused on cyber security – such as the National Cyber Coordination Center and the National Critical Information Infrastructure Protection Centre. CERT-IN, under the Department of Electronics and Information Technology is presently the body responsible for overseeing and enforcing cyber security in India, while other bodies such as the Resource Centre for Cyber Forensic and TERM cells under the Department of Telecommunications play critical roles in overseeing and undertaking capabilities related to cyber security.</span></p>
<p align="justify"><strong>Law & Policy</strong></p>
<p align="justify"><span>India has five statutes regulating the collection and use of data for surveillance purposes. These laws define circumstances in which the government is justified in accessing and collecting real time and stored data as well as procedural safeguards it must adhere to when doing so. The Department of Telecommunications has also issued the Unified Access License which, among other things, mandates service providers to provide technical support to enable such collection. The Indian judicial system has also provided a number of rulings that set standards for the access, collection, and use of data as well as defining limitations and safeguards that must be respected in doing so. The draft Privacy Bill 2011, released by the Department of Personnel and Training, also contained provisions addressing surveillance in the context of interception and the use of electronic video recording devices. In the Report of the Group of Experts on Privacy, the AP Shah Committee found that the legal regime for surveillance in India was not harmonized and lacked safeguards. Furthermore, in the era where the direct collection of large volumes of data is easily possible, there is a growing need to re-visit questions about the legitimate and proportionate collection and use (particularly as evidence) of such data. Questions are also arising about the applicability of standards and safeguards to the state. At a global level, catalyzed by the leaks by Edward Snowden, there has been a strong push for governments to review and structure their surveillance regimes to ensure that they are in line with international human rights standards.</span></p>
<p align="justify"><strong>Architecture & Technology</strong></p>
<p align="justify"><span>India is in the process of architecting a number of initiatives that seek to enable the collection and sharing of intelligence such as the CMS, NATGRID, and NETRA. At a regional level, the Ministry of Home Affairs is in the process of implementing ‘Mega Policing Cities’ which include the installation of CCTVs and centralized access to crime related information. Globally, law enforcement and governments are beginning to take advantage of the possibilities created by ‘Big Data’ and ‘open source’ policing. The architecture and technology behind any surveillance and cyber security initiative are key to its success. Intelligently and appropriately designed projects and technology can also minimize the possibility of intrusions into the private lives of citizens. Strong access controls, decentralized architecture, and targeted access are all principles that can be incorporated into the architecture and technology behind a project or initiative. At the same time, the technology or process around a project can serve as the ‘weakest link’ – as it is vulnerable to attacks and tampering. Such possibilities raise concerns about the use of foreign technology and dependencies on foreign governments and companies.</span></p>
<p align="justify"><strong>International and Domestic Markets</strong></p>
<p align="justify"><span>Globally, the security market is growing – with companies offering a range of services and products that facilitate surveillance and can be used towards enhancing cyber security. In India, the security market is also growing with studies predicting that it will reach $1.06 billion by 2015. Recognizing the potential threat posed by imported security and telecom equipment, India also develops its own technologies through the Centre for Development of Telematics – attached to the Department of Telecommunications, and the Centre for Development of Advanced Computing – attached to the Department of Electronics and Information Technology. At times India has also imposed bans on the import of technologies believed to be compromised. Towards this end, the Government of India has a number of bodies responsible for licensing, auditing, and certifying the use of security and telecommunication equipment. Though India has recognized the security vulnerabilities posed by these technologies, as of yet it has not formally recognized the human rights violations that are made possible. Indeed, though India has submitted a request to be a signing member of the Wassenaar agreement, it has yet to be accepted.</span></p>
<h3 style="text-align: justify; ">Agenda</h3>
<table class="plain">
<tbody>
<tr>
<td>11.00</td>
<td>Registration & Tea</td>
</tr>
<tr>
<td>11.30</td>
<td>Key Note Speech</td>
</tr>
<tr>
<td>12.00</td>
<td>Challenges & Present Scenario</td>
</tr>
<tr>
<td>13.00</td>
<td>Law & Policy</td>
</tr>
<tr>
<td>14.00</td>
<td>Lunch</td>
</tr>
<tr>
<td>15.00</td>
<td>Architecture & Technology</td>
</tr>
<tr>
<td>16.00</td>
<td>International & Domestic Markets</td>
</tr>
<tr>
<td>17.00</td>
<td>Tea</td>
</tr>
<tr>
<td>17.30</td>
<td>Conclusion & Closing Remarks</td>
</tr>
</tbody>
</table>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/security-governments-data-technology-policy'>https://cis-india.org/internet-governance/events/security-governments-data-technology-policy</a>
</p>
No publisher | elonnai | Event | Internet Governance | 2014-12-24T08:06:59Z | Event
Security, Governments and Data: Technology and Policy
https://cis-india.org/internet-governance/blog/security-governments-datat-technology-and-policy
