Centre for Internet and Society

Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool

Admin — 2018-01-18T15:01:48Z

Depending on who you ask, the Aadhaar is either a convenience or a curse.

The article was published by First Post on January 18, 2018.

The ongoing hearing in the Supreme Court is testing the constitutional validity of a scheme that has been around in one shape or another since 2003, ever since the need for an identification project was first felt.

By the government's own estimates, the Aadhaar initiative has covered 98 percent of the adult population in India and, as of 7 September, the Unique Identification Authority of India (UIDAI) has generated cards for 105.11 crore people. So, if you are an Indian adult, chances are that you possess an Aadhaar card by now.

The Aadhaar database is one of the largest government databases on the planet, where a 12 digit unique-identity number has been assigned to the majority of the Indian citizens. This database contains both the demographic as well as biometric data of the citizens.

What started as a unique identification number to streamline the distribution of welfare to the needy has now turned into an all-pervasive tool that can arm the government with sensitive data of all Indians. At the heart of this issue is the sheer quantity of data being amassed as part of the scheme and the many privacy and security concerns generated as a result of it.

The Aadhaar of today, in addition to basic personal information, includes biometric data like your fingerprints, your iris scan and now even your facial scans (albeit introduced as a safety feature). This is designed to address the issue of failed biometric authentication, as an alternative for people having difficulty authenticating, due to factors like worn out fingerprints, or changing biometric data due to old age, hard work conditions, accidents and the like.

But what it fails to address is the growing unease among citizens about the scale of the project, its intent, and the actual legality of enabling such an architecture, which could threaten the citizens with the possibility of State surveillance.

The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy.

However, worst fears about Aadhaar have come true after the developments that have happened over the past few weeks. A recent investigation by The Tribune revealed that the details of any of the billion Aadhaar numbers issued in India were accessible for as little as Rs 500.

Since then, the UIDAI and every other government machinery have been in top gear, trying to allay the fears around Aadhaar. It even introduced a flurry of steps to make sure that the database is safe and secure, and that the data is protected. But not everyone is convinced. Critics say, biometrics only make the citizen transparent to the State and that it does not make the State transparent to citizens.

"We warned the government six years ago, but they ignored us," Sunil Abraham, executive director of Bengaluru-based research organisation, Centre for Internet and Society, was quoted by The Hindu Business Line as saying.

According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.

On the other hand, finance minister Arun Jaitley said recently that an Aadhaar card could become the sole identifier for a person in future. "A stage may come that the unique identity will become the only card," Jaitley said. "There are many countries where such a situation exists. There is a social security number in America and in India it (Aadhaar) could be the counterpart."

Since its inception, the Aadhaar was always pitched as a scheme integral to the modernisation of social welfare in India.

But, according to a Scroll report, state governments are struggling to use Aadhaar-based fingerprint authentication in ration shops. Whereas, at the same time, a rising number of companies are integrating Aadhaar into their databases for private services that have nothing to do with the welfare delivery system.

So, why is the scheme failing at the very job it was created for, while proving useful to private endeavours elsewhere? Why did the BJP, a dispensation critical of Aadhaar in 2014, make a complete u-turn and become a champion for a cause backed by the UPA in its time? Are the security, privacy concerns a small price to pay for better delivery of welfare schemes or is it an instrument of surveillance and a potential goldmine for hackers?

The debate around Aadhaar and the explanations for its need and/or threats are biased, incomplete and solely depend on who you ask. Therefore, it might do well to trace the roots of the Aadhaar mission and retrace its critical moments.

Origins of Aadhaar

According to the Scroll report, India first fiddled with the idea to assign numbers to people in 2003, in the aftermath of the Kargil war.

With rising security concerns, the then BJP government under Atal Bihari Vajpayee wanted every Indian citizen to be accounted for. This desire eventually took the shape of the National Population Register, that aimed to identify citizens amongst the country's residents.

The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR).

The second and major push for an identity project was introduced subsequently by the UPA-1 government in late 2008. With welfare spending on the rise, adds the report, bureaucrats in the erstwhile Planning Commission were worried about leakages.

Thus, the idea of constituting an authority that would aggregate all databases of social welfare programmes to create a mother database emerged.

Such a database would "weed out ghosts and duplicates so that a person who gets the LPG subsidy doesn’t also get the kerosene subsidy," Scroll quoted a former UIDAI official as saying, on conditions of anonymity.

Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Biometric data was not in the picture at this time.

And then, in 2016, the Centre notified the new Aadhaar Act, which gives the unique identity number assigned to each Indian citizen statutory backing. The idea of this Act was to empower Aadhaar with legal backing for the purpose of transferring subsidies and government benefits to beneficiaries through designated bank accounts.

The government said in a notification that the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 will provide “efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals."

Another interesting aspect of the Aadhaar debate is the politics of it all. The Opposition, BJP back then and UPA now, has shaped much of the debate against the use of Aadhaar. But one thing that stands out in this melee is that many in the current dispensation, who are currently the biggest proponents of the scheme, had once opposed it vehemently.

"The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi had famously said when he was the Gujarat chief minister. He had alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.

In 2014, Modi had tweeted: "On Aadhaar, neither the team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick."

So, how was it that one of Aadhaar's most vehement opponents became its biggest proponent?

According to a report in The Hindu Business Line, the destiny of the Aadhaar scheme was shaped by two meetings – between Nilekani and Modi with Jaitley, and the second with Vijay Madan, the UIDAI director general and mission director.

Through the course of these meetings, the potential savings from plugging subsidy leakageswas put across to Modi, a figure of "up to ₹50,000 crore a year".

Modi in his keenness to showcase the arrival of "acche din", the report adds, immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project.

Thus, the current Aadhaar project was born.

Inclusion of biometric data

Although an extension of UPA's idea, the new Aadhaar act had some crucial differences:

- As per the new Act, "any person who has resided in India for 182 days (in the one year preceding the application for Aadhaar)". The UPA's Bill said any person residing in India.

- Further, the new Act says that the number can be used to verify the identity of any person, for any purpose, by any public or private entity. In the UPA's Bill, no such provision was there.

- The new Act stipulated all these identity facets to be maintained: photograph, biometric information (iris scan and fingerprint), demographic information (name, date of birth, address but excludes race, religion, caste, etc.), and Aadhaar number. The authority may specify any other biological and demographic information to be collected.

Data security debate

Over the last one year, there have been multiple instances of Aadhaar data leaking online through government websites or its mobile app. The most recent case was when an RTI query pushed UIDAI to reveal that about 210 government websites made the Aadhaar details of people with Aadhaar, public on the internet.

Centre for Internet and Society (CIS) also pointed out that about 130 million Aadhar numbers along with other sensitive data were available on the internet.

The recent Tribune report has only highlighted the deeper, infrastructural fallibility of singular mega-database of sensitive data.

As per this Firstpost piece, the UIDAI's response to such an obvious data breach and violation of privacy is extremely worrying. It is yet another reiteration of the privacy concerns with Aadhaar, and the constant denial of privacy concerns by the UIDAI instead of sitting up and addressing the problem at hand.

The large-scale collection of data and the binding of said data with almost all services raises a pertinent question: Is the government capable of safeguarding the massive amounts of data collected as part of the Aadhaar project? The answer, again, depends on who you ask.

Concerns over privacy

Apart from the security concerns, Aadhaar has brought up a question of the citizen's privacy, given that access to such sensitive data empowers the government to keep a close scrutiny of a person's financial, personal information.

The Supreme Court had held recently that privacy is a fundamental right under the Constitution with reasonable restrictions. This decision is bound to impact the Aadhaar project in one way or another, as collectively biometric data of citizens can be construed as a violation of said right.

The Supreme Court started hearing the crucial cases related to the constitutional validity of Aadhaar on Wednesday. A five-judge bench heard the arguments of the petitioner, maintaining that the government's mandatory biometric identification project is, in essence, seeking to change a people's Constitution into State's Constitution.

The petitioners made submissions ranging from the Standing Committee's observations, to the precedents as adopted by other nations to pointing out basic moral and administrative defects in amassing biometric data of citizens on such a large scale, perhaps trying to patiently drive the point that the Aadhaar project can never be safely assumed to be leakproof, hence safe, ergo, legal.

The petitioner also argued that Aadhaar could lead to millions of people being denied access to essential services and benefits in violation of their human rights, as he pointed out that biometric details of almost 6.2 crore people have been rejected, mainly due to calloused hands and fingertips, wherein biometric data could not be recorded.

"These are not dishonest people or ghosts," he said. Even the Standing Committee report on Aadhaar points out: "..it has been proven again and again that in the Indian environment, the failure to enrol with fingerprints is as high as 15 percent due to the prevalence of a huge population dependent on manual labour. These are essentially the poor and marginalised sections of the society. So, while the poor do indeed need identity proofs, Aadhaar is not the right way to do that"

In December 2017, the court had extended the deadline for mandatory linking of Aadhaar with various services and welfare schemes till 31 March, 2018. It had also modified its earlier order with regard to linking Aadhaar with mobile services and said the deadline of 6 February, 2018 for this purpose also stood extended till 31 March.

Right to Privacy and its effect on Aadhaar

In August 2017, the Supreme Court in a unanimous 9:0 judgment had declared the Right to Privacy to be a Fundamental Right. It was hailed as a big victory for pro-privacy advocates who could now point to the Constitutional Bench judgment should the right ever be questioned.

However, the judgment only established the theoretical Right to Privacy. It removed the earlier hurdles of the cases of MP Sharma and Kharak Singh which had held Right to Privacy not to be a Fundamental Right. However, the actual freedoms protected by the Right had to be enshrined into in separate judgments.

As far Aadhaar is concerned, the judgment did not invalidate it in any way. However, it did give a boost to anti-Aadhaar arguments which rely on privacy as now the government can no longer say that there is no Right to Privacy.

With 1.08 billion citizens already enrolled, the ‘mandatory vs. voluntary’ debate on Aadhaar is now mostly a thing of the past. What remains to be seen now is how the Supreme Court will rule on the constitutional validity of the Aadhaar and if the government will be willing to reform/modify the current scheme to allay fears over data security and privacy in order to retailer the project to meet its original goal, the timely and secure delivery of welfare to those who need it.

With inputs from agencies

For more details visit https://cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool

Aadhaar seeding: benefits and concerns

Admin — 2017-11-23T02:02:45Z

Products and services such as bank accounts, life insurance policies and phone connections have to be linked with Aadhaar. But is this of any real help?

The article by Shaikh Zoaib Saleem was published by Livemint on November 14, 2017.

The government has made it mandatory for consumers to link many important services with Aadhaar. You too may be getting frequent reminders to link your banks account, mutual fund and mobile number with Aadhaar. Recently, the Reserve Bank of India also clarified that it is mandatory to link bank accounts with Aadhaar.

The latest addition to this list are insurance policies. In a circular, the Insurance Regulatory and Development Authority of India (Irdai) has stated that linking of Aadhaar number to insurance policies is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017.

The issue is being discussed intensively, with the Supreme Court taking a decision in favour of linking Aadhaar biometrics and the number with a host of services. Several petitions have been filed challenging not just the linking of these services with Aadhaar but also the validity of Aadhaar itself. We spoke to people who support and those who oppose this linking, to understand how either case impacts consumers.

The benefits

According to the Unique Identification Authority of India (UIDAI), government schemes are asking for Aadhaar as it helps to clean out duplications and fakes, and provides accurate data to enable implementation of direct benefit programmes. “Use of Aadhaar reduces the cost of identifying persons and provides increased transparency to the government in implementation of its schemes,” the Authority states under frequently asked questions on its website (read more at: https://uidai.gov.in/your-aadhaar/help/faqs.html) So, when you link your bank account with your Aadhaar, government benefits such as subsidy on LPG cylinders is credited directly to that account. The FAQs, however, do not elaborate how such linking helps an individual who does not get, or does not wish to get, such subsidies. In a tweet, UIDAI had said that verifying a bank account using Aadhaar adds an additional layer of security.

Nakul Saxena, a former banker who now works on policy advocacy at the software think tank iSpirt Foundation, said that linking of Aadhaar with these services will help eradicate fake accounts, fake insurance policies and unauthorised mobile connections. “It is possible that there are many accounts in the system that have been opened using such documents and copied signatures and even the banks may not be aware of it. Some people may not even be aware that an account exists in their name. These accounts need to be verified using Aadhaar now,” he said.

The government claims to have removed millions of fake beneficiaries for government benefits by Aadhaar linking. As reported by Mint in May 2017, over 23 million fake ration cards have been scrapped, potentially saving the government Rs14,000 crore in food subsidy every year. Another Mint report in August says, three states discovered that about 2,72,000 fake students were availing the mid-day meal (MDM) scheme.

However, those who are against linking Aadhaar disagree with these arguments. “Initially, Aadhaar was about delivery of services. But linking everybody’s phone number and bank account is not about that anymore. The real question is, what purpose this linking serves. If the intention is to update the databases, then there can be other means to update those,” said Rahul Narayan, a Supreme Court advocate who is among the lawyers representing petitioners who have challenged Aadhaar linking in court.

The concerns

The fundamental objection to this linking of services is that all information on an individual will be available at a single place, which could make surveillance easier and also increase the risks if this information is hacked. “As of now, your bank knows something about you, your insurance company knows something and your mobile phone company knows something about you. Each of these are different silos of information. When these converge, which is then accessible to a single person, that person knows almost everything about you,” said Narayan.

Moreover, a user’s Aadhaar number and fingerprint are permanent identifiers, and at least the Aadhaar number has been compromised for over 130 million citizens, as per a study by Centre for Internet & Society, said Nikhil Pahwa, co-founder of the SaveTheInternet.in (https://internetfreedom.in) campaign for net neutrality in India. “This leaves the users vulnerable to social hacks, some of which we have already been reading about in the news. To forcefully and mandatorily link Aadhaar to bank accounts means that their finances are at risk,” he said.

Saxena said the data leaks that have been highlighted have been typically about demographic details such as name, date of birth and address “which have been commonly available so far.” However, given the heightened sensitivities in this digital age, customers must ask their service providers to not publish such details, nor provide this information freely, he added.

Grievance redressal and data privacy

Another major concern is the absence of a clear redressal mechanisms for consumers in case of a data leak, misuse or hack. “When things go wrong, consumers need to have access to a proper complaints mechanism. In the case of Aadhaar, such access is to be provided through the establishment of ‘contact centres’ under the Regulation 32 of the UIDAI Enrolment and Update Regulations. To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI,” said Renuka Sane, associate professor at the National Institute of Public Finance and Policy, who has worked on data privacy and security issues.

Apart from this, Section 47 of the Aadhaar Act stipulates that only UIDAI or its authorised officers can file a criminal complaint for violations of the Act, she added.

“The UIDAI has been given complete discretion in determining if and when to file a criminal complaint for violations of the Act, and an individual aggrieved by actions of a third person is left to rely upon the bonafide actions of the UIDAI,” Sane added. The government is also working towards a data privacy legislation, that is needed to give citizens protection against misuse of their data, and them having some control over who gets their data, how it is used, and where it can be shared. “However, a data privacy legislation and mechanism will not ensure that data remains secure and protected, and that processes are followed. The Act disallowing people from sharing Aadhaar numbers did not prevent government departments from publishing details online,” said Pahwa. He also said that systems can get hacked, which could include the Aadhaar database, the parallel Aadhaar databases with state governments, or eKYC databases held with banks and telecom operators.

Saxena said the UIDAI has clarified that biometric information is not stored with user agencies, and stored biometrics can't be used for Aadhaar authentication or eKYC. “Hence, customers can be assured when using Aadhaar and biometrics with authorized entities,” he said. “The data privacy law will address data privacy and protection in all digital systems, not just Aadhaar. It will equally apply to social media and mobile apps. It should also go into the aspect of ‘right to be forgotten’,” said Saxena.

Pahwa, however, insists that the least that should be done is to give citizens the right to not link their Aadhaar and use other IDs for authentication, plus the ability to change their ID number if the system gets compromised.

What you should do

For now, the deadlines for linking bank accounts with Aadhaar is 31 December 2017, and for mobile phones it is 7 February 2018. In its latest hearing on the matter, the Supreme Court has directed service providers to mention these deadlines in their reminders. “Right now, regardless of what they say, nobody is going to shut down your bank account or disconnect your mobile connection, at least till the deadline. There are several petitions being heard in the Supreme Court. The matter is supposed to be taken up by the Supreme Court in the last week of November. The final word from the court is yet to come and it is quite possible that at least the deadlines gets extended,” said Narayan.

If you have already linked these services with Aadhaar, you are in no trouble. But if you are having second thoughts, the linking cannot be undone. If you are concerned about safety or other aspects, you can wait to get more clarity from the Supreme Court.

For more details visit https://cis-india.org/internet-governance/news/shaikh-zoaib-saleem-livemint-november-14-2017-aadhaar-seeding-benefits-and-concerns

Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’

pranesh — 2017-04-04T16:10:06Z

Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.

The article was published in the Hindustan Times on April 3, 2017.

Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.
(Siddhant Jumde / HT Illustration)

Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.

OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.

Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.

The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).

It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.

It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).

But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.

In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.

The citizen must be transparent to the state, while the state will become more opaque to the citizen.

How Did Aadhaar Change?

How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?

The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.

In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.

Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software.

Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.

At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.

UID has changed in other ways too. In 2009, it was as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.

With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.

Security Concerns

With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.

Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In 2015, researchers in Carnegie Mellon captured the iris scans of a driver using car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.

Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.

All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.

The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.

Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations

Aadhaar is actually surveillance tech: Sunil Abraham

praskrishna — 2016-03-16T17:07:39Z

On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.

Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The article was published on March 12, 2016.

The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. Sunil Abraham, executive director of Bengaluru based-research organisation The Centre for Internet & Society, tells Sahil Makkar that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:

What is your position on Aadhaar and the UIDAI Bill?

What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.

What are the repercussions of this "broken technology"?

Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.

Will the beneficiary not receive a message about the transaction?

That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.

Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?

In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.

So your principle opposition is to the setting up of a central repository of biometrics?

I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

But if the security agencies are able to identify those who create law and order problems, what is the hitch?

It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. Fear of this type of surveillance will deter people from holding any protest.

Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?

The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.

You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?

It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.

How will such a law help a common man whose data have been compromised?

It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.

At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....

Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.

Isn't it difficult for a large number of ghost beneficiaries to get into the system?

There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.

If there are problems with the UIDAI system, why is the government upbeat about it?

As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham

Aadhaar Card: One Identity, Multiple Disorders

praskrishna — 2017-05-26T00:01:54Z

It is still hazy to see the desperation of the union government to imposing the Aadhaar Card mandatory when matters related to Aadhaar Card are already sub judice.

This was blog post by Gaurav Raj was published by India Saga on May 25, 2017.

The constitutionality of Aadhaar is yet to be decided by the Supreme Court, however, the enrolment of Aadhaar has reached the mark of more than one billion. Recently, the government declared Aadhaar mandatory to file Income Tax Return (ITR) while the Supreme Court is opined not to treat Aadhaar mandatory, but voluntarily. Now it is imperative of the government to confide the citizens that the Aadhaar information- demography and biometrics-are in safe hands, a debate which has been heating up, and the contempt of the court’s decision by the government is for greater good. But the uproar against the speculation of identity revelation threat and possible misuse of Aadhaar details by the government-corporate nexus, plausible reasons to doubt the security of privacy, which is a fundamental right of Indian citizen. Ironically, after the Finance Minister Arun Jaitley defended the ‘Aadhaar Money Bill controversy’ filed by former congress MP Jairam Ramesh in the court, the Supreme Court is in dilemma and yet to decide whether ‘Right to Privacy' is a fundamental right or not.

