Centre for Internet and Society

Raina Roy and Abhiraj Bag - Kolkata’s trans community has been locked out of healthcare and livelihood

Raina Roy and Abhiraj Bag — 2020-08-01T14:54:16Z

Over six months into the outbreak of Covid-19 in India, it has become clear that the pandemic does not affect everybody equally. It has amplified the sufferings of the already-marginalised trans community. Raina Roy spoke to 10 trans persons and trans rights activists in Kolkata over the course of the past few months to better understand the situation. The piece was transcribed by Abhiraj Bag and edited by Kaarika Das and Srravya C, researchers at the Centre for Internet and Society, India. This work is part of a project at CIS on gender, welfare and surveillance, supported by Privacy International, United Kingdom.

Originally published by Scroll on July 28, 2020.

Raina is a founder of Samabhabona (Baishamya Durikaran Samiti), a trans-led organisation in Kolkata working with trans rights since 2013. Abhiraj is a trans rights activist based in Kolkata.

Several members of our community have lost their livelihoods due to the lockdown and remain unemployed for over three months now. Those engaged in sex work and begging have no respite in sight for the foreseeable future. As a community, we are more likely to be unemployed as traditional employment opportunities are inaccessible to us. Our health concerns are also diverse, as we grapple with gender dysphoria alongside other psychosocial issues. Covid-19 has exacerbated these inequalities and effectively locked us out of livelihood as well as healthcare.

An alienating system

When it comes to accessing institutional healthcare, visiting hospitals can be a daunting ordeal for trans men and trans women, as we frequently encounter discrimination and stigmatisation from healthcare providers.

Even in emergency cases such as accidents, medical attention is delayed due to confusion whether the patient should be admitted to the male or female ward. Finding compassionate healthcare providers is difficult, especially in government hospitals. Most often, they are not sensitised to trans-health issues.

Such experiences have alienated us from the healthcare system and left several members of the trans community reluctant to seek medical help.

Access to general healthcare has further worsened with Covid-19, as many are unable to seek emergency medical assistance. With no sustainable source of income and deteriorating health condition, elderly trans persons are hit with a double whammy. Despite their failing health, there is presently no provision for routine health check-up which they can avail. The reluctance to consult a healthcare service provider has increased due to the added risk of infection.

SRS services are city-centric

Many in the community had scheduled their sex reassignment surgery or SRS and started taking the necessary hormonal medication. However, because of Covid-19, they have now had to postpone their surgery indefinitely. This uncertainty further aggravated distress together with issues of hormonal imbalance. Due to loss of income, many are resorting to alternative cheap hormonal medication and without proper medical supervision, its consequence could be harmful.

Those who have undergone SRS or are currently on hormone replacement therapy often experience side effects such as rise in blood pressure and blood sugar levels, urinary tract infection, and other immunity-compromising problems. To treat these side-effects, a patient may need to consult an endocrinologist, gynaecologist or urologist. However, such specialists are only available at district hospitals. At the sub-district level, we may be able to consult a gynaecologist at best. An endocrinologist or urologist would be available only if we travelled to the district hospitals or medical college hospitals.

A lockdown spanning over three months, restrictions on travel and closure of public transport have made the city-centric, SRS-related healthcare systems inaccessible to the transgender persons in smaller towns and villages. Pre-Covid-19, a few NGOs and community-based organisations provided sexual health services. However, they were unable to continue their services during the lockdown. This has adversely impacted the trans community’s access to sexual health services.

So far, two trans women have been tested positive for Covid-19 in Kolkata. Thanks to the intervention from activists and other allies, they were quarantined in the female ward when they tested positive. Both were asymptomatic and are presently self-isolating at home. Within the trans community, there is inadequate awareness about Covid-19 testing protocols and procedures. The saving grace has been the dedicated provisioning of ten beds at the MR Bangur Hospital, specifically reserved for transgender persons.

Community care

The most hard-hitting impact of Covid-19 is undoubtedly on the mental health of our community. Often faced with social stigma and physical abuse, we take refuge in the comfort of each other’s support. In the absence of familial ties, community support is vital for our well-being. However, Covid-19 and the consequent lockdown measures, has distanced us from our only source of support and solace – community interaction and meet-ups.

Although digitally mediated communication has somewhat helped in coping, it is not as effective or cathartic as an in-person conversation. This has increased the susceptibility of substance abuse in the community. Parallelly, there has been a considerable rise in domestic violence cases too. Even under normal circumstances, we are more likely to encounter intimate partner violence, but are skeptical to seek redressal as the law-enforcing institutions – both judiciary and the police – are biased against us.

At hospitals, the constant misgendering that we face at the hands of healthcare professionals can be traumatising. Aparna Banerjee, a trans-person in Kolkata, said that this trauma has only worsened during Covid-19, when frontline healthcare workers are not sensitised about trans health. To escape this trauma, some trans women have resorted to unscientific castration, leading to urinary tract infection and kidney-related problems. Gender dysphoria also puts the trans community at a higher risk of anxiety, depression, self-harm and suicidal tendencies.

The political milieu

Such strains on our mental and physical health come at a time when we are already distressed by the thought of being disenfranchised. The latest National Register of Citizens list in Assam had excluded many trans persons, as they couldn’t establish family ties, for being disowned by their families. And if they were included, their gender was incorrectly stated.

With the 2019 Transgender Person Act coming into force, a District Magistrate is given the authority to recognise a person as trans. This defies the right to self-identify, as upheld in the 2014 NALSA judgement. The current provision also necessitates providing proof of surgery and has no consideration for gender incongruence. The burden of providing proof of surgery is unnerving, especially for someone who has just transitioned.

As such, the cumulative impact of the 2019 Transgender Person Act and the Citizenship Amendment Act-National Register of Citizen mandate could lead to a significant part of the community being disenfranchised. In resisting this coercive pronouncement, we staged a protest in Kolkata earlier this year.

What can be done

The health and well-being of the trans community has suffered decades of institutional neglect and the Covid-19 pandemic has intensified this suffering. Remedial policy measures have been long due and cannot be delayed any further. Shelter homes have been one of our long-standing demands, to ensure safety and care for the transgender community, particularly the elderly. It is important that such shelter homes are democratic spaces, and not religious centres, that are welcoming of trans persons from different walks of life.

Secondly, healthcare systems, both public and private, need to be more trans-friendly – doctors, nurses and other staff in hospitals and healthcare centres need to be sensitised and trained to identify and understand the healthcare needs of transmen and transwomen. Recruitment of more transgender people as health workers would go a long way in treating transgender patients more humanely, with support and care.

Measures to contain the spread of the pandemic should include increased testing of transgender persons, and tracking the testing and infection rates among trans persons. Relief measures aimed at addressing the economic crisis need to acknowledge the loss of livelihood in the trans community and provide adequate financial support and compensation. Finally, it is important that governments, both at the centre- and state-level, pay heed to our demands and include representatives from the trans community while formulating policies that impact our lives in significant ways.