<b>On January 8, 2015, the Centre for Internet and Society, in collaboration with the Observer Research Foundation, hosted the day long conference "Security, Governments, and Data: Technology and Policy". The conference discussed a range of topics including internet governance, surveillance, privacy, and cyber security. </b>
<p>The full report written and compiled by Lovisha Aggarwal and Nehaa Chaudhari and edited by Elonnai Hickok <a href="https://cis-india.org/internet-governance/blog/security-governments-data-technology-policy.pdf" class="internal-link">can be accessed here</a>.</p>
<hr />
<p style="text-align: justify; ">The conference was focused on the technologies, policies, and practices around cyber security and surveillance. The conference reached out to a number of key stakeholders including civil society, industry, law enforcement, government, and academia and explored the present scenario in India to reflect on ways forward. The conference was a part of CIS’s work around privacy and surveillance, supported by Privacy International.</p>
<h3 style="text-align: justify; ">Welcome Address</h3>
<p style="text-align: justify; ">The welcome address opened with a reference to a document circulated by CIS in 2014 which contained hypothetical scenarios of potential threats to Indian cyber security. This document highlighted the complexity of cyber security and the challenges that governments face in defending their digital borders. When talking about cyber security it is important that certain principles are upheld and security is not pursued only for the sake of security. This approach allows for security to be designed and to support other rights such as the right of access, the right to freedom of expression, and the right to privacy. Indeed, the generation, use, and protection of communications data by the private sector and the government are a predominant theme across the globe today. This cannot be truer for India, as India hosts the third largest population on the internet in the world.</p>
<p style="text-align: justify; ">During the welcome, a brief introduction to the Centre for Internet and Society was given. It was noted that CIS is a 6.5 year old organization that is comprised of lawyers, mathematicians, sociologists, and computer scientists and works across multiple focus areas including accessibility, internet governance, telecom, openness, and access to knowledge. CIS began researching privacy and surveillance in 2010, and has recently begun to expand its research into cyber security. The purpose of this is to understand the relationship between privacy, surveillance, and security and is the beginning of a learning process for CIS. In 2013 CIS undertook a process to attempt to evolve a legal regime to intelligently and adequately deal with privacy in India. Industry specific requirements are key in the Indian context and this process was meant to try and evolve a consensus on what a privacy law in India should look like by bringing together key stakeholders for roundtables. CIS is now in the final stages of preparing individual legal proposals that will be sent to the Government – to hopefully have an informed Privacy Law in India. This event represents CIS’s first attempt to have a simultaneous dialogue on surveillance, cyber security, and privacy. As part of this event and research CIS is trying to understand the technology and market involved in surveillance and cyber security as these are important factors in the development of policy and law.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/security-governments-datat-technology-and-policy'>https://cis-india.org/internet-governance/blog/security-governments-datat-technology-and-policy</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2015-04-04T05:59:19Z | Blog Entry
Security and Surveillance – Optimizing Security while Safeguarding Human Rights
https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights
<b>The Centre for Internet and Society (CIS) on December 19, 2014 held a talk on “Security and Surveillance – Optimizing Security while Safeguarding Human Rights”.</b>
<p style="text-align: justify; ">The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.</p>
<p style="text-align: justify; ">During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.</p>
<p style="text-align: justify; ">Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.</p>
<p style="text-align: justify; ">Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.</p>
<p style="text-align: justify; ">A common theme that emerged from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - <i>“There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”</i></p>
<p style="text-align: justify; ">The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, <i>“We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights'>https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2015-02-13T02:41:46Z | Blog Entry
SCOSTA and UID Comparison not Valid, says Finance Committee
https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid
<b>The Standing Committee on Finance Branch, Lok Sabha Secretariat has responded to the suggestions offered by CIS on the National Identification Authority of India, Bill 2010 and has requested it to mail its views by 14 October 2011.</b>
<p>On January 6, 2011, CIS had sent an <a href="https://cis-india.org/internet-governance/blog/blog/privacy/letter-to-finance-committee" class="external-link">open letter to the Parliamentary Finance Committee</a> demonstrating how the Aadhaar biometric standard is weaker than the SCOSTA standard. The text of the reply is reproduced below.</p>
<p>Sir,</p>
<p>This is in response to one of the views/suggestions offered by CIS on the National Identification Authority of India Bill, 2010.</p>
<h3>CIS View /Suggestion:</h3>
<p>"Though the Aadhaar biometrics are useful for the de-duplication and identification of individuals, the Smart Card Operating System for Transport Application [(SCOSTA), developed by the National Informatics Centre in India)] standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Therefore, the Aadhaar biometric based authentication process should be replaced with a SCOSTA standard based authentication process."</p>
