<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 291 to 305.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/openness/publications/standards/report-on-open-standards-for-gisw2008"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/publications-automated/cis/sunil/Open-Standards-GISW-2008.pdf"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/report-state-of-consumer-digital-security-in-india"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/remove-misinformation-but-be-transparent-please-1"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/files/regulating-the-internet"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/recommendations-for-eu-cyber-diplomacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/raw/reclaiming-the-right-to-privacy-researching-the-intersection-of-privacy-and-gender"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/about/reports/annual-reports"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting">
    <title>Report on the 4th Privacy Round Table meeting</title>
    <link>https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting</link>
    <description>
        &lt;b&gt;This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.     
        &lt;/b&gt;
        &lt;hr /&gt;
&lt;p&gt;&lt;i&gt;This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC&lt;/i&gt;&lt;/p&gt;
&lt;hr /&gt;

&lt;p style="text-align: justify; "&gt;&lt;span&gt;In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;At the roundtables the Report of the Group of Experts on Privacy, DSCI's paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The dates of the six Privacy Round Table meetings are listed below:&lt;/span&gt;&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;
&lt;p align="JUSTIFY"&gt;&lt;span&gt;New Delhi Roundtable: 13 April 2013&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p align="JUSTIFY"&gt;&lt;span&gt;Bangalore Roundtable: 20 April 2013&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p align="JUSTIFY"&gt;&lt;span&gt;Chennai Roundtable: 18 May 2013&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p align="JUSTIFY"&gt;&lt;span&gt;Mumbai Roundtable: 15 June 2013&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p align="JUSTIFY"&gt;&lt;span&gt;Kolkata Roundtable: 13 July 2013&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p align="JUSTIFY"&gt;&lt;span&gt;New Delhi Final Roundtable and National Meeting: 17 August 2013&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;&lt;span&gt;Discussion of the Draft Privacy (Protection) Bill 2013&lt;/span&gt;&lt;/b&gt;&lt;/h2&gt;
&lt;h3&gt;&lt;b&gt;&lt;span&gt;Discussion of definitions: Chapter 1&lt;/span&gt;&lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would override all other competing legislation. Special laws override general laws in India, but this would be a special law for the specific purpose of data protection. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Such arguments met with a backlash from participants who argued that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the government's interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;b&gt;&lt;span&gt;Right to Privacy: Chapter 2&lt;/span&gt;&lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from interfering with this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;b&gt;&lt;span&gt;Protection of Personal Data: Chapter 3&lt;/span&gt;&lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;&lt;span&gt;Collection of personal data&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users' data and that they should require individuals' consent prior to data collection. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;&lt;span&gt;Storage and destruction of personal data&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;&lt;span&gt;Security of personal data and duty of confidentiality&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;&lt;span&gt;Disclosure of personal data&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals' data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Several participants argued that companies should be responsible for the data they collect and that they should not share it or disclose it to unauthorised third parties without individuals' knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals' data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don't always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to its lack of traceability, and hence to inform individuals every time their data is being shared or disclosed. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill. &lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;&lt;span&gt;Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner&lt;/span&gt;&lt;/b&gt;&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a &lt;/span&gt;&lt;i&gt;&lt;span&gt;competitive disadvantage &lt;/span&gt;&lt;/i&gt;&lt;span&gt;in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes stated that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines. The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations. &lt;br /&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on &lt;/span&gt;&lt;i&gt;&lt;span&gt;accountability&lt;/span&gt;&lt;/i&gt;&lt;span&gt;. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights. &lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;&lt;span&gt;Meeting conclusion&lt;/span&gt;&lt;/b&gt;&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_GoBack"&gt;&lt;/a&gt;&lt;span&gt;The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed. &lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting'&gt;https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>maria</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>SAFEGUARDS</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-07-12T11:04:25Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting">
    <title>Report on the 3rd Privacy Round Table meeting</title>
    <link>https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting</link>
    <description>
        &lt;b&gt;This report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18th May 2013.&lt;/b&gt;
        &lt;hr /&gt;
&lt;p&gt;&lt;i&gt;This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.&lt;/i&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The dates of the six Privacy Round Table meetings are listed below:&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;New Delhi Roundtable: 13 April 2013&lt;/li&gt;
&lt;li&gt;Bangalore Roundtable: 20 April 2013&lt;/li&gt;
&lt;li&gt;Chennai Roundtable: 18 May 2013&lt;/li&gt;
&lt;li&gt;Mumbai Roundtable: 15 June 2013&lt;/li&gt;
&lt;li&gt;Kolkata Roundtable: 13 July 2013&lt;/li&gt;
&lt;li&gt;New Delhi Final Roundtable and National Meeting: 17 August 2013&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Following the first two Privacy Round Tables in Delhi and Bangalore, this report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18&lt;/span&gt;&lt;sup&gt;th&lt;/sup&gt;&lt;span&gt; May 2013.&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;b&gt;Overview of DSCI´s paper on ´Strengthening Privacy Protection through Co-Regulation´&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATGRID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals´ sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers´ data, especially since customers &lt;i&gt;choose &lt;/i&gt;to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner with which they handle customers´ data. Another participant argued that a significant amount of data is collected without users´ consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that that individual should have the right to access his/her data and make possible corrections.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers´ data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals´ right to privacy and the market are protected.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals´ data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, both the Privacy Commissioner and the individual in question would have to be informed and that this issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could enhance awareness to both other companies and individuals in terms of data protection, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, as any company could probably violate users´ data in some way down the line either way, self-regulation or co-regulation would probably not be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users´ data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Co-regulation was once again supported by the DSCI through the argument that customers &lt;i&gt;choose &lt;/i&gt;to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of &lt;i&gt;incentives&lt;/i&gt; companies have in order to comply with regulations and to protect users´ data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals´ privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.&lt;/p&gt;
&lt;h1 style="text-align: justify; "&gt;Discussion on the draft Privacy (Protection) Bill 2013&lt;/h1&gt;
&lt;h2 style="text-align: justify; "&gt;Discussion of definitions: Chapter II&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where the one would focus on data protection and the other on surveillance and interception. The split of a Bill on data protection to two consecutive Bills was also proposed, where the one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the sections mentioned above was seriously considered.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term ´sensitive personal data´ and it was recommended that the Indian draft Privacy (Protection) Bill complies with it. Other participants argued that a controversy lies in India on whether the government would conduct a caste census and if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition for ´sensitive personal data´ to safeguard individuals from potential abuse. Furthermore, the fact that the term ´sensitive personal data´ does not have a harmonious nature in the U.S. and in Europe was raised, especially since that would make it more difficult for India to comply with global privacy standards.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The broadness of the definition for ´sensitive personal data´ was raised as a potential problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated on whether financial information should be included in the definition of ´sensitive personal data´, but a consensus was not reached. Other participants argued that the terms ´data subject´ and ´data controller´ should be carefully defined, as well as that a generic definition for the term ´genetic data´ should be included in the Bill. Furthermore, it was argued that the word ´monitor´ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as a trade union membership, should also be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Discussion of “Protection of Personal Data”: Chapter III &lt;/b&gt;&lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should comply with a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals´ personal data. It was also argued that when an individual is constantly under surveillance, that individual´s behaviour is more controlled and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable as to how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored in foreign servers. &lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Issue of Consent&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, conditions laid out in section 3 would have to be met, through which the individual would have to be informed prior to any data collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data withheld about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Outsourcing of Data&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be able to be informed about which data is being collected, whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that its data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but the manner of its use is what really matters.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Data Retention&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Acting on the powers given by POTA, it was argued that 50,000 arrests have been made. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change within time and that data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that it should not only apply to present data, but also to past data, such as archives.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Data Processing&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Data Disclosure&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties, who gain access to it through cooperation with Indian law enforcement agencies and cases of dual criminality in terms of the misuse of data abroad were raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be invested in the High Court in terms of data disclosure.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Discussion of “Interception of Communications”: Chapter IV&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Meeting conclusion&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs privacy legislation and that individuals´ data should be legally protected. However, participants disagreed with regard to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached with regard to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of privacy legislation in India would probably be its adequate enforcement.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting'&gt;https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>maria</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>SAFEGUARDS</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-07-12T11:35:22Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table">
    <title>Report on the 2nd Privacy Round Table meeting</title>
    <link>https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table</link>
    <description>
        &lt;b&gt;This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013. &lt;/b&gt;
        &lt;hr /&gt;
&lt;p&gt;This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of the Group of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The dates of the six Privacy Round Table meetings are listed below:&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;New Delhi Roundtable: 13 April 2013&lt;/li&gt;
&lt;li&gt;Bangalore Roundtable: 20 April 2013&lt;/li&gt;
&lt;li&gt;Chennai Roundtable: 18 May 2013&lt;/li&gt;
&lt;li&gt;Mumbai Roundtable: 15 June 2013&lt;/li&gt;
&lt;li&gt;Kolkata Roundtable: 13 July 2013&lt;/li&gt;
&lt;li&gt;New Delhi Final Roundtable and National Meeting: 17 August 2013&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;Following the first Privacy Round Table in Delhi, this &lt;a href="https://cis-india.org/internet-governance/blog/report-on-bangalore-privacy-meeting" class="internal-link"&gt;report&lt;/a&gt; entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20&lt;sup&gt;th&lt;/sup&gt; April 2013.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13&lt;sup&gt;th&lt;/sup&gt; April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The discussion points brought forward by DSCI were:&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;What role should government and industry respectively play in developing and enforcing a regulatory framework? &lt;/li&gt;
&lt;li&gt;How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?&lt;/li&gt;
&lt;li&gt;How can an organization be incentivized to follow the codes of practice under the SRO?&lt;/li&gt;
&lt;li&gt;What should be the role of SROs in redressal of complaints?&lt;/li&gt;
&lt;li&gt;What should be the business model for SROs?&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Discussion on the draft Privacy (Protection) Bill 2013&lt;/h2&gt;