For more details visit https://cis-india.org/raw/raina-roy-abhiraj-bag-transgender-community-kolkata-covid19-healthcare-livelihood

Q&A to the Report of the Group of Experts on Privacy

elonnai — 2012-11-09T10:20:48Z

In January 2012 Justice A.P. Shah formed a committee consisting of a group of experts to contribute to and create a report of recommendations for a privacy legislation in India. The committee met a total of seven times from January to September 2012. The Centre for Internet and Society (CIS) was a member of the committee creating the report. This blog post is CIS’s attempt to answer questions that have arisen from media coverage on the report, based on our understanding.

Executive Summary

The executive summary explains how the need for a horizontal privacy legislation that recognizes the right to privacy has come about in India in light of projects and practices such as the UID, NATGRID, and the changing nature of business and technology. The executive summary highlights the committee’s recommendations of what should be considered by legislatures while enacting a privacy legislation in India.

Q: What are the salient features of the committee’s recommendations?

A: In its report the committee recommended that any privacy legislation passed should:

Be technologically neutral and interoperable with international standards to ensure that the regulation can adapt to changing technology, and that business will be promoted.
Recognize the multiple dimensions of privacy including physical and informational privacy.
Apply to all data controllers both in the private sector and the public sector to ensure that businesses and governments are held accountable to protecting privacy.
Establish a set of privacy principles that can be applicable to different practices, policies, projects, departments, and businesses to create a uniform level of privacy protection across all sectors.
Create an enforcement regime of co-regulation, where industry has the choice of developing privacy principles and ensuring compliance at the sectoral level with regular oversight by the Privacy Commissioners.

Chapter 1: Constitutional Basis for Privacy

This chapter summarizes a number of decisions from the Indian Judiciary that demonstrate how the right to privacy in India has been defined on a case to case basis and has been defined as either a fundamental right or a common law right.

Q: What are the contexts of the cases covered?

A: This chapter covers cases that speak to the:

Right to privacy in the context of surveillance by the State
Balancing the ‘right to privacy’ against the ‘right to free speech’
The ‘right to privacy’ of HIV patients
Prior judicial sanctions for tapping telephones
The ‘search and seizure’ powers of revenue authorities

Chapter 2: International Privacy Principles

This chapter summarizes recent developments in privacy laws, international privacy principles, and privacy principles developed by specific countries. This review aided the Committee in forming its recommendations for the report.

Q: Privacy principles from which countries were reviewed by the Committee?

A: The Committee reviewed privacy principles from the following countries and international organizations.

EU Regulations of January 2012
US Consumer Privacy Bill of Rights
OECD Privacy Principles
APEC Privacy Framework
Australia
Canada

Chapter 3: National Privacy Principles, Rationales, and Emerging Issues

This chapter lays out the nine national privacy principles and describes the rationale for each principle along with emerging issues around each principle.

Q: What could the principles apply to?

A: The principles apply to the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information by data controllers. The national privacy principles can also be applied to legislation, projects, practices, and policies to ensure that provisions and requirements are in compliance with the national privacy principles.

Q: Who could be brought under the scope of the principles?

A: The principles are applicable to every data controller in the private sector and the public sector. For example organizations and government departments that determine the purposes and means of processing personal information will be brought under the scope of the principles and will be responsible for carrying out the processing of data in accordance with sectoral privacy standards or the national privacy principles.

Q: How could the National Privacy Principles impact individuals?

A: The principles provide individuals with the right to 1. Receive notice before giving consent stating what personal information is being collected, the purposes for which personal information is being collected, the uses of collected personal information, whether or not personal information will be disclosed to third persons, security safeguards established by the data controller, processes available to data subjects to access and correct personal information, and contact details of privacy officers. 2. Opt in and out of providing personal information 3. Withdraw given consent at any point of time. 4. Access and correct any personal information held by data controllers 5. Allow individuals to issue a complaint with the respective ombudsman, privacy commissioner, or court.

Q: Would the National Privacy Principles be binding for every data controller?

A: Yes, but Self Regulating Organizations at the industry level have the option of developing principles for that specific sector. These principles must be approved by the privacy commissioner and be in compliance with the National Privacy Principles.

Chapter 4: Analysis of Relevant Legislation, Bills, and Interests from a Privacy Perspective

This chapter examines relevant legislation, bills, and interests from a privacy perspective. In doing so the chapter clarifies how the right to privacy should intersect with the right to information and the freedom of expression, and anaylzes current and upcoming legislation to demonstrate what existing provisions in the legislation uphold the privacy principles, what existing provisions are in conflict with the principles, and what provisions are missing to ensure that the legislation is compliant to the extent possible with the principles.

Q: How does the report understand the relationship between the Right to Information and the Right to Privacy?

A: When applied the Privacy Act should not circumscribe the Right to Information Act. Furthermore, RTI recipients should not be considered data controllers and thus should not be brought under the ambit of the privacy principles.

Q: How does the report understand the relationship between the freedom of expression and privacy?

A: Questions about how to balance the right to privacy with the freedom of expression can arise in many circumstances including: the right to be forgotten and data portability, journalistic expression, state secrecy and whistle blowers, and national security. Most often, public interest is the test used to determine if the right to privacy should supersede the freedom of expression or vice versa.

Chapter 5: The Regulatory Framework

This chapter outlines the committee’s recommendations for a regulatory framework for the Privacy Act.

Q: Who are the main actors in the regulatory framework?

A: The report recommends that a regulatory framework be comprised of one privacy commissioner at the central level and four commissioners at the regional level, self regulating organizations (SRO’s) at the industry level, data controllers and privacy officers at the organization level, and courts.

Q: What are the salient features of the regulatory framework?

A: The salient features of the regulatory framework include 1. A framework of co-regulation 2. Complaints 3. Exceptions to the Privacy Act 4. Offenses under the Act

Q: What are exceptions to the right to privacy? Are these blanket exceptions?

A: National security; public order; disclosure of information in public interest; prevention, detection, investigation and prosecution of criminal offences; and protection of the individual or of the rights and freedoms of others are suggested exceptions to the right to privacy. The committee has qualified these exceptions with the statement that before an exception can be made for the following circumstances, the proportionality, legality, and necessity in a democratic state should be used to measure if the exception applies and the extent of the exception. Thus, they are not blanket exceptions to the right to privacy

Historical and scientific research and journalistic purposes were also recommended as additional exceptions to the right to privacy that may be considered. These exceptions will not be subjected to the principles of proportionality, legality, and necessary in a democratic state.

Q: What are the powers and responsibilities of the privacy commissioners?

A: The powers and responsibilities of the Privacy Commissioners are the following:

Responsibilities:

Enforcement of the Act
Broadly oversee interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material.
Evaluate and approve privacy principles developed by SRO’s
Collaborate with stakeholders to endure effective regulation, promote awareness of the Act, and sensitize citizens to privacy considerations

Powers:

Order privacy impact assessments on organisations
Investigate complaints suomotu or based off of complaints from data subjects (summon documents, call and examine witnesses, and take a case to court if necessary )
Fine non-compliant data controllers

Q: How does Co-regulation work?

A: The purpose of establishing a regulatory framework of co-regulation is to ensure that appropriate policies and principles are articulated and enforced for all sectors. If a sector wishes to develop its own privacy standards, the industry level self regulating organization will submit to the privacy commissioner a sub set of self regulatory norms. If these norms are approved by the privacy commissioner the SRO will be responsible for enforcing those norms, but the privacy commissioner will have the power to sanction member data controllers for violating the norms. If a sector does not have an SRO or does not wish to develop its own set of standards, the National Privacy Principles will be binding.