Why Aadhaar Card Mandatory?

Nandan Nilekani, the co-founder of Infosys and the ideologue of Aadhaar, said that Aadhaar will change the PDS system in India since it ensures no ghost or fake beneficiaries to avail unentitled benefits of the various welfare schemes and subsidies. Nilekani also says that there might be margin of error up to 5 per cent in distributing the subsidies or benefits of various welfare schemes to the masses. The top-honcho technocrat has also defended Aadhaar that any breach of privacy of citizens is not possible as the Unique Identification Authority of India (UIDAI) is efficient to secure the public data under CIDR.

The government claims that the corruption-mounted Public Distribution System (PDS) in India is reformed due to the introduction of the 12 digit unique identification number. More than 40000 crore have been saved in the form of exchequer due to curb of fake and ghost beneficiaries in the PDS system. Now if we believe Nilekani claim of 5% error, then more than 5 crore beneficiaries would be losing their benefits due the error in the biometric identification. The Infosys co-founder later said that if there is a margin of error then ‘One Time Password’ (OTP) comes in. However, he didn’t define what if there is a congestion of network in the remotest Indian villages where phone signals are rare? Standing on the PDS shop waiting for food grains and network, is certainly not an ideal way to avail the benefits of the government welfare schemes. In 2011, activist and writer Ruchika Gupta said in an interview to Tahalka, “The UID cannot address the bulk of delivery problems in the two of the biggest social sectors programmes like MGNREGA and PDS. Linking UID with social sector legislation is completely baseless.”

PAN Card Linked with Aadhaar Card?

The government has directed the Reserve Bank of India to make Aadhaar mandatory for Income Tax Return filing. Currently, there are approximately 24.37 crores PAN holders in India, however 3.8 crore people file income tax return every year. There have been cases of people owned not more than one but 100 PAN Cards with them. PAN cards in India are mostly used by the citizens as a proof of identity. The government believes that PAN card linking with Aadhaar will curb the tax evasion.

How Safe Is Your Data In This Panopticon Model Of Mass Surveillance?

In the late 18th century, the well-known English social reformer and jurist Jeremy Bentham wanted to build a ‘panoptican’ for a mass surveillance of the prisoners in England. He advocated designing an institutional building be used to keep an eye on all the jail inmates by a single watchman. Very similarly, India is witnessing the biggest surveillance program ever under the name of single identity and availing benefits of governments’ schemes. Another logic behind enrolment of Aadhaar is the ‘national security’. National security? How can any government ensure national security backing Aadhaar, when international companies have been hired in consortium to collect residents’ biometric and demography details? In 2010, Accenture, Mahindra-Satyam Morpho and L1 identity solutions were pooled in by UIDAI for leveraging de-duplication exercise of Aadhaar and data collection. L1 Identity Solutions’ top brasses are the former Director CIA George Tenet and former Homeland Security deputy secretary Adm James. With its headquarters in Connecticut, this company is one of the biggest defence contractors specialised in facial recognition and biometrics. L1 Identity Solutions and Accenture work in a close affinity to US intelligence agencies. This is an age of information. Corporate houses and big telecom players are dying to get details of consumers. Obvious are the concerns about the safety and security of the people’s data. It is feared that the database can be used for various marketing and business purposes.

CIDR, A Single Database Of People’s Data

Central Identities Data Repository (CIDR) is a data management and storing agency in India which is initiated for the Aadhaar project. It is regulated by the statutory body of Unique Identification Authority of India (UIDAI). This centralised database is probably one of the biggest repositories on this planet.

In 2010, experts had claimed that more than a thousand government sites and portals were attacked more than 4000 times by China alone in one year. In April 2011, 77 million Sony Playstations and digital media delivery service Qriocity were hacked which resulted into a shutdown of the network for a week. The London School of Economics also reported that a central database of vulnerable to hacking and other terrorist and cyber crime activities. Recently Wannacry Ransomware virus hits the globe. More than 99 countries were affected.

Building one single repository for billions of Aadhaar Card data seems to be a big risk in the most vulnerable country where dat breach is at most.

Data Leak Crisis

UIDAI has so far spent approximately 5982.62 crores for more than a billion enrolments of Aadhaar Cards. 1615.34 crores have been spent between the financial year 2015-2016. Centre for Internet and Society, Bengaluru-based organization (CIS) has learned that data of more than 130 million Aadhaar card holders has been leaked from four government websites. They are National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme and Daily Online Payments Reports of NREGA. It also includes Bank details and other confidential details of millions of residents.

What is Next?

The Lok Sabha has passed the Aadhaar Bill as Money Bill. Mukul Rohatgi said in the Supreme Court that according to Article 110 of the constitution, there is use of consolidated funds of India so the bill is a Money bill. Chief Justice Khehar said, “Your object might be good but whether it is a ‘Money Bill’ or not is the question.” Justice Ramana referred to a 2014 judgment passed by the Apex court that courts had no jurisdiction over procedurals matters of legislative.” In response P. Chidambram, the counsel for Jairam Ramesh said, “This petition is not about a procedural matter. There has been substantive infraction.”

For more details visit https://cis-india.org/internet-governance/news/the-indiasaga-may-25-2017-aadhaar-card-one-identity-multiple-disorders

Aadhaar Bill fails to incorporate suggestions by the Standing Committee

amber — 2016-03-10T15:58:57Z

In 2011, a standing committee report led by Yashwant Sinha had been scathing in its indictments of the Aadhaar BIll introduced by the UPA government. Five years later, the NDA government has introduced a new bill which is a rehash of the same. I look at the concerns raised by the committee report, none of which have been addressed by the new bill.

The article was published by The Wire on March 10, 2016

In December, 2010, the UPA Government introduced the National Identification Authority of India Bill, 2010 in the Parliament. It was subsequently referred to a Standing Committee on Finance by the Speaker of Lok Sabha under Rule 331E of the the Rules of Procedure and Conduct of Business in Lok Sabha. This Committee, headed by BJP leader Yashwant Sinha took evidence from the Minister of Planning and the UIDAI from the government, as well as seeking the view of parties such as the National Human Rights Commission, Indian Banks Association and researchers like Dr Reetika Khera and Dr. Usha Ramanathan. In 2011, having heard from various parties and considering the concerns and apprehensions about the UID scheme, the Committee deemed the bill unacceptable and suggested a re-consideration of the the UID scheme as well as the draft legislation.

The Aadhaar programme has so far been implemented under the Unique Identification Authority of India, a Central Government agency created through an executive order. This programme has been shrouded in controversy over issues of privacy and security resulting in a Public Interest Litigation filed by Judge Puttaswamy in the Supreme Court. While the BJP had criticised the project as well as the draft legislation when it was in opposition, once it came to power and particularly, after it launched various welfare schemes like Digital India and Jan Dhan Yojna, it decided to continue with it and use Aadhaar as the identification technology for these projects. In the last year, there have been orders passed by the Supreme Court which prohibited making Aadhaar mandatory for availing services. One of the questions that the government has had to answer both inside and outside the court on the UID project is the lack of a legislative mandate for a project of this size. About five years later, the new BJP led government has come back with a rehash of the same old draft, and no comments made by the standing committee have been taken into account.

The Standing Committee on the old bill had taken great exception to the continued collection of data and issuance of Aadhaar numbers, while the Bill was pending in the Parliament. The report said that the implementation of the provisions of the Bill and continuing to incur expenditure from the exchequer was a circumvention of the prerogative powers of the Parliament. However, the project has continued without abeyance since its inception in 2009. I am listing below some of the issues that the Committee identified with the UID project and draft legislation, none of which have been addressed in current Bill.

One of the primary arguments made by proponents of Aadhaar has been that it would be useful in providing services to marginalized sections of the society who currently do not have identification cards and consequently, are not able to receive state sponsored services, benefits and subsidies. The report points that the project would not be able to achieve this as no statistical data on the marginalized sections of the society are being used to by UIDAI to provide coverage to them. The introducer systems which was supposed to provide Aadhaar numbers to those without any form of identification, has been used to enroll only 0.03% of the total number of people registered. Further, the Biometrics Standards Committee of UIDAI has itself acknowledged the issues caused due to a high number of manual laborers in India which would lead to sub-optimal fingerprint scans. A report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. In this manner, the project could actually end up excluding more people.

The Report also pointed to a lack of cost-benefit analysis done before going ahead with scheme of this scale. It makes a reference to the report by the London School of Economics on the UK Identity Project which was shelved due to a) huge costs involved in the project, b) the complexity of the exercise and unavailability of reliable, safe and tested technology, c) risks to security and safety of registrants, d) security measures at a scale that will result in substantially higher implementation and operational costs and e) extreme dangers to rights of registrants and public interest. The Committee Report insisted that such global experiences remained relevant to the UID project and need to be considered. However, the new Bill has not been drafted with a view to address any of these issues.

The Committee comes down heavily on the irregularities in data collection by the UIDAI. They raise doubts about the ability of the Registrars to effectively verify the registrants and a lack of any security audit mechanisms that could identify issues in enrollment. Pointing to the news reports about irregularities in the process being followed by the Registrars appointed by the UIDAI, the Committee deems the MoUs signed between the UIDAI and the Registrars as toothless. The involvement of private parties has been under question already with many questions being raised over the lack of appropriate safeguards in the contracts with the private contractors.

Perhaps the most significant observation of the Committee was that any scheme that facilitates creation of such a massive database of personal information of the people of the country and its linkage with other databases should be preceded by a comprehensive data protection law. By stating this, the Committee has acknowledged that in the absence of a privacy law which governs the collection, use and storage of the personal data, the UID project will lead to abuse, surveillance and profiling of individuals. It makes a reference to the Privacy Bill which is still at only the draft stage. The current data protection framework in the Section 43A rules under the Information Technology Act, 2000 are woefully inadequate and far too limited in their scope. While there are some protection built into Chapter VI of the new bill, these are nowhere as comprehensive as the ones articulated in the Privacy Bill. Additionally, these protections are subject to broad exceptions which could significantly dilute their impact.

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee

Aadhaar assurances fail to assuage privacy concerns

praskrishna — 2017-05-20T06:23:32Z

While Aadhaar may be secure from external attacks, a failsafe system hasn’t been developed to protect it from Edward Snowden-style leakages and hacks.

The article by Anirban Sen was published by Livemint on May 5, 2017. Pranesh Prakash was quoted.

As calls for a privacy and data protection law grow louder with each passing day amid reports of a central government ministry having made up to 130 million Aadhaar numbers public on its website, widespread concerns continue to emerge over loopholes in the security of the unique identification programme, though the man who created the system continues to defend the security and integrity of the system.

Most worryingly, a consensus is emerging among security and privacy experts, who have argued that while the Aadhaar system may be secure from external attacks, a failsafe system has not been developed to protect it from Edward Snowden-style internal leaks or hacks.

“(What has been suggested by the Unique Identification Authority of India and Nandan Nilekani) is that there will never be a data breach like what we saw in the US with the National Security Agency, Central Intelligence Agency, or Office of Personnel and Management breaches (data of federal government personnel, including more than 5.6 fingerprints, was leaked), or in Mexico or Turkey, or even in India when the department of defence was breached for cyber-espionage for multiple years without detection,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“While the system may be secure from external attacks, there is no failsafe system to make it invulnerable to Snowden-style breaches,” he added.

In an interview, former UIDAI chairman and Infosys Ltd co-founder Nandan Nilekani continued to defend the security of the system and said steps are being taken everyday to enhance the failsafe processes surrounding the system.

“I think the Aadhaar system is extremely well-designed. It’s not an online system that is exposed to the Internet. When enrolment happens, the packet is encrypted at source and sent, so that there can’t be a man-in-the-middle attack. And when the authentication happens, that is also encrypted—not compared to the original data, but to a digital minutiae. The point is that the system is very, very secure. So, if the objection is to centralization, then you should not have clouds. Clouds are also centralized,” said Nilekani. He added that Aadhaar was also safe from internal breaches, an assumption that is being challenged by security experts all across.

“Within seven years of its launch, the Aadhaar system has made a remarkable leap in terms of its security and privacy and it will keep improving things. Technology does not come through immaculate conception, where one morning some perfect technology is born. It has to evolve. It’s called learning by doing,” added Nilekani. He added that improving the security of the system is an ongoing process and conceded that a data protection and privacy law needs to be in place to supplement the current Aadhaar law.

“I know the government has sent a notice to everyone. If somebody has done it; they ought not to have done it—there’s a law for that,” said Nilekani when asked about recent instances of Aadhaar numbers being made public by government departments.

“We should have a data protection and privacy law which is an umbrella law, which looks at all these phenomena and certainly Aadhaar should be part of that. That’s perfectly fine—but people are behaving as if Aadhaar is the only reason why we should have a privacy law,” added Nilekani.

The last few weeks and months have witnessed a steady stream of negative news surrounding Aadhaar and three main cases are currently being fought in the Supreme Court, including one challenging the government’s decision to make the 12-digit ID mandatory for filing income tax returns as well as for obtaining and retaining a PAN Card.

Meanwhile, as Mint reported in April, questions are being raised on the Aadhaar biometric authentication failure rate in the rural job guarantee scheme in areas such as Telangana.

The report of Aadhaar numbers being listed on the government ministry website has caused widespread uproar, although a lawyer pointed out that it is not due to a breach in the Aadhaar system.

“It’s a misnomer to say this a leak because this was voluntarily, very actively put up there. A leak is when some information being kept securely gets breached somehow and comes out. Now, why is this information up on government websites? This is the problem of our government’s perception of transparency...The fact that the Aadhaar numbers are on the government website is not a flaw of the Aadhaar system, but it is a flaw of the understanding of what needs to be done to demonstrate transparency,” said Rahul Matthan, partner at Trilegal.

In a column in Mint, Matthan had also pointed out that while Aadhaar has been a transformative project, there remains enough scope of misusing the database.

“There is a legitimate fear that this identity technology will open us all up to discrimination, prejudice and the risk of identity theft,” Matthan wrote. “Aadhaar has given us the tools to harness data in large volumes. If used wisely, this technology can transform the nation. If not, it can cause us untold harm. We need to be prepared for the impending flood of data—we need to build dams, sluice gates and canals in its path so that we can guide its flow to our benefit.”

Even as both sides debate the issue of Aadhaar’s security, calls are getting louder to revamp the unique identification database.

“The point is that the UIDAI knows the device ID of the machine with which the biometric transaction took place along with the time and date, which means that by just using basic data analytics, any one with access to the transaction logs from the UIDAI (which have to be kept for a period of 5 years and 6 months) can have a complete view of a person’s Aadhaar-based interactions that are increasing day by day.”

“Further, the UIDAI has built up a biometric profile of the entire country. This means that courts can order UIDAI to provide law enforcement agencies the biometrics for an entire state (as the Bombay high court did) to check if they match against the fingerprints recovered from a crime scene. This too is surveillance, since it collects biometrics of all residents in advance rather than just that of criminal suspects,” said Prakash of CIS.

“The UIDAI could have chosen to derive unique 16 digit numbers from your Aadhaar number and provide a different one to each requesting entity. That would have prevented much of these fears. But the UIDAI did not opt for that more privacy-friendly design,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-may-5-2017-anirban-sen-aadhaar-assurances-fail-to-assuage-privacy-concerns

A trust deficit between advertisers and publishers is leading to fake news

sunil — 2018-10-02T06:44:55Z

Transparency regulations is need of the hour. And urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required.

The article was published in Hindustan Times on September 24, 2018.

Traditionally, we have depended on the private censorship that intermediaries conduct on their platforms. They enforce, with some degree of success, their own community guidelines and terms of services (TOS). Traditionally, these guidelines and TOS have been drafted keeping in mind US laws since historically most intermediaries, including non-profits like Wikimedia Foundation were founded in the US.

Across the world, this private censorship regime was accepted by governments when they enacted intermediary liability laws (in India we have Section 79A of the IT Act). These laws gave intermediaries immunity from liability emerging from third party content about which they have no “actual knowledge” unless they were informed using takedown notices. Intermediaries set up offices in countries like India, complied with some lawful interception requests, and also conducted geo-blocking to comply with local speech regulation.

For years, the Indian government has been frustrated since policy reforms that it has pursued with the US have yielded little fruit. American policy makers keep citing shortcomings in the Indian justice systems to avoid expediting the MLAT (Mutual Legal Assistance Treaties) process and the signing of an executive agreement under the US Clout Act. This agreement would compel intermediaries to comply with lawful interception and data requests from Indian law enforcement agencies no matter where the data was located.

The data localisation requirement in the draft national data protection law is a result of that frustration. As with the US, a quickly enacted data localisation policy is absolutely non-negotiable when it comes to Indian military, intelligence, law enforcement and e-governance data. For India, it also makes sense in the cases of health and financial data with exceptions under certain circumstances. However, it does not make sense for social media platforms since they, by definition, host international networks of people. Recently an inter ministerial committee recommended that “criminal proceedings against Indian heads of social media giants” also be considered. However, raiding Google’s local servers when a lawful interception request is turned down or arresting Facebook executives will result in retaliatory trade actions from the US.

While the consequences of online recruitment, disinformation in elections and fake news to undermine public order are indeed serious, are there alternatives to such extreme measures for Indian policy makers? Updating intermediary liability law is one place to begin. These social media companies increasingly exercise editorial control, albeit indirectly, via algorithms to claim that they have no “actual knowledge”.

But they are no longer mere conduits or dumb pipes as they are now publishers who collect payments to promote content. Germany passed a law called NetzDG in 2017 which requires expedited compliance with government takedown orders. Unfortunately, this law does not have sufficient safeguards to prevent overzealous private censorship. India should not repeat this mistake, especially given what the Supreme Court said in the Shreya Singhal judgment.

Transparency regulations are imperative. And they are needed urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required. Anyone should be able to see all public content that has been shared with more than a certain percentage of the population over a historical timeline for any geographic area. This will prevent algorithmic filter bubbles and echo chambers, and also help public and civil society monitor unconstitutional and hate speech that violates terms of service of these platforms. So far the intermediaries have benefitted from surveillance — watching from above. It is time to subject them to sousveillance — watched by the citizens from below.

Data portability mandates and interoperability mandates will allow competition to enter these monopoly markets. Artificial intelligence regulations for algorithms that significantly impact the global networked public sphere could require – one, a right to an explanation and two, a right to influence automated decision making that influences the consumers experience on the platform.

The real solution lies elsewhere. Google and Facebook are primarily advertising networks. They have successfully managed to destroy the business model for real news and replace it with a business model for fake news by taking away most of the advertising revenues from traditional and new news media companies. They were able to do this because there was a trust deficit between advertisers and publishers. Perhaps this trust deficit could be solved by a commons-based solutions based on free software, open standards and collective action by all Indian new media companies.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-sunil-abraham-september-24-2018-a-trust-deficit-between-advertisers-and-publishers-is-leading-to-fake-news

A tale of two Internet campaigns

praskrishna — 2014-03-07T00:19:26Z

Techies supported anti-surveillance campaign, companies backed internet safety.

Deepa Kurup's article was published in the Hindu on February 11, 2014. Sunil Abraham is quoted.

The Internet was the subject of two distinctly different global campaigns, both coinciding on Tuesday. While one is backed by rights groups, civil society organisations and advocates of software and Internet freedom in general, another is run and supported by major tech corporations with a view to creating awareness on being safe online.

Supported by over 5,000 websites globally, including biggies Reddit, Mozilla (makers of Firefox) and the Electronic Frontier Foundation, the ‘Day We Fight Back’ campaign aimed at raising a voice against mass dragnet surveillance by the U.S. government. Despite being a largely U.S.-centric mass campaign attacking the National Security Agency’s spying activities worldwide, groups such as the Free Software Movement of Karnataka (FSMK) and Bangalore-based NGO Centre for Internet and Society have supported it.