&lt;h3 style="text-align: justify; "&gt;Discussion of definitions and preamble: Chapter I &amp;amp; II&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Sensitive Personal Data&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethnic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed with regard to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Information vs. Data&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Exemptions&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants.  Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Discussion of “Protection of Personal Data”: Chapter III&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out, and it was suggested that it be included in the draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are being included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Data Collection&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Consent&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over data in certain cases, in other cases they &lt;i&gt;choose &lt;/i&gt;to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this should also be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Data Disclosure&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions with regard to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared and retained when it is not handled within India and several participants argued that this should be addressed within the Bill.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Data Destruction&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In terms of data destruction, a participant emphasized the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Data Processing&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In terms of data processing, participants argued that privacy protection complications have arisen in light of social media. In particular, they argued that social media constantly develop and expand technologically and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In brief, the following questions with regards to chapter III of the bill were raised during the meeting:&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;Should consent be required prior to the collection of data?&lt;/li&gt;
&lt;li&gt;Should consent be acquired prior to and after the disclosure of data? &lt;/li&gt;
&lt;li&gt;Should the purpose of data collection be the same as the purpose for the disclosure of data?&lt;/li&gt;
&lt;li&gt;Should an executive order or a court order be required to disclose data?&lt;/li&gt;
&lt;li&gt;Against the background of national security, anyone´s data can be on the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data on the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?&lt;/li&gt;
&lt;li&gt;An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?&lt;/li&gt;
&lt;li&gt;Should companies notify individuals when they share their (individuals´) data with international third parties?&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;The data subject has to be informed, unless there is a model contract. &lt;/li&gt;
&lt;li&gt;The request for consent should depend on the type of data that is to be disclosed.&lt;/li&gt;
&lt;li&gt;Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).&lt;/li&gt;
&lt;li&gt;The shared data may be considered private data (need of a relevant regulatory framework).&lt;/li&gt;
&lt;li&gt;An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.&lt;/li&gt;
&lt;li&gt;If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country. &lt;/li&gt;
&lt;li&gt;India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.&lt;/li&gt;
&lt;li&gt;The problem with disclosure is when there is an exception for certain circumstances.&lt;/li&gt;
&lt;li&gt;Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability. &lt;/li&gt;
&lt;li&gt;Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).&lt;/li&gt;
&lt;li&gt;´Data ownership´ should be included in the definitions of the Bill. &lt;/li&gt;
&lt;li&gt;What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 style="text-align: justify; "&gt;Discussion of “Interception of Communications”: Chapter IV&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for purposes other than the original purpose, as well as that such information should not be shared with third parties.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner is mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Discussion on self-regulation and co-regulation&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has a vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Meeting conclusion&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs privacy legislation and that individuals´ data should be legally protected. However, participants disagreed with regard to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached with regard to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of privacy legislation in India would probably be its adequate enforcement.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table'&gt;https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>maria</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>SAFEGUARDS</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-07-12T11:54:28Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf">
    <title>Report on the 1st Privacy Round Table meeting - pdf</title>
    <link>https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf</link>
    <description>
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf'&gt;https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>maria</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2013-11-07T17:01:33Z</dc:date>
   <dc:type>File</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting">
    <title>Report on the 1st Privacy Round Table meeting</title>
    <link>https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting</link>
    <description>
        &lt;b&gt;This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.&lt;/b&gt;
        &lt;hr /&gt;
&lt;p&gt;&lt;i&gt;This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.&lt;/i&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The dates of the six Privacy Round Table meetings are enlisted below:&lt;/span&gt;&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;New Delhi Roundtable: 13 April 2013&lt;/li&gt;
&lt;li&gt;Bangalore Roundtable: 20 April 2013&lt;/li&gt;
&lt;li&gt;Chennai Roundtable: 18 May 2013&lt;/li&gt;
&lt;li&gt;Mumbai Roundtable: 15 June 2013&lt;/li&gt;
&lt;li&gt;Kolkata Roundtable: 13 July 2013&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;New Delhi Final Roundtable and National Meeting: 17 August 2013&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This &lt;a href="https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf" class="internal-link"&gt;report&lt;/a&gt; entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;Overview of Justice A P Shah Report: Purpose, Principles and Framework&lt;/b&gt;&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;During the discussion on the report, a participant stated that, although a privacy legislation should be enacted in India to protect individuals´ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called upon the need for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and on online businesses. Thus, the participant emphasized upon the creation of “light-weight” privacy legislation, which would protect individual´s right to privacy, without infringing upon the interests of the private sector.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;The purpose of the collection of data&lt;/li&gt;
&lt;li&gt;The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case&lt;/li&gt;
&lt;li&gt;Data is shared with third parties and it is hard to control how long they retain the data for&lt;/li&gt;
&lt;li&gt;Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible to single access of both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follows the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation are approved by the Privacy Commissioner.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before being authorised access to information. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual´s personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies´ method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers´ data and that the sharing of customer data without the individual´s prior knowledge or consent could lead to data breaches and human rights violation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The first hour of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers´ data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications is a widespread phenomenon in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Discussion Highlights:&lt;/h3&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;The pros and cons of self-regulation and co-regulation&lt;/li&gt;
&lt;li&gt;The national privacy principles – and how to build in insurance for technology&lt;/li&gt;
&lt;li&gt;The role of the Privacy Commissioner&lt;/li&gt;
&lt;li&gt;The definition of terms used in the draft Privacy (Protection) Bill 2013 &lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt; &lt;/p&gt;
&lt;h2&gt;&lt;b&gt;Overview, explanation and discussion on the Privacy (Protection) Bill 2013&lt;/b&gt;&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen´s version of a privacy legislation for India. The Bill entails chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for very several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation coincides with other contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished by personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Many participants agreed that India´s proposed Privacy Law should meet &lt;i&gt;global standards &lt;/i&gt;in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The issue of to whom privacy laws would apply to was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products by Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent on the use of data by customers of foreign countries, especially since different laws apply to each country.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The term ´sensitive personal data´ was analysed in the meeting and it was argued that it entails data such as sexual orientation, religion, caste and health records among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term ´sensitive personal data´ and that he/she not only ensures that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term ´sensitive personal data´, by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension and thus the necessity to strictly define the term is highly essential.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine ´public figures´ was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on &lt;i&gt;where &lt;/i&gt;it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request for authorisation once the interception has already being conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. An assertive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The second session of the meeting concluded to the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals´ personal data.&lt;span&gt; &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;Discussion Highlights:&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;If the draft Privacy (Protection) Bill 2013 should be split into two separate Bills&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Definition for the term ´sensitive personal data´ (to include broader categories, such as health data)&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;If personal data should be distinguished in the private and public sector&lt;/li&gt;
&lt;li&gt;If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards&lt;/li&gt;
&lt;li&gt;The nuances of consumer consent&lt;/li&gt;
&lt;li&gt;Various ways to define ´public figures´&lt;/li&gt;
&lt;li&gt;Freedom of expression in the context of the draft Privacy (Protection) Bill 2013 &lt;/li&gt;
&lt;li&gt;The distinction between exemptions and exceptions&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;b&gt;In-depth explanation and discussions regarding the Privacy (Protection) Bill 2013&lt;/b&gt;&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to ´specific purposes´, because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term ´necessary information´ is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill entails provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals´ right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals &lt;i&gt;choose&lt;/i&gt; to disclose a large amount of information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data to, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company´s competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers´ data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers´ data, they are not obliged to reveal the parties with whom they are sharing information with, as this would be highly inconvenient.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A  participant responded to this argument by stating that companies only protect users´ data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized upon the futility of informing customers of the handling of their data, especially since the average customer would not understand the security setting of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers’ data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers´ data is not breached.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared with. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable in regards to how they handle data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The fact that companies can use meta-data for research purposes was mentioned in the meeting, which highlighted the need to redefine the term ‘data’. Questions were raised about how data can be deleted once it has been used in analytics. Some participants referred to the ‘Right to be Forgotten’ debate and stated that the deletion of data is, in many cases, not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding how such data should be handled. Data should not be disclosed for the sake of being disclosed; rather, companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products, and that if they do not agree with the security assurances provided by the companies, they should use a different product or service. However, this argument was countered by several participants, who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option; the example of Facebook was brought up. Participants argued that, given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to ‘sensitive personal data’. The need for the redefinition of the term ‘sensitive personal data’ in the draft Privacy Bill was emphasized again, as was participants’ concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should &lt;i&gt;not &lt;/i&gt;be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may not have considered when granting initial consent.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The meeting proceeded to discuss the processing of data, and several participants emphasized the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies.&lt;/p&gt;
&lt;h3&gt;Discussion Highlights:&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;The different instances of data collection and consumer consent&lt;/li&gt;
&lt;li&gt;The nuances of data sharing &lt;/li&gt;
&lt;li&gt;The issue of consumer consent and security assurances offered by companies&lt;/li&gt;
&lt;li&gt;The pros and cons of having a data retention regulatory framework&lt;/li&gt;
&lt;li&gt;How transparency is incorporated into the draft Privacy Protection Bill 2013 &lt;/li&gt;
&lt;li&gt;What is needed in provisions that speak to data destruction&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Meeting conclusion&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed on the necessity of introducing a Privacy Bill in India which would safeguard individuals’ right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the &lt;a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="internal-link"&gt;Privacy Protection Bill, 2013&lt;/a&gt; based on participants’ feedback, concerns, comments and ideas.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting'&gt;https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>maria</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>SAFEGUARDS</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-07-30T11:11:11Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/openness/publications/standards/report-on-open-standards-for-gisw2008">
    <title>Report on Open Standards for GISW2008</title>
    <link>https://cis-india.org/openness/publications/standards/report-on-open-standards-for-gisw2008</link>
    <description>
        &lt;b&gt;In this report, Sunil Abraham lays out the importance and the policy implications of Open Standards.&lt;/b&gt;
        