Q: What are data controllers? What are privacy officers? What are ombudsmen?

A: A data controller is any entity that handles or process data. Privacy officers receive and handle complaints at the organizational level and may be appointed as part of a SRO’s privacy requirements for a sector. Ombudsmen are appointed at the SRO level and are also responsible for receiving and handling complaints. The objective of having ombudsman and privacy officers is to reduce the burden of handling complaints on the commissioner and the courts.

Q: When can an individual issue a complaint? Which body should individuals issue complaints to?

A: An individual can issue a complaint at any point of time when they feel that their personal information has not been handled by a data controller according to the principles, or that a data controller is not in compliance with the Act. When applicable complaints are encouraged to be issued first to the organization. If the complaint is not resolved, the individual can take the complaint to the SRO or privacy commissioner. The individual also has the option of taking a complaint straight to the courts. When a complaint is received by the commissioner, the commissioner may fine the data controller if it is found to be non-compliant. Data controllers cannot appeal fines issued by the commissioner, but they can appeal the initial decision of non-compliance.

Q: Can an individual receive compensation for a violation of privacy:

A: Yes. Individuals who suffer damages caused by non-compliance with the principles or any obligation under the Act can receive compensation, but the compensation must be issued by the courts and cannot be issued by a privacy commissioner. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.

Q: What offences does the report reccomend?

A: The following constitutes as an offence under the Act:

Non-compliance with the privacy principles
Unlawful collection, processing, sharing/disclosure, access, and use of personal data
Obstruction of commissioner
Failure to comply with notification issued by commissioner
- Processing data after receiving a notification
- Failure to appear before commissioner
- Failure to produce documents requested by commissioner
- Sending report to commissioner with false or misleading information

Chapter 6: The Multiple Dimensions of Privacy

This chapter gives examples of practices that impact privacy in India which the national privacy principles could be applied to. These include interception/access, the use of electronic recording devices, the use of personal identifiers, and the use of bodily and genetic material. The current state of each practice in India is described, and the inconsistencies and gaps in the regimes are highlighted. Each section also provides recommendations of which privacy principles need to be addressed and strengthened in each practice, and how the privacy principles would be affected by each practice.

Q: Does the report give specific recommendations as to how each practice should be amended to incorporate the National Privacy Principles?

A: No. Each section explains the current state of the practice in India, gaps and inconsistencies with the current practice, and recommends broadly what principles need to be addressed and strengthened in the regime, and how the National Privacy Principles may be affected by the practice.

Summary of Recommendations

This chapter consolidates and clarifies all of the Committee’s recommendations for a Privacy Act in India.

Q: Are the recommendations in this chapter different from chapters above?

A: No. The recommendations in this chapter reflect the recommendations made earlier. This chapter does clarify the recommended scope and objectives of the Privacy Act including:

The Act should define and harmonize with existing laws in force.
The Act should extend the right of privacy to all individuals in India and all data processed by any company or equipment locating in India, and all data that originated in India.
The Act should clarify that the publication of personal data for artistic and journalistic purposes in public interest, the use of personal information for household purposes, and the disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.
The Act should not require a ‘reasonable expectation’ of privacy to be present for the right to be evoked.
If any other legislation provides more extensive protections than those set out by the Privacy Act, than the more extensive protections should apply.

Report of the Group of Experts on Privacy [PDF, 1270 Kb]

For more details visit https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy

Pushing the Boundaries in Open Governance: Insights from OGP Asia Pacific Regional Conference in Bali, Indonesia (Day 1)

praskrishna — 2014-05-27T11:16:06Z

Sunil Abraham is quoted. He said that open governance is more about citizens checking on what government leaders are doing than on government coding its citizens to exercise surveillance.

This post originally appeared on the Open Data Research Network and has been republished with permission from the author. For the republished post on OGP website, see here.

The plenary room of Bali Nusa Dua Convention Center was jam-packed at 845 in the morning, with representatives from different countries in the Asia-Pacific region and all over the globe joining the first regional conference on open data hosted by the Government of Indonesia. The conference stage backdrop depicts a million colourful cranes moving in one direction towards the OGP logo, perhaps signalling an unprecedented wave of aspirations, commitments, plans, and actions towards a more ‘open’ governance within the region. Then a few minutes later, President Yudhoyono arrived and the two-day gathering (6-7 May 2014) of roughly 500 people started.

The program was impressive. It tried to cater to the different voices of what ideally should make an open government community – government leaders, journalists, right-to-information activists, business representatives, academia, researchers, civil-society groups, funding agencies, programmers, among others. The over-arching theme of the conference “Unlocking Innovative Openness: Impetus to Greater Citizen Engagement” speaks to both the supply side and the demand side of open data where governments can make openness more innovative to which citizens can proactively engage. The people in attendance reflected this multi-dimensionality and the kind of discussions on open governance that happened in Day 1 reflects the several, differentiated, yet somehow united view and interests of the many people that were there.

The first day of the conference brings me to four main realisations, prompted by the excellent presentations of the speakers and the lively discussion at the break-out session that I attended.

Openness is not an option but an imperative. Aruna Roy, founder of Mazdoor Kisan Shakti Sangathanaof India, and considered one of the most influential thinkers of this decade put it more vividly using her organization’s slogan – “right to know, right to live”. While bureaucrats, like Minister Francis Maude of the UK argued that openness improve transparency, enhance public service, and stimulate growth, civil society groups claimed that openness is not something the government can do, but must do, to benefit right holders by ensuring that they are not only aware of what the government is doing but by ensuring that government leaders, to whom citizens entrust sovereignty, execute the will of the governed.
Open governance is about relations, about people, not just about technology, transparency, or data provision. Ms. Nwe Zin Win, of Myanmar National NGOs Network emphasized that as Myanmar moves towards Open Government Partnership (OGP) membership, the process should create a space for civil society groups to proactively participate. In his remarks, Director General Yoon Soon-Gu of the Republic of Korea emphasized that when his government embarked on the process of crafting Gov 3.0 as a development agenda, with the end-goal of making Koreans live a happy life, citizen consultations were conducted all across government to ensure that this plan is responsive and relevant and reflects the people’s aspirations. Anne Jellema, CEO of World Wide Web Foundation highlighted the fact that open governance is not only good for vertical accountability (government-governed) but also about horizontal accountability (agencies within the same government) and ensures that systems are working with government – judiciary, legislative, audit, executing agencies – for the common good. Open governance then, is about building that relationship of trust between government and citizens, between business and government, and between agencies in the government.
Open government has many challenges, but these are not insurmountable. Malou Mangahas of the Philippine Center for Investigative Journalism emphasized five “I”s in her plenary speech that she said are the main challenges to the open government story in the Philippines and in the region – implementation, inclusiveness, information, institutionalisation, and interconnectedness. In the area of inclusiveness, one of the challenges is on how to ensure that people can participate in a context when there is a large digital divide, where internet penetration is low, and broadband speed is slow to a crawl. Mr. Samadhi of the Government of Indonesia emphasized that there are many examples in his country where government information is translated to accessible formats by infomediaries so that citizens without internet connection became aware, informed, and knowledgeable. In one of the coffee breaks, Redempto Parafina of the Affiliated Network for Social Accountability in East Asia and the Pacific shared to me that non-government organizations, concerned individuals, and universities translate information in the CheckmySchool portal to information materials for distribution and use by communities without internet.
Open governance narrative should focus on making governments more responsive and accountable. President Yudhoyono uses Facebook and Twitter, apart from the traditional media as text and snail mail, to listen to the demands of his constituents. The Government of New Zealand, according to Minister Peter Dunne, sets goals on basic public services as health, education, and employment and demands regular public reporting on these goals; reports that can be accessed and challenged by the people to whom the services are intended. Sunil Abraham of the Centre for Internet and Society argued that open governance should not veer away from this narrative. He made an example regarding India’s Unique Identification System, where the implementation is couched within the open data narrative. He believed that open governance is more about citizens checking on what government leaders are doing than on government coding its citizens to exercise surveillance.