On Tuesday, GNU/Linux user groups (known as glugs) in several colleges — coordinated by the FSMK — did classroom-to-classroom campaigns talking to students and creating awareness about surveillance. In some engineering colleges, such as the SJBIT, these glugs are even screening documentaries related to online privacy and mass surveillance over the week. Explaining why the FSMK decided to hold a campaign here, Sarath M.S. of the FSMK said: “While the call for action is directed towards lawmakers in U.S., this affects all of us. It has undermined the sovereignty of nations and privacy of individuals. Given this, it is important to build public opinion among the youth against these surveillance systems, and make them understand the political issues underlying products and services that they use regularly.”

Sunil Abraham of the CIS, an organisation that is listed on the campaign website (www.thedaywefightback.org) as a supporter, says that the global support comes from the fact that people have realised that the idea that the Internet is a democratic medium is not true anymore. “The aftermath of Snowden’s revelations have signalled the end of the Internet as we knew it. This is an attempt by civil society organisations to make a case for the web we want.

Safe Internet Day

Meanwhile, two big companies announced activities as part of the Safe Internet Day, an annual global campaign that promotes safer use of online tech. To mark the occasion, Microsoft Corp released results of the third annual Microsoft Safe Computing Index that found that 20 per cent Indians have been victims of online phishing attacks and 12 per cent have suffered identity theft.

Google India too launched the ‘Good to Know’ campaign on online safety. It announced a partnership with Digital Empowerment Foundation (DEF) and the Voluntary Organisation in the Interest of Consumer Education (VOICE) on this campaign.

For more details visit https://cis-india.org/news/the-hindu-february-11-2014-deepa-kurup-a-tale-of-two-internet-campaigns

A Study of the Privacy Policies of Indian Service Providers and the 43A Rules

elonnai — 2015-01-13T02:37:31Z

Written by Prachi Arya and Kartik Chawla
Edited by: Vipul Kharbanda, Elonnai Hickok, Anandini Rathore, and Mukta Batra

Click to download the PDF

Contents
Executive Summary
Introduction
Objective, Methodology, and Scope of the Study
Objective of Research
Methodology
Scope
Criteria for selection of companies being studied
Overview of Company Privacy Policy and Survey Results
Vodafone
Tata Teleservices Limited
Airtel
Aircel
Atria Convergence Technologies
Observations
International Best Practices
Australia
European Union
Recommendations
Annexure 1
Annexure 2

Executive Summary

India has one of the largest telecom subscriber base in the world, currently estimated at 898 Million users.^{^[1]} With over 164.8 Million people accessing the internet ^{^[2]} in the subcontinent as well, technology has concurrently improved to facilitate such access on mobile devices. In fact, the high penetration rate of the internet in the market can be largely attributed to mobile phones, via which over 80% of the Indian population access the medium.^{^[3]}

While this is a positive change, concerns now loom over the expansive access that service providers have to the information of their subscribers. For the subscriber, a company's commitment to protect user information is most clearly defined via a privacy policy. Data protection in India is broadly governed by Rules notified under Section 43A of the Information Technology Act 2000.^{^[4]} Amongst other things, the Rules define requirements and safeguards that every Body Corporate is legally required to incorporate into a privacy policy.

The objective of this research is to understand what standards of protection service providers in India are committing to via organizational privacy policies. Furthermore, the research seeks to understand if the standards committed to via organizational privacy policies align with the safeguards mandated in the 43A Rules. Towards this, the research reviews the publicly available privacy policies from seven different service providers - Airtel, Aircel, Vodafone, MTNL, BSNL, ACT, and Tata Teleservices.

The research finds that only Airtel, Vodafone, and Tata Teleservices fully incorporate the safeguards defined in the 43A Rules. Aircel, and ACT incorporate a number of such safeguards though not all. On the other hand BSNL minimally incorporates the safeguards, while MTNL does not provide a privacy policy that is publicly available.

Introduction

The Indian Telecom Services Performance Indicators report by the Telecom Regulatory Authority of India (TRAI) ^{^[5]} pegs the total number of internet subscribers in India at 164.81 million and the total number of telecom subscribers at 898.02 million, as of March 2013. As mobile phones are adopted more widely, by both rural and urban populations, there is an amalgamation of telecommunications and internet users. Thus, in India, seven out of eight internet users gain access through mobiles phones. ^{^[6]}

Though this rapid evolution of technology allows greater ease of access to digital communication, it also has led to an increase in the amount of personal information that is shared on the internet. Subsequently, a number of privacy concerns have been raised with respect to how service providers handle and protect and customer data as companies rely on this data not only to provide products and services, but also as a profitable commodity in and of itself. Individuals are thus forced to confront the possible violation of their personal information, which is collected as a quid pro quo by service providers for access to their services and products. In this context, protection of personal information, or data protection, is a core principle of the right to privacy.

In India, the right to privacy has been developed in a piecemeal manner through judicial intervention, and is recognized, to a limited extent, as falling under the larger ambit of the fundamental rights enshrined under Part III of the Constitution of India, specifically those under Article 21. ^{^[7]} In contrast, historically in India there has been limited legislative interest expressed by the Government and the citizens towards establishing a statutory and comprehensive privacy regime. Following this trend, the Information Technology Act, 2000 (IT Act), as amended in 2008, provided for a limited data protection regime.

However, this changed in 2010 when, concerned about India's robust growth in the fields of IT industry and outsourcing business, an 'adequacy assessment' was commissioned by the European Union (EU), at the behest of India, which found that India did not have adequate personal data protection regime. ^{^[8]} The main Indian legislation on the personal data security is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), enacted under Section 43A of the IT Act, which extends the civil remedy by way of compensation in case wrongful loss or gain under Section 43A to cases where such loss or gain results from inadequate security practices and procedures while dealing with sensitive personal data or information. In 2012, the Justice AP Shah group of Experts was set up to review and comment on Privacy,^{^[9]} for the purpose of making recommendations which the government may consider while formulating the proposed framework for the Privacy Act.

Objective, Methodology, and Scope of the Study

Objective of Research

This research aims to analyse the Privacy Policies of the selected Telecommunications (TSP) and Internet Service Providers (ISP) (collectively referred to as 'service providers' for the purposes of this research) in the context of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ('Rules') in order to gain perspective on the extent to which the privacy policies of different types of service providers in India, align with the Rules. Lastly, this research seeks to provide broad recommendations about changes that could be incorporated to harmonize the respective policies and to bring them in line with the aforementioned Rules.

Methodology

The Privacy Policies^{^[10]} of seven identified service providers are sought to be compared vis-a-vis - the requirements under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, (Rules) as notified by way of section 87(2) (ob) read with section 43A of the Information Technology Act, 2000.

Specifically, the Privacy Policies of each of the selected companies are compared against a template that is based on of the essential principles of the Rules respectively, and consists of a series of yes or no questions which are answered on the basis of the respective Privacy Policy. These responses are meant to fulfil the first aim of this research, i.e., provide a perspective into the extent to which these companies follow the Rules and the Principles, and thus the extent to which they respect the privacy of their customers. See Annex 1 for the survey template and the interpretation of the 43A Rules for the development of the survey.

Scope

Criteria for selection of companies being studied

For the purpose of the study the companies selected are limited to service providers - including Telecommunication Service Providers and Internet Service Providers. Four broad categories of companies have been selected, namely (i) State Owned Companies, (ii) Multinational Companies, (iii) Joint Venture companies where one party is an Indian company and the other party is a foreign based company and (iv) Domestic companies which have a localized user base. The companies have been selected on this basis of categorization to better understand if the quality of their respective privacy policies is determined by their market reach and user base.

The privacy policies of the following service providers have been analyzed:

1. State Owned Companies^{^[11]}

a. BSNL^{^[12]}: Bharat Sanchar Nigam Limited, better known as BSNL, is a state-owned telecommunications company that was incorporated by the Indian government in the year 2000, taking over the functions of Central Government departments of Telecommunications Services (DTS) and Telecom Operations (DTO). It provides, inter alia, landline, mobile, and broadband services, and is India's oldest and largest communication services provider. ^{^[13]} It had a monopoly in India except for Mumbai and New Delhi till 1992.

b. MTNL^{^[14]}: Mahanagar Telephone Nigam Limited is a state-owned telecommunications company which provides its services in Mumbai and New-Delhi in India, and Mauritius in Africa. It was set up by the Indian Government in the year 1986, and just like BSNL, it had a monopoly in the sector till 1992, when it was opened up to other competitors by the Indian government. It provides, inter alia, Telephone, Mobile, 3G, and Broadband services. ^{^[15]}

2. Multinational Companies

a. Bharti Airtel Ltd:^{^[16]} Bharti Airtel, more commonly referred to as Airtel, is the largest provider of mobile telephony and the second largest provider of fixed telephony in India. Its origins lie in the Bharti Group founded by Sunil Bharti Mittal in 1983, and the Bharti Telecom Group which was incorporated in 1986. It is a multinational company, providing services in South Asia, Africa, and the Channel Islands. Among other services, it offers fixed line, cellular, and broadband services. ^{^[17]} The company also owns a submarine cable landing station in Chennai, connecting Chennai and Singapore.[18]

b. Vodafone^{^[19]}: Vodafone is a British multinational telecom company. Its origins lie in the establishment of Racal Telecom in 1982 which then became Racal Vodafone in 1984, which was a joint venture between Racal, Vodafone and Hambros Technology Trust. Racal Telecom was demerged from Racal Electronics in 1991, and became the Vodafone group. ^{^[20]} The Vodafone group started its operations in India with its predecessor Hutchison Telecom, which was a joint venture of Hutchison Whampoa and the Max Group, acquiring the cellular license for Mumbai in 1994^{^[21]}, and it bought out Essar's share in the same in the year 2007.^{^[22]} As of today, it has the second largest subscriber base in India. After Airtel, ^{^[23]} Vodafone is the largest provider of telecommunications and mobile internet services in India.^{^[24]}

3. Joint Ventures

a. Tata Teleservices^{^[25]} - Incorporated in 1996, Tata Teleservices Limited is an Indian telecommunications and broadband company, the origins of which lie in the Tata Group. A twenty-six percent equity stake was acquired by the Japanese company NTT Docomo in Tata Docomo, a subsidiary of Tata Teleservices, in 2008. ^{^[26]} Tata Teleservices provides services under three brand names, Tata DoCoMo, Virgin Mobile, and T24 Mobile. As a whole, these brands under the head of Tata Teleservices provide cellular and mobile internet services, with the exception of the Tata Sky teleservices brand, which is a joint venture between and Tata Group and Sky. ^{^[27]}

b. Aircel^{^[28]}: Aircel is an Indian mobile headquarter, which was started in Tamil Nadu in the year 1999, and has now expanded to Tamil Nadu, Assam, North-east India and Chennai. It was acquired by Maxis Communication Berhard in the year 2006, and is currently a joint venture with Sindya Securities & Investments Pvt. Ltd. ^{^[29]} Aircel provides telecommunications and mobile internet services in the aforementioned regions.

4. India based Companies/Domestic Companies -

a. Atria Convergence Technologies (ACT)^{^[30]}: Atria Convergence Technologies Pvt. Ltd is an Indian cable television and broadband services company. Funded by the India Value Fund Advisor (IVFA), it is centered in Bangalore, but also provides services in Karnataka, Andhra Pradesh, and Madhya Pradesh.

Overview of Company Privacy Policy and Survey Results

This section lays out the ways in which each company's privacy policy aligns with the Rules found under section 43A of the Information Technology Act. The section is organized based on company and provides both a table with the survey questions and yes/no/partial ratings and summaries of each policy. The rationale and supporting documentation for each determination can be found in Annexure 2.

VODAFONE[31]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of publicly available documents of the body corporate that collect personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Vodafone

Vodafone's privacy policy partially incorporates the safeguards found in the Rules under 43A.

Vodafone's privacy policy is accessible online, however, it does not include a copy of its policy with a customer application form. The policy merely lists the type of information collected with no categorization as to SPD/I. The information collected includes contact information, location based information, browsing activity and persistent cookies.

There is no provision for consent or choice within the policy. Disclosure of personal information to third parties extends to Vodafone's group companies, companies that provide services to Vodafone, credit reference agencies and directories.

The policy mentions an email address for grievance redressal. In addition, the policy does not lay down any mechanism for correcting personal information that is held with Vodafone.

Vodafone has a non-exhaustive list of purposes of information usage, though these primarily relate to subscriber services, personnel training, and legal or regulatory requirements.

With regard to security practices, Vodafone follows the ISO 27001 Certification as per its 2012 Sustainability Report, however this goes unmentioned under its privacy policy

Tata Teleservices Limited[32]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Yes
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Yes
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	No
Whether the privacy policy provides the contact information of the grievance officer?	No
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Tata Teleservices Limited

Tata Teleservices Limited's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

The Tata Teleservices Limited privacy policy is accessible on their website, though when applying for a subscription, the terms and conditions do not include the privacy policy. The privacy policy is easy to understand although there are several elements of the 2011 Rules that are unaddressed.

The policy does not make any distinction regarding sensitive personal data or information. As per the policy, TTL collects contact and billing information, information about the equipment the subscriber is using, and information and website usage from its customers.

The purposes of information collection are broadly for managing customer services and providing customized advertising. Information is also collected for security issues, illegal acts and acts that are violative of TTL's policy. TTL's directory services use a customer's name, address and phone number, however a customer may ask for his/her information to not be published on payment of a fee.

As per the policy, the disclosure of information to third parties is limited to purposes such as identity verification, bill payments, prevention of identity theft and the performance of TTL's services. Third parties are meant to follow the guidelines of TTL's privacy policy in the protection of its user information. The consent of subscribers is only required when third parties may use personal information for marketing purposes. Consent is precluded under the previous conditions. Disclosure of information to governmental agencies and credit bureaus is for complying with legally authorised requests such as subpoenas, court orders and the enforcement of certain rights or claims. The policy provides for a grievance officer and in addition, TTL, has a separate Appellate Authority to deal with consumer complaints.

TTL does not follow any particular security standard for the protection of subscriber information, however, it establishes other measures such as limited access to employees, and encryption and other security controls. Although TTL Maharashtra follows the ISO 27001 ISMS Certification, TTL does not seem to follow a security standard for data protection for other regions of its operations.

Airtel[33]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	Yes
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Yes
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Yes
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	Yes
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	Yes
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the name and contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties?	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Airtel

Airtel's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

Airtel's privacy policy incorporates a number of the requirements stipulated in the Rules. Airtel's privacy policy is easily accessible on its website and is clear and easy to understand. The policy defines sensitive personal information, and states that information collected will be used for specified regulatory and business purposes, though it adds that it may be used for other purposes as well. The policy does allow for the withdrawal of consent for providing information, in which case, certain services may be withheld. In addition, Airtel has provided for a grievance officer and abides by the IS/ISO/IEC 27001 security standards. While Airtel allows for the disclosure of information including sensitive personal information to third parties, its policy states that such third parties will follow reasonable security practices in this regard. Concerning disclosure to the government, Airtel shares user information only when it is legally authorised by a government agency. Airtel's policy also provides for an opt-out provision. Such choice remains after subscription of Airtel's services as well. However, withdrawal of consent gives Airtel the right to withdraw its services as well. In terms of disclosure, sharing of user information with third parties is regulated by its Airtel's guidelines on the secrecy of information.

While Airtel lists the purposes for information collection, it states that such collection may not be limited to these purposes alone. In addition, the policy states that user's personal information will be deleted, although it does not state when this will happen. Thus, the policy could be more transparent and specific on matters of regarding the purpose of collection of information as well as deletion of information.

Aircel[34]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	no
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	Yes
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	Yes
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Partially
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Partially
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Partially
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Aircel

Aircel's Privacy Policy partially complies with the safeguards in the Rules under 43A.

Aircel's privacy policy is accessible online through its website, though it is not included under the terms and conditions of its customer application. The privacy policy lists the kinds of information that is collected from subscribers, including relevant contact details, call records, browsing history, cookies, web beacons, server log files and location details. The policy does not demarcate information into SPD/I or personal information. Aircel provides subscribers with the right to withdraw consent from the provision of information before and after subscribing, while reserving the right to withdraw its services in this regard. The policy provides the name and contact details of a grievance officer.

In the privacy policy, the stated purposes for use of subscriber information is limited to customer services, credit requirements, market analyses, legal and regulatory requirements, and directory services by Aircel or an authorised third party.

In the policy, the provision on disclosure to governmental agencies is vague and does not mention the circumstances under which personal information would be disclosed to law enforcement. The policy provides for correction of information of a subscriber in case of error and deletion after the purpose of the information is served but does not specify when. Although Aircel follows the ISO 27001 standard, it does not mention this under its policy. It does however, provide for accountability in cases of breach or privacy.

Atria Convergence Technologies[35]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	information not available
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	No
Whether the privacy policy provides the contact information of the grievance officer?	No
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Partially
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	No

Atria Convergence Technologies

Though Atria Convergence Technologies provides a privacy policy on its website, it does not broadly incorporate the safeguards in the Rules under 43A. ACT's privacy policy is easily accessible online and is easy to understand as well. The information collected from subscribers is limited to contact details along with information on whether a subscriber has transacted with any of ACT's business partners. Though the privacy policies refers to disclosing information for the purpose of assisting with investigating, preventing, or take action on illegal behaviour - there is no specific provision concerning disclosure to government and regulatory agencies. The policy does not provide information on any security practices and procedures followed. Provisions for withdrawal of consent or correction of personal information are absent from the policy as well.

BSNL: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	No
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	No
Whether the privacy policy explicitly states that it is collecting SPD/I?	No
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Partially
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	No

BSNL

BSNL's Privacy Policy broadly does not incorporate the safeguards in the Rules under 43A .

BSNL's privacy is accessible online, though not on the website, and is easy to understand. The policy does not however, categorize SPD/I but defines personal information vaguely as information that helps BSNL identify its customers. As per its policy, subscriber information is used for subscriber services such as identification, assistance etc., credit-worthiness and marketing communications. The policy does not contain any provision on consent and with respect to marketing communications and a customer implicitly agrees to third party usage of personal information. Third parties under the policy are those that provide services on behalf of BSNL, which extend mailing and billing services and market research services.

As per its policy, BSNL may disclose personal information on the basis of legal requirements to credit organisations, BSNL's consultants, government agencies.

With respect to access and correction, BSNL reserves the right to modify its privacy policy without notice to its customers. What is presumably a grievance officer email address has been provided for queries and corrections on personal information, however no further contact details are given.

MTNL

MTNL does not provide a publicly available Privacy Policy.

Observations

This section highlights key trends observed across the privacy policies studied in this research by contrasting the applicable Rule against the applicable provision in the policy.