&lt;div id="introduction"&gt;
&lt;p&gt;[&lt;a href="https://cis-india.org/openness/sunil-abrahams-publications/Open-Standards-GISW-2008.pdf" class="internal-link" title="Report on Open Standards for GISW 2008"&gt;PDF copy&lt;/a&gt;]&lt;/p&gt;
&lt;p&gt;Most computer users today remain
“digitally colonised” (Bhattacharya, 2008) due to our unquestioning use
of proprietary standards. As users of proprietary standards we usually
forget that we lose the right to access our own files the moment the
licence for the associated software expires. For example, if I were to
store data, information or knowledge in .doc, .xls or .ppt format, my
ability to read my own files expires the moment the licence for my copy
of Microsoft Office expires.&lt;/p&gt;
&lt;h3&gt;Definition&lt;/h3&gt;
&lt;p&gt;Unlike
the terms “free software” or “open source software”, the term “open
standard” does not have a universally accepted definition. The free and
open source software (FOSS) community largely believes that an open
standard is:&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;[S]ubject to full public assessment and use
without constraints [royalty-free] in a manner equally available to all
parties; without any components or extensions that have dependencies on
formats or protocols that do not meet the definition of an open
standard themselves; free from legal or technical clauses that limit
its utilisation by any party or in any business model; managed and
further developed independently of any single vendor in a process open
to the equal participation of competitors and third parties; available
in multiple complete implementations by competing vendors, or as a
complete implementation equally available to all parties (Greve, 2007).&lt;/p&gt;
&lt;div id="introduction"&gt;
&lt;h3&gt;The controversy&lt;/h3&gt;
&lt;p&gt;Proprietary
software manufacturers, vendors and their lobbyists often provide a
definition of open standards that is not in line with the above
definition on two counts (Nah, 2006).&lt;/p&gt;
&lt;p&gt;One, they do not
think it is necessary for an open standard to be available on a
royalty-free basis as long as it is available under a “reasonable and
non-discriminatory” (RAND) licence. This means that there are some
patents associated with the standard and the owners of the patents have
agreed to license them under reasonable and non-discriminatory terms
(W3C, 2002). One example is the audio format MP3, an ISO/IEC
[International Organisation for Standardisation/International
Electrotechnical Commission] standard where the associated patents are
owned by Thomson Consumer Electronics and the Fraunhofer Society of
Germany. A developer of a game with MP3 support would have to pay
USD&amp;nbsp;2,500 as royalty for using the standard. While this may be
reasonable in the United States (US), it is unthinkable for an
entrepreneur from Bangladesh. Additionally, RAND licences are
incompatible with most FOSS licensing requirements. Simon Phipps of Sun
Microsystems says that FOSS “serves as the canary in the coalmine for
the word ‘open’. Standards are truly open when they can be implemented
without fear as free software in an open source community” (Phipps,
2007). RAND licences also retard the growth of FOSS, since they are
patented in a few countries. Despite the fact that software is not
patentable in most parts of the world, the makers of various
distributions of GNU/Linux do not include reverse-engineered drivers,
codecs, etc., in the official builds for fear of being sued. Only the
large corporation-backed distributions of GNU/Linux can afford to pay
the royalties needed to include patented software in the official
builds (in this way enabling an enhanced out-of-the-box experience).
This has the effect of slowing the adoption of GNU/Linux, as less
experienced users using community-backed distributions do not have
access to the wide variety of drivers and codecs that users of other
operating systems do (Disposable, 2004). This vicious circle
effectively ensures negligible market presence of smaller
community-driven projects by artificial reduction of competition.&lt;/p&gt;
&lt;p&gt;Two,
proprietary software promoters do not believe that open standards
should be “managed and further developed independently of any single
vendor,” as the following examples will demonstrate. This is equally
applicable to both new and existing standards.&lt;/p&gt;
&lt;p&gt;Microsoft’s
Office Open XML (OOXML) is a relatively new standard which the FOSS
community sees as a redundant alternative to the existing Open Document
Format (ODF). During the OOXML process, delegates were unhappy with the
fact that many components were specific to Microsoft technology,
amongst other issues. By the end of a fast-track process at the ISO,
Microsoft stands accused of committee stuffing: that is, using its
corporate social responsibility wing to coax non-governmental
organisations to send form letters to national standards committees,
and haranguing those who opposed OOXML. Of the twelve new national
board members that joined ISO after the OOXML process started, ten
voted “yes” in the first ballot (Weir, 2007). The European Commission,
which has already fined Microsoft USD&amp;nbsp;2.57 billion for anti-competitive
behaviour, is currently investigating the allegations of committee
stuffing (Calore, 2007). Microsoft was able to use its financial muscle
and monopoly to fast-track the standard and get it approved. In this
way it has managed to subvert the participatory nature of a
standards-setting organisation. So even though Microsoft is ostensibly
giving up control of its primary file format to the ISO, it still
exerts enormous influence over the future of the standard.&lt;/p&gt;
&lt;p&gt;HTML,
on the other hand, is a relatively old standard which was initially
promoted by the Internet Engineering Task Force (IETF), an
international community of techies. However, in 2002, seven years after
the birth of HTML 2.0, the US Department of Justice alleged that
Microsoft used the strategy of “embrace, extend, and extinguish” (US
DoJ, 1999) in an attempt to create a monopoly among web browsers. It
said that Microsoft used its dominance in the desktop operating system
market to achieve dominance in the web-authoring tool and browser
market by introducing proprietary extensions to the HTML standard
(Festa, 2002). In other words, financial and market muscle have been
employed by proprietary software companies – in these instances,
Microsoft – to hijack open standards.&lt;/p&gt;
&lt;h3&gt;The importance&lt;/h3&gt;
&lt;p&gt;There
are many technical, social and ethical reasons for the adoption and use
of open standards. Some of the reasons that should concern governments
and other organisations utilising public money – such as multilaterals,
bilaterals, civil society organisations, research organisations and
educational institutions – are listed below.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Innovation/competitiveness:&lt;/strong&gt;
Open standards are the bases of most technological innovations, the
best example of which would be the internet itself (Raymond, 2000). The
building blocks of the internet and associated services like the world
wide web are based on open standards such as TCP/IP, HTTP, HTML, CSS,
XML, POP3 and SMTP. Open standards create a level playing field that
ensures greater competition between large and small, local and foreign,
and new and old companies, resulting in innovative products and
services. Instant messaging, voice over internet protocol (VoIP),
wikis, blogging, file-sharing and many other applications with
large-scale global adoption were invented by individuals and small and
medium enterprises, and not by multinational corporations. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Greater interoperability:&lt;/strong&gt;
Open standards ensure the ubiquity of the internet experience by
allowing different devices to interoperate seamlessly. It is only due
to open standards that consumers are able to use products and services
from competing vendors interchangeably and simultaneously in a seamless
fashion, without having to learn additional skills or acquire
converters. For instance, the mail standard IMAP can be used from a
variety of operating systems (Mac, Linux and Windows), mail clients
(Evolution, Thunderbird, Outlook Express) and web-based mail clients.
Email would be a completely different experience if we were not able to
use our friends’ computers, our mobile phones, or a cybercafé to check
our mail. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Customer autonomy: &lt;/strong&gt;Open
standards also empower consumers and transform them into co-creators or
“prosumers” (Toffler, 1980). Open standards prevent vendor lock-in by
ensuring that the customer is able to shift easily from one product or
service provider to another without significant efforts or costs
resulting from migration. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Reduced cost: &lt;/strong&gt;Open
standards eliminate patent rents, resulting in a reduction of total
cost of ownership. This helps civil society develop products and
services for the poor. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Reduced obsolescence: &lt;/strong&gt;Software
companies can leverage their clients’ dependence on proprietary
standards to engineer obsolescence into their products and force their
clients to keep upgrading to newer versions of software. Open standards
ensure that civil society, governments and others can continue to use
old hardware and software, which can be quite handy for sectors that
are strapped for financial resources. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Accessibility: &lt;/strong&gt;Operating
system-level accessibility infrastructure such as magnifiers, screen
readers and text-to-voice engines require compliance to open standards.
Open standards therefore ensure greater access by people with
disabilities, the elderly, and neo-literate and illiterate users.
Examples include the US government’s Section 508 standards, and the
World Wide Web Consortium’s (W3C) WAI-AA standards.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Free access to the state:&lt;/strong&gt;
Open standards enable access without forcing citizens to purchase or
pirate software in order to interact with the state. This is critical
given the right to information and the freedom of information
legislations being enacted and implemented in many countries these
days. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Privacy/security:&lt;/strong&gt; Open
standards enable the citizen to examine communications between personal
and state-controlled devices and networks. For example, open standards
allow users to see whether data from their media player and browser
history are being transmitted along to government servers when they
file their tax returns. Open standards also help prevent corporate
surveillance. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Data longevity and  archiving: &lt;/strong&gt;Open
standards ensure that the expiry of software licences does not prevent
the state from accessing its own information and data. They also ensure
that knowledge that has been passed on to our generation, and the
knowledge generated by our generation, is safely transmitted to all
generations to come. &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Media monitoring:&lt;/strong&gt;
Open standards ensure that the voluntary sector, media monitoring
services and public archives can keep track of the ever-increasing
supply of text, audio, video and multimedia generated by the global
news, entertainment and gaming industries. In democracies, watchdogs
should be permitted to reverse-engineer proprietary standards and
archive critical ephemeral media in open standards.&lt;/li&gt;&lt;/ul&gt;
&lt;h3&gt;Policy implications&lt;/h3&gt;
&lt;p&gt;Corporations
have a right to sell products based on proprietary standards just as
consumers have a right to choose between products that use open
standards, proprietary standards, or even a combination of such
standards. Governments, however, have a responsibility to use open
standards, especially for interactions with the public and where the
data handled has a direct impact on democratic values and quality of
citizenship. In developing countries, governments have greater
responsibility because most often they account for over 50% of the
revenues of proprietary software vendors. Therefore, by opting for open
standards, governments can correct an imbalanced market situation
without needing any additional resources. Unfortunately, many
governments lack the expertise to counter the campaigns of fear,
uncertainty and doubt unleashed by proprietary standards lobbyists with
unlimited expense accounts.&lt;/p&gt;
&lt;p&gt;Most governments from the
developing world do not participate in international standard-setting
bodies. On the other hand, proprietary software lobbyists like the
Business Software Alliance (BSA) and CompTIA attend all national
meetings on standards. This has forced many governments to shun these
forums and exacerbate the situation by creating more (totally new)
standards. Therefore, governments need the support of academic and
civil society organisations in order to protect the interests of the
citizen. For example, the Indian Institute of Technology in Kanpur
(IIT-K) helped the government of India develop the open standard Smart
Card Operating System for Transport Applications (SCOSTA) for smart
card-based driving licences and vehicle registration documents.
Proprietary vendors tried to jettison the move by saying that the
standard was technically not feasible. IIT-K developed a reference
implementation on FOSS to belie the vendor's claims. As a consequence,
the government of India was able to increase the number of empanelled
smart-card vendors from four to fifteen and reduce the price of a smart
card by around USD&amp;nbsp;7 each (UNDP, 2007a). This will hopefully result in
enormous savings during the implementation of a national multi-purpose
identification card in India.&lt;/p&gt;
&lt;p&gt;In some instances,
proprietary standards are technically superior or more universally
supported in comparison to open standards. In such cases the government
may be forced to adopt proprietary and de facto standards in the short
and medium term. But for long-term technical, financial and societal
benefits, many governments across the world today are moving towards
open standards. The most common policy instruments for implementation
of open standards policy are government interoperability frameworks
(GIFs). Governments that have published GIFs include the United
Kingdom, Denmark, Brazil, Canada, the European Union, Hong
Kong, Malaysia, New Zealand, and Australia (UNDP, 2007b).&lt;/p&gt;
&lt;p&gt;While
challenges to the complete adoption of open standards in the public
sector and civil society remain, one thing is certain: the global march
towards openness, though slow, is irreversible and inevitable.&lt;/p&gt;
&lt;h3&gt;References&lt;/h3&gt;
&lt;p align="left"&gt;Bhattacharya, J. (2008) &lt;em&gt;Technology Standards: A Route to Digital Colonization. Open Source, Open Standards and Technological Sovereignty&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://knowledge.oscc.org.my/practice-areas/%E2%80%8Cgovernment%E2%80%8C/oss-seminar-putrajaya-2008/technology-standards-a-route-to-digital/at_download/file"&gt;knowledge.oscc.org.my/practice-areas/government/oss-seminar-putrajaya-2008/technology-standards-a-route-to-digital/at_download/file&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Calore, M. (2007) Microsoft Allegedly Bullies and Bribes to Make Office  an International Standard. &lt;em&gt;Wired&lt;/em&gt;, 31  August. &lt;br /&gt;
Available at: &lt;a href="http://www.wired.com/software/coolapps/news/2007/08/ooxml_vote"&gt;www.wired.com/software/coolapps/news/2007/08/ooxml_vote&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Disposable (2004) &lt;em&gt;Ubuntu  multimedia HOWTO&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://www.oldskoolphreak.com/tfiles/%E2%80%8Chack/%E2%80%8Cubuntu.txt"&gt;www.oldskoolphreak.com/tfiles/hack/ubuntu.txt&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Festa, P. (2002) W3C members: Do as we say, not as we do. &lt;em&gt;CNET News&lt;/em&gt;, 5 September. &lt;br /&gt;
Available at: &lt;a href="http://news.cnet.com/2100-1023-956778.html"&gt;news.cnet.com/2100-1023-956778.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Greve, G. (2007) &lt;em&gt;An emerging understanding of open standards&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://www.fsfe.org/%E2%80%8Cfellows%E2%80%8C/greve/freedom_bits/an_emerging_understanding_of_open_standards"&gt;www.fsfe.org/fellows/greve/freedom_bits/an_emerging_understanding_of_open_standards&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Nah, S.H. (2006) &lt;em&gt;FOSS Open  Standards&lt;/em&gt; &lt;em&gt;Primer&lt;/em&gt;. New Delhi:  UNDP-APDIP. &lt;br /&gt;
Available at:  &lt;a href="http://www.iosn.net/open-standards/foss-open-standards-primer/foss-openstds-withnocover.pdf"&gt;www.iosn.net/open-standards/foss-open-standards-primer/foss-openstds-withnocover.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Phipps, S. (2007) &lt;em&gt;Roman Canaries&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://blogs.sun.com/webmink/entry/%E2%80%8Croman_canaries"&gt;blogs.sun.com/webmink/entry/roman_canaries&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Raymond, E.S. (2000) &lt;em&gt;The Magic  Cauldron&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://www.catb.org/%7Eesr/writings/%E2%80%8Ccathedral-%E2%80%8Cbazaar/%E2%80%8Cmagic-%E2%80%8Ccauldron/%E2%80%8Cindex.html"&gt;www.catb.org/~esr/writings/cathedral-bazaar/magic-cauldron/index.html&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Toffler, A. (1980) &lt;em&gt;The Third Wave&lt;/em&gt;.  New York: Bantam.&lt;/p&gt;
&lt;p align="left"&gt;UNDP (United Nations Development Programme) (2007a) &lt;em&gt;e-Government Interoperability: A Review of Government  Interoperability Frameworks in Selected Countries&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://www.apdip.net/projects/gif/gifeprimer"&gt;www.apdip.net/projects/gif/gifeprimer&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;UNDP (2007b) &lt;em&gt;e-Government  Interoperability: Guide&lt;/em&gt;. &lt;br /&gt;
Available at:  &lt;a href="http://www.apdip.net/projects/gif/GIF-Guide.pdf"&gt;www.apdip.net/projects/gif/GIF-Guide.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;US DoJ (Department of Justice) (1999) &lt;em&gt;Proposed Findings of Fact – Revised&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://www.usdoj.gov/%E2%80%8Catr/%E2%80%8Ccases/%E2%80%8Cf2600/v-a.pdf"&gt;www.usdoj.gov/atr/cases/f2600/v-a.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;W3C (World Wide Web Consortium) (2002) &lt;em&gt;Current patent practice&lt;/em&gt;. &lt;br /&gt;
Available at:  &lt;a href="http://www.w3.org/TR/patent-practice#def-RAND"&gt;www.w3.org/TR/patent-practice#def-RAND&lt;/a&gt;&lt;/p&gt;
&lt;p align="left"&gt;Weir, R. (2007) &lt;em&gt;How to hack  ISO&lt;/em&gt;. &lt;br /&gt;
Available at: &lt;a href="http://www.robweir.com/blog/2007/09/how-to-hack-iso.html"&gt;www.robweir.com/blog/2007/09/how-to-hack-iso.html&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/openness/publications/standards/report-on-open-standards-for-gisw2008'&gt;https://cis-india.org/openness/publications/standards/report-on-open-standards-for-gisw2008&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranesh</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Open Standards</dc:subject>
    