It was a productive day. I am thankful that I was afforded the opportunity to attend the conference. One message that profoundly affected me was Aruna Roy’s exhortation at the end of her presentation – that we should make truth powerful, and that we should make power truthful.

For more details visit https://cis-india.org/news/open-government-partnership-michael-canares-may-6-2014-pushing-the-boundaries-in-open-governance

Public Interest Litigation for Protection of Indian Internet Data, Action Against Foreign Internet Providers

praskrishna — 2013-07-15T04:19:26Z

For more details visit https://cis-india.org/internet-governance/blog/pil.pdf

Proposed Intermediary Liability Rules threat to privacy and free speech, global coalition tells MeitY

Zaheer Merchant — 2019-03-20T15:56:51Z

“We respectfully call on you to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules in December. As published, the draft amendments would erode digital security and undermine the exercise of human rights globally.”

The blog post by Zaheer Merchant was published by Medianama on March 18, 2019.

A global coalition of 31 civil society organizations and technology experts has called on MeitY to reconsider the proposed amendments to the Intermediary Liability Rules, terming them a threat to privacy and free speech. In a letter to the ministry dated March 15, the coalition said that the proposed amendments “would harm fundamental rights and the space for a free internet, without necessarily addressing the problems that the ministry aims to resolve.” Some of the signatories are Centre for Internet and Society, SFLC.in, Internet Freedom Foundation, Government Accountability Project and Human Rights Watch, among others (A copy of the letter is attached at the bottom). The letter breaks down its reasons for opposing the proposed amendments:

1. Traceability would undermine security, lead to surveillance

Under the proposed guidelines, intermediaries would have to ensure ‘traceability’ of messages by providing information related to its originator and receivers. This, the letter argues, would force intermediaries to undermine the security of of their platforms and create a surveillance regime. “Undermining security features to ensure traceability would affect all users of that platform, not just those that are the subjects of the information request,” the letter reads. “… such wide and ambiguous powers… on interception of communications would directly harm the fundamental right to privacy of Indians and facilitate unchecked surveillance.”

2. Data retention antithetical to privacy, must go

The letter also states that the data retention mandate included in the draft guidelines is antithetical to privacy. The guidelines state that intermediaries must preserve content requested by law enforcement for 180 days or longer. This open-ended data retention, the letter argues, contradicts the principle of ‘Storage Limitation’ recommended by the Srikrishna Committee. “Provisions regarding storage limitation and data retention must not be included within the fold of the Intermediary Guidelines, and should be subject to parliamentary law-making,” the letter reads.

3. Proactive monitoring contradicts SC’s Shreya Singhal judgment, would result in censorship

The letter also criticizes the requirement that intermediaries proactively monitor and automatically delete ‘unlawful content’. “[This] would directly conflict with the legal standard laid down by the Supreme Court of India in the Shreya Singhal judgment, which holds that intermediaries should only be legally compelled to take down content on the basis of court orders or legally empowered government agencies,” the letter reads. It could also cause intermediaries to err in favor of takedowns, resulting in unnecessary censorship.

“With the upcoming General Elections in India and the imposition of the Model Code of Conduct on new policy decisions in place, we urge the government to not push through these amended regulations given their impact on fundamental rights and secure communications,” the letter concludes.

The proposed amendments to Intermediary Liability Rules

Released at the end of December 2018, the proposed amendments to the Intermediary Guidelines would modify guidelines under the Information Technology Act concerning intermediaries, ostensibly to prevent misuse of social media platforms and check the spread of fake news. Under India’s Information Technology Act, any entity, person or platform that receives, stores, processes, or transmits electronic information on behalf of another is considered an intermediary. These include social media platforms, cloud services, internet service providers, email service providers and more. For an intermediary to avoid liability for its users’ actions, it must comply with the proposed guidelines which are being amended to the following:

Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
Platforms with more than 50 lakh users are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]

For more details visit https://cis-india.org/internet-governance/news/medianama-march-18-2019-zaheer-merchant-proposed-intermediary-liability-rules-threat-privacy-and-free-speech

Privacy, speech at stake in cyberspace

praskrishna — 2012-02-03T11:27:58Z

Internet censorship is becoming a trend, with many countries around the world filtering the Web in varying degrees, writes Leslie D’Monte in Livemint on February 3, 2012.

Privacy and freedom of expression are gradually being compromised in cyberspace, say advocacy groups, with social networking sites and Internet companies buckling under pressure from governments to monitor and block “objectionable” content.

Take the case of Twitter Inc., which on 26 January posted on its official blog that “...starting today, we give ourselves the ability to reactively withhold content from users in a specific country—while keeping it available in the rest of the world”. While Twitter reasoned that as it continues to grow internationally, it will have to deal with “countries that have different ideas about the contours of freedom of expression”, activists and bloggers cautioned that the new censorship policies could muffle online freedom.

“The decision of Twitter to censor its content based on the political masters’ wishes in each country is an indication that commercial interests are always higher than democratic interests for these companies. The move of the Indian government to arm-twist the major intermediaries is, therefore, expected to succeed in due course once the initial resistance wears off,” cautioned Na. Vijayashankar, a Bangalore-based e-business consultant and founder secretary of the Cyber Society of India.

In December, minister for communications and information technology (IT) Kapil Sibal said in New Delhi that the Centre had no option but to “evolve guidelines” to ensure that “blasphemous content on the Internet or television is not allowed”, since Internet and social networking sites such as Google Inc., Microsoft Corp., Twitter, Yahoo Inc., and Facebook Inc. failed “to respond to and cooperate with” the government’s request to keep “objectionable” content off their sites.

A few days later, Sibal clarified that “...this government (of the United Progressive Alliance) does not believe in censorship”. And in an interview to Mint on 1 February, Gulshan Rai—head of the elite Indian Computer Emergency Response Team and coordinator of a committee on cyberlaw—said, inter alia, “We value the freedom of speech. We do not interfere there.”

Internet censorship is a rising trend, with approximately 40 countries filtering the Web in varying degrees, including democratic and non-democratic governments. YouTube and Gmail (both from Google), BlackBerry maker Research In Motion Ltd, WikiLeaks, Twitter and Facebook have all been censored, at different times, in China, Iran, Egypt and other countries.