<p>In this regard, do you agree with the following view? If not, please justify.</p>
<p>"Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the unique id project.</p>
<p>The UID project follows a different approach and has multiple objectives — providing identity to residents of India, ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services, eliminating the fakes, duplicates and ghost identities prevalent in other databases and provide a platform for authentication in a cost effective and accessible manner.</p>
<p>UIDAI is not issuing cards or smart cards. Cards can be issued by agencies that are providing services. UID authentication does not exclude smart cards — service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."</p>
<p>You are requested to email your view by 14 October, 2011 positively.</p>
<p>Standing Committee on Finance Branch<br />Lok Sabha Secretariat</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid'>https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid</a>
</p>
No publisher | elonnai | Internet Governance | 2011-11-22T16:37:43Z | Blog Entry
Right to Privacy Bill 2010 — A Few Comments
https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010
<b>Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.</b>
<h2>Specific Recommendations</h2>
<p>The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged. </p>
<p>The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web by the media for the public to view. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses the interests of both photographers and journalists producing material for their journals. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory? </p>
<p>Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation. </p>
<h2>Specific Comments to the Bill</h2>
<h3>Misguiding Title</h3>
<p>The title of the Bill is "the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".</p>
<h3>Inappropriate Blanket Use of Privacy</h3>
<p>The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto." </p>
<p><strong>Comment</strong>: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest. </p>
<h3>Narrow Definition of Public Figures </h3>
<p>Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties</p>
<p><strong>Comment</strong>: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, and musicians, CEOs, and authors.</p>
<h3>Insufficient Limits to the Right to Privacy</h3>
<p>Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone: </p>
<p>Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.”</p>
<p><strong>Comment</strong>: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public be informed and their right to privacy be limited? </p>
<h3>Limited Scope of Technology </h3>
<p>Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be." </p>
<p><strong>Comment</strong>: We recommend that this clause clarify whether only cellular phones, and not cameras, computers, or other devices with built-in cameras, are required to produce the sound of at least 65 decibels.</p>
<h3>Overly Complicated Clauses</h3>
<p>Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of: </p>
<div>
<p>Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned. </p>
<p>Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and</p>
<p>Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise. </p>
<p><strong>Comment</strong>: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overbroad, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.</p>
<p>Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.</p>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010'>https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2012-03-22T06:26:14Z | Blog Entry
Rethinking Privacy Principles
https://cis-india.org/internet-governance/files/rethinking-privacy-principles
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/rethinking-privacy-principles'>https://cis-india.org/internet-governance/files/rethinking-privacy-principles</a>
</p>
No publisher | elonnai | 2017-09-11T02:17:02Z | File
Rethinking DNA Profiling in India
https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india
<b>DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs to be included in the draft Human DNA Profiling Bill.</b>
<hr />
<p style="text-align: justify; ">Elonnai Hickok's article was <a class="external-link" href="http://www.epw.in/web-exclusives/rethinking-dna-profiling-india.html">published in Economic &amp; Political Weekly</a>, Vol - XLVII No. 43, October 27, 2012</p>
<hr />
<p style="text-align: justify; ">DNA evidence was first accepted by the courts in India in 1985,<a href="#fn1" name="fr1">[1]</a> and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include</p>
<p class="callout" style="text-align: justify; ">"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.</p>
<p>The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.<a href="#fn3" name="fr3">[3]</a> The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,<a href="#fn5" name="fr5">[5]</a> along with a number of private labs<a href="#fn6" name="fr6">[6]</a> which analyse DNA samples for crime-related purposes.</p>
<p style="text-align: justify; ">In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of</p>
<p class="callout" style="text-align: justify; ">"enhancing protection of people in the society and the administration of justice."<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.<a href="#fn8" name="fr8">[8]</a> The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.</p>
<p>Concerns that have been raised with regard to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles<a href="#fn9" name="fr9">[9]</a> from DNA samples<a href="#fn10" name="fr10">[10]</a> only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles are added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).<a href="#fn11" name="fr11">[11]</a> This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.<a href="#fn12" name="fr12">[12]</a></p>