1. Access and Location of Privacy Policy

Applicable Rule and Principle: According to Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, a Body Corporate must provide a privacy policy on their website. Under Rule 5, all bodies corporate have to convey the purpose(s) for which SPD/I are collected prior to the collection and they can, under certain circumstances, move forward with the collection regardless of consent. While this does not entirely violate the Notice Principle of the National Privacy Principles, it does not meet the rather higher standards of the Principle, which recommends that notice must be provided prior to any form of collection of personal information. In addition, the Rules do not contain provisions regulating bodies corporate, regarding changes to their privacy policies.^{^[36]}

Observation : In the survey, it was found that the location and accessibility of a service provider's privacy policy varied. For example:

a. Privacy Policy on main website: Airtel, Aircel, and Vodafone provide a privacy policy that is accessible through the main website of each respective company.

b. Privacy Policy not on website : MTNL does not provide a Privacy Policy on the main website of each of its respective branches across India.

c. Privacy Policy not accessible through main website : TTL and BSNL have a Privacy Policy, but it is not accessible through the main website. For example, The Privacy Policy found on TTL's website is only accessible through the "terms and services" link on the homepage. Similarly, the BSNL privacy policy can only be found through its portal website. ^{^[37]}

d. Privacy Policy not included in Customer Application form : Almost all of the Service Providers do not include/refer to their Privacy Policy in the Customer Application Form, and some do not display their privacy policy or a link to it on its website's homepage. For example, Airtel is the only Service Provider that refers to their privacy policy in the Customer Application Form for an Airtel service.

e. Collection of personal information before Privacy Policy: In some cases it appears that service providers collect private information before the privacy policy is made accessible to the user. For example, before the homepage of ACT's website is shown, a smaller window appears with a form asking for personal information such as name, mobile and email Id. Although the submission of this information is not mandatory, there is no link provided to the privacy policy at this level of collection of information.

2. Sharing of information with Government

Applicable Rule and Principle: Rule 6, specifically the proviso to Rule 6, and the Disclosure of Information Principle respectively govern the disclosure of information to third parties. Yet, while the proviso to Rule 6 directly concerns the power of the government to access information with or without consent for investigative purposes, the Disclosure of Information Principle only says that disclosure for law enforcement purposes should be in accordance with the laws currently in force.

Observation : Though all service providers did include statements addressing the potential of sharing information with law enforcement or governmental agencies, how this was communicated varied. For example:

a.) Listing circumstances for disclosure to law enforcement : The Privacy Policy of ACT states "We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person". ^{^[38]} The Privacy Policy of Airtel on the other hand states "Government Agencies: We may also share your personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences." ^{^[39]} Lastly, TTL states " To investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person" or "To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay". ^{^[40]}

b.) Listing authorities to whom information will be disclosed to : The privacy policy of Aircel states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to: …8. Persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services".^{^[41]} Similarly, Vodafone states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services and any person or organisation as authorised by laws and regulations applicable in India." ^{^[42]} While BSNL states "Apart from the above, BSNL may divulge your personal information to: Government bodies, Regulatory Authorities, and other organizations in accordance with the law or as authorised by law…".^{^[43]}

3. Readability of Privacy Policies

Applicable Rule and Principle : In subsection (i) of Rule 4 body corporate must provide a privacy policy that is "clear and accessible". Similarly, the Notice Principle requires that the data controller give a " simple-to-understand notice of its information practices to all individuals, in clear and concise language".

Observation : It was found that, particularly with respect to clauses on the collection and disclosure of information, most Privacy Policies use:

a. Vague terminology: For example, in the Privacy Policy of ACT, it states as a purpose of collection "conduct research" while for the collection and disclosure of information it states ,"The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you." ^{^[44]} Similarly, with regards to the collection of information, Vodafone's Privacy Policy states that it may collect "any other information collected in relation to your use of our products and services". ^{^[45]}

b. Undefined terminology: On disclosure of information TTL's privacy policy states disclosure is "Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI)" ^{^[46]} Confusingly, although TTL defines CPNI it does not mention what legal restriction it is referring to, and CPNI is in fact an American term and similar legal restrictions could not be found in India.

4. Information about security practices

Applicable Rule and Principle: The parameter for 'reasonable security practices and procedures' has been detailed comprehensively under Rule 8 of the Rules. The same is also covered in detail under the Openness Principle read with Security Principle. While the Security Principle recommends that the data controller protect the information they collect through reasonable security safeguards, the Openness Principle recommends that information regarding these should be made available to all individuals in clear and plain language.

Observation : With the exception of Airtel, no service provider has comprehensively followed the legal requirements for the purpose of their privacy policy. Thus, while most service providers do mention security practices, many do not provide specific or comprehensive details about their security practices and procedures for data protection, and instead assure users that 'reasonable security' procedures are in place. For example:

a. Comprehensive information about security practices in privacy policy: Airtel and Aircel have provided comprehensive information about their security practices in the companies Privacy Policy.

b. Information about security practice, but not in privacy policy: Vodafone has specified its security standards only in its latest 'Sustainability Report' available on its website. In the case of TTL, the specific security standard it follows is available only for its Maharashtra branch (TTLM) through its annual report.

c. Broad reference to security practices: Many service providers broadly reference security practices, but do not provide specifics. For example, TTL states only "we have implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL." ^{^[47]}

d. No information about security practices: Some service providers do not mention any details about their security practices and procedures, or whether they even follow any security practices and procedures or not. An example of this would be ACT, which does not mention any security practices or procedures in its Policy.

5. Grievance mechanisms

Applicable Rule and Principle: Rule 5 of the Rules mandates that applicable bodies corporate must designate a 'Grievance Officer' for redressing grievances of users regarding processing of their personal information, and the same is also recommended by the Ninth Principle, i.e., Accountability.

Observation : It was found that adherence with this requirement varied depending on service provider. For example:

a. No Grievance Officer: ACT and MTNL do not provide details of a grievance officer on their websites.

b. Grievance Officer, but no process details: Airtel, TTL, and Vodafone provide details of the Grievance Officer, but no further information about the grievance process is provided.

c. Grievance Officer and details of process: Aircel provides details of the grievance officer and grievance process.

As a note: All service providers with the exception of ACT have a general grievance redressal mechanism in place as documented on TRAI's website. ^{^[48]} It is unclear whether these mechanisms are functional, and furthermore it is also unclear if these mechanisms can be used for complaints under the IT Act or the Rules, or complaints on the basis of the Principles. It should be further noted that the multiplicity of grievance redressal officers is a cause for concern, as it may lead to confusion.

6. Consent Mechanism

Applicable Rule and Principle : Rules 5 and 6 of the Rules^{^[49]} on Collection and Disclosure of information, respectively, require applicable bodies corporate to obtain consent/permission before collecting and disclosing personal information. The Choice and Consent Principle of the National Privacy Principles, as enumerated in the A.P. Shah Report, deals exclusively with choice and consent. ^{^[50]} Withdrawal of consent is an important facet of the choice and consent principle as evidenced by the Rules^{^[51]} and the National Privacy Principles ^{^[52]}.

Observation: Methods of obtaining consent and for what consent was obtained for varied across service providers. For example:

a. Obtaining consent: Some service providers give data subjects with the choice of submitting their personal information (with some exceptions such as for legal requirements) and obtaining their consent for its collection and processing. For example, the policies of Airtel, Aircel, and TTL are the only ones which provide information on the mechanisms used to obtain consent. ACT provides for targeted advertisements based on the personal information of the user. The viewing or interaction of the user of such targeted advertisements is however, considered an affirmation to this third party source, that the user is the targeted criteria. Thus, there appears to be lack of consent in this regard.

b. No Consent or choice offered: Some service providers do not mention consent. For example, Vodafone, and BSNL do not make any mention of choice or consent in their respective privacy policies.

c. Consent for limited circumstances: Some service providers only provide consent in limited circumstances. For example, ACT mentions consent only in relation to targeted advertising. However, this information is potentially misleading, as discussed earlier in the survey.

There is also a certain degree of assumption in all the policies regarding consent, as noted in the survey. Thus, if you employ the services of the company in question, you are implicitly agreeing to their terms even if you have not actually been notified of them. And the vague terminology used by most of the policies leaves quite a lot of wiggle room for the companies in question, allowing them to thereby collect more information than the data subject has been notified of without obtaining his or her consent.

7. Transparency mechanism :

Applicable Rule and Principle: The Openness Principle specifically recommends transparency in all activities of the data controller. ^{^[53]} The Rules provide a limited transparency mechanism under Rule 8 which require bodies corporate to document their security practices and procedures and Rule 4 which requires them to provide such information via a privacy policy. As a note, these fall short of the level of 'transparency' espoused by the Openness Principle of the National Privacy Principles.

Observation: All service providers fail in implementing adequate mechanisms for transparency.

8. Scope :

Applicable Rule and Principle : Though the Openness Principle does not directly speak of the scope of the policies in question, it implies that policies regarding all data collection or processing should be made publically available. The same is also necessary under Rule 4, which mandates that any body corporate which " collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. "

Observation : Though most of the companies mention the scope of their Privacy Policy and include the information collected through the websites, WAP Services, and use of the company's products and services, some companies do not do so. For instance, the scope of the policy is given rather vaguely in the Airtel's Policy, and the scope of ACT's policy is restricted to the information collected during the usage of their products and services, and not their website. BSNL's privacy policy is worrisome as it seems to restrict its scope to the information collected through the website only, but does not at the same time state that it does not apply to other methods of data collection and processing.

International Best Practices

Canada

The privacy regulation regime in Canada is a mixture of the federal regulations and the provincial regulations. Of the former, the Privacy Act is applicable to the public sector, while the Personal Information Protection and Electronic Documents Act ('PIPEDA') applies to the private sector. There are also federal level sectoral regulations, of which the Telecommunications Act is relevant here. The PIPEDA covers the activities of all businesses and federally regulated industries regarding their collection, use, disclosure, safeguarding and provision of access to their customers' personal information. Further, in 2009, the Canadian Radio-television and Telecommunications Commission ('CRTC'), by virtue of the 'Telecom Regulatory Policy CRTC 2009-657' ^{^[54]} made ISPs subject to privacy standards higher than the standards given under the PIPEDA, while at the same time allowing them to use Internet Traffic Management Practices ('ITMPs'). ^{^[55]}

The 2009 policy is progressive as it balances the economic needs of Internet Traffic Management Providers vis-à-vis the privacy concerns of consumers. The need to identify ITMP's is integral in the protection of online privacy, as ITMP's most commonly employ methods such as deep packet inspection which can be used to burrow into personal information of consumers as well.

Recognising that this may not be the current practice, but a possibility in the future, the policy makes certain guidelines for ITMPs. It permits ITMP's that block bad traffic such as spam and malicious software. Nearly all other ITMPs however, require the prior notice of 30 days or more before initialising the ITMP.^{^[56]}

ITMP's are to be used only for the defined need of the ISP and not beyond this, and must not be used for behavioural advertising. Secondary ISPs in their contracts with Primary ISPs must agree to the same duties of the latter, that is the personal information entrusted to them is meant for its purpose alone and is not to be disclosed further.

Australia

The central privacy regulation in Australia is the Privacy Act, 1988. The Act defines two sets of privacy principles, the Information Privacy Principles which apply to the public sector, and the National Privacy Principles which apply to the private sector.^{^[57]} These principles govern the following: collection,^{^[58]} use and disclosure,^{^[59]} data quality,^{^[60]} security,^{^[61]} openness,^{^[62]} access and correction,^{^[63]} identifiers,^{^[64]} anonymity,^{^[65]} trans-border data flows,^{^[66]} and sensitive information. ^{^[67]}

The Telecommunications Act, 1997, is also relevant here, as it also governs the use or disclosure of information by telecommunication services providers, ^{^[68]} but such information is only protected by the Telecommunications Act if it comes to a person's knowledge or possession in certain circumstances. An example of this is Section 276 of the same, which providers that the information protected by that section will be protected only if the person collecting the information is a current or former carrier, carriages service provider or telecommunications contractor, in connection with the person's business as such a carrier, provider or contractor; or if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.

European Union

The most important source of law in the European Union ('EU') regarding Data Privacy in general is the Data Protection Directive ('Directive'). ^{^[69]} The Directive has a broad ambit, covering all forms of personal data collection and processing, and mandating that such collection or processing follow the Data Protection Principles it sets out.^{^[70]} The Directive differentiates between Personal Data and Sensitive Personal Data, ^{^[71]} with the collection and processing of the latter being subject to more stringent rules. The telecommunications service providers and internet service providers are included in the definition of 'Controller' as set out in the Directive, and are hence subject to the regulations enforced by the member states of the EU under the same. ^{^[72]} The Directive will soon be superseded by the General Data Protection directive, which is scheduled to come into force in late 2014, with a two-year transition period after that. ^{^[73]}

In addition to the above, ISPs are also subject to the Directive on Privacy and Electronic Communications^{^[74]} and the Data Retention Directive. ^{^[75]} The Directive on Privacy and Electronic Communications ('E-Privacy Directive') sets out rules regarding processing security, confidentiality of communications, data retention, unsolicited communications, cookies, and a system of penalties set up by the member states under the title of 'Control'. The E-Privacy Directive supplements the original Data Privacy Directive, and replaces a 1997 Telecommunications Privacy directive. The Data Retention Directive does not directly concern the collection and processing of data by a service provider, but only concerns itself with the retention of collected data. It was an amendment to the E-Privacy Directive, which required the member states to store the telecommunications data of their citizens for six to twenty-four months, and give police and security agencies access to details such as IP addresses and time of use of e-mails.

The established practices considered above have the following principles, relevant to the study at hand, in common:

1. Notice

2. Collection Limitation

3. Use Limitation

4. Access and Corrections

5. Security

6. Data Quality and Accuracy

7. Consent

8. Transparency

And the following principles are common between two of the three regimes discussed above:

1. The PIPEDA and the Privacy Act both mention rules regarding Disclosure of collecting information, but the Data Protection Directive does not directly govern disclosure of collected information.

2. The Principles of Accountability is covered by the Data Protection Directive and the PIPEDA, but is not directly dealt with by the Privacy Act

3. The PIPEDA and the Data Protection Directive directly mention the principle of Enforcement, but it is not directly covered by the Privacy Act.

Recommendations

Broadly, service providers across India could take cognizance of the following recommendations to ensure alignment with the Rules found under section 43A and to maximize the amount of protection afforded to customer data.

1. Access and location of privacy policy: Service providers should ensure that the privacy policy is easily accessible through the main page of the company's website. Furthermore, the Privacy Policy should be accessible to users prior to the collection of personal information. All 'User Agreement' forms should include a written Privacy Policy or a reference to the Privacy Policy on the service provider's website.

2. Scope of privacy policy: The privacy policy should address all practices and services offered by the service provider. If a service requires a different or additional privacy policy, a link to the same should be included in the privacy policy on the main website of the service provider.

3. Defining consent: The Privacy Policy should clearly define what constitutes 'consent'. If the form of consent changes for different types of service, this should be clearly indicated.

4. Clear language: The language in the Privacy Policy should be clear and specific, leaving no doubt or ambiguity with regards to the provisions.

5. Transparent security practices: The Privacy Policy should include comprehensive information about a company's security practices should be included in the Privacy Policy. Information pertaining to audits of these procedures should be made public.

6. Defined and specified third parties: The Privacy Policy should define 'third party' as it pertains to the company's practices and specify which third parties information will be shared with.

7. Comprehensive grievance mechanism: The Privacy Policy should include relevant details for users to easily use established grievance mechanisms. This includes contact details of the grievance officers, procedure of submitting a grievance, expected response of the grievance officer (recognition of the grievance, time period for resolution etc.), and method of appealing decision of the grievance officer.

8. Specify laws governing disclosure to governmental agencies and law enforcement: The Privacy Policy should specify under what laws and service providers are required disclose personal information to.

9. Inclusion of data retention practices: The Privacy Policy should include provisions defining the retention practices of the company.

Annexure 1

Explanation and Interpretation of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Section 43A under the Information Technology Act 2000 addresses the protection of sensitive personal data or information and the implementation of an information security management system, and the Rules framed under section 43A attempt establish a holistic data security regime for the private sector.

The following section is a description of the requirements found under section 43A and subsequent Rules with respect to information that must be included in the privacy policy of a 'body corporate' and procedures that must be followed by 'body corporate' with respect to the publishing and notice of a privacy policy. This section also includes an explanation of how each relevant provision has been interpreted for the purpose of this research.

Relevant provisions that pertain to the privacy policy of body corporate

Rule 3: This section defines the term 'Sensitive Personal Data or Information', setting out the six types of information that are considered 'sensitive personal data' including:

i. Password - Defined under the Rules as "a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information"^{^[76]}.

ii. Financial information - "such as Bank account or credit card or debit card or other payment instrument details" ^{^[77]}

iii. Physical, physiological and mental health condition

iv. Sexual orientation

v. Medical records and history

vi. Biometric information

The two other broad categories of Sensitive Personal Data or Information that are included in the Rule are - any related details provided to the body corporate, and any information received by the body corporate in relation to the categories listed above. ^{^[78]}

The proviso to this section excludes any information available in the public domain or which may be provided under the Right to Information Act, 2005 from the ambit of SPD/I.

Under the Rules, Sensitive Personal Data is considered to be a subset of Personal Information - which has been defined by Section 2 (1) (i) as " any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person "^{^[79]}

Interpretation: While the Rules are clearly limited to personal and sensitive personal data or information, the use of these terms throughout the Rules is not consistent. For example, some provisions under the Rules ambiguously use the term 'information' in place of the terms 'personal information' and/or 'sensitive personal information'.^{^[80]} While 'information' has been defined non-exhaustively as any 'data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated microfiche' in the Act, this definition appears to be overbroad and cannot be applied in that form for the purpose of provisions on privacy policy. ^{^[81]} Hence, 'information', when used in the Rules, is construed to mean 'personal information' including 'sensitive personal information' for the purpose of this survey.

As per Rule 3, information in the public domain isn't classified as sensitive personal data. This exception may require a relook considering that 'providers' of information' may not want their data to be disclosed beyond its initial disclosure, or in certain cases, they may not even know of its existence in the public domain. Since the notice of collection, purpose and use of information is limited to SPD alone under Rule 5, information in the public domain should be seen together with whether the provider of information has provided the latter directly or to service provider that requires the information. If the source is the information provider directly, it need not be classified as SPD.

On a positive note, the addition of the term "in combination with other information available or likely to be available", gives recognition to the phenomenon of convergence of data. Parts of information that seem of negligible importance, when combined, provide a fuller personal profile of an individual, the recognition of this, in effect, gives a far wider scope to personal information under the Rules.

In the specific context of Privacy Policies, the Rules do not stipulate whether the mandated privacy policy has to explicitly mention SPD/I that is collected or used.{This is mentioned under Rule 4(ii) and (iii)} Since Rules do require that a privacy policy must be clear, it is construed that the privacy policy should explicitly recognize the type of PI and SPD/I being collected by the company.

Rule 4: This rule mandates that a "body corporate that collects, receives possess, stores, deals or handles information of the provider of information". For the purposes of this research, this entity will be referred to as a 'data controller'. According to Rule 4, every data controller must provide a privacy policy on its website for handling of or dealing in personal information including sensitive personal information.

The following details have to be included in the privacy policy -

"(i) Clear and easily accessible statements of its practices and policies;

(ii) Type of personal or sensitive personal data or information collected under rule 3;

(iii) Purpose of collection and usage of such information;

(iv) Disclosure of information including sensitive personal data or information as provided in rule 6;

(v) Reasonable security practices and procedures as provided under rule 8."^{^[82]}

Interpretation : The Rules do not provide an adequate understanding of the terms 'clear' and 'accessible', and the terms 'practices' and 'policies' are not defined. For the purpose of this research, 'practices' will be construed to mean the privacy policy of the company. It is deemed to be clear and accessible if it is available either directly or through a link on the main website of the body corporate. To meet the standards set by this Rule, the policy or policies should disclose information about the company's services, products and websites, whenever personal information is collected.