“The clampdown on online free speech and the roll-out of a multi-tiered blanket surveillance regime via the draconian IT Act and its associated rules in India is part of a global trend,” said Sunil Abraham, executive director of the Centre for Internet and Society. “Big brother tendencies with the government have found common cause with powerful rights-holders, who are keen to crack down on intellectual property rights infringements. This, combined with the dramatic growth of the surveillance industry, has resulted in civil liberties being undermined across the world for a variety of pretexts ranging from child porn, obscenity, hate speech, organized crime, terrorism and piracy.”

Transparency Report website—which logs content removal requests it receives from governments—the Internet company received 67 requests from the Indian government for the removal of 282 content items (such as videos critical of politicians) from YouTube and blogs during July-December 2010. Google said it complied with 22% of the requests. For the January-June 2011 (latest data available) period, Google received 68 content removal requests for 358 items from Indian government agencies. Google complied in 51% cases.

Entangling the user

Even as they face pressure from governments, companies such as Google and Facebook are tweaking their policies to allow for sharing of user data across multiple product offerings. They claim it will give their users a more “intuitive” experience, but advocacy groups say the policies are being altered to give advertisers more bang for the buck at the expense of user privacy.

Google, for instance, is making changes to its privacy policies and terms of service, which take effect from 1 March. “Regulators globally have been calling for shorter, simpler privacy policies—and having one policy covering many different products is now fairly standard across the Web,” said Alma Whitten, Google’s director of privacy, product and engineering, on the official company blog. Google has begun notifying users of these changes since 24 January.

For example, a search for restaurants in Mumbai may throw up Google+ posts or photos that people have shared with other users, or that are in their albums. Usability can be enhanced, for instance, by allowing memos from Google Docs to be read in Gmail, or adding a Gmail contact to a meeting in Google Calendar. Google, according to Whitten, does not sell personal information nor share it externally without permission “except in very limited circumstances like a valid court order”.

Facebook, on its part, introduced its “Timeline” feature in December, which digs up a user’s past and displays it, but does not allow opting out of the service. The feature is being introduced for all 800 million users, around 40 million of whom are in India. Those not accustomed to checking their privacy settings will have a hard time going through the hundreds of messages they’ve posted over the last few years (Facebook was founded in 2004).

The Electronic Privacy Information Center said the launch of Timeline forces more privacy setting changes on Facebook users, “which flies in the face of both privacy and a settlement reached between the firm and the US Federal Trade Commission (FTC)”. On 29 November, Facebook agreed to an FTC order that bars it from “deceiving” consumers about privacy practices and requires it to submit to monitoring for 20 years.

“Privacy is certainly a very serious concern for Internet users. Some of the big brands like Facebook and Google simply have access to too much information about the life of their users, and this information could easily be misused by the brand or wilfully by someone else. Our guidance to consumers and clients is that first and foremost, they should be very conscious of these privacy challenges. If we put out any communication on a social network, it is akin to broadcast communication. By default, choose the tightest privacy setting and then gradually loosen up instead of accepting the default privacy setting of Facebook or Google. Don’t give out information like cellphone number, date of birth...or even names of close relations on social networks,” said Hareesh Tibrewala, joint chief executive officer of Social Wavelength, a company that advises clients on social media strategies.

Mahesh Murthy, founder of digital marketing firm Pinstorm, acknowledged that “in reality, there is virtually no privacy online. Governments and companies try to assure apprehensive citizens about privacy, while at the same time doing everything to destroy it in reality”.

He advises marketers to be upfront about their data collection and management policies, and declare them prominently on their online properties. On an individual level, Murthy takes comfort “in the fact that I could just be one of those 3 billion+ Internet users worldwide with my data a small part of the swarm out there that no one might take a special interest in”.

Electronic police state?

India has a history of exerting pressure on companies for access to communications data. According to Cryptohippie Inc., a provider of communication security services, India ranked 26 among the most policed states in the world in 2010—“one in which every surveillance camera recording, every email sent, every Internet site surfed, every post made, every check written, every credit card swipe, every cellphone ping…are all criminal evidence, and all are held in searchable databases”, according to the company that discontinued the report in 2011, stating that “…most people are defending their ignorance; not much good will come from us repeating ourselves”.

Currently, the Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), give the government the power to monitor, intercept and even block online conversations and websites. Moreover, under section 79 of the IT Intermediary (Rules and Guidelines), 2011, intermediaries—telcos, Internet services providers, network services providers, search engines, cyber cafes, Web-hosting companies, online auction portals and online payment sites—are mandated to exercise “due diligence” and advise users not to share/distribute information violative of the law or a person’s privacy and rights. Intermediaries are expected to act on a complaint within 36 hours of receiving it, and remove such content when warranted. In case the intermediary doesn’t find the content objectionable, the matter will have to be contested in a court of law.

“The Indian government can, and should, monitor conversations and websites if it believes the content can harm the security, defence, sovereignty and integrity of the country,” maintained Pavan Duggal, a Supreme Court lawyer and a cyberlaw expert, but wondered how it would go about implementing the task of monitoring conversation on an unstructured Internet. “The intention is good, but the path is not clear,” said Duggal, who envisions a lot of cases being filed against misuse of these laws.

“While the affected party can lodge a complaint with the intermediary, removal has to follow a due process, which should include suitable documentary evidence placed by the party. There should be a process of examination through an ombudsman, a process of arbitration where the request is disputed or a court order as may be required on a case to case basis,” said Vijayashankar of the Cyber Society of India.

The original was published in Livemint on 3 February 2012. Sunil Abraham was quoted in it.

For more details visit https://cis-india.org/news/privacy-speech-at-stake-in-cyberspace-1

Privacy, security and surveillance: tackling international dilemmas and dangers in the digital realm

praskrishna — 2014-12-15T12:56:49Z

Pranesh Prakash was a panelist in the session "Beyond the familiar: how do other countries deal with security and surveillance oversight?" The event was organized by Wilton Park between November 17 and 19, 2014.

Complete details of the programme can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/wilton-park-november-17-19-privacy-security-surveillance

Privacy worries cloud Facebook's WhatsApp Deal

sunil — 2014-03-20T05:59:28Z

Privacy activists in the United States have asked the competition regulator or the Federal Trade Commission to put on hold Facebook's acquisition of WhatsApp. Why have they done this when Facebook has promised to leave WhatsApp untouched as a standalone app?

Read the original published in the Economic Times on March 14, 2014

Activists have five main concerns.

Facebook has a track record of not keeping its promises to users.
The ethos of both companies when it comes to privacy is diametrically opposite.
The probability that WhatsApp messages and content will be intercepted because of Facebook's participation in NSA's PRISM spying programme.
Facebook slurping WhatsApp's large repository of phone numbers.
Two hundred trackers already monitor your internet use when you are not using Facebook and now they tracking mobile use much more granularly. This week the Indian competition regulator (CCI) also told the media that the acquisition would be subject to scrutiny. However, unlike the US regulator the Indian regulator does not have the mandate to examine the acquisition from a privacy perspective.

LIRNEAsia research in Indonesia paints a very similar picture to one we have in India. When Indonesian mobile phone users were asked if they used Facebook they answered in affirmative. Then the very same users were asked if they used the internet and they replied in negative. A large number of Facebook users in these other similar economies are trapped within what are called "walled gardens."