    
        <dc:subject>FLOSS</dc:subject>
    

   <dc:date>2009-01-05T06:52:54Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/publications-automated/cis/sunil/Open-Standards-GISW-2008.pdf">
    <title>Report on Open Standards for GISW 2008</title>
    <link>https://cis-india.org/publications-automated/cis/sunil/Open-Standards-GISW-2008.pdf</link>
    <description>
        &lt;b&gt;A report on Open Standards prepared by Sunil Abraham, for the Global Information Society Watch 2008.  As on their site, GISWatch focuses on monitoring progress made towards implementing the World Summit on the Information Society (WSIS) action agenda and other international and national commitments related to information and communications. It also provides analytical overviews of institutions involved in implementation. &lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/publications-automated/cis/sunil/Open-Standards-GISW-2008.pdf'&gt;https://cis-india.org/publications-automated/cis/sunil/Open-Standards-GISW-2008.pdf&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranesh</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Open Standards</dc:subject>
    
    
        <dc:subject>Publications</dc:subject>
    

   <dc:date>2011-08-23T02:57:53Z</dc:date>
   <dc:type>File</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf">
    <title>Report of the Group of Experts on Privacy</title>
    <link>https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf</link>
    <description>
        &lt;b&gt;The report covers international privacy principles, national privacy principles, rationale and emerging issues along with an analysis of relevant legislations/bills from a privacy perspective.&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf'&gt;https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2012-11-06T09:39:43Z</dc:date>
   <dc:type>File</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/report-state-of-consumer-digital-security-in-india">
    <title>Report - State of Consumer Digital Security in India</title>
    <link>https://cis-india.org/internet-governance/report-state-of-consumer-digital-security-in-india</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/report-state-of-consumer-digital-security-in-india'&gt;https://cis-india.org/internet-governance/report-state-of-consumer-digital-security-in-india&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranav</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2021-07-05T10:56:49Z</dc:date>
   <dc:type>File</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/remove-misinformation-but-be-transparent-please-1">
    <title>Remove misinformation, but be transparent please!</title>
    <link>https://cis-india.org/internet-governance/blog/remove-misinformation-but-be-transparent-please-1</link>
    <description>
        &lt;b&gt;The Covid-19 pandemic has seen an extensive proliferation of misinformation and misleading information on the internet, which in turn has highlighted a heightened need for online intermediaries to promptly and effectively deploy their content removal mechanisms. This blogpost examines how this necessity may affect the best practices of transparency reporting and obligations of accountability that these online intermediaries owe to their users, and formulates recommendations to allow preservation of information regarding Covid-19 related content removal, for future research. &lt;/b&gt;
        