Rule 5: This Rule establishes limits for collection of information. It states that prior informed consent has to be obtained by means of letter, fax or email from the user regarding the purpose of usage for the sensitive personal information sought to be collected. It limits the purpose for collection of SPD/I to collection for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and only if it is considered necessary for that purpose. Thus, the information collected can only be used for the stated purpose for which it has been collected. ^{^[83]}

Further, Rule 5 (3) provides that consent has to be obtained and knowledge provided to a person from whom personal information is being directly collected - which for service providers - is understood to be through the customer application form. This rule will be deemed to have been complied with when the following information is provided -

a. The fact that the information is being collected.

b. The purpose of such collection.

c. Intended recipients of the collected information.

d. Names and addresses of the agency or agencies collecting and retaining information.

Moreover, it provides that the user has to be given the option of not providing information prior to its collection. In case the user chooses this option or subsequently withdraws consent the body corporate has the option to withhold its services.

This section also provides under Section 5 (2) (a) that the type of information that this Rule concerns itself with can only be collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and if it is considered necessary for that purpose.

It also requires that a Grievance Officer be instated to redress the grievance " expeditiously but within one month from the date of receipt of grievance." The Grievance Redressal process has been discussed in more detail later.

Interpretation: Even though Rule 5 incorporates various major data protection principles and mandates the establishment of a Grievance Redressal Mechanism, neither Rule 5 nor Rule 4 (3) makes a reference to the other. [Rule 4(3) uses the term "such information", and the fact that it follows Rule 4(2) which clearly refers to personal information as well as SPD/I, means that Rule 4(3) also refers to the same]

Prima facie , the scope of Rule 5 is limited to collection of SPD/I. However, Rule 4 (3) ostensibly covers the broad ambit of 'information' which includes SPD/I. Construing these two provisions together using the 'Harmonious Construction' principle ^{^[84]}, Rule 5 could be interpreted to cover personal information for privacy policies under Rule 4.

In addition, Rule 5(3) doesn't expand on the reasonable steps to be taken for intimating the information provider on the extent of disclosure and purpose of collection. This appears as a rather large loophole considering the wide interpretation that can be given to 'reasonable' practices of service providers.

Rule 6: This rule lays down the conditions and procedure for disclosure of information.^{^[85]} Under it, the following conditions apply before any disclosure of information by the 'body corporate' to any third party -

a. The body corporate is required to obtain prior permission from the provider of the information, or

b. Permission to disclose has to be agreed on in the contract between the company and the data subject, or

c. Disclosure is necessary for the compliance of a legal obligation.

An exception is made in case the disclosure is made to an authorized and legally mandated Government agency upon request for the purposes of verification of identity, for prevention, detection, and investigation of incidents, specifically including cyber incidents, prosecution, and punishment of offences, in which case no consent from the data subject will be required. Thus, the company does not need user consent to disclose information to authorized law enforcement or intelligence agencies when presented with an authorized request.

Interpretation :

The guidelines for disclosure limit themselves to SPD under Rule 6 leaving a vacuum with respect to information that doesn't fall within the definition of SPD/I. However, Rule 4 (iv)'s applies to 'information including SPD'. Reading the two together, in accordance with the 'Harmonious Construction' principle, the scope of SPD/I in Rule 6 is construed to extend to the same personal information and SPD/I as is covered by Rule 4 (iv), for the limited purpose of the privacy policies under Rule 4.

Rule 7 : This Rule requires that when the data controller transfers SPD/I to another body corporate or person, such a third party must adhere to the same standards of data protection that the body corporate collecting the information in the first instance follows.

Interpretation : Although the privacy policy is not required to provide details of the transfer of information, the fourth sub-section of Rule 4, which concerns itself with the obligation of the body corporate to provide a policy for privacy including information about the disclosure of information to its consumers, incorporates this Rule as it deals with disclosure of information to third parties. Thus, the Policy of the body corporate must include details of the way the data is handled or dealt by the third party, which is shared by the body corporate in question.

Rule 8: This Rule details the criteria for reasonable security practices and procedures.^{^[86]} It provides that not only must the body corporate have implemented standard security practices and procedures, but it should also have documented the information security program and policies containing appropriate "managerial, technical, operational and physical security control measures". The Rule specifically uses the example of IS/ISO/IEC 27001 as an international standard that would fulfill the requirements under this provision. The security standards or codes of best practices adopted by the company are required to be certified/audited by a Government approved independent auditor annually and after modification or alteration of the existing practice and procedure. Sub-section (1) of the Rule also gives the body corporate the option of creating its own security procedures and practices for dealing with managerial, technical, operational, and physical security control, and have comprehensive documentation of their information security programme and information security policies. These norms should be as strict as the type of information collected and processed requires. In the event of a breach, the body corporate can be called to demonstrate that these norms were suitably implemented by it.

Interpretation : It is unclear whether the empanelled IT security auditing organizations recognized by CERT-In discussed later are qualified for the purpose of this Rule, but from publicly available information the Data Security Council of India and CERT-In's empanelled Security Auditors seem to be the agencies given this task^{^[87]}. With regards to the Privacy Policy or Policies of a company, it is only necessary that the company include as many details as possible regarding the steps taken to ensure the security and confidentiality of the collected information in the Privacy Policy and Policies, and notify them to the consumer.

Other Relevant Policies:

Empanelled Information Technology Security Auditors - CERT-In has created a panel of 'IT Security Auditors' for auditing networks & applications of various organizations of the Government, critical infrastructure organizations and private organizations including bodies corporate.^{^[88]} The empanelled IT security auditing organization is required to, inter alia, conduct a " Review of Auditee's existing IT Security Policy and controls for their adequacy as per the best practices vis-à-vis the IT Security frameworks outlined in standards such as COBIT, COSO, ITIL, BS7799 / ISO17799, ISO27001, ISO15150, etc." ^{^[89]} and conduct and document various assessments and tests. Some typical reviews and tests that include privacy reviews are - Information Security Testing, Internet Technology Security Testing and Wireless Security Testing.^{^[90]} For this purpose CERT-In maintains a list of IT Security Auditing Organizations^{^[91]}.

Criteria for analysis of company policies based on the 43A Rules

1. Clear and Accessible statements of its practices and policies^{^[92]} -

i. Whether the privacy policy is accessible through the main website of the body corporate?

ii. Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

iii. Whether the privacy policy can be comprehended by persons without legal knowledge?

2. Type and acknowledgment of personal or sensitive personal data/information collected ^{^[93]}-

i. Whether the privacy policy explicitly states that personal and sensitive personal information will be collected.

ii. Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

3. Option to not provide information and withdrawal of consent^{^[94]} -

i. Whether the Privacy Policy specifies that the user has the option to not provide information?

ii. Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

4. Existence of Grievance Officer -

i. Whether the privacy policy mentions the existence of a grievance officer?

ii. Whether the privacy policy provides details of the grievance redressal mechanism?

iii. Whether the privacy policy provides the names and contact information of the grievance officer?

5. Purpose of Collection and usage of information -

i. Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

6. Disclosure of Information -

i. Whether personal information is shared with third parties (except authorized government agencies/LEA/IA) only with user consent?

ii. Whether the policy specifies that personal information is disclosed to Government agencies/LEA/IA only when legally mandated as per the circumstances laid out in 43A?

7. Reasonable Security practices and procedures -

i. Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure information?

Annexure 2

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) 2011 and Company SURVEY

1. Bharti Airtel Ltd.

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: Airtel's Privacy Policy^{^[95]} is available through the main page of the website and it is mentioned in the Airtel Terms and Conditions and is applicable for Airtel's websites as well as its services and products, such as its telecommunications services. It was determined that the policy can be comprehended by individuals without legal knowledge.

2. Type and acknowledgement of personal or sensitive personal data/information collected: Yes

b. Rationale: Airtel's Privacy Policy indicates that sensitive personal and personal information will be collected, defines sensitive personal information^{^[96]}, and specifies specific types of personal^{^[97]} and sensitive personal information ^{^[98]} that will be collected.

3. Option to not provide data or information and subsequent withdrawal of consent: Yes

c. Rationale: The Airtel Privacy Policy states that individuals have the right to choose not to provide consent or information and have the right to withdraw consent. The policy notes that if consent/information is not provided, Airtel reserves the right to not provide or to withdraw the services.^{^[99]}

4. Existence of Grievance Officer: Yes

a. Rationale: Airtel provides for the contact details of nodal officers^{^[100]} and appellate authorities ^{^[101]} on its website. Additionally the website provides for the 'Office of the Ombudsperson'^{^[102]}, which is an independent forum for employees and external stakeholders^{^[103]} of the company to raise concerns and complaints about improper practices which are in breach of the Bharti Code of Conduct. Additionally, details of the Airtel Grievance Redressal Officers can also be found in the TRAI website.^{^[104]}

5. Comprehensive disclosure of purpose of collection and usage of information: Partial

Rationale: Airtel's Privacy Policy indicates eight purposes^{^[105]} that information will be collected and used for, but notes that the use and collection is not limited to the defined purposes.

6. Disclosure of Information^{^[106]}: Yes

a. Rationale: Airtel has a dedicated section explaining the company's practices around the disclosure and sharing of collected information, including ways in which consent will be collected for the sharing of personal information^{^[107]}, how collected personal information may be collected internally ^{^[108]}, the disclosure of information to third parties and that the third party will be held accountable for protecting the information through contract^{^[109]}, the possible transfer of personal information and its purposes^{^[110]}, and the circumstances under which information will be disclosed to governmental agencies (which reflect the circumstances defined by the Rules.) ^{^[111]}

7. Existence of reasonable security practices and procedures ^{^[112]} : Yes

a. Rationale: Airtel's privacy policy has a dedicated section that explains the company's security practices and procedures in place. The policy notes that Airtel's practices and procedures are IS/ISO/IEC 27001 compliant ^{^[113]}, that access is restricted to a need to know basis and that employees are bound by codes of confidentiality^{^[114]}, and that Airtel works to ensure that third parties also have strong security procedures in place.^{^[115]} The policy also provides details on the retention^{^[116]} and destruction ^{^[117]} procedures for personal information, and notes that reasonable steps are taken to protect against hacking and virus attacks.^{^[118]}

1. Tata Telecommunication Services (DoCoMo and Virgin Mobile)

1. Clear and Accessible statements of its practices and policies : Partial

a. Rationale: Though Tata DoCoMo has a comprehensive Data Privacy Policy ^{^[119]} that is applicable to Tata Teleservices Limited's ("TTL") products and services and the TTL website, it is not accessible to the user through the main website. In the Frequently Asked Questions Section of TTL, it is clarified under what circumstances information that you provide is not covered by the TTL privacy policy. ^{^[120]}

2. Type of personal or sensitive personal data/information collected: Partial

a. Rational: TTL defines personal information^{^[121]} but only provides general examples of types of personal information^{^[122]} (and not sensitive personal) collected, rather than a comprehensive list. The definitions and examples of information collected are clarified in the FAQs and the Privacy Policy, rather than in the Privacy Policy alone. As a strength, the Privacy Policy clarifies the ways in which TTL will collect information from the user - including the fact that they receive information from third parties like credit agencies. ^{^[123]}

3. Option to not provide information and withdrawal of consent: N/A

a. Rationale: The TTL Privacy Policy does not address the right of the individual to provide consent/information and to withdraw information/consent.

4. Existence of Grievance Officer: Yes

a. Rationale: TTL has various methods to lodge complaints and provides for an appellate authority. ^{^[124]} Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.^{^[125]}

5. Purpose of Collection and usage of information: Yes

a. Rationale: In its' Privacy Policy, TTL describes the way in which collected information is used. ^{^[126]} The TTL FAQs further clarify the use of cookies by the company, the use of provided information for advertising purposes, ^{^[127]} and the use of aggregate and anonymized data.^{^[128]}

6. Disclosure of Information: Yes

a. Rationale: In the Privacy Policy and the FAQs page, TTL is transparent about the circumstances on which they will share/disclose personal information with third parties^{^[129]}, with law enforcement/governmental agencies^{^[130]}, and with other TTL companies. ^{^[131]} Interestingly, the TTL FAQ's clarify to the customer that their personal information might be processed in different jurisdictions, and thus would be accessible by law enforcement in that jurisdiction. ^{^[132]}

7. Reasonable Security practices and procedures: Partial

a. Rationale: TTL's Privacy Policy broadly references that security practices are in place to protect user information, but the policy does not make reference to a specific security standard, or provide detail as to what these practices and procedures are. ^{^[133]} Although TTL's Privacy Policy does not make mention of any specific security standard, Tata Teleservices (Maharashtra) Limited claims to have been awarded with ISO 27001 ISMS (Information Security Management Systems) Certification in May 2011, and completed its first Surveillance Audit in June 2012^{^[134]}. Information on IT security standards adopted by other circles could not be found on the internet.

2. Vodafone

1. Clear and Accessible statements of its practices and policies: Yes

Rationale: Vodafone's Privacy Policy^{^[135]} is easily accessible from its website from a link at the bottom, directly from the home page and from all other pages of the website. ^{^[136]}

2. Collection of personal or sensitive personal data/information: No

Rationale: Type -

a. Personal Information - The amount of details given by the Privacy Policy with regards to the personal information being collected is insufficient, as it does not include a number of relevant facts, and uses is vague language - such as 'amongst other things', implying that information other than that which is notified is being collected.^{^[137]}

b. Sensitive Personal Data or Information - The Privacy Policy does not mention the categories or types of SPD/I, as defined under Rule 3, being collected by the service provider explicitly, only gives a general overview of the information that is collected.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The privacy policy does not mention the consent of data subject anywhere, nor does it mention his or her right to withdraw it at any point of time. It also does not mention whether or not the provision of services by Vodafone is contingent on the provision of such information.

4. Existence of Grievance Officer: Yes

a. Rationale: The Privacy Policy explicitly mentions and gives the email address of a grievance redressal officer, though further details about the other offices are given in a separate section of the website.^{^[138]}

5. Purpose of Collection and usage of information: Partial

a. Rationale:

The Privacy Policy gives an exhaustive list of purposes for which the collected information can be used by Vodafone, ^{^[139]} but at the same time the framing of the opening sentence and the usage of the term 'may include' could imply that it can be used for other purposes as well.

6. Disclosure of Information: Yes

a. Rationale:

The Privacy Policy mentions that Vodafone might share the collected information with certain third parties and the terms and conditions which would apply to such a third party.^{^[140]} The phrasing does not imply that there are other conditions that have not been mentioned in the policy, under which the information would be shared with a third party. At the same time, the Privacy Policy does not explicitly say that the third party will necessarily follow the privacy and data security procedures and rules laid down in the Privacy Policy.

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Privacy Policy mentions in reasonably clear detail the security practices and procedures followed by Vodafone, and also mentions the circumstances in which the data subject should take care to protect his or her own information, wherein Vodafone will not be liable. ^{^[141]} Although Vodafone India's Privacy Policy does not specify what their IT Security standard is, its 2012/2013 Sustainability Report available through its international website ^{^[142]} states that it follows industry practices in line with the ISO 27001 standard and its core data centre in India follows this standard^{^[143]}.

3. Aircel

1. Clear and Accessible statements of its practices and policies: Yes

Rationale:

The Privacy Policy is accessible from every page of the Aircel website, with a link at the bottom of each page after the specific circle has been chosen. It is reasonably free of legalese and is intelligible.^{^[144]}

2. Type of personal or sensitive personal data/information collected: Partial

Rationale: Type -

a. Personal Information

In the Privacy Policy, the repeated usage of the term 'may' creates some doubt about the actual extent of the data collected, and leaves the Privacy Policy quite unclear in this regard. At the same time, the Privacy Policy does include a fairly comprehensive list of personal information that could be collected. ^{^[145]} The wording in the Privacy Policy thus requires further clarification and specification in order to make a determination on whether or not it provides complete details on the personal information that will be collected.

a. Sensitive Personal Data or Information

The Privacy Policy does not mention SPDI explicitly, which adds to the lack of concrete details as noted earlier.

3. Option to not provide information and withdrawal of consent - Yes

Rationale : The Privacy Policy mentions that users do have the right to refuse to provide or the withdrawal of consent to collect personal information. In such cases, Aircel can respectively refuse or discontinue the provision of its services. ^{^[146]}

4. Existence of Grievance Officer: Yes

a. Rationale:

Though not directly mentioned in the Privacy Policy, a separate, easily noticeable link at the bottom of each webpage links to the Customer Grievance section. There are different officers in charge of each node, called the Nodal Officers. ^{^[147]}

5. Purpose of Collection and usage of information: Partial

a. Rationale: The usage of the term 'may' in the section of the Privacy Policy regarding the purpose of collection and usage of information again leaves it ambiguous in this regard, implying that it can just as easily be used for purposes that have not been notified to the data subject.^{^[148]}

6. Disclosure of Information: Yes

a. Rationale: Though the Privacy Policy does not specify all the circumstances under which Aircel would share the collected information with a third party, it specifies the terms and conditions that would apply in the cases that it does. ^{^[149]}

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Policy gives a reasonable amount of detail about the steps taken by Aircel to ensure the security of the information collected by it, but leaves certain holes uncovered.^{^[150]}

4. Atria Convergence Technologies Private Limited (ACT)

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: The Policy is intelligible, and is easily accessible from all the webpages of the company's website from a link at the bottom of all pages.^{^[151]}

2. Type of personal or sensitive personal data/information collected: Partial

a. Rationale:

Type -

a. Personal Information - Yes -

The Policy mentions the different types of Personal Information which will be collected by ACT if the customer registers with the Company. ^{^[152]}

a. Sensitive Personal Data or Information -

The categories of SPD/I collected by ACT are not specifically mentioned in the policy, though they are mentioned as part of the general declarations.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The option of the data subject not providing or withdrawing consent has not been mentioned in the Policy.

4. Existence of Grievance Officer: No

a. Rationale: No Grievance Officer has been mentioned in the Privacy Policy or on the ACT website, nor has any other grievance redressal process been specified.^{^[153]}

5. Purpose of Collection and usage of information: Yes

a. Rationale: The Policy mentions the various ways ACT might use the information it collects, though the use of the term 'general' is a cause for concern.^{^[154]} The list of purposes for collection given in the Privacy Policy is a very general list.

6. Disclosure of Information: Yes

a. Rationale: The Policy mentions the circumstances in which ACT might share the collected information with a third party, and also mentions that such parties will either be subject to confidentiality agreements, or that the data subject will be notified before his or her information becomes subject to a different privacy policy. It also mentions the exception to above, that being when the information is shared for investigative purposes.^{^[155]} At the same time, the intended recipients of the information are not mentioned, and the name and address of agency/agencies collecting and retaining information is not mentioned.

7. Reasonable Security practices and procedures: No

a. Rationale: - The security practices and procedures followed by ACT to protect the information of its customers are not mentioned in the Policy, which is a critical weak point, keeping in mind the requirements of the Rules. ^{^[156]}

[1] . Telecom Regulatory Authority of India, Press Release 143/2012,(< http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf >)

[2] . The Indian Telecom Service Performance Indicators, January-March 2013, Telecom Regulatory Authority of India,. (< http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf >)

[3] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece >

[4] . In addition, the Unified Access License Framework which allows for a single license for multiple services such as telecom, the internet and television, provides certain security guidelines. As per the model UIL Agreements, privacy of communications is to be maintained and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. For internet services, the Agreement stipulates the keeping an Internet Protocol Detail Record (IPDR) and copies of packets from customer premises equipment (CPE). Accessed at < http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf>

[5] . See >> http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf >>

[6] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece > Accessed..

[7] . Starting with Kharak Singh v. State of UP 1963 AIR SC 1295, the right to privacy has been further confirmed and commented on in other cases, like Govind v.State of M.P (1975) 2 SCC 148: 1975 SCC (Cri) 468. A full history of the development of the Right to Privacy can be found in B.D. Agarwala, Right to Privacy: A Case-By-Case Development, (1996) 3 SCC (Jour) 9, available at http://www.ebc-india.com/lawyer/articles/96v3a2.htm.