Walled gardens allow mobile phone subscribers without data connections to get access to a single over-the-top service provider like Facebook because their telcom provider has an arrangement. Software such as Facebook on every phone makes it possible for feature phone users to also enter the walled garden.

According to Facebook it "is a fast and easyto-use native app that works on more than 3,000 different types of feature phones from almost every handset manufacturer that exists today."

Unlike North American and European users of Facebook - who freely roam the "world wild web" and then choose to visit Facebook when they want to many Indian users will first experience data services in a domesticated fashion within a walled garden.

Whether or not they will wander in the wild when they are have full access to the internet remains to be seen. But given our poor rates of penetration, dogmatic insistence on network neutrality at this early stage of internet adoption may not be the right way to maximise welfare and consumer interest.

Fortunately for Facebook and unfortunately for us, India still does not have a comprehensive data protection or horizontal privacy law. The Justice AP Shah Committee that was constituted by the Planning Commission in October 2012 recommended that the Privacy Act articulate national privacy principles and establish the office of the Privacy Commissioner. It further recommended that data protection and surveillance be regulated for both the private sector and the state.

Since then the Department of Personnel and Training has updated the draft bill to implement these recommendations and has been working towards consensus within government.

Since we still don't have our own privacy regulator we will have to depend on foreign data protection authorities and privacy commissioners to protect us from the voracious appetite for personal data of over-the-top service providers like Facebook This is woefully insufficient because they will not act on harm caused to Indian consumers or be aware of how Facebook acts differently in the Indian market.

As we approach the first general election in India when social media will play a small but influential role it would have been excellent if we had someone to look out for our right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-march-14-2014-sunil-abraham-privacy-worries-cloud-facebook-whatsapp-deal

Privacy vs. Transparency: An Attempt at Resolving the Dichotomy

sunil — 2015-03-08T06:26:21Z

The right to privacy has been articulated in international law and in some national laws. In a few countries where the constitution does not explicitly guarantee such a right, courts have read the right to privacy into other rights (e.g., the right to life, the right to equal treatment under law and also the right to freedom of speech and expression).

With feedback and inputs from Sumandro Chattapadhyay, Elonnai Hickok, Bhairav Acharya and Geetha Hariharan. I would like to apologize for not providing proper citation to Julian Assange when the first version of this blog entry was published. I would also like to thank Micah Sifry for drawing this failure to his attention. The blog post originally published by Omidyar Network can be read here. Also see http://newint.org/features/2015/01/01/privacy-transparency/

In other countries where privacy is not yet an explicit or implicit right, harm to the individual is mitigated using older confidentiality or secrecy law. After the Snowden affair, the rise of social media and the sharing economy, some corporations and governments would like us to believe that “privacy is dead”. Privacy should not and cannot be dead, because that would mean that security is also dead. This is indeed the most dangerous consequence of total surveillance as it is technically impossible to architect a secure information system without privacy as a precondition. And conversely, it is impossible to guarantee privacy without security as a precondition.

The right to transparency [also known as the right to information or access to information] – while unavailable in international law – is increasingly available in national law. Over the last twenty years this right has become encoded in national laws – and across the world it is being used to hold government accountable and to balance the power asymmetry between states and citizens. Independent and autonomous offices of transparency regulators have been established. Apart from increasing government transparency, corporations are also increasingly required to be transparent as part of generic or industry specific regulation in the public interest. For instance, India’s Companies Act, 2013, requires greater transparency from the private sector. Other areas of human endeavor such as science and development are also becoming increasingly transparent though here it is still left up to self-regulation and there isn’t as much established law. Within science and research more generally, the rise of open data accompanied the growth of the Open Access and citizen science movement.

So the question before us is: Are these two rights – the right to transparency and the right to privacy – compatible? Is it a zero-sum game? Do we have to sacrifice one right to enforce the other? Unfortunately, many privacy and transparency activists think this is the case and this has resulted in some conflict. I suggest that these rights are completely compatible when it comes to addressing the question of power. These rights do not have to be balanced against one another. There is no need to settle for a sub-optimal solution. Rather this is an optimization problem and the solution is as follows: privacy protections must be inversely proportionate to power and as Julian Assange says transparency requirements should be directly proportionate to power.[*]

In most privacy laws, the public interest is an exception to privacy. If public interest is being undermined, then an individual privacy can be infringed upon by the state, by researchers, by the media, etc. And in transparency law, privacy is the exception. If the privacy of an individual can be infringed, transparency is not required unless it is in the public interest. In other words, the “public interest” test allows us to use privacy law and transparency law to address power asymmetries rather than exacerbate them. What constitutes “public interest” is of course left to courts, privacy regulators, and transparency regulators to decide. Like privacy, there are many other exceptions in any given transparency regime including confidentiality and secrecy. Given uneven quality of case law there will be a temptation by the corrupt to conflate exceptions. Here the old common-law principle of “there is no confidence as to the disclosure of iniquity” – which prevents confidentiality law from being used to cover malfeasance or illegality – can be adopted in appropriate jurisdictions.

Around 10 years ago, the transparency movement gave birth to yet another movement – the open government data movement. The tension between privacy and transparency is most clearly seen in the open government data movement. The open government data movement in some parts of the world is dominated by ahistorical and apolitical technologists, and some of them seem intent on reinventing the wheel. In India, ever since the enactment of the Right to Information Act, 2003, 30 transparency activists are either killed, beaten or criminally intimidated every year. This is the statistic from media coverage alone. Many more silently suffer. RTI or transparency is without a doubt one of the most dangerous sectors within civil society that you could choose to work in. In contrast, not a single open data activist has ever been killed, beaten or criminally intimidated. I suspect this is because open data activists do not sufficiently challenge power hierarchies. Let us look a little bit closely at their work cycle. When a traditional transparency activist asks a question, that is usually enough to get them into trouble. When an open data activist publishes an answer [a dataset nicely scrubbed and machine readable, or a visualization, or a tool] they are often frustrated because nobody seems interested in using it. Often even the activist is unclear what the question is. This is because open data activist works where data is available. Open data activists are obsessed with big datasets, which are easier to find at the bottom of the pyramid. They contribute to growing surveillance practices [the nexus between Internet giants, states, and the security establishment] rather that focusing on sousveillance [citizen surveillance of the state, also referred to as citizen undersight or inverse surveillance]. They seem to be obsessed only with tools and technologies, rather than power asymmetries and injustices.

Finally, a case study to make my argument easier to understand – Aadhaar or UID, India’s ambitious centralized biometric identity and authentication management system. There are many serious issues with its centralized topology, proprietary technology, and dependence on biometrics as authentication factors – all of which I have written about in the past. In this article, I will explain how my optimization solution can be applied to the project to make it more effective in addressing its primary problem statement that corruption is a necessary outcome of power asymmetries in India.