<p style="text-align: justify; ">The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: <i>crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board</i>.<a href="#fn13" name="fr13">[13]</a> How independent each of these indices is remains unclear. For example, the Bill does not specify, when a profile is searched for in the database, whether all indices are searched or only the relevant indices are searched, and the Bill requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.<a href="#fn14" name="fr14">[14]</a> The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected, and used for the identification of the perpetrator, including unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.<a href="#fn15" name="fr15">[15]</a> Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offences will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.</p>
<p style="text-align: justify; ">Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.<a href="#fn16" name="fr16">[16]</a> Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,<a href="#fn17" name="fr17">[17]</a> but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,<a href="#fn18" name="fr18">[18]</a> it allows for DNA profiles/DNA samples and related information to be shared for “<i>creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms</i>.”<a href="#fn19" name="fr19">[19]</a></p>
<p style="text-align: justify; ">An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."<a href="#fn20" name="fr20">[20]</a> CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.<a href="#fn21" name="fr21">[21]</a> Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?</p>
<p style="text-align: justify; ">Similarly, in the Report of the Working Group for the Eleventh Five Year Plan, it lists the following as a possible use of DNA profiling technology:</p>
<p class="callout" style="text-align: justify; ">"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."<a href="#fn22" name="fr22">[22]</a></p>
<p style="text-align: justify; ">This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals, and identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Windward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.<a href="#fn24" name="fr24">[24]</a> In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,</p>
<p style="text-align: justify; ">"<i>In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals</i>."<a href="#fn25" name="fr25">[25]</a> Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.<a href="#fn26" name="fr26">[26]</a> And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.<a href="#fn27" name="fr27">[27]</a> These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.</p>
<p style="text-align: justify; ">The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, <i>"DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any doubt."</i><a href="#fn28" name="fr28">[28]</a></p>
<p style="text-align: justify; ">This statement ignores the possibility of false matches, cross-contamination, and laboratory error<a href="#fn29" name="fr29">[29]</a> as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime;<a href="#fn30" name="fr30">[30]</a> in the French diplomat rape case, the DNA report came out with both negative and positive results;<a href="#fn31" name="fr31">[31]</a> and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.<a href="#fn32" name="fr32">[32]</a> Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.<a href="#fn33" name="fr33">[33]</a></p>
<p style="text-align: justify; ">The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:</p>
<p class="callout" style="text-align: justify; ">"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."<a href="#fn34" name="fr34">[34]</a></p>
<p style="text-align: justify; ">The claim that the DNA fingerprinting service has shown a dramatic increase in the conviction rate is not supported by evidence in this article. In addition, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.<a href="#fn35" name="fr35">[35]</a> This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.<a href="#fn36" name="fr36">[36]</a> From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.</p>
<p style="text-align: justify; ">Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hand of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.<a href="#fn37" name="fr37">[37]</a></p>
<p style="text-align: justify; ">Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.<a href="#fn38" name="fr38">[38]</a> The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.</p>
<p style="text-align: justify; ">The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.<a href="#fn39" name="fr39">[39]</a> These are significant gaps in the proposed legislation as it restricts the rights of the individual.</p>
<p style="text-align: justify; ">In conclusion, India could benefit from having a legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement from the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at:<span> <a href="http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf">http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr2" name="fn2">2</a>]. Section 53. The Criminal Code of Procedure, 1973. Available at: <span><a href="http://www.vakilno1.com/bareacts/crpc/s53.htm">http://www.vakilno1.com/bareacts/crpc/s53.htm</a></span>. Last accessed October 9th 2012.<br />[<a href="#fr3" name="fn3">3</a>]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: <span><a href="http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf">http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf</a></span>. Last Accessed October 9th 2012.<br />[<a href="#fr4" name="fn4">4</a>]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: <span><a href="http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0">http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr5" name="fn5">5</a>]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr6" name="fn6">6</a>]. 