[8] . White Paper on EU Adequacy Assessment of India, 3, ("Based on an overall

analysis against the identifiable principles under Article 25, the 2010 Report concludes that India does not at present provide adequate protection to personal data in relation to any sector or to the whole of its private sector or to the whole of its public sector. ") available at < https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf >

[9] . Planning Commission, Report of the Group of Experts on Privacy, 2012, (< http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>)

[10] . Though a company's Privacy Policy was the main document analysed for this research, when applicable a company's Terms of Service wavas also reviewed.

[11] . BSNL and MTNL are government companies as defined under section 617, Indian Companies Act, 1956, incorporated under the Indian Companies Act, 1956. Under section 43 A (i) of the Act, a 'body corporate' has been broadly defined as "any company…sole proprietorship or other association of individuals engaged in commercial or professional activities". Therefore, for the purpose of this survey, BSNL and MTNL are recognized as bodies corporate.

[12] . Documents Reviewed: http://portal.bsnl.in/portal/privacypolicy.html

[13] . A full list of its services are available here: < http://bsnl.co.in/opencms/bsnl/BSNL/services/>

[14] . The MTNL website does not provide access to a privacy policy

[15] . A full list of its services are available here <<http://mtnldelhi.in>>

[16] . Documents Reviewed: http://www.airtel.in/forme/privacy-policy , http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp, http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp , http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office

[17] . A full list of services provided by Bharti Airtel is available here: <www.airtel.in>

[18] . http://submarinenetworks.com/stations/asia/india/chennai-bharti

[19] . Documents Reviewed: http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker , http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html

[20] . See < http://historyofbusiness.blogspot.in/2013/11/history-of-vodafone.html. >

[21] . Vodafone International Holdings v Union of India, WP 1325/2010, Bombay High Court

[22] . 'Vodafone to Buy Additional Essar India Stake for $5 Billion',(Bloomberg, March 31, 2011) < http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html >Accessed 26 May 2014

[23] . See <https://www.vodafone.in/pages/aboutus.aspx?cid=ker.>

[24] . Vodafone, supra note 13.

[25] . Documents Reviewed:http://www.tatadocomo.com/downloads/data-privacy-policy.pdf, http://www.tatateleservices.com/t-customercare.aspx, http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf

[26] . 'Japan's Docomo acquires 26% stake in Tata Tele'(The Hindu Business Line, November 13 2008) < http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm .>

[27] . Further details are available at: < http://www.tatateleservices.com/t-aboutus-ttsl-organization.aspx>

[28] . Documents Reviewed

http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 , http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_consumergrievance_page , http://www.aircel.com/AircelWar/ShowProperty/UCMRepository/Contribution%20Folders/Global/PDF/Manual_Customer_Grievan.pdf

[29] . See < http://www.aircel.com/AircelWar/appmanager/aircel/ap?_nfpb=true&_pageLabel=aboutus_book. >

[30] . Documents Reviewed: http://www.acttv.in/index.php/privacy-policy

[31] . https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker

[32] . http://www.tatadocomo.com/downloads/data-privacy-policy.pdf

[33] . http://www.airtel.in/forme/privacy-policy

[34] .http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061

[35] . http://www.acttv.in/index.php/privacy-policy

[36] . In 2012, the Minister of State for Communications & Information Technology informed the Rajya Sabha that " (a)ny change in the privacy policy is not within the purview of amended Information Technology Act, 2000",, while discussing changes to Google's privacy policy. Even though the Minister noted that the EU has reported its dissatisfaction with the changed policy, finding that the policy " makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service ", he argued that the Act and Rules therein merely stipulate the publication of a privacy policy which provide " information to the end users as to how their personal information is collected, for which it is collected, processed and secure". Further, when asked how changes to privacy policy affect end users the Minister shifted the responsibility on end users, stating that " (t)he end users… need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services ".( < http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22 >).

[37] . Available at http://portal.bsnl.in/portal/privacypolicy.htm, the privacy policy was found through a search engine and not through a link from the website. An RTI request was submitted to BSNL for a copy of its privacy policy as applicable to all its products, services and websites. BSNL responded by submitting a copy of this privacy policy even though the text of the policy does not clarify the scope.

[38] . See, <http://www.acttv.in/index.php/privacy-policy>

[39] . See <http://www.airtel.in/forme/privacy-policy>

[40] . See <www.tataindicom.com/Download/data-privacy-policy.pdf>

[41] . See <<www.aircel.com/AircelWar/appmanager/aircel/delhi?_nfpb=true&_pageLabel=P26400194591312373872061>>

[42] . See <https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar>

[43] . See<< http://portal.bsnl.in/portal/privacypolicy.htm>>

[44] . See <http://www.acttv.in/index.php/privacy-policy>

[45] . See <https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar>

[46] . See <http://www.tataindicom.com/Download/data-privacy-policy.pdf>

[47] . Ibid

[48] . The complaint center details are available here: < http://www.tccms.gov.in/Queries.aspx?cid=1>

[49] . Rules 5 and 6

[50] . Principle 2, Principle 3, Personal Information Protection and Electronic Documents Act 2000. Available at: << http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html>>

[51] . Rule 5(7),

[52] . Principle 2

[53] . P. 21

[54] . Telecom Regulatory Policy CRTC 2009-657, Review of the Internet traffic management practices of Internet service providers << www.crtc.gc.ca/eng/archive/2009/2009-657.htm>>

[55] . Alex Cameron,CRTC Imposes Super-PIPEDA Privacy Protections for Personal Information Collected by ISPs, Privacy and Information Protection Bulletin, Fasken Martineau, << http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf . >> Accessed 21 May 2014

[56] . Bram D. Abramson, Grant Buchanan, Hank Intven, CRTC Shapes Canadian "Net Neutrality" Rules, McCarthy Tetrault. < http://www.mccarthy.ca/article_detail.aspx?id=4720 > Accessed 21 May 2014

[57] . The Privacy Act, 1988, Part III, available at << http://www.comlaw.gov.au/Series/C2004A03712.>>

[58] . Id, note 28, Schedule 3, 1.

[59] . Id, schedule 3, 2.

[60] . Id, schedule 3, 3.

[61] . Id, schedule 3, 4.

[62] . Id, schedule 3, 5.

[63] . Id, schedule 3, 6.

[64] . Id, schedule 3, 7.

[65] . Id, schedule 3, 8.

[66] . Id, schedule 3, 9.

[67] . Id, schedule 3, 10.

[68] . Telecommunications Act, Part 13 (Information or a document protected under Part 13 could relate to many forms of communications, including fixed and mobile telephone services, internet browsing, email and voice over internet telephone services. For telephone-based communications, this would include subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet-based applications, the information protected under Part 13 would include the Internet Protocol (IP) address used for the session, and the start and finish time of each session.)

[69] . Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

[70] . Id, article 3.

[71] . Id, article 8.

[72] . Id, article 2, (d). (" (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; ")

[73] . European Commission-IP-12/46, 25 January 2012, < http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.>

[74] . Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[75] . Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

[76] . Rule 2 (h)

[77] . Rule 3 (ii)

[78] . Rule 3 (vii) and (viii)

[79] . Rule 2 (i)

[80] . Rule 4(iii), (iv)

[81] . Section 2(v) of the Act defines 'information'

[82] . Rule 4 (1).

[83] . Rule 5 (5)

[84] . Defined by Venkatarama Aiyar, J as: "The rule of construction is well settled that when there are in an enactment two provisions which cannot be reconciled with each other, they should be so interpreted that, if possible, effect could be given to both" in Venkataramana Devaru v. State of Mysore, AIR 1958 SC 255, p. 268: G. P. Singh, Principles of Statutory Interpretation, 1th ed. 2010, Lexisnexis Butterworths Wadhwa Nagpur. The principle was applied to interpret statutory Rules in A. N. Sehgal v. Raje Ram Sheoram, AIR 1991 SC 1406.

[85] . Rule 6

[86] . Rule 8

[87] . 52^nd Report, Standing Committee on Information Technology, 24, available at < http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf. >

[88] . Panel Of Information Security Auditing Organisations, CERT-IN < http://www.cert-in.org.in/PDF/background.pdf>

[89] . Section 1, Guidelines for applying to CERT-In for Empanelment of IT Security Audition Organisation, < http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf>

[90] . Section 2.0, Guidelines for auditee organizations, Version 2.0, IT Security

Auditing Assignment, http://www.cert-in.org.in/PDF/guideline_auditee.pdf

[91] . See <http://www.cert-in.org.in/PDF/Empanel_org.pdf>

[92] . Rule 4

[93] . Rule 4

[94] . Rule 5 (7)

[95] . See << http://www.airtel.in/forme/privacy-policy>>

[96] . 'Information that can be used by itself to uniquely identify, contact or locate a person, or can be used with information available from other sources to uniquely identify an individual. For the purpose of this policy, sensitive personal data or information has been considered as a part of personal information.' Accessed at << http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >>

[97] . Subscriber's name, father's name, mother's name, spouse's name, date of birth, current and previous addresses, telephone number, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Information related to your utilization of our services which may include your call details, your browsing history on our website, location details and additional information provided by you while using our services. We may keep a log of the activities performed by you on our network and websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

[98] . Password, Financial information -details of Bank account, credit card, debit card, or other payment instrument detail s, Physical, physiological and mental health condition.

[99] . Airtel states that if a customer does not provide information or consent for usage of personal information or subsequently withdraws consent, Airtel reserves the right to not provide the services or to withdraw the services for which the said information was sought, Avaliable at: < http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >

[100] . See <www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp>

[101] . See << http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp >

[102] . See << http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office>>

[103] . Stakeholders are defined as: employee, associate, strategic partner, vendor

[104] . See << http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072331247805566Bharti_Airtel_CC_AA-23072013.pdf >>

[105] . Verification of customer's identity; Complete transactions effectively and bill for products and service; Respond to customer requests for service or assistance; Perform market analysis, market research, business and operational analysis; Provide, maintain and improve Airtel products and services; Anticipate and resolve issues and concerns with Airtel products and services; Promote and market Airtel products and services which it may consider of interest and benefit to customers; and, Ensure adherence to legal and regulatory requirements for prevention and detection of frauds and crimes.

[106] . See << http://www.airtel.in/forme/privacy-policy/disclosure+and+transfer?contentIDR=745792ad-d6af-4684-85d4-d85773e77356&useDefaultText=0&useDefaultDesc=0 >>

[107] . "Airtel may obtain a customer's consent for sharing personal information in several ways, such as in writing, online, through "click-through" agreements; orally, including through interactive voice response; or when a customer's consent is part of the terms and conditions pursuant to which Airtel provides a service."

[108] . Airtel and its employees may utilize some or all available personal information for internal assessments, measures, operations and related activities…"

[109] . Airtel may at its discretion employ, contract or include third parties external to itself for strategic, tactical and operational purposes. Such agencies though external to Airtel, will always be entities which are covered by contractual agreements. These agreements in turn include Airtel's guidelines to the management, treatment and secrecy of personal information

[110] . Airtel may transfer subscriber's personal information or other information collected, stored, processed by it to any other entity or organization located in India or outside India only in case it is necessary for providing services to a subscriber or if the subscriber has consented (at the time of collection of information) to the same. This may also include sharing of aggregated information with them in order for them to understand Airtel's environment and consequently, provide the subscriber with better services. While sharing personal information with third parties, adequate measures shall be taken to ensure that reasonable security practices are followed at the third party."

[111] . Airtel may share subscribers' personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences.

[112] . See<< http://www.airtel.in/forme/privacy-policy/security+practices+and+procedures?contentIDR=9346516c-c1a1-4bd7-bce0-6945236dceaa&useDefaultText=0&useDefaultDesc=0 >>

[113] . Airtel adopts reasonable security practices and procedures, in line with international standard IS/ISO/IEC 27001, to include, technical, operational, managerial and physical security controls in order to protect a customer's personal information from unauthorized access, or disclosure while it is under our control.

[114] . Airtel's security practices and procedures limit access to personal information on need-only basis. Further, its employees are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal information.

[115] . Airtel takes adequate steps to ensure that its third parties adopt reasonable level of security practices and procedures to ensure security of personal information.

[116] . Airtel may retain a subscriber's personal information for as long as required to provide him/her with services or if otherwise required under any law.

[117] . When Airtel disposes of its customers' personal information, it uses reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media)."

[118] . Airtel maintains the security of its internet connections, however for reasons outside of its control, security risks may still arise. Any personal information transmitted to Airtel or from its online products or services will therefore be at a customer's own risk. It observes reasonable security measures to protect a customer's personal information against hacking and virus dissemination.

[119] . See <<http://www.tatadocomo.com/downloads/data-privacy-policy.pdf

[120] . Information that customers provide to non-TTL companies is not covered by TTL's Policy. For example: When customers download applications or make an online purchase from a non-TTL company while using TTL's Internet or wireless services, the information collected by the non-TTL company is not subject to this Policy. When you navigate to a non-TTL company from TTL websites or applications (by clicking on a link or an advertisement, for example), information collected by the non-TTL company is governed by its privacy policy and not TTL's Privacy Policy. If one uses public forums - such as social networking services, Internet bulletin boards, chat rooms, or blogs on TTL or non-TTL websites, any Personal Information disclosed publicly can be read, collected, or used by others. Once one chooses to reveal Personal Information on such a site, the information is publicly available, and TTL cannot prevent distribution and use of that information by other parties. Information on a wireless Customer 's location, usage and numbers dialed, which is roaming on the network of a non-TTL company will be subject to the privacy policy of the non-TTL company, and not TTL's Policy.

[121] . "Personal Information" is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

[122] . Personal Information - Some general examples -TTL may collect Confidential Data in different forms such as Personal and other Information based on a customer's use of its products and services. Some examples include, Contact Information that allows us to communicate with you -- including your name, address, telephone number, and e-mail address; Billing information-- including payment data, credit history, credit card number, security codes, and service history.Equipment, Performance, TTL Website Usage, Viewing and other Technical Information about use of TTL's network, services, products or websites.

Technical & Usage Information is clarified in the FAQ's as information related to the services provided, use of TTL's network, services, products or websites. Examples of the Technical & Usage Information collected include: Equipment Information that identifies the equipment used on TTL's network, such as equipment type, IDs, serial numbers, settings, configuration, and software. Performance Information about the operation of the equipment, services and applications used on TTL's network, such as IP addresses, URLs, data transmission rates and latencies, location information, security characteristics, and information about the amount of bandwidth and other network resources used in connection with uploading, downloading or streaming data to and from the Internet. TTL Website Usage Information about the use of TTL websites, including the pages visited, the length of time spent, the links or advertisements followed and the search terms entered on TTL sites, and the websites visited immediately before and immediately after visiting one of TTL's sites.TTL also may collect similar information about a customer's use of its applications on wireless devices. Viewing Information about the programs watched and recorded and similar choices under Value added TTL services and products.

[123] . Ways in which TTL collects information: On the purchase or interaction about a TTL product or service provided; Automatically collected when one visits TTL's websites or use its products and services; Other sources, such as credit agencies.

[124] . See <http://www.tatateleservices.com/t-customercare.aspx>

[125] .See< http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341218463621Tata_CC_AA_1-23072013.pdf >

[126] . To provide the best customer experience possible; Provide the services a customer purchases, respond to customer questions; Communicate with customers regarding service updates, offers, and promotions; Deliver customized content and advertising that may be of interest to customers; Address network integrity and security issues; Investigate, prevent or take action regarding illegal activities, violations of TTL's Terms of Service or Acceptable Use Policies

[127] . Site functionality -Cookies and other tracking tools are used to help TTL analyze, manage and improve websites and storing customer preferences. Advertising TTL and its advertising partners, including Yahoo! and other advertising networks, use anonymous information gathered through cookies and other similar technologies, as well as other information TTL or its advertising networks may have, to help tailor the ads a customer sees on its sites.

[128] . TTL collects some Information on an anonymous basis. TTL also may anonymize the Personal Information it collects about customers. It may obtain aggregate data by combining anonymous data that meet certain criteria into groups.

[129] . In Other Circumstances: TTL may provide Personal Information to non-TTL companies or other third parties for purposes such as: To assist with identity verification, and to prevent fraud and identity theft; Enforcing its agreements and property rights; Obtaining payment for products and services that appear on customers' TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; and to comply to legal and regulatory requirements. TTL shares customer Personal Information only with non-TTL companies that perform services on its behalf, and only as necessary for them to perform those services. TTL requires those non-TTL companies to protect any Personal Information they may receive in a manner consistent with this policy. TTL does not provide Personal Information to non-TTL companies for the marketing of their own products and services without a customer's consent. TTL may share aggregate or anonymous Information in various formats with trusted non-TTL entities, and may work with those entities to do research and provide products and services.

[130] . TTL provides Personal Information to non-TTL companies or other third parties (for example, to government agencies, credit bureaus and collection agencies) without consent for certain purposes, such as: To comply with court orders, subpoenas, lawful discovery requests and other legal or regulatory requirements, and to enforce our legal rights or defend against legal claims, To obtain payment for products and services that appear on customer TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; To enforce its agreements, and protect our rights or property; To assist with identity verification, and to prevent fraud and identity theft; To prevent unlawful use of TTL's services and to assist in repairing network outages; To provide information regarding the caller's location to a public safety entity when a call is made to police/investigation agencies, and to notify the public of wide-spread emergencies; To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay; To display name and telephone number on a Caller ID device;

[131] . Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI), the TTL companies may share your Personal Information with each other to make sure your experience is as seamless as possible, and you have the benefit of what TTL has to offer.

[132] . Customers and Users should be aware that TTL affiliates and non-TTL companies that perform services on behalf of TTL may be located outside the country where customers access TTL's services. As a result, when customer Personal Information is shared with or processed by such entities, it may be accessible to government authorities according to the laws of those jurisdictions.

[133] . TTL has implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL. It has established electronic and administrative safeguards designed to secure the information it collects, to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately. Some examples of those safeguards include: All TTL employees are subject to the internal Code of Business Conduct. The TTL Code requires all employees to follow the laws, rules, regulations, court and/or commission orders that apply to TTL's business such as legal requirements and company policies on the privacy of communications and the security and privacy of Customer records. Employees who fail to meet the standards embodied in the Code of Business Conduct are subject to disciplinary action, up to and including dismissal. TTL has implemented technology and security features and strict policy guidelines to safeguard the privacy of customer Personal Information. TTL has implemented encryption or other appropriate security controls to protect Personal Information when stored or transmitted by it; TTL limits access to Personal Information to those employees, contractors, and agents who need access to such information to operate, develop, or improve its services and products; TTL requires caller/online authentication before providing Account Information so that only the customer or someone who knows the customer's account Information will be able to access or change the information.

[134] . See << http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf >>

[135] . See << https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker >>

[136] . "We have created this Privacy Policy to help you understand how we collect, use and protect your information when you visit our web and WAP sites and use our products and services."

[137] . Vodafone may hold information relating to customers that have been provided (such as on an application or registration form) or that it may has obtained from another source (such as its suppliers or from marketing organisations and credit agencies).

This information may include, amongst other things, a customer's name, address, telephone numbers, information on how a customer uses Vodafone's products and services (such as the type, date, time, location and duration of calls or messages, the numbers called and how much a customer spends, and information on his/her browsing activity when visiting one of Vodafone's group companies' websites), the location of a customer's mobile phone from time to time, lifestyle information and any other information collected in relation to his/her use of Vodafone's products and services ("information").

It may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts with its website, and web-related products and services.