In its current avatar – the Aadhaar project hopes to assign biometric-based identities to all citizens. The hope is that, by doing authentication in the last mile, corruption within India’s massive subsidy programmes will be reduced. This, in my view, might marginally reduce retail corruption at the bottom of the pyramid. It will do nothing to address wholesale corruption that occurs as subsidies travel from the top to the bottom of the pyramid. I have advocated over the last two years that we should abandon trying to issue biometric identities to all citizens, thereby making them more transparent to the state. Let us instead issue Aadhaar numbers to all politicians and bureaucrats and instead make the state more transparent to citizens. There is no public interest in reducing privacy for ordinary citizens – the powerless – but there are definitely huge public interest benefits to be secured by increasing transparency of politicians and bureaucrats, who are the powerful.

The Indian government has recently introduced a biometric-based attendance system for all bureaucrats and has created a portal that allows Indian citizens to track if their bureaucrats are arriving late or leaving early. This unfortunately is just bean counting [for being corrupt and being punctual are not mutually exclusive] and public access to the national portal was turned off because of legitimate protests from some of the bureaucrats. What bureaucrats do in office, who they meet, and which documents they process is more important than when they arrive at or depart from work. The increased transparency or reduced privacy was not contributing to the public interest.

Instead of first going after small-ticket corruption at the bottom of the pyramid, maximization of public interest requires us to focus on the top, for there is much greater ROI for the anti-corruption rupee. For example: constructing a digital signature based on audit trails that track all funds and subsidies as they move up and down the pyramid. These audit trails must be made public so that ordinary villagers can be supported by open data activists, journalists, social entrepreneurs, and traditional civil society in verification and course correction.

I hope open data activists, data scientists, and big data experts will draw inspiration from the giants of the transparency movement in India. I hope they will turn their attention to power, examine power asymmetries and then ask how the Aadhaar project can be leveraged to make India more rather than less equal.

Videos

Open Up? 2014: Risky Business: Transparency, Technology, Security, and Human Rights

Open Up? 2014: Data Collection and Sharing: Transparency and the Private Sector

The videos can also be watched on Vimeo:

[*].http://prospect.org/article/real-significance-wikileaks “Transparency should be proportional to the power that one has.”

Read the presentation on Risky Business: Transparency, Technology, Security and Privacy made at the Pecha Kucha session here. (ODP File, 35 kb)

Disclaimer: The views, opinions, and positions expressed by the author(s) of this blog are theirs alone, and do not necessarily reflect the views, opinions, or positions of Omidyar Network. We make no representations as to accuracy, completeness, timeliness, suitability or validity of any information presented by individual authors of the blogs and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use.

For more details visit https://cis-india.org/openness/blog-old/privacy-v-transparency

Privacy Protection Bill 2013

praskrishna — 2013-04-07T04:58:43Z

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf

Privacy Protection Bill (September 2013)

praskrishna — 2013-09-27T14:03:52Z

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-september-2013.pdf

Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy

elonnai — 2012-10-25T10:23:50Z

CCTVs in India are increasingly being employed by private organizations and the government in India as a way to increase security and prevent/ deter crime from taking place. When the government mandates the use of CCTV’s for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained.

The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space – and does not distinguish between private and public and primarily captures information where it is directed to, give rise to privacy concerns and raises fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.

An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.[1] This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.

To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.

Current Status of the Shack Policy

This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1^st through May 31^st, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.[2] Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.

Inside the policy:

Application Requirements

To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by a residence certificate in original issued by Village Panchayat Municipality, attested copy of ration card, four copies of a recent colored passport photos with name written on the back, attested copy of birth certificate/passport copy/Pan Card and any other information that the applicant desires to furnish, and affidavit. In addition individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wishes to provide.[3] These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish – could be used to convey meaningful information or extraneous information to the government.

Operational Requirements

The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack[4] and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.[5]

The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim,[6] shacks must also be made out of eco friendly material as much as possible and the use of cement is banned,[7] and the proper disposal of trash and waste water will be the responsibility of the shack owner.[8] Furthermore, foreigners working in the shacks must have a work visa,[9] and loud music is not allowed to be played after 10:30 p.m.[10]

As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form. [11] But I got to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.

Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPc. This requirement only came into effect on October 1st 2012.[12]Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.

Enforcement

The policy uses a number of measures to ensure enforcement. For examples, successful applicants must place a security deposit of 10,000 with Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.[13]The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with a term of imprisonment minimum three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000 or both. All offenses under the Act are cognizable and non-refundable. [14] If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.[15] Shack owners will also be penalized of they are caught discriminating against who can and cannot enter into the shack.[16]

Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.

Other practices around security and identification in Goa

In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.[17]

The form requires twenty six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period. In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.

Will the 2012 – 2013 Beach Shack Policy have new implications?

In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seems to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.

The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners discomfort in using the technology, and perhaps the government’s recognition that a certain level of ground work needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the ground work will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.

At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.

For example, Goa is not the only city to consider mandatory installation of CCTV’s. In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.[18] Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.[19]

The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTV’s was recently highlighted in Report of the Group of Experts on Privacy headed by Justice A.P Shah.[20] The report noted that the use of CCTV cameras and more broadly the use of electronic recording devices in India is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.[21]

Conclusion

In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective – any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring crime is clear. On the other hand when CCTVs are employed without safeguards and regulations it could result in infractions of privacy and rights or could simply move the crime away from the surveilled area to an unsurveilled area.

Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sectors ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance – but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.

Notes
[1].Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: http://bit.ly/Xk18NH. Last accessed: October 24th 2012.
[2]. Id. Section 2.
[3]. Id. Application Requirements 1-8. Pg 1&2.
[4]. Section 33.
[5].A part of the affidavit
[6].Id. Section 4.
[7]. Id. Section 17.
[8].Id. Section 28.
[9]. Id. Section 35.
[10].Id. Section 37.
[11]. Id. Section 38.
[12]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf
[13]. Beach Shack Policy 2012 - 2013, Section 16.
[14]. Id. Section 18.
[15]. Id. Section 22.
[16]. Id. Section 32.
[17]. Arrival Report of Foreigner in Hotel.”Form C” . Available at: http://bit.ly/TbUO4S
[18]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28^th 2012. Available at: http://bit.ly/RXtgBg. Last Accessed: October 24th 2012.
[19]. Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20^th 2011. Available at: http://bit.ly/VHwCzd. Last accessed: October 24th 2012.
[20]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: http://bit.ly/VqzKtr. Last accessed: October 24th 2012.
[21]. Id. pg. 61-62.

For more details visit https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy

Privacy Newsletter April 2017

praskrishna — 2017-07-20T14:03:37Z

For more details visit https://cis-india.org/internet-governance/files/privacy-newsletter-april-2017.pdf

Privacy Meeting: Brussels – Bangalore

praskrishna — 2013-09-12T07:56:53Z

The Centre for Internet and Society, Bangalore welcomes you to a talk on privacy by Gertjan Boulet and Dariusz Kloza on August 14, 2013, 5.00 p.m. to 8.00 p.m.

Slides from the talk can be accessed here.

Draft Agenda

Time	Detail
17.00 17.15	Brief presentation of the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel (VUB), Belgium
17.15 18.15	Session on "new tools" to protect privacy and personal data. A case-study on (European) approach to privacy impact assessment This session will provide an overview to the main findings of the projects carried out by VUB-LSTS (predominantly) with regard to privacy impact assessments (PIA), starting with the EU co-funded PIAF (“A Privacy Impact Assessment Framework for data protection and privacy rights”; 2011-2012), which reviewed existing PIA frameworks worldwide, surveyed opinions of national data protection authorities (DPAs) on an optimal PIA policy and, finally, provided a set of recommendations for PIA policy-makers and practitioners. This session will be concluded by proposing adaptation of the so-called environmental democracy to the needs and reality of privacy. The points in this session will be contrasted with the experience of India.
18.15 18.45	Session on co-operation of data protection authorities "Improving Practical and Helpful cooperation between Data Protection Authorities", 2013-15. This session will provide a preliminary analysis of the (legal) factors that pose as obstacles to and/or encourage co-operation between DPAs worldwide in enforcing privacy and data protection laws. Such an analysis aims at creating a 'wish-list', i.e. at identifying what measures could be taken to reduce barriers and to further foster co-operation. This session will be concluded by discussing what DPAs' can learn about co-operation from European and international competition law. The points in this session will be contrasted with the experience of India.
18.45 19.00	Break
19.00 19.15	Small session on big data The focus of this session will be on the challenges posed to sovereignty by cross-border law enforcement access to big data. The Belgian Yahoo-case will be discussed as it is emblematic of a reality with broad national claims to access data in a trans-border context. Indian perspectives on this topic will be taken into account.
19.15 20.00	Open discussion

Materials

Wright, David, Kush Wadhwa, Paul De Hert, and Dariusz Kloza, A Privacy Impact Assessment Framework for Data Protection and Privacy Rights, 2011. http://piafproject.eu/ref/PIAF_D1_21_Sept2011Revlogo.pdf
Hosein, Gus, and Simon Davies, Empirical Research of Contextual Factors Affecting the Introduction of Privacy Impact Assessment Frameworks in the Member States of the European Union, 2012. http://piafproject.eu/ref/PIAF_deliverable_d2_final.pdf
De Hert, Paul, Dariusz Kloza, and David Wright, Recommendations for a Privacy Impact Assessment Framework for the European Union, 2012. http://piafproject.eu/ref/PIAF_D3_final.pdf
Kloza Dariusz, Moscibroda Anna, Boulet Gertjan, “Improving Co-operation Between Data Protection Authorities: First Lessons from Competition Law.” in Jusletter IT. Die Zeitschrift für IT und Recht, published by Weblaw AG. http://jusletter-it.weblaw.ch/issues/2013/20-Februar-2013/2128.html
Kloza Dariusz, “Public voice in privacy governance: lessons from environmental democracy”, in Erich Schweighofer (ed.), KnowRight 2012 conference proceedings [forthcoming].

Other resources

PHAEDRA project: http://www.phaedra-project.eu

PIAF project: http://piafproject.eu
PIAw@tch, the PIA observatory: http://piawatch.eu

The Speakers

Gertjan Boulet

Gertjan Boulet holds a joint LL.M/MPhil (2010) from Leuven University (Belgium) and Tilburg University (the Netherlands) where he successfully completed a Research Master of Laws programme focused on legal methods and interdisciplinary research. He started to work as a doctoral researcher at the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel in January 2013 for the EU-funded research project 'Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities' (PHAEDRA). Before, he was a freelance researcher at VUB, and became a member of the programming committee of the annual conference 'Computers, Privacy & Data Protection' (CPDP). Prior to joining the Vrije Universiteit Brussel, Gertjan worked for the Brussels Airport Company (2010) and the law firm DLA Piper (2011). He also completed internships at the Belgian Public Prosecutor (2007), the Constitutional Court of Belgium (2012) and the Belgian Privacy Commission (2013).

Gertjan Boulet

Dariusz Kloza

Dariusz (Darek) Kloza is a doctoral researcher at the Research Group on Law, Science, Technology, and Society (LSTS) and the Institute for European Studies (IES) at Vrije Universiteit Brussel (VUB). He holds both an LL.M. in Law and Technology (2010) from the Tilburg Institute for Law, Technology, and Society (TILT) at Tilburg University (with distinction) and a master degree in law from University of Białystok (2008). He was also an exchange student at University of Copenhagen (2007-2008). His research is focused on fundamental rights in the digital era (especially privacy and data protection), liability of intermediary service providers and private international law. His doctoral research focuses on positive procedural obligations for privacy and data protection from the European perspective.

He has been involved in researching privacy and data protection issues in a number of EU co-funded projects, such as PIAF (Privacy Impact Assessment Framework for data protection and privacy rights), PHAEDRA (Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities) and ADVISE (Advanced Video Surveillance archives search Engine for security applications). He has also contributed to the work of the European Commission’s Task Force for Smart Grids, aimed at ensuring high level of privacy and personal data protection in smart grids/metering.

Dariusz Kloza

For more details visit https://cis-india.org/internet-governance/events/privacy-meeting-brussels-bangalore

Privacy Meet

praskrishna — 2013-11-20T05:13:57Z

Bhairav Acharya was invited by Yahoo's Director of International Privacy, Laura Juanes Micas, to a dinner meeting on privacy at the Oberoi in New Delhi.

The meeting was attended by Justice A.P. Shah, Dr. Gulshan Rai, Dr. Kamlesh Bajaj and others. At this event, Bhairav spoke about the need to develop laws to regulate surveillance and personal data in India. Bhairav further spoke about both the commercial benefits that will accrue from data protection law as well as the national benefit from surveillance regulation and security law. Bhairav also spoke of the need to create a procedure that is just, fair and reasonable and, he highlighted the point that these laws would have to survive constitutional scrutiny by the Supreme Court of India. He also pointed out that meaningful protections lay in creating procedural law that allowed individuals the protection of natural justice and identified magistrates to authorise data collections and interceptions. He further made it clear that India's distinct security situation, both internal and external, warranted a robust surveillance framework that enables law enforcement and strengthens the criminal justice system in manner consistent with the rule of law.

Timings	Agenda
19.00 19.25	Handshakes and Introduction
19.25 19.30	Welcome Remarks by Laura Juanes Micas, Director – International Privacy, Yahoo Inc
19.30 19.35	Address by Manoj Joshi, Joint Secretary, Deptt of Personnel and Training
19.35 19.40	Address by Dr. Gulshan Rai, Director General, CERT-IN
19.40 19.45	Address by Dr. Kamlesh Bajaj, CEO – Data Security Council of India (DSCI)
19.45 19.50	Address by Bhairav Acharya, Legal Adviser, Centre for Internet and Society (CIS)
19.50 19.55	Address by Rajan Mathews, Director General, Cellular Operators Association of India (COAI)
19.55 20.00	Address by Justice A P Shah, Former Chief Justice, Delhi High Court and Chairman, Group of Experts
20.00 20.05	Address by Pavan Duggal, Advocate, Supreme Court
20.05 20.10	Address by Chinmayi Arun, Research Director – Centre for Communication Governance, National Law University - Delhi
20.10 20.15	Address by Prasanth Sugathan, Counsel, Software Freedom Law Centre (SFLC.IN)
20.15 20.20	Address by Dr. Subho Ray, President, Internet and Mobile Association of India (IAMAI)
20.20	Discussions (Along with Sit – Down Dinner)

For more details visit https://cis-india.org/news/privacy-meet-october-7-2013