For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.<br />[<a href="#fr7" name="fn7">7</a>]. Draft Human DNA Profiling Bill 2012. Introduction.<br />[<a href="#fr8" name="fn8">8</a>]. Id. section 12(a-z)<br />[<a href="#fr9" name="fn9">9</a>]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.<br />[<a href="#fr10" name="fn10">10</a>]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct DNA analysis, collected in such manner as specified in Part II of the Schedule.<br />[<a href="#fr11" name="fn11">11</a>]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.<br />[<a href="#fr12" name="fn12">12</a>]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html">http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr13" name="fn13">13</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))<br />[<a href="#fr14" name="fn14">14</a>]. Id. Section 35<br />[<a href="#fr15" name="fn15">15</a>]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.<br />[<a href="#fr16" name="fn16">16</a>]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.<br />[<a href="#fr17" name="fn17">17</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (5)-
((6)(a)-(b))
. Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.<br />[<a href="#fr18" name="fn18">18</a>]. Id. Section 39<br />[<a href="#fr19" name="fn19">19</a>]. Id. Section 40(c)<br />[<a href="#fr20" name="fn20">20</a>]. CDFD. Annual Report 2010-2011. Pg19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr21" name="fn21">21</a>]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: <a href="http://www.cdfd.org.in/servicespages/dnafingerprinting.html" title="http://www.cdfd.org.in/servicespages/dnafingerprinting.html">http://www.cdfd.org.in/servicespages/dnafingerprinting.html</a><br />[<a href="#fr22" name="fn22">22</a>]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: <span><a href="http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf">http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr23" name="fn23">23</a>]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html">http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr24" name="fn24">24</a>]. Narayan, P. 
A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: <span><a href="http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms">http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr25" name="fn25">25</a>]. BioAxis DNA Research Centre (P) Limited. Website Available at: <span><a href="http://www.dnares.in/dna-databank-database-of-india.php">http://www.dnares.in/dna-databank-database-of-india.php</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr26" name="fn26">26</a>]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at:<span><a href="http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank">http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr27" name="fn27">27</a>]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.<br />[<a href="#fr28" name="fn28">28</a>]. Draft DNA Human Profiling Bill 2012. Introduction<br />[<a href="#fr29" name="fn29">29</a>]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr30" name="fn30">30</a>]. DNA. Aarushi case: Expert forgets samples collected from murder spot. 
August 28th 2012. Available at: <span><a href="http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957">http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr31" name="fn31">31</a>]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: <span><a href="http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html">http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr32" name="fn32">32</a>]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: <span><a href="http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests">http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr33" name="fn33">33</a>]. Draft Human DNA Profiling Bill 2012. Section 18-27.<br />[<a href="#fr34" name="fn34">34</a>]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: <span><a href="http://dbtindia.nic.in/uniquepage.asp?id_pk=124">http://dbtindia.nic.in/uniquepage.asp?id_pk=124</a></span>. Last accessed: October 10 2012.<br />[<a href="#fr35" name="fn35">35</a>]. CDFD Annual Report 2010 – 2011.Pg.19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr36" name="fn36">36</a>]. CDFD Annual Report 2006-2007.Pg. 13. 
Available at: <span><a href="http://www.cdfd.org.in/images/AR_2006_07.pdf">http://www.cdfd.org.in/images/AR_2006_07.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr37" name="fn37">37</a>]. Draft Human DNA Profiling Bill 2012. Section 35<br />[<a href="#fr38" name="fn38">38</a>]. Id. Section 41.<br />[<a href="#fr39" name="fn39">39</a>]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9. Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-10-29T08:00:01Z | Blog Entry
Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill
https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill
<b>Following our previous post comparing the leaked 2014 Privacy Bill with the leaked 2011 Privacy Bill, this post will compare the recommendations provided in the Report of the Group of Experts on Privacy by the Justice AP Shah Committee to the text of the leaked 2014 Privacy Bill. Below is an analysis of recommendations from the Report that are incorporated in the text of the Bill, and recommendations in the Report that are not incorporated in the text of the Bill. </b>
<h2>Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill</h2>
<h3>Constitutional Right to Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.</p>
<h3 style="text-align: justify; ">Nine National Privacy Principles</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data. An analysis of the principles as compared in the Report and the Bill is below:</p>
<ul>
<li style="text-align: justify; "><b>Notice</b>: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill. According to the notice principle in the Report, a data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information; Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects. <br /><br />In contrast, the 2014 Privacy Bill requires that all the data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected. 
If the purpose for which the personal data is used changes, data controllers must provide data subjects with a further notice that would include: the use to which the personal data shall be put; whether or not the personal data will be disclosed to a third person and, if so, the identity of such person; if the personal data being collected is intended to be transferred outside India, the reasons for doing so, how such transfer helps in achieving the legitimate purpose, and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place, data controllers must inform the affected data subject that the personal data has been lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; or processed, re-identified or disclosed in an unauthorized manner.<br /><br />Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Choice and Consent</b>: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on Privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subjects will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex, the 2014 Privacy Bill also contains provisions that address mandatory collection of information which require, as recommended by the Report of the Group of Experts, that the information is anonymized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data. <br /><br />Unlike the principle recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exceptional cases, when it is not possible to provide a service with choice and consent, choice and consent will not be required.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Collection Limitation:</b> The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and consent taken. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Purpose Limitation</b>: Though the principles of Purpose Limitation in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill are similar, in that both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which it is processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data. </li>
</ul>
<ul>
<li><b>Access and Correction</b>: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Disclosure of Information: </b>The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim). As recommended, this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound to adhere to all relevant and applicable privacy principles.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Security:</b> The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Openness:</b> The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity of the data they collect. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Accountability:</b> The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller be accountable for compliance with the National Privacy Principles. </li>
</ul>
<p style="text-align: justify; "><b>Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material</b>: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).</p>
<p style="text-align: justify; ">With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. Note that the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. <br /><br />With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised. <br /><br />With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.</p>
<h3 style="text-align: justify; ">Additional Protection for Sensitive Personal Data</h3>
<p style="text-align: justify; ">The <b>Report of the Group of Experts on Privacy</b> broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The <b>2014 Privacy Bill</b> incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions; password, banking credit and financial data; narco analysis or polygraph test data; and sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances in which this authorization would not be required, including: collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected and processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetics is processed and collected by law enforcement agencies; such data regarding 
credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual; such data is collected or processed by the government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India; or the authority has, by a general or specified order, permitted the processing of such data for a specific purpose, limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.</p>
<h3 style="text-align: justify; ">Privacy Officers</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.</p>
<h3 style="text-align: justify; ">Co-regulatory Framework</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry-level self-regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry-level self-regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.</p>
<h2 style="text-align: justify; ">Recommendations in the Report that are not in the Bill</h2>
<h3>Scope</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extend to all individuals, all data processed in India, and all data originating from India. The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.</p>
<h3 style="text-align: justify; ">Exceptions</h3>
<p>The Report of the Group of Experts recommends the following as exceptions to the right to privacy:</p>
<ol>
<li>National security</li>
<li>Public order</li>
<li>Disclosure in the public interest </li>
<li>Prevention, detection, investigation, and prosecution of criminal offenses </li>
<li>Protection of the individual and rights and freedoms of others </li>
</ol>
<p>The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessity in a democratic state.</p>
<p style="text-align: justify; ">The Privacy Bill 2014 reflects only the exception of “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:</p>
<ol>
<li>Sovereignty, integrity or security of India; or</li>
<li>Strategic, scientific or economic interest of India; or</li>
<li>Preventing incitement to the commission of any offence; or</li>
<li>Prevention of public disorder; or</li>
<li>The investigation of any crime; or</li>
<li>Protection of rights and freedoms of others; or</li>
<li>Friendly relations with foreign states; or</li>
<li>Any other legitimate purpose mentioned in this Act.</li>
</ol>
<p style="text-align: justify; ">Instead of qualifying these exceptions with the principles of proportionality, legality, and necessity in a democratic state, as recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill requires that any restriction be adequate and not excessive to the objectives it aims to achieve.</p>
<h3 style="text-align: justify; ">Constitution of Infringement of Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast, the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to Information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.</p>
<h3 style="text-align: justify; ">The Data Protection Authority</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The Privacy Commissioner should have the power to receive and investigate class action complaints, and the investigative powers of the Commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo motu, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio and video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry-level SROs.</p>
<p style="text-align: justify; ">Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.</p>
<p style="text-align: justify; ">The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs, to receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, and to conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, investigate data breaches, investigate complaints received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers. Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.</p>
<h3 style="text-align: justify; ">Tribunal and System of Complaints</h3>
<p style="text-align: justify; ">Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court, whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self-regulatory organization. The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.</p>
<h3 style="text-align: justify; ">Penalties and Offenses</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.</p>
<p style="text-align: justify; ">In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.</p>
<hr />
<p><b>References</b></p>
<ol>
<li><a href="https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011/" class="external-link">Leaked Privacy Bill: 2014 vs. 2011 </a></li>
<li><a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of the Group of Experts on Privacy</a></li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill'>https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill</a>
</p>
No publisher | elonnai | Featured, Internet Governance, Privacy | 2014-04-14T06:10:20Z | Blog Entry