&lt;p&gt;This article first&amp;nbsp;&lt;a class="external-link" href="http://cyberbrics.info/remove-misinformation-but-be-transparent-please/"&gt;appeared&lt;/a&gt;&amp;nbsp;on CyberBrics. The author would like to thank Gurshabad Grover for his feedback and review.&amp;nbsp;&lt;/p&gt;
&lt;h2 dir="ltr"&gt;Introduction&lt;/h2&gt;
&lt;p dir="ltr"&gt;We are living through, to put it mildly, strange times. The ongoing pandemic has pinballed into a humanitarian crisis, revealing and deepening the severe class inequalities that exist today. The crisis has been exacerbated by an ‘infodemic’, as the World Health Organization (WHO)&amp;nbsp;&lt;a href="https://www.who.int/docs/default-source/coronaviruse/situation-reports/20200202-sitrep-13-ncov-v3.pdf"&gt;notes&lt;/a&gt;: a massive abundance of information - occasionally inaccurate - has reduced the general perception of trust and reliability of online sources regarding the disease.&lt;/p&gt;
&lt;p dir="ltr"&gt;As a response to this phenomenon, in March, the Ministry of Electronics and Information Technology (MeitY) issued an&amp;nbsp;&lt;a href="https://meity.gov.in/writereaddata/files/advisory_to_curb_false_news-misinformation_on_corona_virus.pdf"&gt;advisory&lt;/a&gt;&amp;nbsp;to all social media platforms, asking them to “take immediate action to disable/remove [misinformation on Covid-19] hosted on their platforms on priority basis.” This advisory comes at a time when several prominent online platforms, including&amp;nbsp;&lt;a href="https://gadgets.ndtv.com/internet/news/google-india-announces-steps-to-help-combat-covid-19-misinformation-2211357"&gt;Google&lt;/a&gt;,&amp;nbsp;&lt;a href="https://blog.twitter.com/en_us/topics/company/2020/An-update-on-our-continuity-strategy-during-COVID-19.html"&gt;Twitter&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://about.fb.com/news/2020/03/combating-covid-19-misinformation/"&gt;Facebook&lt;/a&gt;, are also voluntarily stepping up to remove ‘harmful’ and misleading content relating to the pandemic. In the process, these intermediaries have started to rely increasingly on automated tools to carry out these goals, since their human moderator teams had to be sent home under lockdown norms.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;While the intention behind these decisions is understandable, one must wonder how this new-found speed to remove content, prompted by the bid to rid the social media space of ‘fake news’, may affect the best practices of transparency reporting and obligations of accountability that these online intermediaries owe to their users. In this piece, we explore these issues in a little more detail.&amp;nbsp;&lt;/p&gt;
&lt;h2 dir="ltr"&gt;What is transparency reporting?&amp;nbsp;&lt;/h2&gt;
&lt;p dir="ltr"&gt;Briefly speaking, transparency reports, in the context of online intermediaries and social media companies, are periodic (usually annual or half-yearly) reports that map different policy enforcement decisions the company has taken regarding, among other things, surveillance and censorship. These decisions are carried out either unilaterally by the company, in response to third-party notices (in case of content that is infringing copyright, for instance), or at the behest of state authorities. For instance, Google’s&amp;nbsp;&lt;a href="https://transparencyreport.google.com/?hl=en"&gt;page&lt;/a&gt;&amp;nbsp;on transparency reporting describes the process as “[s]haring data that sheds light on how the policies and actions of governments and corporations affect privacy, security, and access to information.”&lt;/p&gt;
&lt;p dir="ltr"&gt;To gauge the importance of transparency reporting in today’s age of the internet, it is perhaps pertinent to consider its history. In the beginning of the past decade, Google was one of the only online intermediaries&amp;nbsp;&lt;a href="https://transparencyreport.google.com/user-data/overview?hl=en&amp;amp;user_requests_report_period=series:requests,accounts;authority:IN;time:&amp;amp;lu=user_requests_report_period"&gt;providing&lt;/a&gt;&amp;nbsp;any kind of information regarding government requests for user data, or requests for removal of content.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Then, in 2013, the Snowden Leaks happened. This was a watershed moment in the internet’s history, inasmuch as it displayed that these online intermediaries were often excessively pliant with government requests for user information,&amp;nbsp;&lt;a href="https://www.forbes.com/sites/kashmirhill/2013/11/14/silicon-valley-data-handover-infographic/#25de6ae45365"&gt;allowing&lt;/a&gt;&amp;nbsp;them backdoor surveillance access. Of course, all of these companies denied these allegations.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;However, from this moment onwards, online intermediaries began to roll out transparency reports in a bid to fix their damaged goodwill, and till last year, it was&amp;nbsp;&lt;a href="https://cis-india.org/internet-governance/files/A%20collation%20and%20analysis%20of%20government%20requests%20for%20user%20data%20%20and%20content%20removal%20from%20non-Indian%20intermediaries%20.pdf"&gt;noted&lt;/a&gt;&amp;nbsp;that these reports continued to be more detailed, at least in the context of data and content related to users located in the US. A notable exception to this rule was the tech giant Amazon, whose&amp;nbsp;&lt;a href="https://www.amazon.com/gp/help/customer/display.html?nodeId=GYSDRGWQ2C2CRYEF"&gt;reports&lt;/a&gt;&amp;nbsp;are essentially a PDF document of three pages, with no nuance regarding any of the verticals mentioned.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Done well, these reports are invaluable sources of information about things like the number of legal takedowns effectuated by the intermediary, the number of times the government asked for user information from the intermediary for law enforcement purposes, and so on. This in turn becomes a useful way of measuring the breadth of government and private censorship and surveillance. For instance, this&amp;nbsp;&lt;a href="https://indianexpress.com/article/india/govt-emergency-requests-to-facebook-for-user-data-more-than-double-in-2019-6407110/"&gt;report&lt;/a&gt;&amp;nbsp;shows that the government emergency reports sent to Facebook have doubled since 2019, which is concerning, since it is not clear what the company means by an ‘emergency’ request, and whether its understanding matches up with that provided under the Indian&amp;nbsp;&lt;a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009"&gt;law&lt;/a&gt;. This means that it becomes difficult, in turn, to ascertain the nature of information that the company is handing over to the government.&amp;nbsp;&lt;/p&gt;
&lt;h3 dir="ltr"&gt;Best practices and where to find them&lt;/h3&gt;
&lt;p dir="ltr"&gt;While transparency reports are great repositories to gauge the breadth of government censorship and surveillance, one early challenge has been the lack of standardized reporting. Since these reports were mostly autonomous initiatives by online intermediaries, each of them had taken their own forms. This in turn, had made any comparison between them difficult.&lt;/p&gt;
&lt;p dir="ltr"&gt;This has since been addressed by a number of organizations, including Electronic Frontier Foundation (&lt;a href="https://www.eff.org/wp/who-has-your-back-2019"&gt;EFF&lt;/a&gt;),&amp;nbsp;&lt;a href="https://www.newamerica.org/oti/reports/transparency-reporting-toolkit-content-takedown-reporting/"&gt;New America&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.accessnow.org/transparency-reporting-index/"&gt;Access Now&lt;/a&gt;, all creating their own metrics for measuring transparency reports. More definitively, in the context of content removal in 2018, a group of academicians, organizations and experts had collaborated to form the ‘&lt;a href="https://santaclaraprinciples.org/"&gt;Santa Clara Principles on Transparency and Accountability in Content Moderation&lt;/a&gt;’ which have since received the&amp;nbsp;&lt;a href="https://santaclaraprinciples.org/open-letter/"&gt;endorsement&lt;/a&gt;&amp;nbsp;of around seventy human rights groups. Taken together, these standards and methodologies of analysing transparency reports present a considerable body of work, against which content removals can be mapped.&lt;/p&gt;
&lt;h2 dir="ltr"&gt;Content takedown in the time of pandemic&lt;/h2&gt;
&lt;p dir="ltr"&gt;In some of our previous research, we have&amp;nbsp;&lt;a href="https://cis-india.org/internet-governance/blog/torsha-sarkar-november-30-2019-a-deep-dive-into-content-takedown-timeframes"&gt;argued&lt;/a&gt;&amp;nbsp;that the speed of removal, or the time taken by an intermediary to remove ‘unlawful’ content, says nothing about the accuracy of the said action. Twitter, for instance, can say that it took some&amp;nbsp;&lt;a href="https://transparency.twitter.com/en/twitter-rules-enforcement.html"&gt;‘action’&lt;/a&gt;&amp;nbsp;against 584,429 reports of hateful conduct for a specified period; this does not always mean that all the action it took was accurate, or fair, since very little publicly available information exists to comprehensively gauge how effective or accurate the removal mechanisms deployed by these intermediaries are. The heightened pressure to deal with harmful content related to the pandemic can contribute further to, one, the removal of perfectly legitimate content (as&amp;nbsp;&lt;a href="https://www.theverge.com/2020/3/17/21184445/facebook-marking-coronavirus-posts-spam-misinformation-covid-19"&gt;examples&lt;/a&gt;&amp;nbsp;from Facebook show, and as YouTube has&amp;nbsp;&lt;a href="https://youtube-creators.googleblog.com/2020/03/protecting-our-extended-workforce-and.html"&gt;warned&lt;/a&gt;&amp;nbsp;in blogs), and two, increasing and deepening the information asymmetry regarding accurate data around removals.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Given the diverse nature of misinformation and conspiracy theories relating to the pandemic currently present on the internet, this offers a critical time to&amp;nbsp;&lt;a href="https://cdt.org/insights/covid-19-content-moderation-research-letter/"&gt;study&lt;/a&gt;&amp;nbsp;the relation between online information and the outcomes of a public health crisis. However, these efforts stand to be thwarted if reliable information around removals relating to the pandemic continues to be unavailable.&lt;/p&gt;
&lt;h3 dir="ltr"&gt;How to map removals in these times?&lt;/h3&gt;
&lt;p dir="ltr"&gt;One, as the industry body IAMAI&amp;nbsp;&lt;a href="https://www.medianama.com/wp-content/uploads/PR_social-media_7-April3.pdf"&gt;notes&lt;/a&gt;, while positive, collaborative steps between social media companies and the government to curb misinformation are welcome, any form of takedown at the behest of the state must take the correct legal path, as mandated by the provisions of the Information Technology (IT) Act. Additionally, all information regarding content takedowns to remove fake news related to Covid-19 must be&amp;nbsp;&lt;a href="https://cdt.org/insights/covid-19-content-moderation-research-letter/"&gt;preserved and collected&lt;/a&gt;&amp;nbsp;separately by these companies, and subsequently represented in their transparency reports.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Two, if the recent case of Twitter fact-checking Donald Trump’s tweet on electoral ballots is any indication, an online intermediary’s suo motu enforcement of its internal speech norms may take different shapes, apart from the usual takedown/leave up binary, including fact-checking and showing warning labels for conspiratorial content (&lt;a href="https://about.fb.com/news/2020/04/covid-19-misinfo-update/"&gt;Facebook&lt;/a&gt;&amp;nbsp;for instance, has taken to adopt measures that would connect verified sources of information to users interacting with Covid-19 related misinformation). Accordingly, information regarding these additional measures must be mapped, including the efficacy of these steps, and should be presented in the transparency reports.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Additionally, several of these companies have stepped up to&amp;nbsp;&lt;a href="https://www.eff.org/deeplinks/2020/05/santa-clara-principles-during-covid-19-more-important-ever"&gt;use&lt;/a&gt;&amp;nbsp;automated moderation tools and systems for quick response against the spread of disinformation on their platforms. However, as YouTube’s Creator Blog&amp;nbsp;&lt;a href="https://youtube-creators.googleblog.com/2020/03/protecting-our-extended-workforce-and.html"&gt;warns&lt;/a&gt;&amp;nbsp;its users, some of these removals may be erroneous, and the users would accordingly have to appeal these decisions. Therefore, while information regarding removals prompted by the use of these tools must be preserved, and represented separately, these numbers should also be expanded to include the error rates of these automated tools, and the rate at which posts removed by error are reinstated.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Three, as previous research on transparency reporting has&amp;nbsp;&lt;a href="https://cis-india.org/internet-governance/blog/torsha-sarkar-suhan-s-and-gurshabad-grover-october-30-2019-through-the-looking-glass"&gt;shown&lt;/a&gt;, there is a substantive bridge between the information provided by these companies for users based in the US, and those based out of other countries. This is problematic on several counts. Due to the&amp;nbsp;&lt;a href="https://cis-india.org/internet-governance/blog/content-takedown-and-users-rights-1"&gt;expansive&lt;/a&gt;&amp;nbsp;&lt;a href="https://cyberbrics.info/rethinking-the-intermediary-liability-regime-in-india/"&gt;issues&lt;/a&gt;&amp;nbsp;with the laws relating to content removal in India, this inadequate representation of information makes it impossible to gauge the practical ramifications of the opaque legal system, and accordingly, makes reforms difficult. In the current times, this lack of information may also paint an imperfect&amp;nbsp; picture of government censorship. After all, the Indian government has, on multiple occasions, the dubious reputation of sending&amp;nbsp;&lt;a href="https://drive.google.com/drive/folders/1VqH8KzgTtbvF8jT2rtuhgrrOgph9XvCT"&gt;flawed&lt;/a&gt;&amp;nbsp;legal takedown notices and&amp;nbsp;&lt;a href="https://cpj.org/blog/2019/10/india-opaque-legal-process-suppress-kashmir-twitter.php"&gt;forcing&lt;/a&gt;&amp;nbsp;intermediaries to censor content nevertheless.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Therefore, this continued refusal to provide more nuanced information in the context of India would continue to facilitate these practices, and only increase the breadth of censorship of digital expression.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;While the need to remove harmful information from social media platforms in this stage of the crisis might be necessary, such need must not circumvent the adherence to the minimum standards of transparency and accountability. If the Snowden leaks are any indication, online companies can be made to change their policies during watershed moments in history. The current Covid-19 crisis is one such moment, both offline and online, and the need is more pressing than ever, for these companies to step up and do better.&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Shared under Creative Commons BY-SA 4.0 license&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/remove-misinformation-but-be-transparent-please-1'&gt;https://cis-india.org/internet-governance/blog/remove-misinformation-but-be-transparent-please-1&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>TorShark</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2020-06-29T11:46:56Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf">
    <title>Regulating the Internet: The Government of India &amp; Standards Development at the IETF</title>
    <link>https://cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf</link>
    <description>
        &lt;b&gt;The institution of open standards has been described as a formidable regulatory regime governing the Internet. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.&lt;/b&gt;
        
&lt;p&gt;This brief was authored by Aayush Rathi, Gurshabad Grover and Sunil Abraham. Click &lt;a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet"&gt;here&lt;/a&gt; to download the policy brief.&lt;/p&gt;
&lt;hr /&gt;
&lt;h2&gt;Executive Summary&lt;/h2&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;p style="text-align: justify;"&gt;The institution of open standards has been described as a formidable regulatory regime governing the Internet. As the Internet has moved to facilitate commerce and communication, governments and corporations find greater incentives to participate and influence the decisions of independent standards development organisations.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;While most such bodies have attempted to systematise fair and transparent processes, this brief highlights how they may still be susceptible to compromise. Documented instances of large private companies like Microsoft, and governmental instrumentalities like the US National Security Agency (NSA) exerting disproportionate influence over certain technical standards further the case for increased Indian participation.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;The debate around Transport Layer Security (TLS) 1.3 at the Internet Engineering Task Force (IETF) forms an important case for studying how a standards body responded to political developments, and how the Government of India participated in the ensuing discussions. Lasting four years, the debate ended in favour of greater communications security. One of the security improvements in TLS 1.3 over its predecessor is that it makes less information available to networking middleboxes. Considering that Indian intelligence agencies and government departments have expressed fears of foreign-manufactured networking equipment being used by foreign intelligence to eavesdrop on Indian networks, the development is potentially favourable for the security of Indian communication in general, and the security of military and intelligence systems in particular. India has historically procured most networking equipment from foreign manufacturers. While there have been calls for indigenised production of such equipment, achieving these objectives will necessarily be a gradual process. Participating in technical standards can, then, be an effective interim method for intelligence agencies, defence wings and law enforcement for establishing trust in critical networking infrastructure sourced from foreign enterprises.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Outlining some of the existing measures the Indian government has put in place to build capacity for and participate in standard setting, this brief highlights that while these are useful starting points, they need to be harmonised and strengthened to be more fruitful. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;Click &lt;a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet"&gt;here&lt;/a&gt; to download the policy brief.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Note: The recommendations in the brief were updated on 17 December 2018 to reflect the relevance of technical standard-setting in the recent discussions around Indian intelligence concerns about foreign-manufactured networking equipment.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf'&gt;https://cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Aayush Rathi, Gurshabad Grover and Sunil Abraham</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Open Standards</dc:subject>
    
    
        <dc:subject>Cryptography</dc:subject>
    
    
        <dc:subject>Cybersecurity</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Surveillance</dc:subject>
    
    
        <dc:subject>IETF</dc:subject>
    
    
        <dc:subject>Encryption Policy</dc:subject>
    

   <dc:date>2019-01-22T07:29:39Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/files/regulating-the-internet">
    <title>Regulating the Internet</title>
    <link>https://cis-india.org/internet-governance/files/regulating-the-internet</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/files/regulating-the-internet'&gt;https://cis-india.org/internet-governance/files/regulating-the-internet&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>gurshabad</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2018-12-20T00:29:06Z</dc:date>
   <dc:type>File</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/recommendations-for-eu-cyber-diplomacy">
    <title>Recommendations for EU cyber diplomacy</title>
    <link>https://cis-india.org/internet-governance/blog/recommendations-for-eu-cyber-diplomacy</link>
    <description>
        &lt;b&gt;Written statement by Arindrajit Basu  delivered  at the  EU Cyber Direct Civil Society Forum 2020&lt;/b&gt;
        
&lt;p id="docs-internal-guid-ab8c7a89-7fff-3047-3e79-b8b91593b2a0" dir="ltr"&gt;&lt;strong&gt;1. Key issues for EU cyber diplomacy&lt;/strong&gt;&lt;/p&gt;
&lt;p dir="ltr"&gt;There are two key issues that the EU should take the lead on. Extra-territorial surveillance by several countries, in partnership with private actors, continues with aplomb. In Schrems II, the Court of Justice of the European Union has already dealt a decisive victory for civil society actors campaigning against &lt;a href="https://www.medianama.com/2020/08/223-american-law-on-mass-surveillance-post-schrems-ii/"&gt;US law and surveillance policy, &lt;/a&gt;and protected the rights of EU citizens by doing so. Channelising the rich human rights jurisprudence in the European Convention on Human Rights, the court was able to highlight how existing US law and policy do not comply with the principle of proportionality in the ECHR. While the courts are an important avenue of resistance, other countries targeted by illegal and illegitimate surveillance often do not have judicial recourse or the clout to effectively counter surveillance practices. In line with the accepted principles of international law, the EU must engage in diplomatic posturing calling for reining in the use of extra-territorial surveillance, which includes surveillance enhancing technologies, mass dragnet surveillance, and surveillance by private actors.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;The second key issue is that of ‘data sovereignty’, or a recognition that notwithstanding the significance of cross-border data flows, the ultimate responsibility of guaranteeing citizen rights in the digital sphere lies with the state enforcing laws in that jurisdiction. Undoubtedly, this responsibility must be discharged in conjunction with the principles of international law but the policy space itself should be sovereign, and not be dictated by other states or private actors. This sovereign space includes the right to regulate private actors such as technology companies through taxation, anti-trust laws, and impose on them key human rights obligations. It also includes an obligation to protect citizen interests against foreign adversaries. Sovereignty must not be conflated with brazen technology nationalism that involves restrictions on foreign technology or investment that harms the economic welfare or civil liberties of a state’s own citizens.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;Several jurisdictions including the EU are grappling with the precise contours of ‘data sovereignty’ and what it means in today’s increasingly fractured geo-political climate. However, as it set the ball rolling with privacy enhancing diplomacy across the world, the EU has an opportunity to work with several key partners, including emerging economies such as India, Brazil and South Africa to ensure that these debates culminate in digital ecosystems that preserve the rule of law while also increasing digital accessibility and reducing inequality.&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;strong&gt;2. Multi-stakeholder coalitions&lt;/strong&gt;&lt;/p&gt;
&lt;p dir="ltr"&gt;The EU has signed up for &lt;a href="https://www.lawfareblog.com/two-new-democratic-coalitions-5g-and-ai-technologies"&gt;multilateral coalitions &lt;/a&gt;such as the Global Partnership on Artificial Intelligence and EU countries have signed onto multi-stakeholder digital agreements such as the Paris Call for Trust and Security in Cyberspace. While coalitions have been dismissed (incorrectly I believe) as talking shops, often efficient coalitions can attain key goals and promote core democratic values. Through these coalitions, the EU should look to attract as vast an array of stakeholders as possible, both states and private actors. However, that should happen once the key principles, objectives and mechanisms of engagement have been charted out by the coalition. Attracting too many stakeholders without having these clearly charted out allows for the agenda to be hijacked or limited.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;strong&gt;3. Engagement with civil society abroad&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The EU has to some extent successfully engaged civil society actors from various parts of the world. The Closing the Gap Conference held successfully by EU Cyber Direct in July showcased quality scholarship from all around the world and enabled dialogue between participants that we do not see often. The dialogue we are having today is a critical form of engagement. The EU should also consider supporting and providing resources for transnational movements such as the &lt;a href="https://www.accessnow.org/keepiton/"&gt;#Keepiton &lt;/a&gt;coalition that is advocating against internet shutdowns around the world and other civil society consortiums that are upholding values the EU also believes in around the world. Further, it is clear that European policy innovations, be it the GDPR or the European Data Strategy, deeply impact the future of global digital spaces. Therefore, robust consultative mechanisms should be deployed to ensure that academics and civil society participants from all over the world have a meaningful opportunity to shape these policies, keeping in mind the resources available for organisations, especially those in the global south, to do the same.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;em&gt;17th September 2020.&lt;/em&gt;&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;em&gt;(Remarks delivered via video-conferencing)&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;em&gt;(Note: This write-up is not meant to be an exhaustive representation of all recommendations for EU cyber diplomacy but captures the statement made by Arindrajit at the Civil Society Forum)&lt;/em&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/recommendations-for-eu-cyber-diplomacy'&gt;https://cis-india.org/internet-governance/blog/recommendations-for-eu-cyber-diplomacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>basu</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2020-09-19T13:32:36Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/raw/reclaiming-the-right-to-privacy-researching-the-intersection-of-privacy-and-gender">
    <title>Reclaiming the right to privacy: Researching the intersection of privacy and gender</title>
    <link>https://cis-india.org/raw/reclaiming-the-right-to-privacy-researching-the-intersection-of-privacy-and-gender</link>
    <description>
        &lt;b&gt;It was our privilege to be supported by Privacy International, UK, during 2019-2020, to undertake a research project focusing on reproductive health and data surveillance, and to engage on related topics with national civil society groups. Our partner organisations who led some of the research as part of this project are grassroots actors - Domestic Workers Rights Union, Migrant Workers Solidarity Network, Parichiti, Samabhabona, Rainbow Manipur, and Right to Food Campaign. Here we are compiling the various works supported by this project co-led by Ambika Tandon, Aayush Rathi, and Sumandro Chattapadhyay at the Centre for Internet and Society, India.&lt;/b&gt;
        
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Previous research conducted by CIS on the subject of sexual and reproductive health (SRH) services in India observes that there is a complex web of surveillance, or ‘dataveillance’, around each patient as they avail of SRH services from the state. &lt;strong&gt;[1]&lt;/strong&gt; In this project on ‘researching the intersection of privacy and gender’, we aimed to map the ecosystem of surveillance around SRH services as their provision becomes increasingly ‘data-driven’, and explore its implications for patients and beneficiaries.&lt;/p&gt;
&lt;p&gt;Through this project, we were interested in documenting the roles played by both the public and the private sector actors in this ecosystem of health surveillance. We understand the role of private sector actors as central to state provision of sexual and reproductive health services, especially through the institutionalisation of data-driven health insurance models, as well as through extensive privatisation of public health services.&lt;/p&gt;
&lt;p&gt;We supported studies on a range of topics that constitute the experience of sexual and gender minorities and women when accessing public health and welfare systems, including the treatment of trans persons by law and welfare systems in India, access to abortion and maternity benefits for low income women, access to ART treatments by PLHIV, and so on.&lt;/p&gt;
&lt;p&gt;We found that many respondents had no information about welfare schemes despite being eligible, while many others were excluded from them because they did not have Aadhaar cards and other ID documents, or because of errors and inconsistencies in the same. Direct benefit transfer schemes also required mobile phone linkage and active Aadhaar-seeded bank accounts, which added another layer of requirements and excluded vulnerable populations. We also found that respondents had very little information about the storage and sharing of their data, which raises questions about the possibility of implementing complex consent architectures for digitised health data as imagined by the Indian government through policies such as the Non Personal Data Governance Framework. We found that populations that carry stigma are most likely to be excluded from health and welfare access as a result of data collection, including trans groups, PLHIV, and single women or adolescent girls seeking abortion.&lt;/p&gt;
&lt;p&gt;Please find below the various works undertaken as part of this project. We hope these works will be useful for civil society organisations, grassroots organisations, and reproductive rights organisations.&lt;/p&gt;
&lt;hr /&gt;
&lt;h3&gt;Article&lt;/h3&gt;
&lt;p&gt;Raina Roy. (July 18, 2020). Coronavirus: Kolkata’s trans community has been locked out of healthcare and livelihood. Scroll.in. &lt;a href="https://scroll.in/article/968182/coronavirus-kolkatas-trans-community-has-been-locked-out-of-healthcare-and-livelihood" target="_blank"&gt;https://scroll.in/article/968182/coronavirus-kolkatas-trans-community-has-been-locked-out-of-healthcare-and-livelihood&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Rosamma Thomas. (November 02, 2020). Citizen data and freedom: The fears of people living with HIV in India. GenderIT. &lt;a href="https://www.genderit.org/articles/citizen-data-and-freedom-fears-people-living-hiv-india" target="_blank"&gt;https://www.genderit.org/articles/citizen-data-and-freedom-fears-people-living-hiv-india&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Sameet Panda. (November 25, 2020). One ration card, many left behind. Indian Express. &lt;a href="https://indianexpress.com/article/opinion/one-ration-card-many-left-behind/" target="_blank"&gt;https://indianexpress.com/article/opinion/one-ration-card-many-left-behind/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Sameet Panda (January 11, 2020). One Nation One Ration Card in Odisha - Only Pain, No Gain. Sanchar, page 6. &lt;a href="https://sancharodisha.com/" target="_blank"&gt;https://sancharodisha.com/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Santa Khurai. (June 18, 2020). 'I feel the pain of having nowhere to go': A Manipuri trans woman recounts her ongoing lockdown ordeal. Firstpost. &lt;a href="https://www.firstpost.com/india/i-feel-the-pain-of-having-nowhere-to-go-a-manipuri-trans-woman-recounts-her-ongoing-lockdown-ordeal-8494321.html" target="_blank"&gt;https://www.firstpost.com/india/i-feel-the-pain-of-having-nowhere-to-go-a-manipuri-trans-woman-recounts-her-ongoing-lockdown-ordeal-8494321.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Shreya Ila Anasuya. (December 21, 2020). How India’s Healthcare System Lets Down Trans Men. Go Mag. &lt;a href="http://gomag.com/article/heres-what-its-like-to-be-a-trans-man-in-india/" target="_blank"&gt;http://gomag.com/article/heres-what-its-like-to-be-a-trans-man-in-india/&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;Policy Response&lt;/h3&gt;
&lt;p&gt;Aayush Rathi, Aman Nair, Ambika Tandon, Pallavi Bedi, Sapni Krishna, and Shweta Mohandas. (September 13, 2020). Inputs to the Report on the Non-Personal Data Governance Framework. The Centre for Internet and Society. &lt;a href="https://cis-india.org/raw/inputs-to-report-on-non-personal-data-governance-framework/" target="_blank"&gt;https://cis-india.org/raw/inputs-to-report-on-non-personal-data-governance-framework/&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;Report&lt;/h3&gt;
&lt;p&gt;Anchita Ghatak. (December 30, 2020). Domestic Workers’ Access to Secure Livelihoods in West Bengal. Parichiti. &lt;a href="https://cis-india.org/raw/parichiti-domestic-workers-access-to-secure-livelihoods-west-bengal" target="_blank"&gt;https://cis-india.org/raw/parichiti-domestic-workers-access-to-secure-livelihoods-west-bengal&lt;/a&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;h3&gt;Endnotes&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;[1]&lt;/strong&gt; Aayush Rathi, &lt;a href="https://www.epw.in/engage/article/indias-digital-health-paradigm-foolproof" target="_blank"&gt;Is India's Digital Health System Foolproof?&lt;/a&gt; (2019)&lt;br /&gt;
Aayush Rathi and Ambika Tandon, &lt;a href="https://www.epw.in/engage/article/data-infrastructures-inequities-why-does-reproductive-health-surveillance-india-need-urgent-attention" target="_blank"&gt;Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?&lt;/a&gt; (2019)&lt;br /&gt;
Ambika Tandon, &lt;a href="https://cis-india.org/internet-governance/blog/ambika-tandon-december-23-2018-feminist-methodology-in-technology-research" target="_blank"&gt;Feminist Methodology in Technology Research: A Literature Review&lt;/a&gt; (2018)&lt;br /&gt;
Ambika Tandon, &lt;a href="https://cis-india.org/raw/big-data-reproductive-health-india-mcts" target="_blank"&gt;Big Data and Reproductive Health in India: A Case Study of the Mother and Child Tracking System&lt;/a&gt; (2019)&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/raw/reclaiming-the-right-to-privacy-researching-the-intersection-of-privacy-and-gender'&gt;https://cis-india.org/raw/reclaiming-the-right-to-privacy-researching-the-intersection-of-privacy-and-gender&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Ambika Tandon and Aayush Rathi</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Data Systems</dc:subject>
    
    
        <dc:subject>Reproductive and Child Health</dc:subject>
    
    
        <dc:subject>Research</dc:subject>
    
    
        <dc:subject>Gender, Welfare, and Privacy</dc:subject>
    
    
        <dc:subject>Researchers at Work</dc:subject>
    

   <dc:date>2021-01-25T10:42:51Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/about/reports/annual-reports">
    <title>Read Our Annual Reports and Audit Reports</title>
    <link>https://cis-india.org/about/reports/annual-reports</link>
    <description>
        &lt;b&gt;Click on the links below to access our annual and audit reports.&lt;/b&gt;
        &lt;table class="listing"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Audit Reports 2024-2025&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/about/reports/quarterly-receipt-of-foreign-contribution-april-june-2024.pdf"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q1 (April - June 2024)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/quarterly-receipt-of-foreign-contribution-q2-july-september-2024" class="internal-link" title="Quarterly receipt of Foreign contribution - Q2 (July - September 2024)"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q2 (July - September 2024)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/quarterly-receipt-fc-q3-october-december/view" class="external-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q3 (October - December 2024)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="http://cis-india.org/about/reports/cis-fy-2024-25-financials"&gt;Consolidated Audited Financials&lt;/a&gt; (FY 2024 - 2025)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Audit Reports 2023-2024&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/details-of-quarterly-receipt-of-foreign-contribution" class="external-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q1 (April - June 2023)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/about/reports/QuarterlyReceiptofForeignContributionJulySeptember2023.pdf/at_download/file"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q2 (July - September 2023)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="http://cis-india.org/about/reports/details-of-quarterly-receipt-of-foreign-contribution-oct-dec-2023"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q3 (October - December 2023)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/internet-governance/quarter-4-receipts-for-cis"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q4 (January - March 2024)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/consolidated-financials-2023-24" class="internal-link" title="Consolidated Financials 2023 - 2024"&gt;Consolidated Audited Financials&lt;/a&gt; (FY 2023 - 2024)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Audit Reports 2022-2023&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/about/reports/cis-signed-financials-fy-22-23.pdf/at_download/file"&gt;Consolidated Financials&lt;/a&gt; (FY 2022 - 2023 + Audit Report)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/quarterly-receipt-of-foreign-contribution-q1-april-june-2022" class="internal-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q1 (April - June 2022)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/quarterly-receipt-of-foreign-contribution-q2-july-september-2022" class="internal-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q2 (July - September 2022)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/quarterly-receipt-of-foreign-contribution-q2-october-december-2022" class="internal-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q3 (October - December 2022)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/about/reports/quarter-receipt-of-foreign-contribution-january-2023-march-2023"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q4 (January - March 2023)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Audit Reports 2021-2022&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/Q1%20FCRA%20Receipts%20Intimation%20FY%202021-22.pdf"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q1 (April - June 2021)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/Q2%20FCRA%20Receipts%20Intimation%20FY%202021-22.pdf"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q2 (July - September 2021)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/q3-fcra-receipts-intimation" class="internal-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q3 (October - December 2021)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/quarterly-receipt-of-foreign-contribution" class="internal-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q4 (January - March 2022)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/cis-signed-consolidated-audited-financials-for-fy-2021-22-audit-report" class="internal-link"&gt;CIS Signed Consolidated Audited Financials&lt;/a&gt; (FY 2021-22 + Audit Report)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Audit Report 2020-2021&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://cis-india.org/about/reports/audit-report-2020-2021-pdf" class="internal-link" title="Audit Report 2020-2021 pdf"&gt;Download Audit Report (2020-21)&lt;/a&gt;&lt;/strong&gt;, (PDF, 926 KB)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/FCRA-Q1-2020-21.pdf"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q1 (April - June 2020)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/cis-fcra-2020-21-q2.pdf"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q2 (July - September 2020)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/cis-fcra-2020-21-q3.pdf"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q3 (October - December 2020)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/cis-fcra-2020-21-q4.pdf"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q4 (January - March 2021)&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2020-21&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://cis-india.org/about/reports/annual-report-2020-21-programmatic-pdf" class="internal-link" title="Annual Report 2020-21 (Programmatic PDF)"&gt;Download Programmatic Annual Report&lt;/a&gt;&lt;/strong&gt; (April 2020 - March 2021) &lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Audit Reports 2019-2020&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/cis-auditors-report-and-financials-ye-31-3-2020-pdf" class="internal-link" title="CIS auditors report and financials YE 31.3.2020 pdf"&gt;&lt;strong&gt;Download Audit Report&lt;/strong&gt;&lt;/a&gt; (2019-20), (PDF, 1060 KB)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="http://cis-india.org/internet-governance/files/quarterly-receipts-of-foreign-contributions-for-april-to-june-2019"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q1 (April - June 2019)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/quarterly-receipts-of-foreign-contributions-for-oct-to-dec-2019"&gt;Quarterly receipt of Foreign Contributions&lt;/a&gt; - Q3 (October - December 2019)&lt;/li&gt;
&lt;li&gt;&lt;a class="external-link" href="https://cis-india.org/FCRA_Receipts_Q4_2019-20.pdf"&gt;Quarterly receipt of Foreign Contributions&lt;/a&gt; - Q4 (January - March 2020)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Audit Report 2018-19&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/annual-programmatic-report-2018-2019" class="internal-link" title="Annual Programmatic Report 2018-2019"&gt;&lt;strong&gt;Download Annual Report&lt;/strong&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://cis-india.org/internet-governance/files/cisfinancials_2018-19-pdf" class="internal-link" title="CISFinancials_2018-19 PDF"&gt;Download Audit Report&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/quarterly-receipt-of-foreign-contribution-q3-oct-dec-2018" class="internal-link"&gt;Quarterly receipt of Foreign contribution&lt;/a&gt; - Q3(Oct - Dec) 2018&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2019-20&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://cis-india.org/internet-governance/annual-report-2019-2020.pdf" class="internal-link"&gt;Download Annual Report&lt;/a&gt;&lt;/strong&gt; (2019-20)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2017-18&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/annual-report-2017-2018.pdf" class="internal-link"&gt;&lt;strong&gt;Download Annual Report&lt;/strong&gt;&lt;/a&gt; (2017-18), (PDF, 4809 Kb)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/consolidated-financial-statements-of-account-2017-18-pdf" class="internal-link" title="Consolidated Financial Statements of Account 2017-18 pdf"&gt;Download Consolidated Financial Statements&lt;/a&gt; (2017-18)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2016-17&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a class="external-link" href="http://cis-india.org/internet-governance/files/annual-report-2016-2017"&gt;Download Annual Report&lt;/a&gt; (2016-17)&lt;/strong&gt;, (PDF, 1327 Kb)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/consolidated-financial-statements-of-account-2016-17-pdf" class="internal-link" title="Consolidated Financial Statements of Account 2016-17 pdf"&gt;Download Consolidated Financial Statements&lt;/a&gt; (2016-17)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2015-16&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class="external-link" href="http://cis-india.org/internet-governance/files/annual-report-2015-2016"&gt;&lt;strong&gt;Download Annual Report (2015-16)&lt;/strong&gt;&lt;/a&gt; (PDF, 3559 Kb)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Download Audit Report (2015-16)&lt;/strong&gt;, (PDF, 1907 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2014-15&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;CIS in partnership with the Office of the Chief Commissioner for Persons with Disabilities and the Centre for Law and Policy Research compiled the &lt;a class="external-link" href="http://cis-india.org/accessibility/blog/national-compendium-of-laws-policies-programmes-for-persons-with-disabilities"&gt;National Compendium of Laws, Policies, Programmes for Persons with Disabilities&lt;/a&gt;. During the year CIS signed memoranda of understanding with &lt;a href="http://cis-india.org/openness/blog/cis-signs-mou-with-mysore-university"&gt;Mysore University&lt;/a&gt; (for converting to Unicode and re-releasing their encyclopaedia under Creative Commons License); &lt;a href="http://cis-india.org/openness/blog/cis-signs-mou-with-sdm-college"&gt;Shri Dharmasthala Manjunatheshwara College&lt;/a&gt; (to introduce Indian Language Wikipedias in the Indian Under-Graduate and Post Graduate Classroom); &lt;a href="http://cis-india.org/openness/blog/alc-cis-sign-mou-better-net-access"&gt;Andhra Loyola College&lt;/a&gt; (for 5 years to enhance Telugu Wikipedia through increased contributions to Wikipedia and make it available under free license); and &lt;a href="http://cis-india.org/openness/blog/nie-steps-in-to-grow-konkani-wikipedia"&gt;Nirmala Institute of Education&lt;/a&gt;, Goa (to enhance digital literacy in Konkani in the education sector across Goa). CIS also conducted an empirical study of five separate and diverse banks (State Bank of India, Central Bank of India, ICICI Bank, IndusInd Bank, and Standard Chartered Bank) to gain a practical perspective on the existing banking practices and policies in India, and published a &lt;a href="http://cis-india.org/internet-governance/blog/banking-policy-guide"&gt;Banking Policy Guide&lt;/a&gt;. Further, CIS took part in the WIPO-SCCR meetings. India became the first country to ratify the Marrakesh Treaty and the Accessible Books Consortium was launched.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/annual-report-2014-15.pdf" class="internal-link"&gt;&lt;strong&gt;Download Annual Report (2014-15)&lt;/strong&gt;&lt;/a&gt; (PDF, 1 Mb) &lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Download Audit Report (2014-15)&lt;/strong&gt; (PDF, 527 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2013-14&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;CIS celebrated five years of existence with an &lt;a class="external-link" href="http://cis-india.org/internet-governance/events/celebrating-5-years-of-cis"&gt;exhibition showcasing its works and accomplishments&lt;/a&gt; since it was founded in 2008. Along with CLPR, CIS &lt;a class="external-link" href="http://cis-india.org/accessibility/blog/enabling-elections"&gt;published a report on making the General Elections of 2014&lt;/a&gt; participatory and accessible for voters with disabilities. CIS signed a memorandum of understanding with &lt;a class="external-link" href="http://cis-india.org/openness/blog/cis-a2k-mou-christ-university"&gt;Christ University, Bangalore&lt;/a&gt;, &lt;a class="external-link" href="http://cis-india.org/a2k/blog/cis-tiss-mou"&gt;Tata Institute of Social Sciences, Mumbai&lt;/a&gt;, &lt;a class="external-link" href="http://cis-india.org/openness/blog/cis-a2k-kiit-university-kaling-institute-of-social-sciences-mou"&gt;KIIT University and Kalinga Institute of Social Sciences&lt;/a&gt; for furthering the growth of Indian languages on Wikipedia. CIS is working with Privacy International on the Surveillance and Freedom: Global Understandings and Rights Development (SAFEGUARD) project and as part of the work &lt;a class="external-link" href="http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-open-call-for-comments"&gt;drafted the Privacy Protection Bill&lt;/a&gt;. CIS hosted the second Institute on Internet and Society at Pune from February 11 to 17, 2014. The &lt;a class="external-link" href="http://cis-india.org/telecom/knowledge-repository-on-internet-access"&gt;Knowledge Repository&lt;/a&gt; was compiled and presented to the participants.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/annual-report-2013-14.pdf" class="external-link"&gt;&lt;strong&gt;Download Annual Report (2013-14)&lt;/strong&gt;&lt;/a&gt; (PDF, 1.3 Mb)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/internet-governance/blog/FINANCIAL%20STATEMENTS%20OF%202013-14.pdf" class="external-link"&gt;&lt;strong&gt;Download Audit Report&lt;/strong&gt;&lt;/a&gt; &lt;strong&gt;(2013-14)&lt;/strong&gt; (PDF, 7174 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2012-13&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;CIS is working on two projects: Creating a National Kit of Laws, Policies and Programmes for Persons with Disabilities and Developing an open source screen reading software solution “NVDA” to handle Indian languages and text-to-speech software in 15 Indian languages with the Hans Foundation. CIS published a report on &lt;a href="https://cis-india.org/accessibility/accessibility-of-govt-websites-in-india"&gt;Accessibility of Government Websites in India&lt;/a&gt; with the Hans Foundation and the &lt;a href="https://cis-india.org/a2k/consumers-international-ip-watchlist-report-2012"&gt;Consumers International IP Watchlist 2012 — India Report&lt;/a&gt; with Consumers International. Wikimedia Foundation &lt;a href="https://cis-india.org/a2k/access-to-knowledge-program-plan"&gt;awarded&lt;/a&gt; a two-year grant to support and develop free knowledge in India and consequently, CIS got a new office in Delhi. Pranesh Prakash's &lt;a href="https://cis-india.org/about/internet-governance/blog/analysing-blocked-sites-riots-communalism"&gt;preliminary analysis&lt;/a&gt; on blocked websites was featured in leading publications like Wall Street Journal, Hindu, Outlook, etc., and as part of the Google Policy Fellowship, brought out a report on &lt;a href="https://cis-india.org/about/internet-governance/chilling-effects-on-free-expression-on-internet"&gt;Intermediary Liability in India&lt;/a&gt;, and initiated a project on &lt;a href="http://www.internet-institute.in/"&gt;The Internet Institute&lt;/a&gt; with the Ford Foundation.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/internet-governance/blog/annual-report-2012-13.pdf" class="external-link"&gt;&lt;strong&gt;Download Annual Report (2012-13)&lt;/strong&gt;&lt;/a&gt; (PDF, 2211 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/audit-report-2012-13.pdf" class="external-link"&gt;&lt;strong&gt;Download Audit Report (2012-13)&lt;/strong&gt;&lt;/a&gt; (PDF, 2813 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2011-12&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;CIS published a new improved edition of the &lt;a href="https://cis-india.org/accessibility/web-accessibility-policy-making-an-international-perspective"&gt;Web Accessibility Policy Making: An International Perspective&lt;/a&gt; with G3ict and Hans Foundation, prepared a report on &lt;a href="https://cis-india.org/accessibility/making-mobile-phones-accessible"&gt;Making Mobile Phones and Services Accessible for Persons with Disabilities&lt;/a&gt; with ITU and G3ict, negotiated meetings at WIPO and with the Third World Network conducted an &lt;a href="https://cis-india.org/a2k/blog/cis-analysis-july2011-treaty-print-disabilities"&gt;Analysis of WIPO Treaty for the Print Disabled&lt;/a&gt;, published a report on the state of &lt;a href="https://cis-india.org/openness/front-page/blog/open-government-data-study"&gt;Open Government Data in India&lt;/a&gt; with the Transparency &amp;amp; Accountability Initiative, published outputs on &lt;a href="https://cis-india.org/internet-governance/front-page/blog/privacy/safeguards-for-electronic-privacy"&gt;IT Act&lt;/a&gt;, &lt;a href="https://cis-india.org/internet-governance/front-page/blog/privacy/limits-to-privacy"&gt;Limitations&lt;/a&gt;, &lt;a href="https://cis-india.org/internet-governance/front-page/blog/privacy/copyright-enforcement"&gt;Copyright&lt;/a&gt;, &lt;a href="https://cis-india.org/internet-governance/front-page/ip-addresses-and-identity-disclosures"&gt;Internet Protocol&lt;/a&gt;, &lt;a href="https://cis-india.org/internet-governance/front-page/blog/privacy/privacy-media-law"&gt;Media&lt;/a&gt;, &lt;a href="https://cis-india.org/internet-governance/front-page/privacy-sexual-minorities"&gt;Sexual Minorities&lt;/a&gt;, and &lt;a href="https://cis-india.org/internet-governance/front-page/blog/privacy/privacy-uiddevaprasad"&gt;UID&lt;/a&gt; with Privacy International, UK and Society in Action Group, Gurgaon, produced a report titled &lt;a 
href="https://cis-india.org/internet-governance/intermediary-liability-in-india"&gt;Intermediary Liability in India: Chilling Effects on Free Expression on the Internet 2011&lt;/a&gt; with Google and released five monographs: &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/archives-and-access/archives-and-access"&gt;Archives and Access&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/law-video-technology/law-video-and-technology"&gt;Porn: Law, Video &amp;amp; Technology&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/the-last-cultural-mile/the-last-cultural-mile-blog"&gt;The Last Cultural Mile&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/rewiring-bodies/rewiring-bodies-blog"&gt;Re:Wiring Bodies&lt;/a&gt; and &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/internet-society-and-space-in-indian-cities/internet-society-and-space-in-indian-cities-blog"&gt;Internet, Society and Space in Indian Cities.&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/annual-report-2011-2012.pdf" class="external-link"&gt;&lt;strong&gt;Download Annual Report (2011-12)&lt;/strong&gt;&lt;/a&gt; (PDF, 1956 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/audit-report-2011-12.pdf" class="external-link"&gt;&lt;strong&gt;Download Audit Report (2011-12)&lt;/strong&gt;&lt;/a&gt; (PDF, 21,313 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2010-11&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;CIS distributed five monographs titled &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/rewiring-bodies/rewiring-bodies-blog" class="external-link"&gt;Re: Wiring Bodies&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/law-video-technology/law-video-and-technology" class="external-link"&gt;Pornography and the Law&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/archives-and-access/archives-and-access" class="external-link"&gt;Archive and Access&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/the-last-cultural-mile/the-last-cultural-mile-blog" class="external-link"&gt;The Last Cultural Mile&lt;/a&gt; and &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/internet-society-and-space-in-indian-cities/internet-society-and-space-in-indian-cities-blog" class="external-link"&gt;Internet, Society and Space in Indian Cities&lt;/a&gt; for peer review, published a &lt;a href="https://cis-india.org/digital-natives/front-page/blog/position-papers" class="external-link"&gt;Position Paper&lt;/a&gt; in collaboration with Hivos and organised workshops on Digital Natives with a Cause in &lt;a href="https://cis-india.org/digital-natives/blog/talking-back" class="external-link"&gt;Taipei&lt;/a&gt;, &lt;a href="https://cis-india.org/digital-natives/blog/my-bubble-my-space-my-voice-workshop-perspective-and-future" class="external-link"&gt;Johannesburg&lt;/a&gt;, and &lt;a href="https://cis-india.org/digital-natives/blog/santiago-workshop-an-after-thought" class="external-link"&gt;Santiago&lt;/a&gt;, the &lt;a href="https://cis-india.org/accessibility/front-page/blog/e-accessibility-handbook" class="external-link"&gt;e-Accessibility Policy Handbook for Persons with Disabilities&lt;/a&gt; with G3ict and ITU, a report on &lt;a href="https://cis-india.org/openness/front-page/blog/open-government-data-study" 
class="external-link"&gt;Open Government Data&lt;/a&gt; with Transparency &amp;amp; Accountability Initiative, a report on &lt;a href="https://cis-india.org/openness/front-page/online-video-environment-in-india" class="external-link"&gt;Online Video Environment in India&lt;/a&gt; with iCommons and Open Video Alliance and two workshops on Privacy Matters in &lt;a href="https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary" class="external-link"&gt;Kolkata&lt;/a&gt; and &lt;a href="https://cis-india.org/internet-governance/blog/privacy/privacy-conferencebanglaore" class="external-link"&gt;Bangalore&lt;/a&gt; in partnership with Privacy India and Society in Action Group.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/about/reports/annual-report-2010-2011.pdf" class="external-link"&gt;&lt;strong&gt;Download Annual Report (2010-11)&lt;/strong&gt;&lt;/a&gt; (PDF, 1872 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/internet-governance/blog/audit-report-2010-11.pdf" class="external-link"&gt;&lt;strong&gt;Download Audit Report (2010-11)&lt;/strong&gt;&lt;/a&gt; (PDF, 14823 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2009-10&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;CIS and the Institute of Network Cultures entered into a collaboration to produce a &lt;a href="https://cis-india.org/openness/research/conferences/conference-blogs/wikipedia-reader" class="external-link"&gt;Reader on the Wikipedia&lt;/a&gt;, in partnership with Hivos published a report, &lt;a href="https://cis-india.org/digital-natives/front-page/blog/digital-natives-with-a-cause-a-report" class="external-link"&gt;Digital Natives with a Cause?&lt;/a&gt;, entered into research collaborations with the Centre for Study of Culture and Society for the Networked Higher Education Initiative, taught courses at Centre for Media and Cultural Studies, the Tata Institute of Social Sciences, Mumbai, Women’s Studies Centre, Pune University, Christ University, Bangalore, Mudra Institute of Communications, Ahmedabad, Shanghai University and the New Media Lab, Jadavpur University, co-organised a nationwide Right to Read Campaign in &lt;a href="https://cis-india.org/accessibility/blog/right-to-read-campaign-chennai" class="external-link"&gt;Chennai&lt;/a&gt;, &lt;a href="https://cis-india.org/accessibility/blog/right-to-read-campaign-kolkata" class="external-link"&gt;Kolkata&lt;/a&gt;, &lt;a href="https://cis-india.org/accessibility/blog/right-to-read-campaign" class="external-link"&gt;Delhi&lt;/a&gt; and &lt;a href="https://cis-india.org/accessibility/blog/mumbai-phase-of-right-to-read-campaign" class="external-link"&gt;Mumbai&lt;/a&gt;, prepared the India Country Report for Consumers International and organised the Maps for Making Change workshops in Delhi and Ahmedabad.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://cis-india.org/accessibility/annual-report-2009.pdf" class="external-link"&gt;Download Annual Report for 2009-10&lt;/a&gt;&lt;/strong&gt; (PDF, 1952 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://cis-india.org/accessibility/audit-report-for-2009-10.pdf" class="external-link"&gt;Download Audit Report for 2009-10&lt;/a&gt; &lt;/strong&gt;(PDF, 9.5 Mb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;h3&gt;Centre for Internet &amp;amp; Society Annual Report 2008-09&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;CIS drafted a policy on web accessibility for the National Informatics Centre, worked on a comparative study of major international web and ATM accessibility policies for the Ministry of Communication and Information Technology, worked with the Council for Scientific and Industrial Research to formulate recommendations to make research publications open access, entered into partnership with LexUM for the Free Access to Law project and signed contracts with researchers for producing monographs on &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/rewiring-bodies/rewiring-bodies-blog" class="external-link"&gt;Re: Wiring Bodies&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/archives-and-access/archives-and-access" class="external-link"&gt;Archive and Access&lt;/a&gt;, &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/law-video-technology/law-video-and-technology" class="external-link"&gt;Pornography and the Law&lt;/a&gt;, and &lt;a href="https://cis-india.org/raw/histories-of-the-internet/blogs/the-last-cultural-mile/the-last-cultural-mile-blog" class="external-link"&gt;The Last Cultural Mile&lt;/a&gt;.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://cis-india.org/accessibility/annual-report-2008.pdf" class="external-link"&gt;Download Annual Report (2008-09)&lt;/a&gt;&lt;/strong&gt; (PDF, 561 Kb)&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cis-india.org/accessibility/audit-report-2008-09.pdf" class="external-link"&gt;&lt;strong&gt;Download Audit Report (2008-09)&lt;/strong&gt;&lt;/a&gt; (PDF, 7.05 Mb)&lt;/li&gt;
&lt;/ul&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/about/reports/annual-reports'&gt;https://cis-india.org/about/reports/annual-reports&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2025-12-29T14:02:33Z</dc:date>
   <dc:type>Page</dc:type>
   </item>




</rdf:RDF>