It may use a persistent cookie to record details such as a unique user identity and general registration details on your PC. Vodafone states that most browser technology (such as Internet Explorer, Netscape etc) allows one to choose whether to accept cookies or not - a customer can either refuse all cookies or set their browser to alert them each time that a website tries to set a cookie.

[138] . In case of any concerns the privacy officer can be contacted at privacyofficer@vodafone.com. Additionally details of the Grievance Redressal Officers is provided via the TRAI website. (TRAI website: http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf _

[139] . The information that Vodafone collects from customers is held in accordance with applicable laws and regulations in India. It may be used by us for a number of purposes connected with its business operations and functions, which include:

2.1 Processing customer orders or applications;

2.2 Carrying out credit checking and scoring (unless Vodafone have agreed otherwise);

2.3 Providing the customer with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering his/her account;

2.4 Billing

2.5 Settling accounts with those who provide related services to Vodafone;

2.6 Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes;

2.7 Carrying out market and product analysis and marketing Vodafone and its group companies' products and services generally;

2.8 Contacting a customer (including by post, email, fax, short text message (SMS), pager or telephone) about Vodafone and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to customers (unless a customer asks us in writing not to). Electronic marketing messages may not include a marketing facility.

2.9 Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that a customer may have in respect of our and our group companies' schemes.

2.10 inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party (subject to any objection or preference a customer may have indicated to us in writing);

2.11 carrying out any activity in connection with a legal, governmental or regulatory requirement on Vodafone or in connection with legal proceedings, crime or fraud prevention, detection or prosecution;

2.12 carrying out activities connected with the running of Vodafone's business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Vodafone's business with respect to a customer or a potential customer.

[140] . In the need for disclosure to third parties, the personal information will only be disclosed to the third parties below:

3.1 Vodafone's group companies who may in India use and disclose your information for the same purposes as us;

3.2 those who provide to Vodafone or its group companies products or services that support the services that we provide, such as our dealers and suppliers;

3.3 credit reference agencies (unless Vodafone has agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Vodafone makes against a customer's name;

3.4 if someone else pays a customer's bill, such as a customer's employer, that person;

3.5 those providing telephone and similar directories or directory enquiry services

3.6 anyone Vodafone transfers business to in respect of which a person is a customer or a potential customer;

3.7 anyone who assists Vodafone in protecting the operation of the Vodafone India networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;

3.8 persons to whom Vodafone may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services;

3.9 any person or organisation as authorised by laws and regulations applicable in India.

If a customer has opted in to receiving marketing material from Vodafone, it may also provide customer's personal information to carefully selected third parties who we reasonably believe provide products or services that may be of interest to customers and who have contracted with Vodafone India to keep the information confidential, or who are subject to obligations to protect your personal information.

To opt-out of receiving Vodafone marketing materials,customers can send a 'Do Not Disturb' message to Vodafone. If a customer wishes to use Vodafone products or services abroad, his/her information may be transferred outside India to that country. Vodafone's websites and those of its group companies may also be based on servers located outside of India.

[141] . Vodafone takes reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorized access, modification or disclosure.

Vodafone makes every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to it or from its online products or services will be at a customer's own risk, however, it will use its best efforts to ensure that any such information remains secure. Vodafone cannot protect any information that a customer makes available to the general public - for example, on message boards or in chat rooms.

Vodafone may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts.

[142] . See <http://www.vodafone.com>

[143] . See < http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html >

[144] . http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 (Scope - This Privacy Policy has been created to help customer's understand how Aircel collects, uses and protects customer information when one visits its web and WAP sites and use its products and services.)

[145] . This information may include, amongst other things, customer's name, father's name, mother's name, spouse's name, date of birth, address, telephone numbers, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Aircel may also hold information related to utilization of its services. This may include customer call records, browsing history while surfing Aircel's website, location details and additional information provided by customer while using our services.

Aircel may keep a log of the activities performed by a customer on its websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with Aircel's website, and web-related products and services

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on customer's Personal Computers.

[146] . In case a customer does not provide information or consent for usage of personal information or later on withdraw consent for usage of the personal information so collected, Aircel reserves the right to discontinue the services for which the said information was sought.

[147] . In case of any feedback or concern regarding protection of personal information, customers can contact Aircel's Circle Care ID. Alternatively, one may also direct your privacy-related feedback or concerns to the Circle Nodal Officer. (e.g. - Delhi Circle Nodal details are as mentioned below):

1. Name: Moushumi De

Contact Number: 9716199209

E-mail: nodalofficer.delhi@aircel.co.in

Further it provides for a general customer grievance redressal mechanism

Additionally details of the Grievance Redressal Officers is provided via the TRAI website.

To resolve all concerns, Aircel has established a 2-tier complaint handling mechanism. Level I: Our Customer Touch Points As an Aircel customer you have the convenience to contact at Customer Interface Points via email, post or telephone. Level II - Appellate AuthorityDespite the best efforts put by Aircel's executive, if a customer is still not satisfied with the resolution provided then he/she may submit his/her concern to the Appellate Authority of the circle. Comments - However this information contradicts the mechanism provided under Aircel's Manual of Practice for handling Consumer Complaints which provides for a 3-tier complaint handling mechanism.

[According to the DoT - The earlier three-tier complaint redressal mechanism - Call center, Nodal Center and Appellate Authority, has been replaced by a two-tier one by doing away with the level of Nodal Officer. This is because the Complaint Centres are essentially registration and response centres and do not deal with the resolution of complaints. They only facilitate registration of consumer complaint and the level at which a problem is resolved within a company depends upon the complexity of the issue involved.]

[148] . It may be used by us for a number of purposes connected with our business operations and functions, which include:

1. Processing customer orders or applications.

2. Carrying out credit checking and scoring (unless agreed otherwise).

3. Providing customers with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering a customer's account.

4. Billing (unless there exists another agreed method).

5. Settling accounts with those who provide related services to Aircel.

6. Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes.

7. Carrying out market and product analysis and marketing our and our group companies' products and services generally.

8. Contacting customers (including by post, email, fax, short text message (SMS), pager or telephone) about Aircel and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to a customer (unless a customer says 'no' in writing). Electronic messages need not have an unsubscribe facility.

9. Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that customers may have in respect of Aircel and its group companies' loyalty or reward programmes and other similar schemes.

10. Inclusion in any telephone or similar directory or directory enquiry service provided or operated by Aircel or by a third party (subject to any objection or preference a customer may have indicated in writing).

11. Carrying out any activity in connection with a legal, governmental or regulatory requirement on Aircel or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.

12. Carrying out activities connected with the running of business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Aircel's business with respect to a customer or potential customer. Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with our website, and web-related products and services, to:

● Understand what a customer likes and uses about Aircel's website.

● Provide a more enjoyable, customised service and experience

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on your Personal Computer.

[149] . Where Aircel needs to disclose your information to third parties, such third parties will be:

1. Group companies who may use and disclose your information for the same purposes as us.

2. Those who provide to Aircel or its group companies products or services that support the services that we provide, such as our dealers and suppliers.

3. Credit reference agencies (unless we have agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Aircel make against your name.

4. If someone else pays a customer's bill, such as an employer.

5. Those providing telephone and similar directories or directory enquiry services.

6. Anyone Aircel transfers its business to in respect of which you are a customer or a potential customer.

7. Anyone who assists Aircel in protecting the operation of the Aircel networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities.

8. Persons to whom Aircel may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services. If a customer has opted in to receiving marketing material from Aircel, it may also provide personal information to carefully selected third parties who it reasonably believes to provide products or services that may be of interest to customers and who have contracted with Aircel to keep the information confidential, or who are subject to obligations to protect customer personal information.

[150] . We adopt reasonable security practices and procedures to include, technical, operational, managerial and physical security control measures in order to protect your personal information from unauthorized access, or disclosure while it is under our control.Our security practices and procedures limit access to personal information on need to know basis. Further, our employees, to the extent they may have limited access to your personal information on need to know basis, are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal informationWe take adequate steps to ensure that our third parties adopt reasonable level of security practices and procedures to ensure security of personal information

We may retain your personal information for as long as required to provide you with services or if otherwise required under any law. We, however assure you that Aircel does not disclose your personal information to unaffiliated third parties (parties outside Aircel corporate network and its Strategic and Business Partners) which could lead to invasion of your privacy

When we dispose off your personal information, we use reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media).

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification or disclosure. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information you provide on computer systems with limited access, which are located in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Secure Socket Layer (SSL) protocol. If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving a site or service to protect access to your information from subsequent users.

We make every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk, however we will use our best efforts to ensure that any such information remains secure.

[151] . http://www.acttv.in/index.php/privacy-policy

[152] . "When you register, we ask for information such as your name, email address, birth date, gender, zip code, occupation, industry, and personal interests.

The Company collects information about your transactions with us and with some of our business partners, including information about your use of products and services that we offer."

[153] . Not provided for on the TRAI website as ACT is not a telecom.

[154] . The Company can use information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.

The Company collects personal information when you register with the Company, when you use the Company products or services, when you visit the Company pages or the pages of certain partners of the Company. The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you.

[155] . Aircel provide the information to trusted partners who work on behalf of or with the Company under confidentiality agreements. These companies may use customer personal information to help the Company communicate about offers from the Company and marketing partners.

Aircel believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Company's terms of use, or as otherwise required by law.

Aircel transfer information about a customer if the Company is acquired by or merged with another company under a different management. In this event, the Company will notify a customer before information about a customer is transferred and becomes subject to a different privacy policy.

The Company plans to display targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click on targeted ads meet the targeting criteria - for example, women ages 18-24 from a particular geographic area.

The Company will not provide any personal information to the advertiser when customers interact with or view a targeted ad. However, by interacting with or viewing an ad a customer consents to the possibility that the advertiser will make the assumption that he/she meets the targeting criteria used to display the ad.

[156] . Rule 8.

For more details visit https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules

A Review of the Policy Debate around Big Data and Internet of Things

elonnai — 2015-08-17T08:36:18Z

This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.

Defining and Connecting Big Data and Internet of Things

The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the velocity at which data is generated, the volume of data that is generated, and the variety of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.

General Implications of Big Data and Internet of Things

Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that it can bring. From improving an organizations business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.

At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article "Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon" propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled " The Societal Impact of the Internet of Things" points out that often users of Big Data assume that information and conclusions based on digital data is reliable and in turn replace other forms of information with digital data.[6]

Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]

Regulation of Big Data and Internet of Things

The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article "Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"stress the importance of bringing in 'data due process rights' i.e ensuring fairness in the analytics of Big Data and how personal information is used.[8] While Solon Barocas and Andrew Selbst in the article "Big Data's Disparate Impact" explore if present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]

The Impact of Big Data and IoT on Data Protection Principles

In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:

Collection Limitation: As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]
Consent: As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]
Data Minimization: As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]
Notice: As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]
Purpose Limitation: As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]
Necessity: As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]
Access and Correction: As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]
Opt In and Opt Out Choices: Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]
PI: As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]
Data Controller: In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]

Possible Technical and Policy Solutions

In a Report titled "Internet of Things: Privacy & Security in a Connected World" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:

Automatically delete data after a specified period of time [21] (addressing concerns of data retention)
Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)
Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)
Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)
Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)
Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)
Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)
Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)

Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]

Experts have also suggested that more emphasis should be placed on the principles and practices of:

Transparency,
Access and correction,
Use/misuse
Breach notification
Remedy
Ability to withdraw consent

Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]

Possible Regulatory Frameworks

To the question - are current regulatory frameworks adequate and is additional legislation needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol - hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Shultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - as they say "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Shultz more broadly note that there are conceptual differences between privacy law and big data that pose as serious challenges i.e privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Shultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and the EU regulation including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers empowering individuals and promoting competitive market structures or adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches, seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]

Conclusion

A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is either creating a regulatory dilemma– with policy makers searching for ways to control the unpredictable nature of big data through policy and technology through the merging of policy areas, the honing of existing policy mechanisms, or the broadening of existing policy mechanisms - while others are ignoring the change that Big Data brings with it and are forging ahead with its use.

Answering the 'how do we regulate Big Data” question requires re-conceptualization of data ownership and realities. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution to a country's economy and security that this data plays. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of critical national infrastructure of a nation, and accorded the security, protections, and legal backing thereof to prevent the misuse of the resource by the private or public sectors, local or foreign governments. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.

In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation a National Data Archive with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.

[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf

[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/

[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf. Accessed: July 2^nd 2015.

[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564

[5] Danah Boyd, Kate Crawford. CRITICAL QUESTIONS FOR BIG DATA. Information, Communication & Society Vol. 15, Iss. 5, 2012. Available at: http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878. Accessed: July 2^nd 2015.

[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[7] ARTICLE 29 Data Protection Working Party. (2014). Opinion 8/2014 on the on Recent Developments on the Internet of Things. European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784

[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899

[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.

[13] Omer Tene and Jules Polonetsky, Big Data for All: Privacy and User Control in the Age of Analytics, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).

[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Infomation Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf

[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16^th 2014. Available at: h ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14^th 2013. Available at: http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf. Accessed: July 2^nd 2015.

[18] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2nd 2015.

[20] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[21] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[22] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[23] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[24] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[29] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2nd 2015.

[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[31] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[33] Federal Trade Commission. (2015). Internet of Things: Privacy & Security in a Connected World. Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16^th 2014. Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf. Accessed: July 2^nd 2015.

[35] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1^st 2014. Available at: http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr. Accessed: July 2^nd 2015.

[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf

[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25^th 2015. Available at: http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/. Accessed: August 8^th 2015.

[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7^th 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415

[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10^th 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/

For more details visit https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things

A judicial overreach into matters of regulation

gurshabad — 2019-08-28T01:28:52Z

A PIL on Aadhaar sheds light on some problematic trends

The article by Gurshabad Grover was published in the Hindu on August 27, 2019.

The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.

The first issue is how the courts, as Anuj Bhuwania has argued in the book Courting the People, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?

After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.

Government’s support

Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.

Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.

Problems of investigation

That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues have not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.

To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.

(Disclosure: The CIS is a recipient of research grants from Facebook.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation

A Guide to Personal Data Protection Bill, 2019 Compliance - Privacy Policy

shweta — 2021-09-17T14:37:52Z

For more details visit https://cis-india.org/internet-governance/guide-to-personal-data-protection-bill.pdf

A Guide to Navigating Your Digital Rights

Anamika Kundu, Radhika, Shruti Trikanad, Torsha Sarkar — 2024-07-01T08:18:17Z

The Digital Rights Guide gives practical guidance on the laws and procedures that affect internet freedoms. It covers the following topics:

Internet Shutdowns
Content Takedown
Surveillance
Device Seizure

The Digital Rights Guide can be viewed here.

For more details visit https://cis-india.org/internet-governance/blog/digital-rights-guide-1

A Critique of Consent in Information Privacy

Amber Sinha and Scott Mason — 2016-01-18T02:20:10Z

The idea of informed consent in privacy law is supposed to ensure the autonomy of an individual in any exercise which involves sharing of the individual's personal information. Consent is usually taken through a document, a privacy notice, signed or otherwise agreed to by the participant.

Notice and Consent as cornerstone of privacy law
The privacy notice, which is the primary subject of this article, conveys all pertinent information, including risks and benefits to the participant, and in the possession of such knowledge, they can make an informed choice about whether to participate or not.

Most modern laws and data privacy principles seek to focus on individual control. In this context, the definition by the late Alan Westin, former Professor of Public Law & Government Emeritus, Columbia University, which characterises privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other," ^{^[1]} is most apt. The idea of privacy as control is what finds articulation in data protection policies across jurisdictions beginning from the Fair Information Practice Principles (FIPP) from the United States. ^{^[2]} Paul Schwarz, the Jefferson E. Peyser Professor at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology, called the FIPP the building blocks of modern information privacy law. ^{^[3]} These principles trace their history to a report called 'Records, Computers and Rights of Citizens'^{^[4]} prepared by an Advisory Committee appointed by the US Department of Health, Education and Welfare in 1973 in response to the increasing automation in data systems containing information about individuals. The Committee's mandate was to "explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number."^{^[5]} The most important legacy of this report was the articulation of five principles which would not only play a significant role in the privacy laws in US but also inform data protection law in most privacy regimes internationally^{^[6]} like the OECD Privacy Guidelines, the EU Data Protection Principles, the FTC Privacy Principles, APEC Framework or the nine National Privacy Principles articulated by the Justice A P Shah Committee Report which are reflected in the Privacy Bill, 2014 in India. Fred Cate, the C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, effectively summarises the import of all of these privacy regimes as follows:

"All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals' expressed preferences"^{^[7]}

This makes the individual empowered and allows them to weigh their own interests in exercising their consent. The allure of this paradigm is that in one elegant stroke, it seeks to "ensure that consent is informed and free and thereby also to implement an acceptable tradeoff between privacy and competing concerns."^{^[8]} This system was originally intended to be only one of the multiple ways in data processing would be governed, along with other substantive principles such as data quality, however, it soon became the dominant and often the only mechanism.^{^[9]} In recent years however, the emergence of Big Data and the nascent development of the Internet of Things has led many commentators to begin questioning the workability of consent as a principle of privacy. ^{^[10]} In this article we will look closely at the some of issues with the concept of informed consent, and how these notions have become more acute in recent years. Following an analysis of these issues, we will conclude by arguing that today consent, as the cornerstone of privacy law, may in fact be thought of as counter-productive and that a rethinking of a principle based approach to privacy may be necessary.

Problems with Consent

To a certain extent, there are some cognitive problems that have always existed with the issue of informed consent such as long and difficult to understand privacy notices,^{^[11]} although, in recent past with these problems have become much more aggravated. Fred Cate points out that FIPPs at their inception were broad principles which included both substantive and procedural aspects. However, as they were translated into national laws, the emphasis remained on the procedural aspect of notice and consent. From the idea of individual or societal welfare as the goals of privacy, the focus had shifted to individual control.^{^[12]} With data collection occurring with every use of online services, and complex data sets being created, it is humanly impossible to exercise rational decision-making about the choice to allow someone to use our personal data. The thrust of Big Data technologies is that the value of data resides not in its primary purposes but in its numerous secondary purposes where data is re-used many times over. ^{^[13]} In that sense, the very idea of Big Data conflicts with the data minimization principle.^{^[14]} The idea is to retain as much data as possible for secondary uses. Since, these secondary uses are, by their nature, unanticipated, its runs counter to the the very idea of the purpose limitation principle. ^{^[15]} The notice and consent requirement has simply led to a proliferation of long and complex privacy notices which are seldom read and even more rarely understood. We will articulate some issues with privacy notices which have always existed, and have only become more exacerbated in the context of Big Data and the Internet of Things.

1. Failure to read/access privacy notices

The notice and consent principle relies on the ability of the individual to make an informed choice after reading the privacy notice. The purpose of a privacy notice is to act as a public announcement of the internal practices on collection, processing, retention and sharing of information and make the user aware of the same.^{^[16]} However, in order to do so the individual must first be able to access the privacy notices in an intelligible format and read them. Privacy notices come in various forms, ranging from documents posted as privacy policies on a website, to click through notices in a mobile app, to signs posted in public spaces informing about the presence of CCTV cameras. ^{^[17]}

In order for the principle of notice and consent to work, the privacy notices need to be made available in a language understood by the user. As per estimates, about 840 million people (11% of the world population) can speak or understand English. However, most privacy notices online are not available in the local language in different regions.^{^[18]} Further, with the ubiquity of smartphones and advent of Internet of Things, constrained interfaces on mobile screens and wearables make the privacy notices extremely difficult to read. It must be remembered that privacy notices often run into several pages, and smaller screens effectively ensure that most users do not read through them. Further, connected wearable devices often have "little or no interfaces that readily permit choices." ^{^[19]} As more and more devices are connected, this problem will only get more pronounced. Imagine in a world where refrigerators act as the intermediary disclosing information to your doctor or supermarket, at what point does the data subject step in and exercise consent.^{^[20]}

Another aspect that needs to be understood is that unlike earlier when data collectors were far and few in between, the user could theoretically make a rational choice taking into account the purpose of data collection. However, in the world of Big Data, consent often needs to be provided while the user is trying to access services. In that context click through privacy notices such as those required to access online application, are treated simply as an impediment that must be crossed in order to get access to services. The fact that the consent need to be given in real time almost always results in disregarding what the privacy notices say.^{^[21]}

Finally, some scholars have argued that while individual control over data may be appealing in theory, it merely gives an illusion of enhanced privacy but not the reality of meaningful choice.^{^[22]} Research demonstrates that the presence of the term 'privacy policy' leads people to the false assumption that if a company has a privacy policy in place, it automatically means presence of substantive and responsible limits on how data is handled.^{^[23]} Joseph Turow, the Robert Lewis Shayon Professor of Communication at the Annenberg School for Communication, and his team for example has demonstrated how "[w]hen consumers see the term 'privacy policy,' they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information."^{^[24]} In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. Most people tend to ignore privacy policies.^{^[25]} Cass Sunstein states that our cognitive capacity to make choices and take decisions is limited. When faced with an overwhelming number of choices to make, most of us do not read privacy notices and resort to default options.[26] The requirement to make choices, sometimes several times in a day, imposes significant burden on the consumers as well the business seeking such consent. ^{^[27]}

2. Failure to understand privacy notices

FTC chairperson Edith Ramirez stated: "In my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice."^{^[28]} Privacy notices often come in the form of long legal documents much to the detriment of the readers' ability to understand them. These policies are "long, complicated, full of jargon and change frequently."^{^[29]} Kent walker list five problems that privacy notices typically suffer from - a) overkill - long and repetitive text in small print, b) irrelevance - describing situations of little concern to most consumers, c) opacity - broad terms the reflect the truth that is impossible to track and control all the information collected and stored, d) non-comparability - simplification required to achieve comparability will lead to compromising accuracy, and e) inflexibility - failure to keep pace with new business models.^{^[30]} Erik Sherman did a review of twenty three corporate privacy notices and mapped them against three indices which give approximate level of education necessary to understand text on a first read. His results show that most of policies can only be understood on the first read by people of a grade level of 15 or above. ^{^[31]} FTC Chairperson Timothy Muris summed up the problem with long privacy notices when he said, "Acres of trees died to produce a blizzard of barely comprehensible privacy notices." ^{^[32]}

Margaret Jane Radin, the former Henry King Ransom Professor of Law Emerita at the University of Michigan, provides a good definition of free consent. It "involves a knowing understanding of what one is doing in a context in which it is actually

possible for or to do otherwise, and an affirmative action in doing something, rather

than a merely passive acquiescence in accepting something."^{^[33]} There have been various proposals advocating a more succinct and simpler standard for privacy notices,^{^[34]} or multi-layered notices^{^[35]} or representing the information in the form of a table. ^{^[36]} However, studies show only an insignificant improvement in the understanding by consumers when privacy policies are represented in graphic formats like tables and labels. ^{^[37]} It has also been pointed out that it is impossible to convey complex data policies in simple and clear language.^{^[38]}

3. Failure to anticipate/comprehend the consequences of consent

Today's infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most have no understanding of what happens to their data once they have uploaded it - Where it goes? Whom it is held by? Under what conditions? For what purpose? Or how might it be used, aggregated, hacked, or leaked in the future? For the most part, the above operations are "invisible, managed at distant centers, from behind the scenes, by unmanned powers."^{^[39]}

The perceived opportunities and benefits of Big Data have led to an acceptance of the indiscriminate collection of as much data as possible as well as the retention of that data for unspecified future analysis. For many advocates, such practices are absolutely essential if Big Data is to deliver on its promises.. Experts have argued that key privacy principles particularly those of collection limitation, data minimization and purpose limitation should not be applied to Big Data processing.^{^[40]} As mentioned above, in the case of Big Data, the value of the data collected comes often not from its primary purpose but from its secondary uses. Deriving value from datasets involves amalgamating diverse datasets and executing speculative and exploratory kinds of analysis in order to discover hidden insights and correlations that might have previously gone unnoticed.^{^[41]} As such organizations are today routinely reprocessing data collected from individuals for purposes not directly related to the services they provide to the customer. These secondary uses of data are becoming increasingly valuable sources of revenue for companies as the value of data in and of itself continues to rise. ^{^[42]}

Purpose Limitation

The principle of purpose limitation has served as a key component of data protection for decades. Purposes given for the processing of users' data should be given at the time of collection and consent and should be "specified, explicit and legitimate". In practice however, reasons given typically include phrases such as, 'for marketing purposes' or 'to improve the user experience' that are vague and open to interpretation. ^{^[43]}

Some commentators whilst conceding the fact that purpose limitation in the era of Big Data may not be possible have instead attempted to emphasise the notion of 'compatible use' requirements. In the view of Working Party on the protection of individuals with regard to the processing of person data, for example, use of data for a purpose other than that originally stated at the point of collection should be subject to a case-by-case review of whether not further processing for different purpose is justifiable - i.e., compatible with the original purpose. Such a review may take into account for example, the context in which the data was originally collected, the nature or sensitivity of the data involved, and the existence of relevant safeguards to insure fair processing of the data and prevent undue harm to the data subject.^{^[44]}

On the other hand, Big Data advocates have argued that an assessment of legitimate interest rather than compatibility with the initial purpose is far better suited to Big Data processing.^{^[45]} They argue that today the notion of purpose limitation has become outdated. Whereas previously data was collected largely as a by-product of the purpose for which it was being collected. If for example, we opted to use a service the information we provided was for the most part necessary to enable the provision of that service. Today however, the utility of data is no longer restricted to the primary purpose for which it is collected but can be used to provide all kinds of secondary services and resources, reduce waste, increase efficiency and improve decision-making.^{^[46]} These kinds of positive externalities, Big Data advocates insist, are only made possible by the reprocessing of data.

Unfortunately for the notion of consent the nature of these secondary purposes are rarely evident at the time of collection. Instead the true value of the data can often only be revealed when it is amalgamated with other diverse datasets and subjected to various forms of analysis to help reveal hidden and non-obvious correlations and insights.^{^[47]} The uncertain and speculative value of data therefore means that it is impossible to provide "specific, explicit, and legitimate" details about how a given data set will be used or how it might be aggregated in future. Without this crucial information data subjects have no basis upon which they can make an informed decision about whether or not to provide consent. Robert Sloan and Richard Warner argue that it is impossible for a privacy notice to contain enough information to enable free consent. They argue that current data collection practices are highly complex and that these practices involve collection of information at one stage for one purpose and then retain, analyze, and distribute it for a variety of other purposes in unpredictable ways. ^{^[48]} Helen Nissenbaum points to the ever changing nature of data flow and the cognitive challenges it poses. "Even if, for a given moment, a

snapshot of the information flows could be grasped, the realm is in constant flux, with new firms entering the picture, new analytics, and new back end contracts forged: in other words, we are dealing with a recursive capacity that is indefinitely extensible." ^{^[49]}

Scale and Aggregation

Today the quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, 'creating countless new digital puddles, lakes, tributaries and oceans of information'.^{^[50]} In 2011 it was estimated that the quantity of data produced globally would surpass 1.8 zettabytes , by 2013 that had grown to 4 zettabytes , and with the nascent development of the Internet of Things gathering pace, these trends are set to continue. ^{^[51]} Big Data by its very nature requires the collection and processing of very large and very diverse data sets. Unlike other forms scientific research and analysis which utilize various sampling techniques to identify and target the types of data most useful to the research questions, Big Data instead seeks to gather as much data as possible, in order to achieve full resolution of the phenomenon being studied, a task made much easier in recent years as a result of the proliferation of internet enabled devices and the growth of the Internet of Things. This goal of attaining comprehensive coverage exists in tension however with the key privacy principles of collection limitation and data minimization which seek to limit both the quantity and variety of data collected about an individual to the absolute minimum. ^{^[52]}

The dilution of the purpose limitation principle entails that even those who understand privacy notices and are capable of making rational choices about it, cannot conceptualize how their data will be aggregated and possibly used or re-used. Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, in his book, "The Digital Person", calls it the aggregation effect. He argues that the ingenuity of the data mining techniques and the insights and predictions that could be made by it render any cost-benefit analysis that an individual could make ineffectual. ^{^[53]}

4. Failure to opt-out

The traditional choice against the collection of personal data that users have had access to, at least in theory, is the option to 'opt-out' of certain services. This draws from the free market theory that individuals exercise their free will when they use services and always have the option of opting out, thus, arguing against regulation but relying on the collective wisdom of the market to weed out harms. The notion that the provision of data should be a matter of personal choice on the part of the individual and that the individual can, if they chose decide to 'opt-out' of data collection, for example by ceasing use of a particular service, is an important component of privacy and data protection frameworks. The proliferation of internet-enabled devices, their integration into the built environment and the real-time nature of data collection and analysis however are beginning to undermine this concept. For many critics of Big Data, the ubiquity of data collection points as well as the compulsory provision of data as a prerequisite for the access and use of many key online services, is making opting-out of data collection not only impractical but in some cases impossible. ^{^[54]}

Whilst sceptics may object that individuals are still free to stop using services that require data. As online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less of a genuine choice. ^{^[55]} Information flows not only from the individuals it is about but also from what other people say about them. Financial transactions made online or via debit/credit cards can be analysed to derive further information about the individual. If opting-out makes you look anti-social, criminal, or unethical, the claims that we are exercising free will seems murky and leads one to wonder whether we are dealing with coercive technologies.

Another issue with the consent and opt-out paradigm is the binary nature of the choice. This binary nature of consent makes a mockery of the notion that consent can function as an effective tool of personal data management. What it effectively means is that one can either agree with the long privacy notices, or choose to abandon the desired service. "This binary choice is not what the privacy architects envisioned four decades ago when they imagined empowered individuals making informed decisions about the processing of their personal data. In practice, it certainly is not the optimal mechanism to ensure that either information privacy or the free flow of information is being protected." ^{^[56]}

Conclusion: 'Notice and Consent' is counter-productive

There continues to be an unwillingness amongst many privacy advocates to concede that the concept of consent is fundamentally broken, as Simon Davies, a privacy advocate based in London, comments 'to do so could be seen as giving ground to the data vultures', and risks further weakening an already dangerously fragile privacy framework.^{^[57]} Nevertheless, as we begin to transition into an era of ubiquitous data collection, evidence is becoming stronger that consent is not simply ineffective, but may in some instances might be counter-productive to the goals of privacy and data protection.

As already noted, the notion that privacy agreements produce anything like truly informed consent has long since been discredited; given this fact, one may ask for whose benefit such agreements are created? One may justifiably argue that far from being for the benefit and protection of users, privacy agreement may in fact be fundamentally to the benefit of data brokers, who having gained the consent of users can act with near impunity in their use of the data collected. Thus, an overly narrow focus on the necessity of consent at the point of collection, risks diverting our attention from the arguably more important issue of how our data is stored, analysed and distributed by data brokers following its collection. ^{^[58]}

Furthermore, given the often complicated and cumbersome processes involved in gathering consent from users, some have raised concerns that the mechanisms put in place to garner consent could themselves morph into surveillance mechanisms. Davies, for example cites the case of the EU Cookie Directive, which required websites to gain consent for the collection of cookies. Davies observes how, 'a proper audit and compliance element in the system could require the processing of even more data than the original unregulated web traffic. Even if it was possible for consumers to use some kind of gateway intermediary to manage the consent requests, the resulting data collection would be overwhelming''. Thus in many instances there exists a fundamental tension between the requirement placed on companies to gather consent and the equally important principle of data minimization. ^{^[59]}

Given the above issues with notice and informed consent in the context of information privacy, and the fact that it is counterproductive to the larger goals of privacy law, it is important to revisit the principle or rights based approach to data protection, and consider a paradigm shift where one moves to a risk based approach that takes into account the actual threats of sharing data rather than relying on what has proved to be an ineffectual system of individual control. We will be dealing with some of these issues in a follow up to this article.

^{^[1]} Alan Westin, Privacy and Freedom, Atheneum, New York, 2015.

^{^[2]} FTC Fair Information Practice Principles (FIPP) available at https://www.it.cornell.edu/policies/infoprivacy/principles.cfm.

^{^[3]} Paul M. Schwartz, "Privacy and Democracy in Cyberspace," 52 Vanderbilt Law Review 1607, 1614 (1999).

^{^[4]} US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, available at http://www.justice.gov/opcl/docs/rec-com-rights.pdf

^{^[5]} https://epic.org/privacy/ppsc1977report/c13.htm .

^{^[6]} Marc Rotenberg, "Fair Information Practices and the Architecture of Privacy: What Larry Doesn't Get," available at https://journals.law.stanford.edu/sites/default/files/stanford-technology-law-review/online/rotenberg-fair-info-practices.pdf

^{^[7]} Fred Cate, The Failure of Information Practice Principles, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972

^{^[8]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[9]} Fred Cate, Viktor Schoenberger, Notice and Consent in a world of Big Data, available at http://idpl.oxfordjournals.org/content/3/2/67.abstract

^{^[10]} Daniel Solove, Privacy self-management and consent dilemma, 2013 available at http://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2093&context=faculty_publications

^{^[11]} Ben Campbell, Informed consent in developing countries: Myth or Reality, available at https://www.dartmouth.edu/~ethics/docs/Campbell_informedconsent.pdf ;

^{^[12]} Supra Note 7.

^{^[13]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013 at 153.

^{^[14]} The Data Minimization principle requires organizations to limit the collection of personal data to the minimum extent necessary to obtain their legitimate purpose and to delete data no longer required.

^{^[15]} Omer Tene and Jules Polonetsky, "Big Data for All: Privacy and User Control in the Age of Analytics," SSRN Scholarly Paper, available at http://papers.ssrn.com/abstract=2149364

^{^[16]} Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[17]} Daniel Solove, The Digital Person: Technology and Privacy in the Information Age, NYU Press, 2006.

^{^[18]} http://www.ethnologue.com/statistics/size

^{^[19]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[20]} http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[21]} Supra Note 10.

^{^[22]} Supra Note 7.

^{^[23]} Chris Jay Hoofnagle & Jennifer King, Research Report: What Californians Understand

About Privacy Online, available at http://ssrn.com/abstract=1262130

^{^[24]} Joseph Turrow, Michael Hennesy, Nora Draper, The Tradeoff Fallacy, available at https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf

^{^[25]} Saul Hansell, "Compressed Data: The Big Yahoo Privacy Storm That Wasn't," New York Times, May 13, 2002 available at http://www.nytimes.com/2002/05/13/business/compressed-data-the-big-yahoo-privacy-storm-that-wasn-t.html?_r=0

[26] Cass Sunstein, Choosing not to choose: Understanding the Value of Choice, Oxford University Press, 2015.

^{^[27]} For example, Acxiom, processes more than 50 trillion data transactions a year. http://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-database-marketing.html?pagewanted=all&_r=0

^{^[28]} Opening Remarks of FTC Chairperson Edith Ramirez Privacy and the IoT: Navigating Policy Issues International Consumer Electronics Show Las Vegas, Nevada January 6, 2015 available at https://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

^{^[29]} L. F. Cranor. Necessary but not sufficient: Standardized mechanisms for privacy notice and choice. Journal on Telecommunications and High Technology Law, 10:273, 2012, available at http://jthtl.org/content/articles/V10I2/JTHTLv10i2_Cranor.PDF

^{^[30]} Kent Walker, The Costs of Privacy, 2001 available at https://www.questia.com/library/journal/1G1-84436409/the-costs-of-privacy

^{^[31]} Erik Sherman, "Privacy Policies are great - for Phds", CBS News, available at http://www.cbsnews.com/news/privacy-policies-are-great-for-phds/

^{^[32]} Timothy J. Muris, Protecting Consumers' Privacy: 2002 and Beyond, available at http://www.ftc.gov/speeches/muris/privisp1002.htm

^{^[33]} Margaret Jane Radin, Humans, Computers, and Binding Commitment, 1999 available at http://www.repository.law.indiana.edu/ilj/vol75/iss4/1/

^{^[34]} Annie I. Anton et al., Financial Privacy Policies and the Need for Standardization, 2004 available at https://ssl.lu.usi.ch/entityws/Allegati/pdf_pub1430.pdf; Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[35]} The Center for Information Policy Leadership, Hunton & Williams LLP, "Ten Steps To Develop A Multi-Layered Privacy Notice" available at https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf

^{^[36]} Allen Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, Interagency Notice Project, available at https://www.sec.gov/comments/s7-09-07/s70907-21-levy.pdf

^{^[37]} Patrick Gage Kelly et al., Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach available at https://www.ftc.gov/sites/default/files/documents/public_comments/privacy-roundtables-comment-project-no.p095416-544506-00037/544506-00037.pdf

^{^[38]} Howard Latin, "Good" Warnings, Bad Products, and Cognitive Limitations, 41 UCLA Law Review available at https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&srctype=smi&srcid=3B15&doctype=cite&docid=41+UCLA+L.+Rev.+1193&key=1c15e064a97759f3f03fb51db62a79a5

^{^[39]} Jonathan Obar, Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management, Big Data and Society, 2015, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239188

^{^[40]} Viktor Mayer Schoenberger and Kenneth Cukier, Big Data: A Revolution that will transform how we live, work and think" John Murray, London, 2013.

^{^[41]} Supra Note 15.

^{^[42]} Supra Note 40.

^{^[43]} Article 29 Working Party, (2013) Opinion 03/2013 on Purpose Limitation, Article 29, available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

^{^[44]} Ibid.

^{^[45]} It remains unclear however whose interest would be accounted, existing EU legislation would allow commercial/data broker/third party interests to trump those of the user, effectively allowing re-processing of personal data irrespective of whether that processing would be in the interest of the user.

^{^[46]} Supra Note 40.

^{^[47]} Supra Note 10.

^{^[48]} Robert Sloan and Richard Warner, Beyong Notice and Choice: Privacy, Norms and Consent, 2014, available at https://www.suffolk.edu/documents/jhtl_publications/SloanWarner.pdf

^{^[49]} Helen Nissenbaum, A Contextual Approach to Privacy Online, available at http://www.amacad.org/publications/daedalus/11_fall_nissenbaum.pdf

^{^[50]} D Bollier, The Promise and Peril of Big Data. The Aspen Institute, 2010, available at: http://www.aspeninstitute.org/sites/default/files/content/docs/pubs/The_Promise_and_Peril_of_Big_Data.pdf

^{^[51]} Meeker, M. & Yu, L. Internet Trends, Kleiner Perkins Caulfield Byers, (2013), http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013 .

^{^[52]} Supra Note 40.

^{^[53]} Supra Note 17.

^{^[54]} Janet Vertasi, My Experiment Opting Out of Big Data Made Me Look Like a Criminal, 2014, available at http://time.com/83200/privacy-internet-big-data-opt-out/

^{^[55]} Ibid.

^{^[56]} http://www.techpolicy.com/NoticeConsent-inWorldBigData.aspx

^{^[57]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

^{^[58]} Supra Note 10.

^{^[59]} Simon Davies, Why the idea of consent for data processing is becoming meaningless and dangerous, available at http://www.privacysurgeon.org/blog/incision/why-the-idea-of-consent-for-data-processing-is-becoming-meaningless-and-dangerous/

For more details visit https://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy