Centre for Internet and Society

Reclaiming AI Futures: Call for Contributions and Provocations

Divij Joshi — 2020-11-18T09:04:25Z

CIS is pleased to share this call for contributions by Mozilla Fellow Divij Joshi. CIS will be working with Divij to edit, collate, and finalise this publication. This publication will add to Divij’s work as part of the AI observatory. The work is entirely funded by Divij Joshi.

Please visit this link for the full call, and details on how to apply.

For more details visit https://cis-india.org/internet-governance/blog/reclaiming-ai-futures-call-for-contributions-and-provocations

Rebuttal of DIT's Misleading Statements on New Internet Rules

pranesh — 2012-07-11T13:18:04Z

The press statement issued on May 11 by the Department of Information Technology (DIT) on the furore over the newly-issued rules on 'intermediary due diligence' is misleading and is, in places, plainly false. We are presenting a point-by-point rebuttal of the DIT's claims.

In its press release on Wednesday, May 11, 2011, the DIT stated:

The attention of Government has been drawn to news items in a section of media on certain aspects of the Rules notified under Section 79 pertaining to liability of intermediaries under the Information Technology Act, 2000. These items have raised two broad issues. One is that words used in Rules for objectionable content are broad and could be interpreted subjectively. Secondly, there is an apprehension that the Rules enable the Government to regulate content in a highly subjective and possibly arbitrary manner.

There are actually more issues than merely "subjective interpretation" and "arbitrary governmental regulation".

The Indian Constitution limits how much the government can regulate citizens’ fundamental right to freedom of speech and expression. Any measure afoul of the constitution is invalid.
Several portions of the rules are beyond the limited powers that Parliament had granted the Department of IT to create interpretive rules under the Information Technology Act. Parliament directed the Government to merely define what “due diligence” requirements an intermediary would have to follow in order to claim the qualified protection against liability that Section 79 of the Information Technology Act provides; these current rules have gone dangerously far beyond that, by framing rules that insist that intermediaries, without investigation, has to remove content within 36-hours of receipt of a complaint, keep records of a users' details and provide them to law enforcement officials.

The Department of Information Technology (DIT), Ministry of Communications & IT has clarified that the Intermediaries Guidelines Rules, 2011 prescribe that due diligence need to be observed by the Intermediaries to enjoy exemption from liability for hosting any third party information under Section 79 of the Information Technology Act, 2000. These due diligence practices are the best practices followed internationally by well-known mega corporations operating on the Internet. The terms specified in the Rules are in accordance with the terms used by most of the Intermediaries as part of their existing practices, policies and terms of service which they have published on their website.

We are not aware of any country that actually goes to the extent of deciding what Internet-wide ‘best practices’ are and actually converting those ‘best practices’ into law by prescribing a universal terms of service that all Internet services, websites, and products should enforce.
The Rules require all intermediaries to include the government-prescribed terms in an agreement, no matter what services they provide. It is one thing for a company to choose the terms of its terms of service agreement, and completely another for the government to dictate those terms of service. As long as the terms of service of an intermediary are not unlawful or bring up issues of users’ rights (such as the right to privacy), there is no reason for the government to jump in and dictate what the terms of service should or should not be.
The DIT has not offered any proof to back up its assertion that 'most' intermediaries already have such terms. Google, a ‘mega corporation’ which is an intermediary, does not have such an overarching policy. Indiatimes, another ‘mega corporation’ intermediary, does not either. Just because a company like Rediff and Blizzard's World of Warcraft have some of those terms does not mean a) that they should have all of those terms, nor that b) everyone else should as well.

In attempting to take different terms of service from different Internet services and products—the very fact of which indicate the differing needs felt across varying online communities—the Department has put in place a one-size-fits-all approach. How can this be possible on the Internet, when we wouldn't regulate the post-office and a book publisher under the same rules of liability for, say, defamatory speech.
There is also a significant difference between the effect of those terms of service and that of these Rules. An intermediary-framed terms of service suggest that the intermediary may investigate and boot someone off a service for violation, while the Rules insist that the intermediary simply has to mandatorily remove content, keep records of users' details and provide them to law enforcement officials, else be subject to crippling legal liability.

So to equate the effect of these Rules to merely following ‘existing practices’ is plainly wrong. An intermediary—like the CIS website—should have the freedom to choose not to have terms of service agreements. We now don’t.“In case any issue arises concerning the interpretation of the terms used by the Intermediary, which is not agreed to by the user or affected person, the same can only be adjudicated by a Court of Law. The Government or any of its agencies have no power to intervene or even interpret. DIT has reiterated that there is no intention of the Government to acquire regulatory jurisdiction over content under these Rules. It has categorically said that these rules do not provide for any regulation or control of content by the Government.”

The Rules are based on the presumption that all complaints (and resultant mandatory taking down of the content) are correct, and that the incorrectness of the take-downs can be disputed in court. Why not just invert that, and presume that all complaints need to be proven first, and the correctness of the complaints (instead of the take-downs) be disputed in court?

Indeed, the courts have insisted that presumption of validity is the only constitutional way of dealing with speech. (See, for instance, Karthikeyan R. v. Union of India, a 2010 Madras High Court judgment.)

Further, only constitutional courts (namely High Courts and the Supreme Court) can go into the question of the validity of a law. Other courts have to apply the law, even if it the judge believes it is constitutionally invalid. So, most courts will be forced to apply this law of highly questionable constitutionality until a High Court or the Supreme Court strikes it down.

What the Department has in fact done is to explicitly open up the floodgates for increased liability claims and litigation - which runs exactly counter to the purpose behind the amendment of Section 79 by Parliament in 2008.

“The Government adopted a very transparent process for formulation of the Rules under the Information Technology Act. The draft Rules were published on the Department of Information Technology website for comments and were widely covered by the media. None of the Industry Associations and other stakeholders objected to the formulation which is now being cited in some section of media.”

This is a blatant lie.

Civil society voices, including CIS, Software Freedom Law Centre, and individual experts (such as the lawyer and published author Apar Gupta) sent in comments. Companies such as Google, E2E Networks, and others had apparently raised concerns as well. The press has published many a cautionary note, including editorials, op-ed and articles in the Hindu, the Hoot, Medianama.com, and Kafila.com, well before the new rules were notified. We at CIS even received a 'read notification' from the email account of the Group Coordinator of the DIT’s Cyber Laws Division—Dr. Gulshan Rai—on Thursday, March 3, 2011 at 12:04 PM (we had sent the mail to Dr. Rai on Monday, February 28, 2011). We never received any acknowledgement, though, not even after we made an express request for acknowledgement (and an offer to meet them in person to explain our concerns) on Tuesday, April 5, 2011 in an e-mail sent to Mr. Prafulla Kumar and Dr. Gulshan Rai of DIT.

The process can hardly be called 'transparent' when the replies received from 'industry associations and other stakeholders' have not been made public by the DIT. Those comments which are public all indicate that serious concerns were raised as to the constitutionality of the Rules.

The Government has been forward looking to create a conducive environment for the Internet medium to catapult itself onto a different plane with the evolution of the Internet. The Government remains fully committed to freedom of speech and expression and the citizen’s rights in this regard.

The DIT has limited this statement to the rules on intermediary due diligence, and has not spoken about the controversial new rules that stifle cybercafes, and restrict users' privacy and freedom to receive information.

If the government is serious about creating a conducive environment for innovation, privacy and free expression on the Internet, then it wouldn’t be passing Rules that curb down on them, and it definitely will not be doing so in such a non-transparent fashion.

For more details visit https://cis-india.org/internet-governance/blog/rebuttal-dit-press-release-intermediaries

RBI Directions on Account Aggregators

Vipul Kharbanda and Elonnai Hickok — 2016-10-21T15:25:01Z

The Reserve Bank of India's (RBI) Directions for account aggregator services in India seem to lay great emphasis on data security by allowing only direct access between institutions and do away with data scraping techniques.

These days’ people have access to various financial services and manage their finances in a diverse manner while dealing with a large number of financial service providers, each providing one or more services that the user may need such as banking, credit card services, investment services, etc. This multiplicity of financial service providers could make it inconvenient for the users to keep track of their finances since all the information cannot be provided at the same place. This problem is sought to be solved by the account aggregators by providing all the financial data of the user at a single place. Account aggregation is the consolidation of online financial account information (e.g., from banks, credit card companies, etc.) for online retrieval at one site. In a typical arrangement, an intermediary (e.g., a portal) agrees with a third party service provider to provide the service to consumers, the intermediary would then generally privately label the service and offer consumers access to it at the intermediary’s website.[1] There are two major ways in which account aggregation takes place, (i) direct access: wherein the account aggregator gets direct access to the data of the user residing in the computer system of the financial service provider; and (ii) scraping: where the user provides the account aggregator the username and password for its account in the different financial service providers and the account aggregator scrapes the information off the website/portal of the different financial service providers.

Since account aggregation involves the use and exchange of financial information there could be a number of potential risks associated with it such as (i) loss of passwords; (ii) frauds; (iii) security breaches at the account aggregator, etc. It is for this reason that on the advice of the Financial Stability and Development Council,[2] the Reserve Bank of India (“RBI”) felt the need to regulate this sector and on September 2, 2016 issued the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 to provide a framework for the registration and operation of Account Aggregators in India (the “Directions”). The Directions provide that no company shall be allowed to undertake the business of account aggregators without being registered with the RBI as an NBFC-Account Aggregator. The Directions also specify the conditions that have to be fulfilled for consideration of an entity as an Account Aggregator such as:

the company should have a net owned fund of not less than rupees two crore, or such higher amount as the Bank may specify;
the company should have the necessary resources and wherewithal to offer account aggregator services;
the company should have adequate capital structure to undertake the business of an account aggregator;
the promoters of the company should be fit and proper individuals;
the general character of the management or proposed management of the company should not be prejudicial to the public interest;
the company should have a plan for a robust Information Technology system;
the company should not have a leverage ratio of more than seven;
the public interest should be served by the grant of certificate of registration; and
Any other condition that made be specified by the Bank from time to time.[3]

The Direction further talk about the responsibilities of the Account Aggregators and specify that the account aggregators shall have the duties such as: (a) Providing services to a customer based on the customer’s explicit consent; (b) Ensuring that the provision of services is backed by appropriate agreements/ authorisations between the Account Aggregator, the customer and the financial information providers; (c) Ensuring proper customer identification; (d) Sharing the financial information only with the customer or any other financial information user specifically authorized by the customer; (e) Having a Citizen's Charter explicitly guaranteeing protection of the rights of a customer.[4]

The Account Aggregators are also prohibited from indulging in certain activities such as: (a) Support transactions by customers; (b) Undertaking any other business other than the business of account aggregator; (c) Keeping or “residing” with itself the financial information of the customer accessed by it; (d) Using the services of a third party for undertaking its business activities; (e) Accessing user authentication credentials of customers; (f) Disclosing or parting with any information that it may come to acquire from/ on behalf of a customer without the explicit consent of the customer.[5] The fact that there is a prohibition on the information accessed from actually residing with the Account Aggregator will ensure greater security and protection of the information.

Consent Framework

The Directions specify that the function of obtaining, submitting and managing the customer’s consent should be performed strictly in accordance with the Directions and that no information shall be retrieved, shared or transferred without the explicit consent of the customer.[6] The consent is to be taken in a standardized artefact, which can also be obtained in electronic form,[7] and shall contain details as to (i) the identity of the customer and optional contact information; (ii) the nature of the financial information requested; (iii) purpose of collecting the information; (iv) the identity of the recipients of the information, if any; (v) URL or other address to which notification needs to be sent every time the consent artefact is used to access information; (vi) Consent creation date, expiry date, identity and signature/ digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI.[8] The account aggregator is required to inform the customer of all the necessary attributes to be contained in the consent artefact as well as the customer’s right to file complaints with the relevant authorities.[9] The customers shall also be provided an option to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information.[10]

Comments: While the Directions have specific provisions regarding how the financial data shall be dealt with, it is pertinent to note that the actual consent artefact also has personal information and it is not clear whether Account Aggregators are allowed disclose that information to third parties are not.

Disclosure and sharing of financial information

Financial information providers such as banks, mutual funds, etc. are allowed to share information with account aggregators only upon being presented with a valid consent artifact and also have the responsibility to verify the consent as well as the credentials of the account aggregator.[11] Once the verification is done, the financial information provider shall digitally sign the financial information and transmit the same to the Account Aggregator in a secure manner in real time, as per the terms of the consent.[12] In order to ensure smooth flow of data, the Directions also impose an obligation on financial information providers to:

implement interfaces that will allow an Account Aggregator to submit consent artefacts, and authenticate each other, and enable secure flow of financial information;
adopt means to verify the consent including digital signatures;
implement means to digitally sign the financial information; and
maintain a log of all information sharing requests and the actions performed pursuant to such requests, and submit the same to the Account Aggregator.[13]

Comments: The Directions provide that the Account Aggregator will not support any transactions by the customers and this seems to suggest that in case of any mistakes in the information the customer would have to approach the financial information provider and not the Account Aggregator.

Use of Information

The Directions provide that in cases where financial information has been provided by a financial information provider to an Account Aggregator for transferring the same to a financial information user with the explicit consent of the customer, the Account Aggregator shall transfer the same in a secure manner in accordance with the terms of the consent artefact only after verifying the identity of the financial information user.[14] Such information, as well as information which may be provided for transferring to the customer, shall not be used or disclosed by the Account Aggregator or the Financial Information user except as specified in the consent artefact.[15]

Data Security

The Directions specify that the business of an Account Aggregator will be entirely Information Technology (IT) driven and they are required to adopt required IT framework and interfaces to ensure secure data flows from the financial information providers to their own systems and onwards to the financial information users.[16] This technology should also be scalable to cover any other financial information or financial information providers as may be specified by the RBI in the future.[17] The IT systems should also have adequate safeguards to ensure they are protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.[18] Information System Audit of the internal systems and processes should be in place and be conducted at least once in two years by CISA certified external auditors whose report is to be submitted to the RBI.[19] The Account Aggregators are prohibited from asking for or storing customer credentials (like passwords, PINs, private keys) which may be used for authenticating customers to the financial information providers and their access to customer’s information will be based only on consent-based authorisation (for scraping).[20]

Grievance Redressal

The Directions require the Account Aggregator to put in place a policy for handling/ disposal of customer grievances/ complaints, which shall be approved by its Board and also have a dedicated set-up to address customer grievances/ complaints which shall be handled and addressed in the manner prescribed in the policy.[21] The Account Aggregator also has to display the name and details of the Grievance Redressal Officer on its website as well as place of business.[22]

Supervision

The Directions require the Account Aggregators to put in place various internal checks and balances to ensure that the business of the Account Aggregator does not violate any laws or regulations such as constitution of an Audit Committee, a Nomination Committee to ensure the “fit and proper” status of its Directors, a Risk Management Committee and establishment of a robust and well documented risk management framework.[23] The Risk Management Committee is required to (a) give due consideration to factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities; and b) have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.[24] Further the RBI also has the power to inspect any Account Aggregator at any time.[25]

Penalties

The Directions themselves do not provide for any penalties for non compliance, however since the Directions are issued under Section 45JA of the Reserve Bank of India Act, 1934 (“RBI Act”), this means that any contravention of these directions will be punishable under Section 58B of the RBI Act which provides for an imprisonment of upto 3 years as well as a fine for any contravention of such directions.

Conclusion

The Directions by the RBI provide a number of regulations and checks on Account Aggregators with the view to ensure safety of customer financial data. These Directions appear to be quite trendsetting in the sense that in most other jurisdictions such as the United States or even Europe there are no specific regulations governing Account Aggregators but their activities are mainly being governed under existing privacy or consumer protection legislations.[26]

The entire regulatory regime for Account Aggregators seems to suggest that the RBI wants Account Aggregators to be like funnels to channel information from various platforms right to the customer (or financial information user) and it does not want to take a chance with the information actually residing with the Account Aggregators. Further, by prohibiting Account Aggregators from accessing user authentication credentials, the RBI is trying to eliminate the possibility of this information being leaked or stolen. Although this may make it more onerous for Account Aggregators to provide their services, it is a great step to ensure the safety and security of customer data.

In recent months the RBI has been trying to actively engage with the various new products being introduced in the financial sector owing to various technological advancements, be it the circular informing the public about the risks of virtual currencies including Bitcoin, the consultation paper on P2P lending platforms or these current guidelines on Account Aggregators. These recent actions of the RBI seem to suggest that the RBI is well aware of various technological advancements in the financial sector and is keeping a keen eye on these technologies and products, but appears to be taking a cautious and weighted approach regarding how to deal with them.

[1] Ann S. Spiotto, Financial Account Aggregation: The Liability Perspective, Fordham Journal of Corporate & Financial Law, 2006, Volume 8, Issue 2, Article 6, available at http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1181&context=jcfl

[2] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=34345

[3] Clause 4.2.2 of the Directions.

[4] Clause 5 of the Directions.

[5] Clause 5 of the Directions.

[6] Clauses 6.1 and 6.2 of the Directions.

[7] Clause 6.4 of the Directions.

[8] Clause 6.3 of the Directions.

[9] Clause 6.5 of the Directions.

[10] Clause 6.6 of the Directions.

[11] Clauses 7.1 and 7.2 of the Directions.

[12] Clauses 7.3 and 7.4 of the Directions.

[13] Clause 7.5 of the Directions.

[14] Clause 7.6.1 of the Directions.

[15] Clause 7.6.2 of the Directions.

[16] Clause 9(a) of the Directions.

[17] Clause 9(c) of the Directions.

[18] Clause 9(d) of the Directions.

[19] Clause 9(f) of the Directions.

[20] Clause 9(b) of the Directions.

[21] Clauses 10.1 and 10.2 of the Directions.

[22] Clause 10.3 of the Directions.

[23] Clauses 12.2, 12.3 and 12.4 of the Directions.

[24] Clause 12.4 of the Directions.

[25] Clause 15 of the Directions.

[26] http://www.canadiancybersecuritylaw.com/2016/07/german-regulator-finds-banks-data-rules-impede-non-bank-competitors/

For more details visit https://cis-india.org/internet-governance/blog/rbi-directions-on-account-aggregators

Public Consultation for the First Draft of 'Government Open Data Use License - India' Announced

sinha — 2016-06-30T09:41:07Z

The first public draft of the open data license to be used by Government of India was released by the Department of Legal Affairs earlier this week. Comments are invited from general public and stakeholders. These are to be submitted via the MyGov portal by July 25, 2016. CIS was a member of the committee constituted to develop the license concerned, and we contributed substantially to the drafting process.

Please read the call for comments here.

The PDF version of the draft license document can be accessed here.

Comments are to be submitted by July 25, 2016.

Government Open Data Use License - India

National Data Sharing and Accessibility Policy

Government of India

1. Preamble

Structured data available in open format and open license for public access and use, usually termed as “Open Data,” is of prime importance in the contemporary world. Data also is one of the most valuable resources of modern governance, sharing of which enables various and non-exclusive usages for both commercial and non-commercial purposes. Licenses, however, are crucial to ensure that such data is not misused or misinterpreted (for example, by insisting on proper attribution), and that all users have the same and permanent right to use the data.

The open government data initiative started in India with the notification of the National Data Sharing and Accessibility Policy (NDSAP), submitted to the Union Cabinet by the Department of Science and Technology, on 17th March 2012 [1]. The NDSAP identified the Department of Electronics & Information Technology (DeitY) as the nodal department for the implementation of the policy through National Informatics Centre, while the Department of Science and Technology continues to be the nodal department on policy matters. In pursuance of the Policy, the Open Government Data Platform India [2] was launched in 2012.

While, the appropriate open formats and related aspects for implementation of the Policy has been defined in the “NDSAP Implementation Guidelines” prepared by an inter- ministerial Task Force constituted by the National Informatics Centre [3], the open license for data sets published under NDSAP and through the OGD Platform remained unspecified till now.

2. Definitions

a. “Data” means a representation of Information, numerical compilations and observations, documents, facts, maps, images, charts, tables and figures, concepts in digital and/or analog form, and includes metadata [4], that is all information about data, and/or clarificatory notes provided by data provider(s), without which the data concerned cannot be interpreted or used [5].

b. “Information” means processed data [6].

c. “Data Provider(s)” means person(s) publishing and providing the data under this license.

d. “License” means this document.

e. “Licensor”means any data provider(s) that has the authority to offer the data concerned under the terms of this licence.

f. “User” means natural or legal persons, or body of persons corporate or incorporate, acquiring rights in the data (whether the data is obtained directly from the licensor or otherwise) under this licence.

g. “Use” includes lawful distribution, making copies, adaptation, and all modification and representation of the data, subject to the provisions of this License.

h. “Adapt” means to transform, build upon, or to make any use of the data by itsre-arrangement or alteration [7].

i. “Redistribute” means sharing of the data by the user, either in original or in adapted form (including a subset of the original data), accompanied by appropriate attribute statement, under the same or other suitable license.

j. “Attribution Statement” means a standard notice to be published by all users of data published under this license, that contains the details of the provider, source, and license of the data concerned [8].

k. “Personal Information” means any Information that relates to a natural person,which, either directly or indirectly, in combination with other Information available or likely to be available with a body corporate, is capable of identifying such person [9].

3. Permissible Use of Data

Subject to the conditions listed under section 7, the user may:

a. Access, use, adapt, and redistribute data published under this license for all lawful and non-exclusive purposes, without payment of any royalty or fee;

b. Apply this license worldwide, and in perpetuity;

c. Access, study, copy, share, adapt, publish, redistribute and transmit the data in any medium or format; and

d. Use, adapt, and redistribute the data, either in itself, or by combining it with other data, or by including it within a product/application/service, for all commercial and/or non-commercial purposes.

4. Terms and Conditions of Use of Data

a. Attribution: The user must acknowledge the provider, source, and license of data by explicitly publishing the attribution statement, including the DOI (Digital Object Identifier), or the URL (Uniform Resource Locator), or the URI (Uniform Resource Identifier) of the data concerned.

b. Attribution of Multiple Data: If the user is using multiple data together and/or listing of sources of multiple data is not possible, the user may provide a link to a separate page/list that includes the attribution statements and specific URL/URI of all data used.

c. Non-endorsement: The User must not indicate or suggest in any manner that the data provider(s) endorses their use and/or the user.

d. No Warranty: The data provider(s) are not liable for any errors or omissions, and will not under any circumstances be liable for any direct, indirect, special, incidental, consequential, or other loss, injury or damage caused by its use or otherwise arising in connection with this license or the data, even if specifically advised of the possibility of such loss, injury or damage. Under any circumstances, the user may not hold the data provider(s) responsible for: i) any error, omission or loss of data, and/or ii) any undesirable consequences due to the use of the data as part of an application/product/service (including violation of any prevalent law).

e. Permanent Disclosure and Versioning: The data provider(s) will ensure that a data package once published under this license will always remain publicly available for reference and use. If an already published data is updated by the provider, then the earlier appropriate version(s) must also be kept publicly available with accordance with the archival policy of the National Informatics Centre.

f. Continuity of Provision:The data provider(s) will strive for continuously updating the data concerned, as new data regarding the same becomes available. However, the data provider(s) do not guarantee the continued supply of updated or up-to-date versions of the data, and will not be held liable in case the continued supply of updated data is not provided.

5. Template for Attribution Statement

Unless the user is citing the data using an internationally accepted data citation format [10], an attribution notice in the following format must be explicitly included:

“Data has been published by [Name of Data Provider] and sourced from Open Government Data (OGD) Platform of India: [Name of Data]. ([date of Publication: dd/mm/yyyy]) .[DOI / URL / URI]. Published under Open Government Data License - India: [URL of Open Data License – India].”

For example, “Data has been published by Ministry of Statistics and Programme Implementation and sourced from Open Government Data (OGD) Platform of India: Overall Balance of Payments. (08/09/2015). https://data.gov.in/catalog/overall-balance-payments. Published under Open Government Data License - India: [URL of Open Data License - India].”

6. Exemptions

The license does not grant the right to access, use, adapt, and redistribute the following kinds of data:

a. Personal information;

b. Data that the data provider(s) is not authorised to licence;

c. Names, crests, logos and other official symbols of the data provider(s);

d. Data subject to other intellectual property rights, including patents, trade-marks and official marks;

e. Military insignia;

f. Identity documents; and

g. Any data publication of which may violate section 8 of the Right to Information Act, 2005 11.

7. Termination

a. Failure to comply with stipulated terms and conditions will cause the user’s rights under this license to end automatically.

b. Where the user’s rights to use data have terminated under the aforementioned clauses or any other Indian law, it reinstates:

i. automatically, as of the date the violation is cured, provided it is cured within 30 days of the discovery of the violation; or

ii. upon express reinstatement by the Licensor.

c. For avoidance of doubt, this section does not affect any rights the licensor may have to seek remedies for violation of this license.

8. Dispute Redressal Mechanism

This license is governed by Indian law, and the copyright of any data shared under this license vests with the licensor, under the Indian Copyright Act.

9. Endnotes

[1] Ministry of Science and Technology. 2012. National Data Sharing and Accessibility Policy (NDSAP) 2012. Gazette of India. March 17. http://data.gov.in/sites/default/files/NDSAP.pdf.

[2] See: https://data.gov.in/.

[3] See section 3.2 of the Implementation Guidelines for National Data Sharing and Accessibility Policy (NDSAP) Version 2.2. https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf.

[4] See section 2.1 of NDSAP 2012.

[5] See section 2.6 of NDSAP 2012.

[6] See section 2.7 of NDSAP 2012.

[7] See section 2 (a) of Indian Copyright Act 1957. http://copyright.gov.in/Documents/CopyrightRules1957.pdf.

[8] The template of the attribution statement is given in section 5 of the license.

[9] See section 2 (i) of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf.

[10]For example, those listed in the DOI Citation Formatter tool developed by DataCite, CrossRef and others: http://crosscite.org/citeproc/.

[11] See: http://rti.gov.in/webactrti.htm.

For more details visit https://cis-india.org/openness/public-consultation-for-the-first-draft-of-government-open-data-use-license-india-announced

Privacy vs. Transparency: An Attempt at Resolving the Dichotomy

sunil — 2015-03-08T06:26:21Z

The right to privacy has been articulated in international law and in some national laws. In a few countries where the constitution does not explicitly guarantee such a right, courts have read the right to privacy into other rights (e.g., the right to life, the right to equal treatment under law and also the right to freedom of speech and expression).

With feedback and inputs from Sumandro Chattapadhyay, Elonnai Hickok, Bhairav Acharya and Geetha Hariharan. I would like to apologize for not providing proper citation to Julian Assange when the first version of this blog entry was published. I would also like to thank Micah Sifry for drawing this failure to his attention. The blog post originally published by Omidyar Network can be read here. Also see http://newint.org/features/2015/01/01/privacy-transparency/

In other countries where privacy is not yet an explicit or implicit right, harm to the individual is mitigated using older confidentiality or secrecy law. After the Snowden affair, the rise of social media and the sharing economy, some corporations and governments would like us to believe that “privacy is dead”. Privacy should not and cannot be dead, because that would mean that security is also dead. This is indeed the most dangerous consequence of total surveillance as it is technically impossible to architect a secure information system without privacy as a precondition. And conversely, it is impossible to guarantee privacy without security as a precondition.

The right to transparency [also known as the right to information or access to information] – while unavailable in international law – is increasingly available in national law. Over the last twenty years this right has become encoded in national laws – and across the world it is being used to hold government accountable and to balance the power asymmetry between states and citizens. Independent and autonomous offices of transparency regulators have been established. Apart from increasing government transparency, corporations are also increasingly required to be transparent as part of generic or industry specific regulation in the public interest. For instance, India’s Companies Act, 2013, requires greater transparency from the private sector. Other areas of human endeavor such as science and development are also becoming increasingly transparent though here it is still left up to self-regulation and there isn’t as much established law. Within science and research more generally, the rise of open data accompanied the growth of the Open Access and citizen science movement.

So the question before us is: Are these two rights – the right to transparency and the right to privacy – compatible? Is it a zero-sum game? Do we have to sacrifice one right to enforce the other? Unfortunately, many privacy and transparency activists think this is the case and this has resulted in some conflict. I suggest that these rights are completely compatible when it comes to addressing the question of power. These rights do not have to be balanced against one another. There is no need to settle for a sub-optimal solution. Rather this is an optimization problem and the solution is as follows: privacy protections must be inversely proportionate to power and as Julian Assange says transparency requirements should be directly proportionate to power.[*]

In most privacy laws, the public interest is an exception to privacy. If public interest is being undermined, then an individual privacy can be infringed upon by the state, by researchers, by the media, etc. And in transparency law, privacy is the exception. If the privacy of an individual can be infringed, transparency is not required unless it is in the public interest. In other words, the “public interest” test allows us to use privacy law and transparency law to address power asymmetries rather than exacerbate them. What constitutes “public interest” is of course left to courts, privacy regulators, and transparency regulators to decide. Like privacy, there are many other exceptions in any given transparency regime including confidentiality and secrecy. Given uneven quality of case law there will be a temptation by the corrupt to conflate exceptions. Here the old common-law principle of “there is no confidence as to the disclosure of iniquity” – which prevents confidentiality law from being used to cover malfeasance or illegality – can be adopted in appropriate jurisdictions.

Around 10 years ago, the transparency movement gave birth to yet another movement – the open government data movement. The tension between privacy and transparency is most clearly seen in the open government data movement. The open government data movement in some parts of the world is dominated by ahistorical and apolitical technologists, and some of them seem intent on reinventing the wheel. In India, ever since the enactment of the Right to Information Act, 2003, 30 transparency activists are either killed, beaten or criminally intimidated every year. This is the statistic from media coverage alone. Many more silently suffer. RTI or transparency is without a doubt one of the most dangerous sectors within civil society that you could choose to work in. In contrast, not a single open data activist has ever been killed, beaten or criminally intimidated. I suspect this is because open data activists do not sufficiently challenge power hierarchies. Let us look a little bit closely at their work cycle. When a traditional transparency activist asks a question, that is usually enough to get them into trouble. When an open data activist publishes an answer [a dataset nicely scrubbed and machine readable, or a visualization, or a tool] they are often frustrated because nobody seems interested in using it. Often even the activist is unclear what the question is. This is because open data activist works where data is available. Open data activists are obsessed with big datasets, which are easier to find at the bottom of the pyramid. They contribute to growing surveillance practices [the nexus between Internet giants, states, and the security establishment] rather that focusing on sousveillance [citizen surveillance of the state, also referred to as citizen undersight or inverse surveillance]. They seem to be obsessed only with tools and technologies, rather than power asymmetries and injustices.

Finally, a case study to make my argument easier to understand – Aadhaar or UID, India’s ambitious centralized biometric identity and authentication management system. There are many serious issues with its centralized topology, proprietary technology, and dependence on biometrics as authentication factors – all of which I have written about in the past. In this article, I will explain how my optimization solution can be applied to the project to make it more effective in addressing its primary problem statement that corruption is a necessary outcome of power asymmetries in India.

In its current avatar – the Aadhaar project hopes to assign biometric-based identities to all citizens. The hope is that, by doing authentication in the last mile, corruption within India’s massive subsidy programmes will be reduced. This, in my view, might marginally reduce retail corruption at the bottom of the pyramid. It will do nothing to address wholesale corruption that occurs as subsidies travel from the top to the bottom of the pyramid. I have advocated over the last two years that we should abandon trying to issue biometric identities to all citizens, thereby making them more transparent to the state. Let us instead issue Aadhaar numbers to all politicians and bureaucrats and instead make the state more transparent to citizens. There is no public interest in reducing privacy for ordinary citizens – the powerless – but there are definitely huge public interest benefits to be secured by increasing transparency of politicians and bureaucrats, who are the powerful.

The Indian government has recently introduced a biometric-based attendance system for all bureaucrats and has created a portal that allows Indian citizens to track if their bureaucrats are arriving late or leaving early. This unfortunately is just bean counting [for being corrupt and being punctual are not mutually exclusive] and public access to the national portal was turned off because of legitimate protests from some of the bureaucrats. What bureaucrats do in office, who they meet, and which documents they process is more important than when they arrive at or depart from work. The increased transparency or reduced privacy was not contributing to the public interest.

Instead of first going after small-ticket corruption at the bottom of the pyramid, maximization of public interest requires us to focus on the top, for there is much greater ROI for the anti-corruption rupee. For example: constructing a digital signature based on audit trails that track all funds and subsidies as they move up and down the pyramid. These audit trails must be made public so that ordinary villagers can be supported by open data activists, journalists, social entrepreneurs, and traditional civil society in verification and course correction.

I hope open data activists, data scientists, and big data experts will draw inspiration from the giants of the transparency movement in India. I hope they will turn their attention to power, examine power asymmetries and then ask how the Aadhaar project can be leveraged to make India more rather than less equal.

Videos

Open Up? 2014: Risky Business: Transparency, Technology, Security, and Human Rights

Open Up? 2014: Data Collection and Sharing: Transparency and the Private Sector

The videos can also be watched on Vimeo:

[*].http://prospect.org/article/real-significance-wikileaks “Transparency should be proportional to the power that one has.”

Read the presentation on Risky Business: Transparency, Technology, Security and Privacy made at the Pecha Kucha session here. (ODP File, 35 kb)

Disclaimer: The views, opinions, and positions expressed by the author(s) of this blog are theirs alone, and do not necessarily reflect the views, opinions, or positions of Omidyar Network. We make no representations as to accuracy, completeness, timeliness, suitability or validity of any information presented by individual authors of the blogs and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use.

For more details visit https://cis-india.org/openness/blog-old/privacy-v-transparency

Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)

elonnai — 2013-07-12T10:50:22Z

In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.

Click to download the Privacy Protection Bill, 2013 with latest amendments (PDF, 196 Kb).

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback

Privacy Matters — Conference Report

praskrishna — 2011-01-27T10:22:55Z

A one-day conference on Privacy Matters was held on Sunday, 23 January 2011 at the National University of Juridical Sciences (NUJS) Law School in Kolkata. This was the first of a series of eleven conferences on ‘privacy’ that Privacy India is scheduled to host in different Indian cities from January to June this year. Members of Parliament, Sri Manoj Bhattacharya from the Revolutionary Socialist Party (RSP) and Sri Nilotpal Basu from the Communist Party of India (Marxist) CPI (M) spoke in the conference. Students, the civil society and lawyers also participated in it.

Introduction

The conference was held to discuss elements of the privacy legislation that has been proposed to the Parliament of India, and the UID Bill and project. The conference focused on the tensions between privacy and society that exist in India today, and acted as a space for opinion sharing and discussion. Privacy India which was formed under the auspices of Privacy International, a UK based organization that works to protect the right of privacy around the world, the Centre for Internet and Society (CIS), an NGO based in Bangalore, and Society in Action Group (SAG), an NGO based in Delhi joined hands to host this event.

Rajan Gandhi, founder of SAG opened the conference with an explanation of the mandate of Privacy India, the objective of which is of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of Privacy India's goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

Keynote

The keynote speech was delivered by Dr. Sudhir Krishnaswamy professor of law and governance. Dr. Krishnaswamy began by outlining the present situation of privacy in India. The right to privacy has been read into Sections 19 and 21 of the Constitution of India through case law, which has defined privacy — among other things — as the right to personal autonomy, the right against unreasonable search and seizure, and as a fundamental right that is critical to the person, but does not supersede public or national interest. Dr. Krishnaswamy also raised many intriguing questions including: what does privacy mean to India — is it linked to a person’s dignity and their honour? Or is it purely concerned with misappropriation of information, and further is privacy in India an issue of the individual or an issue of the family and the community? He also described the philosophical groundings of privacy as being in the right to dignity, the right to autonomy, and the misappropriation of information.

Privacy Challenges

The conference was spread into three sessions. In the first session Prashant Iyengar, head researcher of the project at Privacy India, spoke about the challenges that India specifically is facing in shaping a privacy legislation including: the need to balance the right to information/transparency and privacy, the need to create a definition of privacy that does not exclude lower classes and is not a negative right, but instead a positive right, and the problem of ubiquitous surveillance that is happening in society today. Elonnai Hickok, policy analyst at Privacy India, spoke specifically on wire tapping, and the Nira Radia tapes. In her presentation she first outlined other countries definitions of privacy which include: the right to be left alone, the protection from unauthorized searches, and the right to control information about oneself through consent. Using the case study of Nira Radia and Ratan Tata she spoke about the rising concern of wire tapping in the country as being indicative of a social change and relationship of the state and government. Elonnai also raised questions concerning whether privacy should be made inversely proportional to public figures, and if public interest will always supersede the private right of individuals.

UID and Privacy

The second session of the conference focused on the UID Bill and privacy. Presentations from NUJS student Amba Kak and Sai Vinod raised concerns about the UID project and privacy. Their presentation also compared and contrasted identity schemes of other countries with the UID. A few similarities that they found amongst all scheme were: the collection of data, the processing of data, and the storing of data. Deva Prasad from the National Law School of Bangalore presented on constitutional elements of the UID scheme ranging from loopholes in the Bill to connections that can be made when the UID Bill is placed in the larger picture. Sri Manoj Bhattacharya (MP) from RSP voiced his concerns of the UID, and emphasized that by giving an individual a number which acts as their fundamental identity which they use to function in society, the government in fact is eroding an individual’s actual identity, and that is an invasion of privacy. Sri Nilotpal Basu (MP) from CPI (M) spoke out strongly against the UID, voicing that his greatest concern with the UID is that it will be a way for corporate bodies to target individuals as consumers, and that privacy legislation could be used as a way for corporate bodies to hide from the public eye.

Conclusion

In the concluding session the floor was opened up to the public for questions and opinion sharing. Many participants shared what they believed needed to be included in privacy legislation, and what issues a privacy legislation needs to address. A few of these include: privacy rights and the media, privacy and the right to information, the privacy rights of minorities, and the privacy rights of the government. Also types of regulatory models for privacy were discussed. For instance, should privacy in India be represented and protected through a data protection law, or should privacy be seen as a fundamental right to privacy? Should privacy be represented through a broad framework, or through sector specific statutes? What should the redressal and enforcement mechanisms look like?

As seen from the presentations and the comments at the conference one thing which is clear is that privacy is an issue that concerns every person in India. Over the next six months Privacy India will be conducting ten more conferences in different Indian cities to engage the public in dialogues of privacy and raise awareness around the issues of privacy. The next workshop will be held on 5 February 2011 in Bangalore.

Download the conference summary here

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary

Privacy Matters — Analyzing the Right to "Privacy Bill"

natasha — 2012-02-15T04:27:28Z

On January 21, 2012 a public conference “Privacy Matters” was held at the Indian Institute of Technology in Mumbai. It was the sixth conference organised in the series of regional consultations held as “Privacy Matters”. The present conference analyzed the Draft Privacy Bill and the participants discussed the challenges and concerns of privacy in India.

The conference was organized by Privacy India in partnership with the Centre for Internet & Society, International Development Research Centre, Indian Institute of Technology, Bombay, the Godrej Culture Lab and Tata Institute of Social Sciences. Participants included a wide range of stakeholders that included the civil society, NGO representatives, consumer activists, students, educators, local press, and advocates.

Comments to the Right to Privacy Bill

Welcome

Prashant Iyengar was the Lead Researcher with Privacy India, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the five “Privacy Matters” series previously organised across India in Kolkata on January 23, 2011, in Bangalore on February 5, 2011, in Ahmedabad on March 26, 2011, in Guwahati on June 23, 2011 and in Chennai on August 6, 2011.

Keynote Address

Na. Vijayashankar (popularly known as Naavi), a Bangalore based e-business consultant, delivered the key note address on the quest of a good privacy law in India.

He described the essential features of good privacy legislation. In analyzing the Draft Privacy Bill’s definition of the right to privacy, he suggested it should be defined through the “right to personal liberty” rather than through what constitutes “infringements”. Mr. Vijayashankar went on to explain that the “privacy right” should be taken beyond “information protection” and defined as a “personal privacy or a sense of personal liberty without constraints by the society”. He explained the various classifications and levels of protection associated with the availability and disclosure of data. He expressed concerns regarding monitoring of data processors and suggested that data controllers have contractual agreements between data processors, so as to ensure an obligation of data security practices. He also called for the simplification and division of offences and suggested numerous reasons as to why the Cyber Appellate Tribunal would not be an ideal monitoring mechanism or authority. See Naavi's presenation here

Session I: Privacy and the Legal System

Dr. Sudhir Krishnaswamy, Assistant Professor at the National Law School of India

Dr. Krishnaswamy started off the presentation by questioning the normative assumptions the Draft Privacy Bill makes. He referred to the controversy of Newt Gingrich's second marriage, to question the range of moral interests that were involved. The Bill falls short in accounting for dignity in relation to privacy.

He described the Draft Privacy Bill as a reasonable advance, given where privacy laws were before. Although, he feels that it does fall short, in terms of a narrow position, on what privacy law should do. He also questioned if it satisfies constitutional standards. He stressed the importance of philosophical work around the Draft Privacy Bill considering that the nature of privacy is not neat and over-arching.

Privacy and the Constitutional Law

N S Nappinai, Advocate, High Court, Mumbai,

Nappinai spoke on the constitutional right to privacy. She explained the substantial development of Article 21 of the Constitution of India to include the ‘right to privacy’ with regards to its interpretation and application. She described the different shift of the application of the right to privacy in the West in comparison to India. The West has moved from the right to privacy pertaining to property to the right to privacy concerning personal rights, whereas India moved from personal rights to property rights. She outlined three aspects of privacy: dignity, liberty and property rights.

Ms. Nappinai dissected the Bill in its major components: interception, surveillance, method and manner of personal data, health information, collection, processing and use of personal data. Using these components, she questioned what precedence exists? What should be further protected or reversed? What lessons should legislators draw from?

Shortcomings of the Draft Right to Privacy Bill falls include:

The objects and reasons section in the Draft Privacy Bill declares the right to privacy to every citizen as well as delineates the collection and dissemination of data. Nappinai dismisses the need for this delineation on the grounds that data protection is an inherent part of the right to privacy, it is not exclusive.
Large focus on transmission of data. The provisions do not account for property rights pertaining to the right to privacy. Therefore, the ‘knock-and-enter’ rule, the ‘right to be left alone’ and the ‘right to happiness’ should be included.
Applicability of the Bill should extend to all persons as well as data residing within the territory. It would be self-defeating if it only includes citizens, considering that the Constitution extends to all persons within the territory.
The right to dignity is unaccounted for.

See Nappinai's presentation here

Session II: Privacy and Freedom of Expression

Apar Gupta, Advocate, Delhi

Apar Gupta is an advocate based in Delhi who specializes in IP and electronic commerce law, spoke predominantly on the interplay between privacy and freedom of expression. He used the example of an advocate tweeting about his criticism of a judges’ ruling, to illustrate how different realms of online anonymity enable freedom of speech. He went beyond the traditional realm of journalistic architecture such as television channels or newspapers and explained online community disclosure.

Mr. Gupta provided a practical example of Indian Kanoon, a popular online database of Indian court decisions. Because Indian Kanoon is linked to the Google search engine, many individuals involved in civil and criminal matters have requested Indian Kanoon to remove the court judgments, under privacy claims. This particularly occurs with individuals involved in matrimonial cases. However, as court judgment constitute public records India Kanoon only removes court judgments when requested by a court order.

He described the several ways legislators can define privacy and freedom of expression. Considering that the privacy of an individual may border upon freedom of speech and expression, he questioned whether or not privacy should override the right to freedom of speech and expression. In addition, Mr. Gupta discussed the debate on whether or not the Privacy Bill should override all existing provisions in other laws.

Additionally, he analyzed the provisions of the Draft Privacy Bill using three judgments. In these judgments, different entities sought of various forms of speech to be blocked under privacy claims. He spoke about the dangers of a statutory right for privacy that does not safeguard freedom of speech and expression. Considering that the privacy statute may allow for a form of civil action permitting private parties to approach courts to stop certain publications, he stressed the importance for legislators to ensure balanced privacy legislation inclusive of freedom of speech and expression.

Sexual Minorities and Privacy

Danish Sheikh, researcher at Alternative Law Forum

Danish examined the status of sexual minorities in the light of privacy framework in India. The tag of decriminalization has served to greatly alter the way institutions approach the question of privacy when it comes to sexual minorities. He used the Naz Foundation judgment as a chronological marker to map the developments in the right to privacy and sexual minorities over the years.

He outlined four key effects on the right to privacy due to the Naz Foundation judgment:

Prepared the understanding of privacy as a positive right and placed obligations on the state,
Discussed privacy as dealing with persons and not just places, it took into account decisional privacy as well as zonal privacy,
Connected privacy with dignity and the valuable worth of individuals, and
Included privacy on one’s autonomous identity.

He described various incidents that took place before the Naz Foundation judgment, pre-Naz, that altered the way we conceived of queer rights in general and privacy in particular, including the Lucknow incidents, transgender toilets, passport forms, the medical establishment and lesbian unions. Post-Naz, he described two incidents including the Allahabad Muslim University sting operation as well as the TV9 “Expose” that captured public imagination.

He concluded by asking: “What do these stories tell us about privacy?” The issues faced by the transgender community tell us that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers. The issues faced by the Lucknow NGOs display the institutionalized disrespect for privacy and that has marginally more devastating consequences for the homosexual community by the spectre of outing. The issues faced by lesbian women evidence yet another need for breaching the public/private divide, demonstrating how the protection of the law might be welcome in the family sphere. Alternate sexual orientation and gender identity might bring the community under a common rubric, but distilling the components of that rubric is essential for engaging in any kind of useful understanding of the community and the kind of privacy violations it suffers – or engage with situations when the lack of privacy is empowering.

Session III: Privacy and National Security

Menaka Guruswamy, Advocate, Supreme Court of India

Menaka explored national security and its relationship to privacy. In her presentation, she compared the similar manner in which the courts approach national security and privacy issues. The courts feel national security and privacy issues are too complex to define, therefore, they take a case-by-case approach.

Ms. Guruswamy described three incidents that urged her to question national security and privacy. First, she was interested in the lack of regulation surrounding intelligence agencies and was involved in the introduction of the Regulations of Intelligence Agencies Bill as a private members bill. Second, national security litigation between the Salwa Judum judgment and the State of Chhattisgarh is an example of how national security triumphs constitutional rights and values. Third, privacy in the context of the impending litigation of Naz Foundation in the Supreme Court. She described the larger conversation of national security focus on values of equality and privacy. She discussed the following questions that serve in advancing certain conception of rights:

How do we posit privacy which necessarily, philosophically as well as judicially, is carved out as the right of an individual to be left alone?
What are the consequences when national security, which is posited as the rights of the nation, is in conflict with the right of the individual to be left alone?
Considering that constitutional rights are posited as a public facet of citizenship how does a right to privacy play in that context?

Privacy and UID

R. Ramakumar, professor at the Tata Institute of Social Sciences

Prof. Ramakumar spoke on UID, its collection of information and the threat to individual privacy. First, he provided a historical trajectory of national security that has led to increased identity card schemes. He described the concrete connection between UID and national security.

He briefed the gathering on the objectives of the UID project. He described several false claims as proposed by the UIDAI. He explicitly disproved the UIDAI claim that Aadhaar is voluntary. He did this by comparing various legislations associated with the National Population Registrar that had provisions mandating the inclusion of the UID number.

He went on to explain that the misplaced emphasis of technology to handle large populations remains unproven. He described two specific violations of privacy inherent in the UID system: convergence of information and consent. The UID database makes it possible for the linking or convergence of information across silos. In addition, consent is unaccounted for in the UID system. The UID enrollment form requires consent from a person to share their information. However, the software of the enrollment form automatically checks ‘yes’, therefore you are not asked. Even if you disagree, it automatically checks ‘yes’. Default consent raises the important question, “to what extent are we the owners of our information?” and “what are the privacy implications?”

Mr. Ramakumar was once asked, by Yashwant Sinha in a Parliamentary Standing Committee meeting, “Is the Western concept of privacy important in developing country like India?”. Using this question posed to him, he stressed the importance of privacy to be understood as a globally valued right, entitlement and freedom. He also referred to Amartya Sen’s work on individual freedoms.

Conclusion

During the daylong consultation numerous questions and themes relating to privacy were discussed:

How is the right to privacy defined?
How can the Draft Privacy Bill redefine the right to privacy?
How can reasonable deterrence mechanisms be included?
Does duplication of the right to privacy exists in different statutes?
Is the Cyber Appellate Tribunal an ideal monitoring mechanism or authority?
What are the circumstances under which authorized persons can exercise the Right of privacy invasion?
How can the Draft Privacy Bill account for the right to dignity?
How much information should the State be allowed to collect?
How can citizens become more informed about the use of their information and the privacy implications involved?
What would be the appropriate balance or trade-off between security and civil liberties?
What are the dangers with permitting the needs of national security to trump competing values?
What are the consequences for the homosexual community, when faced with institutionalized disregard for privacy?

For more details visit https://cis-india.org/internet-governance/privacy-matters-analyzing-the-right-to-privacy-bill

Privacy in Healthcare: Policy Guide

tanvi — 2014-08-31T15:18:12Z

The Health Policy Guide seeks to understand what are the legal regulations governing data flow in the health sector — particularly hospitals, and how are these regulations implemented. Towards this objective, the research reviews data practices in a variety of public and private hospitals and diagnostics labs. The research is based on legislation, case law, publicly available documents, and anonymous interviews.

Click to download the PDF (320 Kb)

Introduction

To this date, there exists no universally acceptable definition of the right to privacy. It is a continuously evolving concept whose nature and extent is largely context driven. There are numerous aspects to the right to privacy, each different from the other in terms of the circumstance in which it is invoked. Bodily privacy however, is to date, the most guarded facet of this vastly expansive right. The privacy over one’s own body including the organs, genetic material and biological functions that make up one’s health is an inherent right that does not; as in the case of other forms of privacy such as communication or transactional privacy, emanate from the State. It is a right that has its foundations in the Natural Law conceptions of The Right to Life, which although regulated by the State can at no point be taken away by it except under extreme circumstances of a superseding Right to Life of a larger number of people.

The deliberation leading to the construction of a universally applicable Right to Privacy has up until now however only been in terms of its interpretation as an extension of the Fundamental Right to Life and Liberty as guaranteed under Article 21 as well as the freedom of expression and movement under Articles 19(1)(a) and (b) of the Constitution of India. While this may be a valid interpretation, it narrows the ambit of the right as one that can only be exercised against the State. The Right to privacy however has much larger implications in spheres that are often removed from the State. There is thus an impending need to create an efficient and durable structure of Law and policy that regulates the protection of privacy in Institutions that may not always be agents of the State.

It is in this regard that the following analysis studies the existing conceptions of privacy in the Healthcare sector. It aims to study the existing mechanisms of privacy protection and their pragmatic application in everyday practices. Further, it determines definitive policy gaps in the existing framework and endeavors to provide effective recommendations to not only redress these shortcomings but also create a system that is efficient in its fulfillment of the larger objective of the actualization of the Right to Privacy at an individual, state and institutional level.

Purpose

The purpose of this research study is to formulate a comprehensive guide that maps the synthesis, structure and implementation of privacy regulations within the healthcare sector in India. It traces the domestic legislation pertaining to various aspects of the healthcare sector and the specific provisions of the law that facilitate the protection of the privacy of individuals who furnish their personal information as well as genetic material to institutions of healthcare, either for the purpose of seeking treatment or to contribute to research studies. It is however imperative that the nature and extent of the information collected be restricted through the establishment of requisite safeguards at an institutional level that percolate down to everyday practices of data collection, handling and storage within healthcare institutions. The study thus aims to collate the existing systems of privacy protection in the form of laws, regulations and guidelines and compare these with actual practices in government and private hospitals and diagnostic laboratories to determine whether these laws are in fact effective in meeting the required standards of privacy protection. Further, the study also broadly looks at International practices of privacy protection and offers recommendations to better the existing mechanisms of delimiting unnecessary intrusions on the privacy of patients.

Importance

The Indian Healthcare sector although at par with international standards in its methods of diagnosis, treatment and the use of contemporary technology, is still nascent in the nature and extent of its interaction with the Law. There are a number of aspects of healthcare that lie on the somewhat blurred line between the interest of the public and the sole right of the individual seeking treatment. One such aspect is the slowly evolving right to privacy. The numerous facets of this right have come to the fore largely through unique case laws that are reflective of a dynamic social structure, one that seeks to reconcile the socio economic rights that once governed society with individual interests that it has slowly come to realize. The right of an individual to disclose the nature of his disease, the liberty of a woman not to be compelled to undergo a blood test, the bodily autonomy to decide to bear children or not, the decisional privacy with regards to the termination of a pregnancy and the custodial rights of two individuals to their child are certain contentious aspects of healthcare that have constructed the porous interface between the right to privacy and the need for medical treatment. It is in this context that this study aims to delve into the existing basic structure of domestic legislation, case laws and regulations and their subsequent application in order to determine important gaps in the formulation of Law and Policy. The study thus aims to draw relevant conclusions to fill these gaps through recommendations sourced from international best practice in order to construct a broad framework upon which one can base future policy considerations and amendments to the existing law.

Methodology

This research study was undertaken in two major parts. The first part assesses domestic legislation and its efficacy in the current context. This is done through the determination of relevant provisions within the Act that are in consonance with the broader privacy principles as highlighted in the A.P Shah Committee report on Privacy Protection[1]. This part of the research paper is based on secondary sources, both in terms of books as well as online resources. The second part of the paper analyses the actual practices with regard to the assimilation, organization, use and storage of personal data as practiced in Government and Private hospitals and Diagnostic laboratories. Three Private hospitals, a prominent Government hospital and a Diagnostic laboratory were taken into consideration for this study. The information was provided by the concerned personnel at the medical records department of these institutions of healthcare through a survey conducted on the condition of anonymity. The information provided was analyzed and collated in accordance with the compliance of the practices of these institutions with the Principles of privacy envisioned in the Report of the Group of Experts on Privacy.

The Embodiment of Privacy Regulation within Domestic Legislation

This section of the study analyses the viability of an approach that takes into account the efficacy of domestic legislation in regulating practices pertaining to the privacy of individuals in the healthcare sector. This approach perceives the letter and spirit of the law as the foundational structure upon which internal practices, self regulation and the effective implementation of policy considerations that aim to create an atmosphere of effective privacy regulation take shape, within institutions that offer healthcare services. To this effect, domestic legislationthat provides for the protection of a patient’s privacy has been examined. The law has been further studied with respect to its tendency to percolate into the everyday practices, regulations and guidelines that private and government hospitals adhere to. The extent of its permeation into actual practice; in light of its efficacy in fulfilling the perambulatory objectives of ensuring safe and unobtrusive practices,within the construct of which a patient is allowed to recover and seek treatment, has also been examined.

The term ‘Privacy’ is used in a multitude of domestic legislations primarily in the context of the foundation of the fiduciary relationship between a doctor and a patient.This fiduciary relationship emanates from a reasonable expectation of mutual trust between the doctor and his patients and is established through the Indian Medical Council Act of 1952, specifically section 20(A) of the Act which lays down the code of ethics which a doctor must adhere to at all times. Privacy within the healthcare sector includes a number of aspects including but not limited to informational privacy (e.g., confidentiality, anonymity, secrecy and data security); physical privacy (e.g., modesty and bodily integrity); associational privacy (e.g. intimate sharing of death, illness and recovery); proprietary privacy (e.g., self-ownership and control over personal identifiers, genetic data, and body tissues); and decisional privacy (e.g., autonomy and choice in medical decision-making).

Privacy Violations stem from policy and information gaps: Violations in the healthcare sector that stem from policy formulation as well and implementation gaps[2] include the disclosure of personal health information to third parties without consent, inadequate notification to a patient of a data breach, unlimited or unnecessary collection of personal health data, collection of personal health data that is not accurate or relevant, the purpose of collecting data is not specified, refusal to provide medical records upon request by client, provision of personal health data to public health, research, and commercial uses without de-identification of data and improper security standards, storage and disposal. The disclosure of personal health information has the potential to be embarrassing, stigmatizing or discriminatory.[3] Furthermore, various goods such as employment, life, and medical insurance, could be placed at risk [4]if the flow of medical information were not restricted. ^{^[5]}

Disclosure of personal health information is permitted and does not amount to a violation of privacy in the following situations: 1) during referral, 2) when demanded by the court or by the police on a written requisition, 3) when demanded by insurance companies as provided by the Insurance Act when the patient has relinquished his rights on taking the insurance, and 4) when required for specific provisions of workmen's compensation cases, consumer protection cases, or for income tax authorities,^{^[6]} 5) disease registration, 6) communicable disease investigations, 7) vaccination studies, or 8) drug adverse event reporting. ^{^[7]}

The following domestic legislations have been studied and relevant provisions of the Act have been accentuated in order to analyse their compliance with the basic principles of privacy as laid out in the A.P Shah Committee report on Privacy.

Mental Health Act, 1987[8]
The Provisions under the Act pertaining to the protection of privacy of the patient have been examined. The principles embodied within the Act include aspects of the Law that determine the nature and extent of oversight exercised by the relevant authorities over the collection of information, the limitation on the collection of data and the restrictions on the disclosure of the data collected. The principle of oversight is embodied under the legislation within the provisions that allow for the inspection of records in psychiatric hospitals and nursing homes only by officers authorized by the State Government.^{^[9]} The limitation on the Collection of information is imposed by the Inspection of living conditionsby a psychiatrist and two social workers are on a monthly basis. This would include analyzing the living condition of every patient and the administrative processes of the psychiatric hospital and/or psychiatric nursing home. ^{^[10]}Additionally, Visitors must maintain a book regarding their observations and remarks.^{^[11]} Medical certificates may be issued by a doctor, containing information regarding the nature and degree of the mental disorder as reasons for the detention of a person in a psychiatric hospital or psychiatric nursing home. ^{^[12]}Lastly, the disclosure of personal records of any facility under this Act by inspecting officers is prohibited^{^[13]}

Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994 ^{^[14]}
The Act was instituted in light of a prevalent public interest consideration of preventing female foeticide. However, it is imperative that the provision of the Act remain just shy of unnecessarily intrusive techniques and do not violate the basic human requirement of privacy in an inherently personal sphere. The procedure that a mother has to follow in order to avail of pre-natal diagnostic testing is mandatory consent of age, abortion history and family history. These conditions require a woman to reveal sensitive information concerning family history of mental retardation or physical deformities.[15] Aspecial concern for privacy and confidentiality should be exercised with regards to disclosure of genetic information. [16]

Medical Termination of Pregnancy Act, 1971 ^{^[17]}
Although, the right to an abortion is afforded to a woman within the construct of her inherent right to bodily privacy, decisional privacy (for e.g., autonomy and choice in medical decision-making) is not afforded to patients and their families with regards to determining the sex of the baby. The sections of the Act that have been examined lay down the provisions available within the Act to facilitate the protection of a woman’s right to privacy during the possible termination of a pregnancy. These include the principles pertaining to the choice and consent of the patient to undergo the procedure, a limit on the amount of information that can be collected from the patient, the prevention of disclosure of sensitive information and the security measures in place to prevent the unauthorized access to this information. The Medical Termination of Pregnancy Regulations, 2003 supplement the Act and provide relevant restrictions within every day practices of data collection use and storage in order to protect the privacy of patients. The Act mandates Written Consent of the patient in order to facilitate an abortion .Consent implies that the patient is aware of all her options, has been counselled about the procedure, the risks and post-abortion care.[18]. The Act prohibits the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the State. [19]The Register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the last entry.[20] The Act also emphasizes upon the security of information collected. The medical practitioner assigns a serial number for the woman terminating her pregnancy.[21]Additionally, the admission register is stored in safe custody of the head of the hospital. [22]

Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (Code of Ethics Regulations, 2002)
The Medical Council of India (MCI) Code of Ethics Regulations^{^[23]} sets the professional standards for medical practice. These provisions regulate the nature and extent of doctor patient confidentiality. It also establishes universally recognized norms pertaining to consent to a particular medical procedure and sets the institutionally acceptable limit for intrusive procedure or gathering excessively personal information when it is not mandatorily required for the said procedure. The provisions addressed under these regulations pertain to the Security of the information collected by medical practitioners and the nature of doctor patient confidentiality.

Physicians are obliged to protect the confidentiality of patients⁵during all stages of the procedure and with regard to all aspects of the information provided by the patient to the doctor, includinginformation relating to their personal and domestic lives. ^{^[24]}The only exception to this mandate of confidentiality is if the law requires the revelation of certain information, or if there is a serious and identifiable risk to a specific person and / or community ofa notifiable disease.

Ethical Guidelines for Biomedical Research on Human Subjects [25]
The provisions for the regulation of privacy pertaining to biomedical research include aspects of consent as well as a limitation on the information that may be collected and its subsequent use. The provisions of this act aim to regulate the protection of privacy during clinical trials and during other methods of research. The principal of informed consent is an integral part of this set of guidelines. ThePrivacy related information included in the participant/ patient information sheet includes: the choice to prevent the use of their biological sample, the extent to which confidentiality of records could be maintained and the consequences of breach of confidentiality, possible current and future uses of the biological material and of the data to be generated from the research and if the material is likely to be used for secondary purposes or would be shared with others, the risk of discovery of biologically sensitive information and publications, including photographs and pedigree charts.[26] The Guidelines require special concern for privacy and confidentiality when conducting genetic family studies. [27]The protection of privacy and maintenance of confidentiality, specifically surrounding the identity and records, is maintained whenusing the information or genetic material provided by participants for research purposes. ^{^[28]}The Guidelines require investigators to maintain confidentiality of epidemiological data due to the particular concern that some population based data may also have implications on issues like national security or public safety.[29]All documentation and communication of the Institutional Ethics Committee (IEC) must be dated, filed and preserved according to the written procedures.Data of individual participants can be disclosed in a court of law under the orders of the presiding judge, if there is a threat to a person’s life, communication to the drug registration authority regarding cases of severe adverse reaction and communication to the health authority if there is risk to public health.[30]

Insurance Regulatory and Development Authority (Third Party Administrators) Health Services Regulations, 2001
The provisions of the Act that have been addressed within the scope of the study regulate the practices of third party administrators within the healthcare sector so as to ensure their compliance with the basic principles of privacy.An exception to the maintenance and confidentiality of information confidentiality clause in the code of conduct, requires TPAs to provide relevant information to any Court of Law/Tribunal, the Government, or the Authority in the case of any investigation carried out or proposed to be carried out by the Authority against the insurance company, TPA or any other person or for any other reason.[31]In July 2010, the IRDA notified theInsurance Regulatory and Development Authority (Sharing of Database for Distribution of Insurance Products) Regulations [32]. These regulations restrict referral companies from providing details of their customers without their prior consent.[33]TPAs must maintain the confidentiality of the data collected by it in the course of its agreement and maintain proper records of all transactions carried out by it on behalf of an insurance company and are also required to refrain from trading information and the records of its business[34].TPA’s must keep records for a period of not less than three years.[35]

IDRA Guidelines on Outsourcing of Activities by Insurance Companies [36]
These guidelines require the insurer to take appropriate steps that require third party service providers protect confidential information of both the Insurer and its clients from intentional or inadvertent disclosure to unauthorized persons.[37]

Exceptions to the Protection of Privacy
The legal provisions with regard to privacy, confidentiality and secrecy are often superseded by Public Interest Considerations. The right to privacy, although recognized in the course of Indian jurisprudence and embodied within domestic legislation is often overruled prima facie when faced with situations or instances that involve a larger interest of a greater number of people. This policy is in keeping with India’s policy goals as a social welfare state to aid in the effectuation of its utilitarian ideals. This does not allow individual interest to at any point surpass the interest of the masses.

Epidemic Diseases Act, 1897 [38]
Implicit within this formulation of this Act is the assumption that in the case of infectious diseases, the right to privacy, of infected individuals must give way to the overriding interest of protecting public health.[39] This can be ascertained not only from the black letter of the Law but also from its spirit. Thus, in the absolute positivist as well as a more liberal interpretation, at the crux of the legislation lies the undeniable fundamental covenant of the preservation of public health, even at the cost of the privacy of a select few individuals [40].

Policy and Regulations

National Policy for Persons with Disabilities, 2006[41]
The following provisions of the Act provide for the incorporation of privacy considerations in prevalent practices with regard to persons with disabilities. The National Sample Survey Organization collects the following information on persons with disabilities: the socio- economic and cultural context, cause of disabilities, early childhood education methodologies and all matters connected with disabilities, at least once in five years.[42]This data is collected by non-medical investigators. [43]There is thus an inherent limit on the information collected. Additionally, this information is used only for the purpose for which it has been collected.

The Special Employment Exchange, as established under The Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995 Act, collects and furnishes information in registers, regarding provisions for employment. Access to such data is limited to any person who is authorized by the Special Employment Exchange as well as persons authorized by general or special order by the Government, to access, inspect, question and copy any relevant record, document or information in the possession of any establishment. [44] When conducting research on persons with disabilities consent is required from the individual or their family members or caregivers.[45]

HIV Interventions
In 1992, the Government of India instituted the National AIDS Control Organization (NACO) for the prevention and control of AIDS. NACO aims to control the spread of HIV in India through the implementation of Targeted Interventions (TIs) for most at risk populations (MARPs) primarily, sex workers, men having sex with men and people who inject drugs.[46]The Targeted Interventions (TIs) system of testing under this organization has however raised numerous concerns about relevant policy gaps in the maintenance of the confidentiality and privacy of persons living with HIV/ AIDS. The shortcomings in the existing policy framework include: The Lack of a limitation and subsequent confidentiality in the amount of Information collected. Project staff inTIsrecordthe name, address and other contact information of MARPs and share this data with Technical Support Unit and State AIDS Control Societies.[47] Proof of address and identity documents are required to get enrolled in government ART programs.[48]Peer-educators operate under a system known as line-listing, used to make referrals and conduct follow-ups. Peer-educators have to follow-up with those who have not gone at regular intervals for testing. [49] This practice can result in peer-educators noticing and concluding that the names missing are those who have tested positive. [50] Although voluntary in nature, the policy encourage the fulfillment of fulfilling of numerical targets, and in doing so supports unethical ways of testing.[51]

The right to privacy is an essential requirement for persons living with HIV/AIDS due to the potential stigmatizing and discriminatory impact of the revelation of this sensitive information, in any form.[52] The lack of privacy rights often fuels the spread of the disease and exacerbates its impact on high risk communities of individuals. Fears emanating from a privacy breach or a disclosure of data often deter people from getting tested and seeking medical care. The impact of such disclosure of sensitive information including the revelation of tests results to individuals other than the person being tested include low self esteem, fear of loss of support from family/peers, loss of earnings especially for female and transgender sex workers, fear of incrimination for illicit sex/drug use and the insensitivity of counselors. [53]HIV positive individualslive in constant fear of their positive status being leaked. They also shy away from treatment as they fear people might see them taking their medicines and thereby guess their status. Thus breaches in confidentiality and policy gaps in privacy regulation, especially with respect to diseases such as HIV also prevents people from seeking out treatment. [54]

Case Law

The following cases have been used to deliberate upon important points of contention within the ambit of the implementation and impact of Privacy Regulationsin the healthcare sector. This includes the nature and extent of privacy enjoyed by the patient and instances where in the privacy of the patient can be compromised in light of public interest considerations.

Mr. Surupsingh Hrya Naik vs. State of Maharashtra ,[55] (2007)

The decision in this case held that The RTI Act 2005 would supersede The Medical Council Code of Ethics. The health records of an individual in judicial custody should be made available under the Act and can only be denied in exceptional cases, for valid reasons.

Since the Code of Ethics Regulations are only delegated legislation, it was held in the case of Mr. SurupsinghHrya Naik v.State Of Maharashtra[56] that these would not prevail over the Right to Information Act, 2005 (RTI Act) unless the information sought falls under the exceptions contained in Section 8 of the RTI Act. This case dealt with the important point of contention of whether making the health records public under the RTI Act would constitute a violation of the right to privacy. These health records were required to determine why the convict in question was allowed to stay in a hospital as opposed to prison. In this context the Bombay High Court held thatThe Right to Information Act supersedes the regulation that mandate the confidentiality od a person, or in this case a convict’s medical records. It was held that the medical records of a a person sentenced or convicted or remanded to police or judicial custody, if during that period such person is admitted in hospital and nursing home, should be made available to the person asking the information provided such hospital nursing home is maintained by the State or Public Authority or any other Public Body. It is only in rare and in exceptional cases and for good and valid reasons recorded in writing can the information may be denied.

Radiological & Imaging Association v. Union of India ,^{^[57]} (2011)
On 14 January 2011 a circular was issued by the Collector and District Magistrate, Kolhapur requiring the Radiologists and Sonologists to submit an on-line form “F” under the PNDT Rules. This was challenged by the Radiological and Imaging Association, inter alia, on the ground that it violates the privacy of their patients. Deciding the above issue the Bombay High Court held that .The images stored in the silent observer are not transmitted on-line to any server and thus remain embedded in the ultra-sound machine. Further, the silent observer is to be opened only on request of the Collector/ the civil surgeonin the presence of the concerned radiologist/sonologist/doctor incharge of the Ultra-sound Clinic. In light of these considerations and the fact that the `F' form submitted on-line is submitted only to the Collector and District Magistrate is no violation of the doctor's duty of confidentiality or the patient's right to privacy. It was further observed that The contours of the right to privacy must be circumscribed by the compelling public interest flowing through each and every provision of the PC&PNDT Act, when read in the background of the following figures of declining sex ratio in the last five decades.

The use of a Silent Observer system on a sonograph has requisite safeguards and doesn’t violate privacy rights. The declining sex ratio of the country was considered a compelling public Interest that could supersede the right to privacy.

Smt. Selvi and Ors. v.State of Karnataka (2010)
The Supreme Court held that involuntary subjection of a person to narco analysis, polygraph test and brain-mapping violates the ‘right against self-incrimination' which finds its place in Article 20(3)[58] of the Constitution. [59] The court also found that narco analysis violated individuals’ right to privacy by intruding into a “subject’s mental privacy,” denying an opportunity to choose whether to speak or remain silent, and physically restraining a subject to the location of the tests and amounted to cruel, inhuman or degrading treatment.[60]

The Supreme Court found that Narco-analysis violated an individuals’ right to privacy by intruding into a “subject’s mental privacy,” denying an opportunity to choose whether to speak or remain silent.

Neera Mathur v. Life Insurance Corporation (LIC),[61] (1991)
In this casethe plaintiff contested a wrongful termination after she availed of maternity leave. LIC required women applicants to furnish personal details like their menstrual cycles, conceptions, pregnancies, etc. at the time of appointment. Such a requirement was held to go against the modesty and self respect of women. The Court held that termination was only because of disclosures in application, which was held to be intrusive, embarrassing and humiliating. LIC was directed to delete such questions.

The Court did not refer to the term privacy however it used the term personal details as well as modesty and self respect, but did not specifically link them to the right to life or any other fundamental right. These terms (modesty and self respect) are usually not connected to privacy but although they may be the harm which comes from an intrusion of one’s privacy.

The Supreme Court held that Questions related to an individual’s reproductive issues are personal details and should not be asked in the service application forms.

Ms. X vs. Mr. Z &Anr ,[62] (2001)
In this case, the Delhi High Court held that an aborted foetus was not a part of the body of a woman and allowed the DNA test of the aborted foetus at the instance of the husband. The application for a DNA test of the foetus was contested by the wife on the ground of “Right to Privacy”.7In this regard the court held that The Supreme Court had previously decided that a party may be directed to provide blood as a DNA sample but cannot be compelled to do so. The Court may only draw an adverse interference against such party who refuses to follow the direction of the Court in this respect.The position of the court in this case was that the claim that the preservation of a foetus in the laboratory of the All India Institute of Medical Science, violates the petitioner’s right to privacy, cannot be entertained as the foetus had been voluntarily discharges from her body previously, with her consent. The foetus, that she herself has dischargedis claimed to be subjected to DNA test. Thus, in light of the particular facts and the context of the case, it was held that petitioner does not have any right of privacy.

A woman’s right to privacy does not extend to a foetus, which is no longer a part of her body. The right to privacy may arise from a contract as well as a specific relationship, including a marital relationship. The principle in this case has been laid down in broad enough terms that it may be applied to other body parts which have been disassociated from the body of the individual.

It is important to note here that the fact that the Court is relying upon the principles laid down in the case of R. Rajagopal seems to suggest that the Court is treating organic tissue preserved in a public hospital in the same manner as it would treat a public document, insofar as the exception to the right to privacy is concerned.

B.K Parthasarthi vs. Government of Andhra Pradesh ,[63] (1999)
In this case, the Andhra Pradesh High Court was to decide the validity of a provision in the Andhra Pradesh Panchayat Raj Act, 1994 which stipulated that any person having more than two children should be disqualified from contesting elections. This clause was challenged on a number of grounds including the ground that it violated the right to privacy. The Court, in deciding upon the right to privacy and the right to reproductive autonomy, held thatThe impugned provision, i.eSection 19(3) of the said Act does not compel directly anyone to stop procreation, but only disqualifies any person who is otherwise eligible to seek election to various public offices coming within the ambit of the Andhra Pradesh Panchayat Raj Act, 1994 or declares such persons who have already been holding such offices to be disqualified from continuing in such offices if they procreate more than two children.Therefore, the submission made on behalf of the petitioners 'right to privacy' is infringed, is untenable and must be rejected.”

Mr. X v. Hospital Z, Supreme Court of India ,[64] (1998 and 2002)
The petitioner was engaged to be married and thereafter during tests for some other illness in the hospital it was found that the petitioner was HIV positive. This information was released by the doctor to the petitioner’s family and through them to the family of the girl to whom the petitioner was engaged, all without the consent of the petitioner. The Court held that:

“The Right to privacy is not treated as absolute and is subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedoms of others.”

Right to privacy and is subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedoms of others.

This decision of this case could be interpreted to extend the principle, of disclosure to the person at risk, to other communicable and life threatening diseases as well. However, a positivist interpretation would render these principle applicable to only to HIV+ cases.

M. Vijaya v. Chairman and Managing Director, Singareni Collieries Co. Ltd. [65] (2001)
The petitioner alleged that she had contracted the HIV virus due to the negligence of the authorities of Maternity and Family Welfare Hospital, Godavarikhani, a hospital under the control of Singareni Collieries Company Ltd., (SCCL), in conducting relevant precautionary blood tests before transfusion of blood of her brother (donor) into her body when she was operated for hysterectomy (Chronic Cervicitis) at the hospital. The petition was initially filed as a Public Interest Litigation,which the court duly expanded in order to address the problem of the lack of adequate precautionary measures in hospitals, thereby also dealing with issues of medical confidentiality and privacy of HIV patients. The court thus deliberated upon the conflict between the right to privacy of an HIV infected person and the duty of the state to prevent further transmission and held:

In the interests of the general public, it is necessary for the State to identify HIV positive cases and any action taken in that regard cannot be termed as unconstitutional. As under Article 47 of the Constitution, the State was under an obligation to take all steps for the improvement of the public health. A law designed to achieve this object, if fair and reasonable, in our opinion, will not be in breach of Article 21 of the Constitution of India

The right of reproductive autonomy is a component of the right to privacy .A provision disqualifying a person from standing for elections due to the number of children had, does not violate the right to privacy as the object of the legislation is not to violate the autonomy of an individual but to mitigate the population growth in the country. Measures to control population growth shall be considered legal unless they impermissibly violate a fundamental right.

However, another aspect of the matter is whether compelling a person to take HIV test amounts to denying the right to privacy? The Court analyzed the existing domestic legislation to arrive at the conclusion that there is no general law that can compel a person to undergo an HIV-AIDS test. However, specific provisions under the Prison Laws[66]

provide that as soon as a prisoner is admitted to prison, he is required to be examined medically and the record of prisoner's health is to be maintained in a register. Further, Under the ITP Act, the sex workers can also be compelled to undergo HIV/ AIDS test.[67]

Additionally, under Sections 269 and 270 of the Indian Penal Code, 1860, a person can be punished for negligent act of spreading infectious diseases.

The right to privacy of a person suspected to be HIV+ would be subordinate to the power and duty of the state to identify HIV+ patients in order to protect public interest and improve public health. However any law designed to achieve this object must be fair and reasonable. In a conflict between the individual’s privacy right and the public’s right in dealing with the cases of HIV-AIDS, the Roman Law principle 'SalusPopuliestSuprema' (regard for the public wealth is the highest law) applies when there is a necessity.

After mapping legislation that permit the invasion of bodily privacy, the Court concluded that they are not comprehensive enough to enable the State to collect information regarding patients of HIV/AIDS and devise appropriate strategies and therefore the State should draft a new legislation in this regard. Further the Court gave certain directions to the state regarding how to handle the epidemic of HIV/AIDS and one of those directions was that the “Identity of patients who come for treatment of HIV+/AIDS should not be disclosed so that other patients will also come forward for taking treatment.”

Sharda v. Dharmpal ,[68] (2003)

The basic question in this case was whether a party to a divorce proceeding can be compelled to a medical examination. The wife in the divorce proceeding refused to submit herself to medical examination to determine whether she was of unsound mind on the ground that such an act would violate her right to personal liberty. Discussing the balance between protecting the right to privacy and other principles that may be involved in matrimonial cases such as the ‘best interest of the child’ in case child custody is also in issue, the Court held:

If the best interest of a child is in issue in the case then the patient’s right to privacy and confidentiality would get limited. The right to privacy of an individual would be subordinate to the power of a court to arrive at a conclusion in a matrimonial dispute and the right of a party to protect his/her rights in a Court of law would trump the right to privacy of the other.

"Privacy" is defined as "the state of being free from intrusion or disturbance in one's private life or affairs". However, the right to privacy in India, is only conferred through an extensive interpretation of Article 21 and cannot therefore in any circumstance be considered an absolute right. Mental health treatment involves disclosure of one's most private feelings However, like any other privilege the psychotherapist-patient privilege is not absolute and may only be recognized if the benefit to society outweighs the costs of keeping the information private. Thus if a child's best interest is jeopardized by maintaining confidentiality the privilege may be limited.” Thus, the power of a court to direct medical examination of a party to a matrimonial litigation in a case of this nature cannot beheld to violate the petitioner’s right to privacy.

Regulation of Privacy in Government and Private Hospitals and Diagnostic Laborataries

A. Field Study
The Hospitals that have been chosen for the analysis of the efficacy of these legislations include prominent Government Hospitals, Private Hospitals and Diagnostic Centers. These Institutes were chosen because of their widely accredited status as centers of medical research and cutting edge treatment. They have also had a long standing reputation due to their staff of experienced and skilled on call doctors and surgeons. The Private Hospitals chosen had patient welfare centers that addressed the concerns of patients including questions and doubts relating to but not limited to confidentiality and consent. The Government hospitals had a public relations office that addressed the concerns of discharged patients. They also provided counseling services to patients to aid them in addressing concerns relate to the treatment that they might want to be kept confidential. Diagnostic laboratories also have an HR department that addresses similar concerns. The laboratory also has a patient welfare manager who addresses the concerns and queries of the patient prior to and during the procedure.

The following section describes the practices promulgated by Government and Private Hospitals, as well as Diagnostic Laboratories in their endeavor to comply with the basic principles of privacy as laid down in the A.P Shah Committee report on Privacy.

(i) Notice

Through an analysis of the information provided by Government and Private hospitals and diagnostic laboratories, relevant conclusions were drawn with regard to the nature, process and method in which the patient information is recorded. Through interviews of various medical personnel including administrative staff in the patient welfare and medical records departments we observed an environment of openness and accountability within the structure of the patient registration system.

In Government Hospitals, the patient is notified of all types of information that is collected, in terms of both personal information as well as medical history. The Patient admission as well as the patient consent form is filled out by the patient or the attending relative accompanying the patient and assistance for the same is provided by the attending staff members, who explain the required details that need to be filled in a language that the patient is able to understand. The patient is notified of the purpose for which such information is collected and the procedure that he/ she might have to undergo depending on his injury or illness. The patient is not however, notified of the method in which he/she may correct or withdraw the information that is provided. There is no protocol provided for the correction or withdrawal of information, once provided. The patient is, at all times notified of the extent and nature of doctor patient confidentiality including the fact that his/her personal information would not be shared even with his/her immediate relatives , insurance companies, consulting doctors who are not directly involved with his/her treatment or any unauthorized third party without requisite consent from the patient. The patient is informed of the fact that in some cases the medical records of the patient will have to be shared with consulting doctors and that all the patient’s medical records would be provided to insurance companies, but this will only be done with the consent of the patient.

The same system of transparency and accountability transcends across private hospitals and diagnostic laboratories as well. In private hospitals, the patient is informed of all the information that is collected and the purpose for which such information may be collected. Diagnostic laboratories have specific patient consent forms for specific types of procedures which the patient will have to fill out depending on the required tests. These forms contain provisions with regard to the confidential nature of all the information provided. This information can only be accessed by the patient and the consulting doctor with the consent of the patient. Both private hospitals and diagnostic laboratories have a specific protocol and procedure in place to correct or withdraw information that has been provided. In order to do so the patient would have to contact the medical records department with requisite proof of the correct information. Private hospitals inform patients of the nature and extent of doctor patient confidentiality at every stage of the registration process. Some private hospitals contain patient safety brochures which inform patients about the nature and extent of consent and confidentiality, even with regard to consulting doctors and insurance agencies. If the patient does not want certain information revealed to insurance agencies the hospital will retain such records and refraining from providing them to third party insurance agencies. Thus, all information provided by the patient remains confidential at the behest of the patient.

(ii) Choice and Consent

Choice and consent are two integral aspects of the regulation of privacy within the healthcare sector. Government and Private hospitals as well as diagnostic laboratories have specific protocols in place to ensure that the consent of the patient is taken at every stage of the procedure. The consent of the patient can also be withdrawn just prior to the procedure even if this consent has already been given by the patient in writing, previously. The choice of the patient is also given ample importance at all stages of the procedure. The patient can refuse to provide any information that may not mandatorily required for the treatment provided basic information regarding his identity and contact information in case of emergency correspondence has been given.

(iii) Collection Limitation

The information collected from the patient in both government and private hospitals is used solely for the purpose that the patient has been informed of. In case this information is used for purposes other than for the purpose that the patient has been informed of, the patient is informed of this new purpose as well. Patient records in both Government and Private hospitals are stored in the Medical Records Department as hard copies and in some cases as scanned soft copies of the hard copy as well. These Medical Records are all stored within the facility. The duration for which the records are stored range from a minimum of two years to a maximum of ten years in most private hospitals. Some private hospitals store these records for life. Government hospitals store these records for a term of thirty years only as hard copies after which the records are discarded. Private hospitals make medical records accessible to any medical personnel who may ask for it provided the requisite proof of identity and reasons for accessing the same are provided, along with an attested letter of authorization of the doctor who is currently involved or had been involved in the treatment of the patient. Government hospitals however do not let any medical personnel access these records except for the doctor involved in the treatment of that particular patient. Both private and government hospitals are required to share the medical records of the patient with the insurance companies. Government Hospitals only share patient records with nationalized insurance agencies such as The Life Insurance Corporation of India (LIC) but not with private insurance agencies. The insurance claims forms that are required prior to providing medical records to the insurance companies mandatorily require the signature of the patient. The patient is thus informed that his records will be shared with the insurance agencies and his signature is a proof of his implied consent to the sharing of these records with the company with which he has filed a health insurance claim.

Diagnostic laboratories collect patient information solely for the purpose of the particular test that they have been asked to conduct by the treating or consulting doctor. Genetic samples (Blood, Semen, Urine etc) are collected at one time and the various tests required are conducted on these samples. In case of any additional testing that is required to be conducted on these samples, the patient is informed. Additional testing is conducted only in critical cases and in cases where the referral doctor requests for the same to be conducted on the collected samples. In critical cases, where immediate testing is required and the patient is unreachable, the testing is conducted without informing the patient. The patient is mandatorily informed after the test that such additional testing was conducted. The patient sample is stored for one week within the same facility. The Patient records are digitized. They can only be accessed by the patient, who is provided with a particular username and password using which he can access only his records. The information is stored for a minimum of two years. This information can be made available to a medical personnel only if such medical personnel has the required lab no, the patients name, and reason for which it needs to be accessed. He thus requires the permission of the authorities at the facility as well as the permission and consent of the patient to access such records. The Medical test records of a patient are kept completely confidential. Even insurance companies cannot access such records unless they are provided to the company by the patient himself. In critical cases however, the patient information and tests results are shared with the treating or referral doctor without the consent of the patient.

(iv) Purpose Limitation

In Government and Private Hospitals, the information is only used for the purpose for which it is collected. There is thus a direct and relevant connection between the information collected and the purpose for which it used. Additional information is collected to gauge the medical history of the patient that may be relevant to the disease that has to be treated. The information is never deleted after it has been used for the purpose for which it had been collected. The Medical Records of the patient are kept for extended periods in hard copy as well as soft copy versions. There is a provision for informing the patient in case the information is used for any purpose other than the purpose for which it was collected. Consent of the patient is taken at all stages of collecting and utilizing the information provided by him.

Diagnostic Laboratories have a database of all the information collected which is saved in the server. The information is mandatorily deleted after it has been used for the purpose for which it was collected after a period of two years. In case the information is used for any purpose other than the purpose for which it was collected, for example, in critical cases where additional tests have to be conducted the patient is\ always informed of the same.

(v) Access and Correction

In private hospitals, the patient is allowed to access his own records during his stay at the hospital. He is given a copy of his file upon his discharge from the hospital in the form of a discharge summary. However, if he needs to access the original records at a later stage, he can do so by filing a request for the same at the Medical Records Department of the hospital. A patient can make amendments or corrections to his records by providing requisite proof to substantiate the amended information. The patient however at no stage can confirm if the hospital is holding or processing personal information about him or her with the exception of the provisions provided for the amendment or correction to the information held.

The Medical records of a patient in a government hospital are completely sealed. A patient has no access to his own records. Only the concerned doctor who was treating the patient during his stay at the hospital can access the records of the patient. This doctor has to be necessarily associated with the hospital and had to have been directly involved in the patient’s treatment in order to access the records. The patient is allowed to amend information in his medical records but only generic information such as the spelling of his name, his address, telephone number etc. The patient is at no point allowed to access his own records and therefore cannot confirm if the hospital is holding or processing any information about him/her. The patient is only provided with a discharge summary that includes his personal information, the details of his disease and the treatment provided in simple language.

Diagnostic laboratories have an online database of patient records. The patient is given a username and a password and can access the information at any point. The patient may also amend or correct any information provided by contacting the Medical records department for the same. The patient can at any time view the status of his record and confirm if it is being held or processed by the hospital. A copy of such information can be obtained by the patient at any time.

(vi) Disclosure of Information

Private Hospitals are extremely cautious with regard to the disclosure of patient information. Medical records of patients cannot be accessed by anyone except the doctor treating that particular patient or consulting on the case. The patient is informed whenever his records are disclosed even to doctors. Usually, even immediate relatives of the patient cannot access the patient’s records without the consent of the patient except in cases where the condition of the patient is critical. The patient is always informed about the type and extent of information that may be disclosed whenever it is disclosed. No information of the patient is made available publicly at any stage. The patient can refuse to consent to sharing of information collected from him/her with non-authorized agencies. However, in no circumstance is the information collected from him/her shared with non authorized agencies. Some private hospitals also provide the patient with patient’s safety brochures highlighting the extent of doctor patient confidentiality, the patient’s rights including the right to withdraw consent at any stage and refuse access of records by unauthorized agencies.

In government hospitals, the medical records of the patient can only be disclosed to authorized agencies with the prior approval of patient. The patient is made aware of the type and extent of information that is collected from him/her and is mandatorily shared with authorized bodies such as insurance agencies or the treating doctor. No information of the patient is made publicly available. In cases where the information is shared with insurance agencies or any such authorized body the patient gives an undertaking via a letter of his consent to such disclosure. The insurance companies only use medical records for verification purposes and have to do so at the facility. They cannot take any original documents or make copies of the records without the consent of the patient as provided in the undertaking.

Diagnostic Laboratories provide information regarding the patient’s medical records only to the concerned or referred doctor. The patient is always informed of any instance where his information may be disclosed and the consent of the patient is always taken for the same. No information is made available publicly or shared with unauthorized agencies at any stage. Information regarding the patient’s medical records is not even shared with insurance companies.

Government and Private Hospitals provide medical records of patients to the police only when a summons for the same has been issued by a judge. Diagnostic laboratories however do not provide information regarding a patient’s records at any stage to any law enforcement agencies unless there is summons from a judge specifying exactly the nature and extent of information required.

Patients are not made aware of laws which may govern the disclosure of information in private and government hospitals as well as in diagnostic laboratories. The patient is merely informed that the information provided by him to the medical personnel will remain confidential.

(vii) Security

The security measures that are put in place to ensure the safety of the collected information is not adequately specified in the forms or during the collection of information from the patient in Government or Private Hospitals. Diagnostic laboratories however do provide the patient with information regarding the security measures put in place to ensure the confidentiality of the information.

(viii) Openness

The information made available to the patient at government and private hospital and diagnostic laboratories is easily intelligible. At every stage of the procedure the explicit consent of the patient is obtained. In government and private hospitals the signature of the patient is obtained on consent forms at every stage of the procedure and the nature and extent of the procedure is explained to the patient in a language that he understands and is comfortable speaking. The information provided is detailed and is provided in simplistic terms so that the patient does at all stages understand the nature of any procedure he is consenting to undergo.

(ix) Accountability

Private hospitals and Diagnostic laboratories have internal and external audit mechanisms in place to check the efficacy of privacy measures. They both have grievance redress mechanisms in the form of patient welfare cells and complaint cells. There is an assigned officer in place to take patient feedback and address and manage the privacy concerns of the patient.

Government hospitals do not have an internal or external audit mechanism in place to check the efficacy of privacy measures. There is however a grievance redressal mechanism in government hospitals in the form of a Public Relations Office that addresses the concerns, complaints, feedback and suggestions of the patients. There is an officer in charge of addressing and managing the privacy concerns of patients. This officer also offers counseling to the patients in case of privacy concerns regarding sensitive information.

International Best Practices and Recommendations

A. European Union
An official EU data protection regulation [69]was issued in January 2012. A key objective of this was to introduce a uniform policy directive across all member states. The regulation, once implemented was to be applicable in all member states and left no room for alteration or amendments.

The regulation calls for Privacy Impact Assessments[70]when there are specific risks to privacy which would include profiling, sensitive data related to health, genetic material or biometric information. This is an important step towards evaluating the nature and extent of privacy regulation required for various procedures and would be effective in the creation of a systematic structure for the implementation of these regulations. The regulation also established the need for explicit consent for sensitive personal data. The basis for this is an inherent imbalance in the positions of the data subject and the data controller, or in simpler terms the patient and the hospital or the life sciences company conducting the research. Thus, implied consent is not enough [71]and a need arises to proceed with the testing only when there is explicit informed consent.

Embedded within the regulation is the right to be forgotten [72]wherein patients can request for their data to be deleted after they have been discharged or the clinical trial has been concluded. In the Indian scenario, patient information is kept for extended periods of time. This can be subject to unauthorized access and misuse. The deletion of patient information once it has been used for the purpose for which it was collected is thus imperative towards the creation of an environment of privacy protection.

Article 81 of the regulation specifies that health data may be processed only for three major processes[73] :

a) In cases of Preventative or occupational medicine, medical diagnosis, the care, treatment or management of healthcare services, and in cases where the data is processed by the healthcare professionals, the data is subject to the obligation of professional secrecy;

b) Considerations of public interest bearing a direct nexus to public health, for example, the protection of legitimate cross border threats to health or ensuring a high standard of quality and safety for medicinal products or services;

c) Or other reasons of public interest such as social protection.

An added concern is the nature and extent of consent. The consent obtained during a clinical trial may not always be sufficient to cover additional research even in instances of data being coded adequately. Thus, it may not be possible to anticipate additional research while carrying out initial research. Article 83[74] of the regulation prohibits the use of data collected for an additional purpose, other that the purpose for which it was collected.

Lastly, the regulation covers data that may be transferred outside the EEA, unless there is an additional level of data protection. If a court located outside the EU makes a request for the disclosure of personal data, prior authorization must be obtained from the local data protection authority before such transfer is made. It is imperative that this be implemented within Indian legislation as currently there is no mechanism to regulate the cross border transfer of personal data.

B. The United States of America
The Health Maintenance Organizations Act, 1973 [75]was enacted with a view to keep up with the rapid development in the Information Technology sector. The digitization of personal information led to new forms of threats with regard to the privacy of a patient. In the face of this threat, the overarching goal of providing effective and yet unobtrusive healthcare still remains paramount.

To this effect, several important federal regulations have been implemented. These include the Privacy and Security Ruled under the Health Insurance Portability and Accountability Act (HIPAA) 1996[76] and the State Alliance for eHealth (2007) [77].The HIPAA privacy rules addressed the use and subsequent disclosure of a patient's personal information under various healthcare plans, medical providers, and clearinghouses. These insurance agencies were the primary agents involved in obtaining a patients information for purposes such as treatment, payment, managing healthcare operations, medical research and subcontracting. Under the HIPAA it is required of insurance agencies to ensure the implementation of various administrative safeguards such as policies, guidelines, regulations or rules to monitor and control inter as well as intra organizational access.

Apart from the HIPAA, approximately 60 laws related to privacy in the healthcare sector have been enacted in more than 34 states. These legislations have been instrumental in creating awareness about privacy requirements in the healthcare sector and improving the efficiency of data collection and transfer. Similar legislative initiative is required in the Indian context to aid in the creation of a regulated and secure atmosphere pertaining to the protection of privacy within the healthcare sector.

C. Australia
Australia has a comprehensive law that deals with sectoral regulations of the right to privacy.An amendment to the Privacy Act1988 [78]applies to all healthcare providers and was made applicable from 21st December 2001.The privacy Act includes the followingpractices:

a. A stringent requirement for informed consent prior to the collection of health related information

b. A provision regarding the information that needs to be provided to individuals before information is collected from them

c. The considerations that have to be taken into account before the transfer of information to third parties such as insurance agencies, including the specific instances wherein this information can be passed on

d. The details that must be included in the Privacy policy of the healthcare service providers' Privacy Policy

e. The securing and storing of information; and

f. Providing individuals with a right to access their health records.

These provisions are in keeping with the 13 National Privacy [79]Principles that represent the minimum standards of privacy regulation with respect to the handling of personal information in the healthcare sector.These guidelines are advisory in nature and have been issued by the Privacy Commissioner in exercise of his power under Section 27(1)(e) [80]of the Privacy Act.

The Act also embodiessimilar privacy principles which include a collection limitation, a definitive use and purpose for the information collected, a specific set of circumstance and an established protocol for the disclosure of information to third parties including the nature and extent of such disclosure, maintenance accuracy ofthe data collected, requisite security measures to ensure the data collected is at all times protected, a sense of transparency,accountability and openness in the administrative functioning of thehealthcare provider and accessibility of the patient to his ownrecords for the purpose of viewing, corroboration or correction.

Additionally, the Act includes the system of identifiers which includes a number assigned by the organization to an individual to identify the purpose of that person's data for the operation of the organization. Further, the Act provides for anonymity wherein individuals have the optionnot to identify themselves while entering into transactions with an organization. The Act also provides for restrictions on the transfer of personal data outside Australia and establishes conclusive and stringent barriers to the extent of collection of personal and sensitive data.These principles although vaguely similar to those highlighted in the A.P. Shah Committee report can be usedto streamline the regulations pertaining to privacy in the healthcare sector and make them more efficient.

Key Recommendations

It is Imperative that Privacy concerns relating to the transnational flow of Private data be addressed in the most efficient way possible. This would involve international cooperation and collaboration to address privacy concerns including clear provisions and the development of coherent minimum standards pertaining to international data transfer agreements. This exchange of ideas and multilateral deliberation would result in creating more efficient methods of applying the provisions of privacy legislation even within domestic jurisdictions.

There is a universal need for the development of a foundational structure for the physical collection, use and storage of human biological specimens (in contrast to the personalinformation that may be derived from those specimens) as these are extremely important aspects of biomedical research and clinical trials. The need for Privacy Impact Assessments would also arise in the context of clinical trials, research studies and the gathering of biomedical data.

Further, there also arises the need for patients to be allowed to request for the deletion of their personal information once it has served the purpose for which it was obtained. The keeping of records for extended periods of time by hospitals and laboratories is unnecessary and can often result in the unauthorized access to and subsequent misuse of such data.

There is a definitive need to ensure the incorporation of safeguards to regulate the protection of patient’s data once accessed by third parties, such as insurance companies. In the Indian Context as well as insurance agencies often have unrestricted access to a patient's medical records however there is a definitive lack of sufficient safeguards to ensure that this information is not released to or access by unauthorized persons either within these insurance agencies or outsourced consultants

The system of identifiers which allocate specific numbers to an individual’s data which can only be accessed using that specific number or series of numbers can be incorporated into the Indian system as well and can simplify the administrative process thus increasing its efficacy. This would afford individuals the privilege of anonymity while entering into transactions with specific healthcare institutions.

An important means of responding to public concerns over potential unauthorized use ofpersonal information gathered for research, could be through the issuing of Certificates of confidentiality as issued in the United States to protectsensitive information on research participants from forced disclosure. [81]

Additionally, it is imperative that frequent discussions, deliberations, conferences and roundtables take place involving multiple stakeholders form the healthcare sector, insurance companies, patient’s rights advocacy groups and the government. This would aid in evolving a comprehensive policy that would aid in the protection of privacy in the healthcare sector in an efficient and collusive manner.

Conclusions

The Right to Privacy has been embodied in a multitude of domestic legislations pertaining to the healthcare sector. The privacy principles envisioned in the A.P Shah Committee report have also been incorporated into the everyday practices of healthcare institutions to the greatest possible extent. There are however significant gaps in the policy formulation that essentially do not account for the data once it has been collected or its subsequent transfer. There is thus an imminent need for institutional collaboration in order to redress these gaps. Recommendations for the same have been made in the report. However, for an effective framework to be laid down there is still a need for the State to play an active role in enabling the engagement between different institutions both in the private and public domain across a multitude of sectors including insurance companies, online servers that are used to harbour a data base of patient records and civil action groups that demand patient privacy while at the same time seek to access records under the Right to Information Act. The collaborative efforts of these multiple stakeholders will ensure the creation of a strong foundational framework upon which the Right to Privacy can be efficiently constructed.

[1] . Report of the group of experts on Privacy chaired by Justice A.P Shah <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf> [Accessed on 14^th May 2014]

[2] . Nissenbaum, H. (2004). Privacy as Contextual Integrity. Washington Law Review, 79(1), 101-139.

[3] . Ibid.

[4] . Thomas, J. (2009). Medical Records and Issues in Negligence, Indian Journal of Urology : IJU : Journal of the Urological Society of India, 25(3), 384-388. doi:10.4103/0970-1591.56208.

[5] . Ibid

[6] . Plaza, J., &Fischbach, R. (n.d.). Current Issues in Research Ethics : Privacy and Confidentiality. Retrieved December 5, 2011, from http://ccnmtl.columbia.edu/projects/cire/pac/foundation/index.html.

[7] . Ibid.

[8] . The Mental Health Act, 1987 <https://sadm.maharashtra.gov.in/sadm/GRs/Mental%20health%20act.pdf> [Accessed on 14^th May 2014]

[9] . The Mental Health Act, 1987, s. 13(1).

[10] .The Mental Health Act, 1987, s. 38.

[11] .The Mental Health Act, 1987, s. 40.

[12] .The Mental Health Act, 1987, s. 21(2).

[13] .The Mental Health Act, 1987, s. 13(1), Proviso.

[14] . Also see the: Pre-Conception and and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Rules, 1996.

[15] . Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994, s. 4(3).

[16] . Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994, s. 4(2). Pre-natal diagnostic techniques shall be conducted for the purposes of detection of: chromosomal abnormalities, genetic metabolic diseases, haemoglobinopathies, sex-linked genetic diseases, congenital anomalies any other abnormalities or diseases as may be specified by the Central Supervisory Board.

[17] .Medical Termination of Pregnancy Amendment Act, 2002, Notification on Medical Termination of Pregnancy (Amendment) Act, Medical Termination of Pregnancy Regulations, 2003 and Medical Termination of Pregnancy Rules, 2003.

[18] .Medical Termination of Pregnancy Act, 1971 (Amended in 2002), s. 2(4) and 4, and Medical Termination of Pregnancy Rules, 2003, Rule 8

[19] .Medical Termination of Pregnancy Regulations, 2003, Regulation 4(5).

[20] .Medical Termination of Pregnancy Regulations, 2003, Regulation 5.

[21] .Medical Termination of Pregnancy Regulations, 2003, Regulation 4(2).

[22] .Medical Termination of Pregnancy Regulations, 2003, Regulations 4(2) and 4(4).

[23] . Code of Ethics Regulations, 2002 available at

http://www.mciindia.org/RulesandRegulations/CodeofMedicalEthicsRegulations2002.aspx .

[24] . Code of Ethics Regulations, 2002 Chapter 2, Section 2.2.

[25] .Ethical Guidelines for Biomedical Research on Human Subjects. (2006) Indian Council of Medical Research New Delhi.

[26] . Informed Consent Process, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 21.

[27] . Statement of Specific Principles for Human Genetics Research, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2000) . Indian Council of Medical Research New Delhi.P. 62.

[28] . General Ethical Issues. Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 29.

[29] . Statement of Specific Principles for Epidemiological Studies, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2000) . Indian Council of Medical Research New Delhi P. 56.

[30] . Statement of General Principles, Principle IV and Essential Information on Confidentiality for Prospective Research Participants, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 29.

[31] . The IRDA (Third Party Administrators - Health Services) Regulations 2001, (2001), Chapter 5. Section 2.

[32] . The IRDA (Sharing Of Database for Distribution of Insurance Products) Regulations 2010.

[33] . The IRDA (Sharing Of Database For Distribution Of Insurance Products) Regulations 2010.

[34] . The IRDA (Sharing Of Database For Distribution Of Insurance Products) Regulations 2010

[35] . List of TPAs Updated as on 19th December, 2011, Insurance Regulatory and Development Authority (2011), http://www.irda.gov.in/ADMINCMS/cms/NormalData_Layout.aspx?page=PageNo646 (last visited Dec 19, 2011).

[36] . The IRDA, Guideline on Outsourcing of Activities by Insurance Companies, (2011).

[37] . The IRDA, Guideline on Outsourcing of Activities by Insurance Companies, (2011), Section 9.11. P. 8.

[38] .The Epidemic Diseases Act, 1897.

[39] .The Epidemic Diseases Act, 1897. s. 2.1.

[40] .The Epidemic Diseases Act, 1897, s. 2.2(b).

[41] . The National Policy for Persons with Disabilities, 2006, Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995, Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Rules, 1996.

[42] . Research, National Policy for Persons with Disabilities, 1993.

[43] . Survey of Disabled Persons in India. (December 2003) National Sample Survey Organization. Ministry of Statistics and Programme Implementation. Government of India.

[44] .Persons With Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act. 1995, Section 35.

[45]. Research. National Policy for Persons with Disabilities, 2003.

[46]. http://www.lawyerscollective.org/files/Anti%20rights%20practices%20in%20Targetted%20Interventions.pdf

[47]. http://www.lawyerscollective.org/files/Anti%20rights%20practices%20in%20Targetted%20Interventions.pdf

[48]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.22.

[49]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.16.

[50]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.16.

[51]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.14.

[52]. http://www.hivaidsonline.in/index.php/HIV-Human-Rights/legal-issues-that-arise-in-the-hiv-context.html

[53]. Chakrapani et al, (2008) ‘HIV Testing Barriers and Facilitators among Populations at-risk in Chennai, India’, INP, p 12.

[54]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.24.

[55] .http://www.indiankanoon.org/doc/570038/

[56] .http://www.indiankanoon.org/doc/570038/

[57] .http://www.indiankanoon.org/doc/680703/

[58] . No person accused of any offence shall be compelled to be a witness against himself’, (the 'right to silence').

[59] . http://indiankanoon.org/doc/338008/

[60] . http://www.hrdc.net/sahrdc/hrfeatures/HRF205.pdf

[61] . AIR 1992 SC 392.

[62] . 96 (2002) DLT 354.

[63] .AIR 2000 A.P 156.

[64] .http://indiankanoon.org/doc/382721/

[65] .http://indiankanoon.org/doc/859256/

[66] .See Sections 24, 37, 38 and 39 of The Prisons Act, 1894 (Central Act 9 of 1894) Rules 583 to 653 (Chapter XXXV) and Rules 1007 to 1014 (Chapter LVII) of Andhra Pradesh Prisons Rules, 1979

[67] .Section 10-A,17(4) ,19(2) Immoral Traffic (Prevention) Act 1956

[68] .http://www.indiankanoon.org/doc/1309207/

[69] . http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

[70] . Article 33, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) < http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf> [Accessed on 14^th May, 2014]

[71] .Article 4 (Definition of “Data Subject’s Consent”), Article 7, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[72] . Article 17, “Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st

Century” COM(2012) 9 final. Based on, Article 12(b), EU Directive 95/46/EC – The Data Protection Directive at <http://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm> [Accessed on 14^th May, 2014]

[73] . Article 81, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[74] .Article 83, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[75] . Health Maintainence and Organization Act 1973, Notes and Brief Reports available at http://www.ssa.gov/policy/docs/ssb/v37n3/v37n3p35.pdf [Accessed on 14th May 2014].

[76] . Health Insurance Portability and Accountability Act, 1996 available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/hipaastatutepdf.pdf [Accessed on 14th May 2014]

[77] . Illinois Alliance for Health Innovation plan available at http://www2.illinois.gov/gov/healthcarereform/Documents/Alliance/Alliance%20011614.pdf [Accessed on 14^th May 2014]

[78] . The Privacy Act 1988 available at http://www.comlaw.gov.au/Series/C2004A03712 [Accessed on 14th May 2014]

[79] . Schedule 1, Privacy Act 1988 [Accessed on 14^th May 2014]

[80] .Section 27(e), Privacy Act 1988 [Accessed on 14^th May 2014]

[81] . Guidance on Certificates of Confidentiality, Office of Human Research Protections, U.S Department of Health and Human Services available at http://www.hhs.gov/ohrp/policy/certconf.pdf [Accessed on 14^th May, 2014].

For more details visit https://cis-india.org/internet-governance/blog/privacy-in-healthcare-policy-guide

Preliminary Submission on "Internet Governance Issues" to the Associated Chambers of Commerce & Industry of India

geetha — 2015-02-12T14:52:04Z

On January 30, 2015, Associated Chambers of Commerce & Industry of India (ASSOCHAM) held a consultation on Internet governance. A committee was set up to draft a report on Internet governance, with a focus on issues relevant to India. The Centre for Internet and Society (CIS) is represented on the committee, and has provided its preliminary comments to ASSOCHAM.

ASSOCHAM convened a meeting of its members and other stakeholders, at which CIS was represented. At this meeting, inputs were sought on Internet governance issues relevant for India, on which the industry body proposed to make comments to the Ministry of External Affairs, Government of India. Such a discussion, proposing to consolidate the views of ASSOCHAM members in consultation with other stakeholders, is a commendable move. This submission presents preliminary comments from the Centre for Internet and Society (CIS) in light of ASSOCHAM's consultation on Internet governance.

I. About CIS

1. CIS is a non-profit research organization that works, inter alia, on issues relating to privacy, freedom of expression, intermediary liability and internet governance, access to knowledge, open data and open standards, intellectual property law, accessibility for persons with disabilities, and engages in academic research on the budding Indian disciplines of digital natives and digital humanities.

2. CIS engages in international and domestic forums for Internet governance. We are a Sector-D member of the International Telecommunications Union (ITU),[1] and participated in the World Conference on International Telecommunications (WCIT), 2012 (Dubai) [2] and the Plenipotentiary Conference, 2014 (Busan).[3] We have also participated in the WSIS+10 Multistakeholder Preparatory Platform (MPP)[4] and the WSIS+10 High Level Event, organized by the ITU.[5]

3. CIS is also a member of the Non-Commercial Users Constituency (NCUC) at ICANN. Pranesh Prakash, our Policy Director, held a position on the NCUC Executive Committee from December 2013 to November 2014.[6]

4. CIS has been engaging at the Internet Governance Forum (IGF) since 2008, and has organized and participated in over 60 panels to date.[7] We have also organized panels at the Asia-Pacific Regional IGF (APrIGF). [8] Our Executive Director Sunil Abraham is a member of the Multistakeholder Advisory Group (MAG) for the India-IGF, and has attended in its meetings.[9] We are also in the process of developing international principles for intermediary liability, in collaboration with international civil society organisations like EFF and Article19. [10]

II. Structure of Submission

5. In this submission, we identify issues in Internet governance where engagement from and within India is necessary. In particular, brief descriptions of issues such as freedom of expression and privacy online, cyber-security, critical Internet resources and ICANN, multistakeholderism and net neutrality are provided.

III. Internet Governance Issues

6. The history of the Internet is unique, in that it is not exclusively government-regulated. Though governments regulate the Internet in many ways (for instance, by ordering website blocking or filtering, licensing of ISPs, encryption controls, investment caps, etc.), the running of the Internet is largely in the hands of private businesses, technical organisations and end-users.

7. International processes like the World Summit on Information Society (WSIS), and forums such as ICANN, the ITU, the IGF and the UN are involved in governing in the Internet in many ways. Regional organisations like the OECD, APEC and the Shanghai Cooperation Organisation (SCO) are also involved (for instance, in cyber-security matters).

8. The issues surrounding Internet governance are many, and range from telecom infrastructure and technical coordination to human rights and access to information.

Rights Online

9. The status of 'human rights online' has come under discussion, with the NETmundial Outcome Document affirming that offline rights must also be protected online. These issues are important in the context of, among others, the large scale violations of privacy in light of the Snowden Revelations,[11] and increased instances of website blocking and takedowns in different parts of the world.[12]

10. Internationally, issues of freedom of speech, privacy and access or the digital divide (though it is debatable that the latter is a human right) are discussed at the UN Human Rights Council, such as the resolution on human rights and the Internet, and the UN Human Rights Commissioner's report on the right to privacy in the digital age , which discusses the need for checks and balances on digital mass surveillance. During the Universal Periodic Review of India in 2012, India noted a recommendation from Sweden to " ensure that measures limiting freedom of expression on the internet is based on clearly defined criteria in accordance with international human rights standard ".

11. Freedom of speech and privacy are also relevant for discussion at the ITU.[13] For instance, at the Plenipotentiary meeting in 2014 (Busan), India proposed a resolution that sought, among other things, complete traceability of all Internet communications. [14] This has implications for privacy that are not yet addressed by our domestic laws. A Privacy Bill and such other protections are only in the pipeline in India.[15]

12. At ICANN as well, the root zone management function may affect freedom of expression. If, for instance, a top level domain (TLD) such as .com is erased from the root zone file, hundreds of thousands of websites and their content can be wiped from the World Wide Web. A TLD can be erased by Verisign if a request to that effect is raised or accepted by ICANN, and signed off on by the National Telecommunications and Information Administration (NTIA) of the US government. Similarly,the WHOIS database, which contains information about the holders of domain names and IP addresses, has implications for privacy and anonymity.

13. In India, the judiciary is currently adjudicating the constitutionality of several provisions of the Information Technology Act, 2000 (as amended in 2008), including S. 66A, S. 69A and S. 79. A series of writ petitions filed, among others, by the Internet Service Providers Association of India (ISPAI) and Mouthshut.com, relate to the constitutionality of the nature of content controls on the Internet, as well as intermediary liability. [16]

14. A judgment on the constitutionality of Ss. 66A, 69A and 79 are crucial for end-users and citizens, as well as companies in the Internet ecosystem. For instance, an uncertain intermediary liability regime with penalties for intermediaries - S. 79, IT Act and Intermediaries Guidelines Rules, 2011 - disincentivises ISPs, online news websites and other content providers like Blogger, Youtube, etc. from allowing free speech to flourish online. [17] The ongoing cases of Kamlesh Vaswani v. UOI and Sabu George v. UOI also have consequences for ISPs and search engines, as well as for fundamental rights.[18] International and domestic engagement is desirable, including in consultations with the Law Commission of India (for instance, the consultation on media laws).

Critical Internet Resources

15. Critical Internet Resources form the backbone of the Internet, and include management of IP addresses, the domain name system (DNS) and the root zone. [19] ICANN, a global non-profit entity incorporated in California, manages the IANA functions (Internet Assigned Numbers Authority) for the global Internet. These functions include allocating the global pool of IP addresses (IPv4 and IPv6) to Regional Internet Registries (RIRs), administering the domain name system and maintaining a protocol registry.

16. At present, the IANA functions are performed under a contract with the NTIA. On March 14, 2014, the NTIA announced its intention to transition oversight of the IANA functions to an as-yet-undetermined "global multi-stakeholder body". The deadline for this transition is September 30, 2015, though the NTIA has expressed its willingness to renew the IANA contract and extend the deadline. ICANN was charged with convening the transition process, and set up the IANA Coordination Group (ICG), a team of 30 individuals who will consolidate community input to create a transition proposal. At the moment, thenames (CWG-Names),numbers (CRISP) and protocols (IETF) communities are debating existing draft proposals. A number of new entities with which ICANN will have contractual arrangements have been proposed. At ICANN's meetings in Singapore (February 7-12, 2015) and Buenos Aires (June 2015), these proposals will be discussed.

17. At the same time, a parallel track to examine ICANN's own transparency and accountability has been introduced. The CCWG-Accountability is considering ICANN's accountability in two Workstreams: first, in light of the IANA transition and second, a revision of ICANN's policies and by-laws to strengthen accountability. ICANN's accountability and transparency are crucial to its continued role in Internet governance.

18. Several issues arise here: Should ICANN continue to remain in the US? Should the IANA Functions Department be moved into a separate entity from ICANN? Ought ICANN's by-laws be amended to create oversight over the Board of Directors, which is now seen to have consolidated power? Ought ICANN be more transparent in its financial and operational matters, proactively and reactively?

19. It is, for instance, beneficial to the stability of the Internet and to India if the IANA department is separate from ICANN - this will ensure aseparation of powers. Second, stronger transparency and accountability mechanisms are necessary for ICANN; it is a growing corporate entity performing a globally Internet function. As such, granular information about ICANN's revenues and expenses should be made public. See, for ex.,CIS' request for ICANN's expenses for travel and meetings, and ICANN's response to the same.

20. The most ideal forum to engage in this is ICANN, and within India, working groups on Internet governance at the Ministry level. As such, ASSOCHAM may seek open, transparent and inclusive consultations with the relevant departments of the Government (the Ministry of External Affairs, DeitY, Department of Telecommunications). At ICANN, industry bodies can find representation in the Business Constituency or the Commercial Stakeholders Group. Additionally, comments and proposals can be made to the ICG and the CCWG-Accountability by anyone.

Cyber-security

21. Cyber-security is often used as an umbrella-term, covering issues ranging from network security (DNSSEC and the ICANN domain), cyber-crime, and cyber-incidents such as the Distributed Denial of Service attacks on Estonian public institutions and the Stuxnet virus that attacked Iran's nuclear programme. Within the ITU, spam and child safety online are also assessed as security issues (See Study Group 17 under ITU-T).

22. At the international level, the UN Group of Governmental Experts has published three reports to date, arguing also that in cyber-security incidents, international humanitarian law will apply. International humanitarian law applies during armed attacks on states, when special rules apply to the treatment of civilians, civilian and military buildings, hospitals, wounded soldiers, etc.

23. The ITU also launched a Global Cybersecurity Agenda in 2007, aiming at international cooperation. Such cooperative methods are also being employed at the OSCE, APEC and the SCO, which have developed drafts of Confidence Building Measures. The Global Conferences on Cyberspace (London 2011, Budapest 2012, Seoul 2013, The Hague 2015) resulted in, inter alia, the Budapest Convention on Cybercrime. India has not ratified the Convention, and remains tight-lipped about its security concerns.

24. Surveillance and monitoring of online communications is a crucial issue in this regard. In India, the surveillance power finds its source in S. 5, Telegraph Act, 1888, and the Rule 419A of the Telegraph Rules, 1951. Further, S. 69 of the Information Technology Act, 2000 and the Interception Rules, 2009 enable the government and authorized officers to intercept and monitor Internet traffic on certain grounds. Information regarding the implementation of these Rules is scant.

25. In any event, the applicability of targeted surveillance should be subject to judicial review , and a balance should be struck between fundamental rights such as freedom of speech and privacy and the needs of security. An accountability model such as that present in the UK for the Interception of Communications Commissioner may provide valuable insight.

26. In India, the government does not make public information regarding its policies in cyber-security and cybercrime. This would be welcome, as well as consultations with relevant stakeholders.

Models of Internet Governance

27. Multi-stakeholderism has emerged as one of the catchphrases in Internet governance. With the display of a multi-stakeholder model at NETmundial (April 2014), controversies and opinions regarding the meaning, substance and benefits of multi-stakeholderism have deepened.

28. The debates surrounding stakeholder-roles in Internet governance began with ¶49 of the Geneva Declaration of Principles and ¶35 of the Tunis Agenda, which delineated clear roles and responsibilities. It created a 'contributory' multi-stakeholder model, where states held sovereign authority over public policy issues, while business and civil society were contributed to 'important roles' at the 'technical and economic fields' and the 'community level', respectively.

29. As the WGEC meeting (April 30-May 2, 2014) demonstrated, there is as yet no consensus on stakeholder-roles. Certain governments remain strongly opposed to equal roles of other stakeholders, emphasizing their lack of accountability and responsibility. Civil society is similarly splintered, with a majority opposing the Tunis Agenda delineation of stakeholder-roles, while others remain dubious of permitting the private sector an equal footing in public policy-making.

30. The positions in India are similarly divided. While there is appears to be high-level acceptance of "multi-stakeholder models" across industry, academia and civil society, there exists no clarity as to what this means. In simple terms, does a multi-stakeholder model mean that the government should consult industry, civil society, academia and the technical community? Or should decision-making power be split among stakeholders? In fact, the debate is more specific.

31. In India, the Multistakeholder Advisory Group (MAG) for the India-IGF was established in February 2014, and some meetings were held. Unfortunately, neither the minutes of the meetings nor action points (if any) are publicly available.

32. The Indian government's position is more complex. At the 68^th UN General Assembly session in 2011, India argued for a (multilateral) 50-member UN Committee on Internet-related Policies (CIRP). However, the Ministry for Communications and Information Technology (MCIT) has, over the years, presented differing views at the IGF and ITU through its two departments: DeitY and DoT. Further, at the meetings of the Working Group on Enhanced Cooperation (WGEC), India has presented more nuanced views, suggesting that certain issues remain within the governmental domain (such as cyber-security and child online protection). At the 9^th IGF (Istanbul, September 2014), Mr. R.S. Sharma of the DeitY echoed such a view of delineated roles for stakeholders.

33. A clear message from the Indian government, on whether it favours multistakeholderism or governmental policy authority for specific issues, would be invaluable in shaping opinion and domestic processes. In any event, a transparent consultative procedure to take into account the views of all stakeholders is desirable.

Emerging Issues

Net Neutrality

34. In simple terms, net neutrality concerns differential treatment of packets of data by carriers such as ISPs, etc. over networks. The issue has gained international attention following the U.S. FCC's regulatory stance, and the U.S. Court of Appeal's 2014 decision in Verizon v. FCC. Though this decision turned on the interpretation of 'broadband providers' under the Communications Act, 1934, net neutrality has since been debated in the US, both by the FCC and other stakeholders. There is no international consensus in sight; the NETmundial Outcome Document recognized net neutrality as an emerging issue (page 11, no. IV).

35. In India, a TRAI consultation on Over-The-Top Services on August 5, 2014 brought concerns of telecom and cellular operators to light. OTTs were seen as hijacking a portion of telcos' revenues, and as lacking consumer protection and privacy safeguards. While these concerns are legitimate, net neutrality regulation is not yet the norm in India. In any event, any such regulation must take into account the consequences of regulation on innovation, competition, and consumer choice, as well as on the freedom of the medium (which may have detrimental impacts freedom of expression).

36. Though net neutrality regulation is being mooted, there is as yet anarray of definitions of 'net neutrality'. The views of telcos themselves differ in India. Further study on the methods of identifying and/or circumventing net neutrality is necessary before a policy position can be taken.

IV. Conclusions

37. CIS welcomes ASSOCHAM's initiative to study and develop industry-wide positions on Internet governance. This note provides brief descriptions of several issues in Internet governance where policy windows are open internationally and domestically. These issues include freedom of expression and privacy under Part III (Fundamental Rights) of the Constitution of India. The Supreme Court's hearing of a set of cases alleging unconstitutionality of Ss. 66A, 69, 69A and 79 (among others) of the IT Act, 2000, as well as consultations on issues such as pornography by the Rajya Sabha Parliamentary Committee and media laws by the Law Commission of India are important in this regard.

38. International and domestic engagement is necessary in the transition of stewardship of the IANA functions, as well as ICANN's own accountability and transparency measures. Similarly, in the area of cyber-security, though several initiatives are afoot internationally, India's engagement has been cursory until now. A concrete position from India's stakeholders, including the government, on these and the question of multi-stakeholderism in Internet governance would be of immense assistance.

39. Finally, net neutrality is an emerging issue of importance to industry's revenues and business models, and to users' rights such as access to information and freedom of expression.

[1] CIS gets ITU-D Sector Membership, goo.gl/PBGKWt (l.a. 8 Feb. 2015).

[2] Letter for Civil Society Involvement in WCIT, goo.gl/gXpYQD (l.a. 8 Feb. 2015).

[3] See, ex., Hariharan, What India's ITU Proposal May Mean for Internet Governance, goo.gl/hpWaZn (l.a. 8 Feb. 2015).

[4] Panday, WSIS +10 High Level Event: Open Consultation Process MPP: Phase Six: Fifth Physical Meeting, goo.gl/3XR24X (l.a. 8 Feb. 2015).

[5] Hariharan, WSIS+10 High Level Event: A Bird's Eye Report, goo.gl/8XkwyJ (l.a. 8 Feb. 2015).

[6] Pranesh Prakash elected as Asia-Pacific Representative to the Executive Committee of NonCommercial Users Constituency, goo.gl/iJM7C0 (l.a. 8 Feb. 2015).

[7] See, ex., CIS@IGF 2014, goo.gl/Werdiz (l.a. 8 Feb. 2015).

[8] Multi-stakeholder Internet Governance: The Way Ahead , goo.gl/NuktNi; Minimising legal risks of online Intermediaries while protecting user rights, goo.gl/mjQyww (l.a. 8 Feb. 2015).

[9] First Meeting of the Multistakeholder Advisory Group for India Internet Governance Forum, goo.gl/NCmKRp (l.a. 8 Feb. 2015).

[10] See Zero Draft of Content Removal Best Practices White Paper, goo.gl/RnAel8 (l.a. 8 Feb. 2015).

[11] See, ex., UK-US surveillance regime was unlawful 'for seven years', goo.gl/vG8W7i (l.a. 9 Feb. 2015).

[12] See, ex., Twitter: Turkey tops countries demanding content removal, goo.gl/ALyO3B (l.a. 9 Feb. 2015).

[13] See, ex., The ITU convenes a programme on Child Online Protection, goo.gl/qJ4Es7 (l.a. 9 Feb. 2015).

[14] Hariharan, Why India's Proposal at the ITU is Troubling for Internet Freedoms, goo.gl/Sxh5K8 (l.a. 9 Feb. 2015).

[15] Hickok, Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill, goo.gl/454qA6 (l.a. 9 Feb. 2015).

[16] See, Supreme Court Of India To Hear Eight IT Act Related Cases On 11th April 2014 - SFLC, goo.gl/XLWsSq (l.a. 9 Feb. 2015).

[17] See, Dara, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet, goo.gl/bwBT0x (l.a. 9 Feb. 2015).

[18] See, ex., Arun, Blocking online porn: who should make Constitutional decisions about freedom of speech?,goo.gl/NPdZcK; Hariharan & Subramanian, Search Engine and Prenatal Sex Determination: Walking the Tight Rope of the Law, goo.gl/xMj4Zw (l.a. 9 Feb. 2015).

[19] CSTD, The mapping of international Internet public policy issues, goo.gl/zUWdI1 (l.a. 9 Feb. 2015).

For more details visit https://cis-india.org/internet-governance/blog/preliminary-submission-on-internet-governance-issues-to-assocham

Pre-Budget Consultation 2016 - Submission to the IT Group of the Ministry of Finance

sumandro — 2016-01-12T13:34:41Z

The Ministry of Finance has recently held pre-budget consultations with different stakeholder groups in connection with the Union Budget 2016-17. We were invited to take part in the consultation for the IT (hardware and software) group organised on January 07, 2016, and submit a suggestion note. We are sharing the note below. It was prepared and presented by Sumandro Chattapadhyay, with contributions from Rohini Lakshané, Anubha Sinha, and other members of CIS.

It is our distinct honour to be invited to submit this note for consideration by the IT Group of the Ministry of Finance, Government of India, as part of the pre-budget consultation for 2016-17.

The Centre for Internet and Society is (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. We receive financial support from Kusuma Trust, Wikimedia Foundation, MacArthur Foundation, IDRC, and other donors.

We have divided our suggestions into the different topics that our organisation has been researching in the recent years.

Free/Libre and Open Source Software (FLOSS) is the Basis for Digital India

We congratulate the policies introduced by the government to promote use of free/libre and open source software and that of open APIs for all e-governance projects and systems. This is not only crucial for the government to avoid vendor lock-in when it comes to critical software systems for governance, but also to ensure that the source code of such systems is available for public scrutiny and do not contain any security flaws.

We request the government to empower the implementation of these policies by making open sharing of source code a necessity for all software vendors hired by government agencies a necessary condition for awarding of tenders. The 2016-17 budget should include special support to make all government agencies aware and capable of implementing these policies, as well as to build and operate agency-level software repositories (with version controlling system) to host the source codes. These repositories may function to manage the development and maintenance of software used in e-governance projects, as well as to seek comments from the public regarding the quality of the software.

Use of FLOSS is not only important from the security or the cost-saving perspectives, it is also crucial to develop a robust industry of software development firms that specialise in FLOSS-based solutions, as opposed to being restricted to doing local implementation of global software vendors. A holistic support for FLOSS, especially with the government functioning as the dominant client, will immensely help creation of domestic jobs in the software industry, as well as encouraging Indian programmers to contribute to development of FLOSS projects.

An effective compliance monitoring and enforcement system needs to be created to ensure that all government agencies are Strong enforcement of the 2011 policy to use open source software in governance, including an enforcement task force that checks whether government departments have complied with this or not.

Open Data is a Key Instrument for Transparent Decision Making

With a wider set of governance activities being carried out using information systems, the government is increasingly acquiring a substantial amount of data about governance processes and status of projects that needs to be effectively fed back into the decision making process for the same projects. Opening up such data not only allows for public transparency, but also for easier sharing of data across government agencies, which reduces process delays and possibilities of duplication of data collection efforts.

We request the 2016-17 budget to foreground the National Data Sharing and Accessibility Policy and the Open Government Data Platform of India as two key enablers of the Digital India agenda, and accordingly budget for modernisation and reconfiguration of data collection and management processes across government agencies, so that those processes are made automatic and open-by-default. Automatic data management processes minimise the possibility of data loss by directly archiving the collected data, which is increasingly becoming digital in nature. Open-by-default processes of data management means that all data collected by an agency, once pre-recognised as shareable data (that is non-sensitive and anonymised), will be proactively disclosed as a rule.

Implementation of the National Data Sharing and Accessibility Policy has been hindered, so far, by the lack of preparation of a public inventory of data assets, along with the information of their collection cycles, modes of collection and storage, etc., by each union government agency. Specific budgetary allocation to develop these inventories will be crucial not only for the implementation of the Policy, but also for the government to get an extensive sense of data collected and maintained currently by various government agencies. Decisions to proactively publish, or otherwise, such data can then be taken based on established rules.

Availability of such open data, as mentioned above, creates a wider possibility for the public to know, learn, and understand the activities of the government, and is a cornerstone of transparent governance in the digital era. But making this a reality requires a systemic implementation of open government data practices, and various agencies would require targeted budget to undertake the required capacity development and work process re-engineering. Expenditure of such kind should not be seen as producing government data as a product, but as producing data as an infrastructure, which will be of continuous value for the years to come.

As being discussed globally, open government data has the potential to kickstart a vast market of data derivatives, analytics companies, and data-driven innovation. Encouraging civic innovations, empowered by open government data - from climate data to transport data - can also be one of the unique initiatives of budget 2016-17.

For maximising impact of opened up government data, we request the government to publish data that either has a high demand already (such as, geospatial data, and transport data), or is related to high-net-worth activities of the government (such as, data related to monitoring of major programmes, and budget and expenditure data for union and state governments).

Promotion of Start-ups and MSMEs in Electronics and IT Hardware Manufacturing

In line with the Make in India and Digital India initiatives, to enable India to be one of the global hubs of design, manufacturing, and exporting of electronics and IT hardware, we request that the budget 2016-17 focus on increasing flow of fund to start-ups and Medium and Small-Scale Manufacturing Enterprises (MSMEs) in the form of research and development grants (ideally connected to government, especially defense-related, spending on IT hardware innovation), seed capital, and venture capital.

Generation of awareness and industry-specific strategies to develop intellectual property regimes and practices favourable for manufacturers of electronics and IT hardware in India is an absolutely crucial part of promotion of the same, especially in the current global scenario. Start-ups and MSMEs must be made thoroughly aware of intellectual property concerns and possibilities, including limitations and exceptions, flexibilities, and alternative models such as open innovation.

We request the budget 2016-17 to give special emphasis to facilitation of technology licensing and transfer, through voluntary mechanisms as well as government intervention, such as compulsory licensing and government enforced patent pools.

Applied Mathematics Research is Fundamental for Cybersecurity

Recent global reports have revealed that some national governments have been actively involved in sponsoring distortion in applied mathematics research so as to introduce weaknesses in encryption standards used in for online communication. Instead of trying to regulate key-length or mandating pre-registration of devices using encryption, as suggested by the withdrawn National Encryption Policy draft, would not be able to address this core emerging problem of weak cybersecurity standards.

For effective and sustainable cybersecurity strategy, we must develop significant expertise in applied mathematical research, which is the very basis of cybersecurity standards development. We request the budget 2016-17 to give this topic the much-needed focus, especially in the context of the Digital India initiative and the upcoming National Encryption Policy.

Along with developing domestic research capacity, a more immediately important step for the government is to ensure high quality Indian participation in global standard setting organisations, and hence to contribute to global standards making processes. We humbly suggest that categorical support for such participation and contribution is provided through the budget 2016-17, perhaps by partially channeling the revenues obtained from spectrum auctions.

For more details visit https://cis-india.org/openness/pre-budget-consultation-2016-submission-to-the-ministry-of-finance

Political is as Political does

nishant — 2011-08-04T10:30:51Z

The Talking Back workshop has been an extraordinary experience for me. The questions that I posed for others attending the workshop have hounded me as they went through the course of discussion, analysis and dissection. Strange nuances have emerged, certain presumptions have been questioned, new legacies have been discovered, novel ideas are still playing ping-pong in my mind, and a strange restless excitement – the kind that keeps me awake till dawning morn – has taken over me, as I try and figure out the wherefore and howfore of things. I began the research project on Digital Natives in a condition of not knowing, almost two years ago. Since then, I have taken many detours, rambled on strange paths, discovered unknown territories and reached a mile-stone where I still don’t know, but don’t know what I don’t know, and that is a good beginning.

The researcher in his heaven, all well with the world

This first workshop is not merely a training lab. For me, it was the extension of the research inquiry, and collaboratively producing some frames of reference, some conditions of knowing, and some ways of thinking about this strange, ambiguous and ambivalent category of Digital Natives. The people who have assembled at this workshop have identified themselves as Digital Natives as a response to the open call. They all have practices which are startlingly unique and simultaneously surprisingly similar. Despite the great dissonance in their geo-political contexts and socio-cultural orientations, they seem to be bound together by things beyond the technological.

Each one chose a definition for him/herself that straddles so many different ideas of how technologies interact with us; there are writers who offer a subjective position and affective relation to technologies and the world around them; there are artists who seek to change the world, one barcode at a time; there are optimist warriors who have waged battles against injustice and discrimination in the worlds they occupy; there are explorers who have made meaning out of socio-cultural terrains that they live in; there are leaders who have mobilized communities; there are adventurers who have taken on responsibilities way beyond their young years; there are researchers who have sought higher grounds and epistemes in the quest of knowledge. The varied practice is further informed by their own positions as well as their relationship with the different realities they engage with.

How, then, does one make sense of this babble of diversity? How does one even begin to articulate a collective identity for people who are so unique that sometimes they are the only ones in their contexts to initiate these interventions? Where do I find a legacy or a context that makes sense of these diversities without conflating or coercing their uniqueness? This is not an easy task for a researcher, and I have struggled over the two days to figure out a way in which I can start develop a knowledge framework through which I can not only bring coherence to this group but also do it without imposing my questions, suggestions or agendas on you. And it is only now, at a quarter to dawn, as I think and interact more with the different digital natives that things get shapes for me – shapes that are not yet clear, probably obscured by the blurriness of sleep and the rushed time that we have been living in the last few days – and I now attempt to trace the contours if not the details of these shapes.

Questioning the Question

The first insight for me came from the fact that the Digital Natives in the workshop talked back – not only to the structures that their practice engages with, but also the questions that I posed to them. “What does it mean to be Political?” I has asked on the first day, knowing well that this wasn’t going to be an easy dialogue. Even after years of thinking about the Political as necessarily the Personal (and vice versa), it still is sometimes difficult to actually articulate the process or the imagination of the Political. It is no wonder that so many people take the easy recourse of talking about governments, judiciaries, democracies and the related paraphernalia to talk about Politics.

I knew, even before I posed the question, that this was going to lead to confusion, to conditions of being lost, to processes of destabilising comfort zones. However, what I was not ready for was a schizophrenic moment of epiphany where I tried to ask myself what I understood as the Political. And as I tried to explain it to myself, to explain it to others, to push my own knowledge of it, to understand others’ ideas and imaginations, I came up with a formulation which goes beyond my own earlier knowledges. There are five different articulations of the legacies and processes of the Political that I take with me from the discussions (some were suggested by other people, some are my flights of fancy based on our conversations), and it is time to reflect on them:

Political as dialogue

This was perhaps, the easiest to digest because it sounds like a familiar formulation. To be political is to be in a condition of dialogue. Which means that Talking Back was suddenly not about Talking Against or Being Talked To. It was about Talking With. It was a conversation. Sometimes with strangers. Sometimes with people made familiar with time. Sometimes with people who we know but have not realised we know. Sometimes with the self. The power of names, the strength of being in a conversation – to talk and also to listen is a condition of the Political. In dialogue (as opposed to a babble) is the genesis of being political. Because when we enter a dialogue, we are no longer just us. We are able to detach ourselves from US and offer a point of engagement to the person who was, till now, only outside of us.

Political as concern

This particular idea of the political as being concerned was a surprise to me. I have, through discourses and practice within gender and sexuality fields, understood affective relationships as sustaining political concerns and subjectivities. However, I had overlooked the fact that the very act of being concerned, what a young digital native called ‘being burned’ about something that we notice in our immediate (or extended) environments is already a political subjectivity formation. To be concerned, to develop an empathetic link to the problems that we identify, is a political act. It doesn’t always have to take on the mantle of public action or intervention. Sometimes, just to care enough, is enough.

Political as change

This is a debate that needs more conversations for me. Politics, Knowledge, Change, Transformation – these are the four keywords (further complicated by self-society binaries) that have strange permutations and combination. To Know is to be political because it produces a subjectivity that has now found a new way of thinking about itself and how it relates to the external reality. This act of Knowing, thus produces a change in our self. However, this change is not always a change that leads to transformation. Knowledge for knowledge’s sake can often be indulgent. Even when the knowledge produces a significant and dramatic change, often this change is restricted to the self.

When does this knowing self, which is in a condition of change, become a catalyst for transformation? When does this knowing-changing translate into a transformation for the world outside of us? Just to be in a condition of knowing does not grant the agency required for the social transformation that we are trying to understand. Where does this agency come from? How do we understand the genesis and dissemination of this agency? And what are the processes of change that embody and foster the Political?

Political as Freedom

On the first thought, the imagination of Political as Freedom seemed to obvious; commonsense and perhaps commonplace. However, I decided put the two in an epistemological dialogue and realised that there are many prismatic relationships I had not talked about before I was privy to these conversations. Here is a non-exhaustive list: Political Freedom, Politics of Freedom, Free to be Political, Political as Freedom, Freedom as Political... is it possible to be political without the quest of freedom? Is the freedom we achieve, at the expense of somebody else’s Political stance? How does the business of being Political come to be? Not Why? But How? If Digital Natives are changing the state of being political what are they replacing? What are they inventing? Where, in all these possibilities lies Freedom?

Political as Reticence

We all talked about voice – whose, where, for whom, etc. It was a given that to give voice, to have voice, to speak, to talk, to talk back were conditions of political dialogue and subversion, of intervention and exchange. So many of us – participants or facilitators – talked about how to speak, what technologies of speech, how to build conditions of interaction... and then, like the noise in an otherwise seamless fabric of empowerment came the idea of reticence. Is it possible to be silent and still be political? If I do not speak, is it always only because I cannot? What about my agency to choose not to speak? As technologies – of governance, of self, and of the social constantly force us to produce data and information, through ledgers and censuses and identification cards – make speech a normative way of engagement, isn’t the right of Refusal to Speak, political?

Sometimes, it is necessary to exercise silence as a tool or a weapon of political resistance. The non-speaking subject holds back and refuses to succumb to pressures and expectations of a dominant erstwhile, and in his/her silence, produces such a cacophony of meaning that it asks questions that the loudest voices would not have managed to ask.

The Beginning of a Start; Perhaps also the other way round

These are my first reflections on the conversations we have had over the two days. I feel excited, inspired, moved and exhilarated as I carry myself on these flights of ideation, thought and conceptualisation. It is important for me that these are questions that I did not think of in a vacuum but in conversation and dialogue with this varied pool of people who have spent so much of their time and effort to not only make their work intelligible but also to reflect on the processes by which we paint ourselves political. I have learned to sharpen questions of the political that I came with and I have learned to ask new questions of Digital Natives practice. I don’t have a definition that explains the work that these Digital Natives do. But I now have a framework of what is their understanding of the political and what are the various points of engagement and investment.

For more details visit https://cis-india.org/digital-natives/blog/political

Platforms, Power, and Politics: Perspectives from Domestic and Care Work in India

Aayush Rathi, and Ambika Tandon — 2021-07-07T15:19:37Z

CIS has been undertaking a two-year project studying the entry of digital platforms in the domestic and care work in India, supported by the Association for Progressive Communications as part of the Feminist Internet Research Network. Implemented through 2019-21, the objective of the project is to use a feminist lens to critique platform modalities and orient platformisation dynamics in radically different, worker-first ways. Ambika Tandon and Aayush Rathi led the research team at CIS. The Domestic Workers’ Rights Union is a partner in the implementation of the project, as co-researchers. Geeta Menon, head of DWRU, was an advisor on the project, and the research team consisted of Parijatha G.P., Radha Keerthana, Zeenathunnisa, and Sumathi, who are office holders in the union and are responsible for organising workers and addressing their concerns.

The Executive Summary for the project report is below.

The full report, ‘Platforms, power, and politics: Perspectives from domestic and care work in India’, can be found here.

The press release can be found here.

Introduction

Paid domestic and care work is witnessing the entry of digital intermediaries over the past decade. More recently, there has been tremendous growth of digital platforms. This holds the potential to impact millions of workers in the sector, which is characterised by a long history of informality and exclusion from rights-according legal frameworks. Digital intermediation of domestic and care work has been a space of high-growth, but also high-attrition. In India, order books of digital platforms providing domestic and care work services were reported to have been growing by upto 60 percent month-on-month in 2016. This is expected to shift the organisation of workers and employment relations profoundly.

Broadly, the discourse on digital platforms providing home-based services can be summarised as follows: proponents argue that digitisation will act as a step towards bringing formalisation to the sector, while critics argue that platforms could replicate the exploitation of workers by further disguising the employer-employee relationship. Similar debates around lack of protections and precarity have also taken place in other occupations in gig work such as transportation and food delivery. In fact, the similarity in precarity and the informal nature of this relationship across gig work and domestic work has led to domestic workers being labelled the original gig workers. Domestic work is a particularly vulnerable and unprotected sector, which makes work in the sector qualitatively different from most other sectors in the gig or sharing economy.

Through a feminist approach to digital labour, our project aimed to examine the dynamics of platformisation in, and of domestic or reproductive care work. Our hypothesis was that platforms are reconfiguring labour conditions, which could empower and/or exploit workers in ways qualitatively different from non-standard work off the platform. In order to interrogate this further, we studied several aspects of the work relationship, including wages, conditions of work, social security, skill levels, and worker surveillance off platforms.

Methodology

We borrowed from ethnographic methods and feminist principles to co-design and implement the research tools with grassroots workers and organisers. Between June to November 2019, we conducted 65 in-depth semi-structured interviews primarily in New Delhi and Bengaluru. A majority of these were with domestic workers who were seeking or had found work through platforms. We also did interviews with workers who had found work through traditional placement agencies to compare our findings, and with representatives from platforms, government labour departments, and workers collectives. Of the workers we interviewed, a majority were women, but men were included as well. Interviews in New Delhi were undertaken by CIS, while interviews with workers in Bengaluru were undertaken by grassroots activists in Bengaluru, affiliated with the Domestic Workers Rights Union (DWRU).

In implementing the data collection approach, we employed feminist methodological principles of intersectionality, self-reflexivity, and participation. The methodology draws on standpoint theory, which encourages knowledge production that centres the lived experiences of marginalised groups. We were acutely aware of our own positionality as high income, Savarna researchers studying a sector dominated by Dalit, Bahujan and Adivasi women from low income groups. This power differential was softened partially by involving DWRU through the course of the project. Workers across both field sites were also interviewed in spaces familiar to them, most often their homes, in languages that they were comfortable with including Hindi, Kannada, and Tamil.

Feminist principles also instrumental during the data analysis, with focus on intersectionality and self-reflexivity. We highlighted the ways in which inequalities of gender, income, migration status, caste, and religion are replicated and amplified in the platform economy. In particular, we discussed the impact of the digital gender gap in access and skills on workers’ ability to find economic opportunities.

Findings

Our typology of platforms mediating domestic work finds three types of platforms – (i) marketplace, or platforms that list workers’ data on their profile, provide certain filters for automated selection of a pool of workers, and charge a fee from customers for access to workers’ contact details, (ii) digital placement agency, or platforms that provide an end-to-end placement service to customers, identify appropriate workers on the basis of selection criteria, and negotiate conditions of work on behalf of workers, and (iii) on-demand platforms, or companies that provide services or ‘gigs’ such as cleaning on an hourly basis, performed by a roster of workers who are characterised as ‘independent contractors’.

When it comes to the role played by platforms in determining employment relations, there is a wide variation within and across platform categories. There are both weak and strong models of intervention. On one end of the spectrum are marketplaces, with minimal intervention in the recruitment process, and on the other on-demand platforms, that exact control over each aspect of work. Digital platforms reconfigure the conception of intermediaries in the domestic work sector, functioning as next-generation placement agencies. All three platform types contain aspects that provide workers agency, as well as those that reinforce their positions of low-power. Platform design impacts the role platforms play in setting conditions of work, but does not determine it entirely.

(Re)shaping the terms of work
Across the three types of platforms, wages are slightly higher than or matching those of workers off platforms. Some marketplace platforms have incorporated features to nudge customers towards setting higher wages, such as enforcing minimum wage standards, or informing customers of expected wages in their locality. Conversely, on-demand platforms charge a high rate of commission from workers, despite refusing to recognise them as employees. This indicates that this is a misclassification of an employment relationship, given that workers are unable to set their own conditions or wages for work. Despite the high rates of commission and appropriation of labour by platforms, on-demand workers earn higher wages than workers on other platforms. The relatively high wage is a result of marketing on-demand cleaning as professionalised and more skilled than day-to-day cleaning. Tasks in the sector continue to be distributed along the lines of gender and caste, as has historically been the case. Dalit, Bahujan and Adivasi women are more likely to take up work such as cleaning and washing dishes, while men and women across castes are equally distributed in cooking work. Women dominate tasks such as elderly and childcare, as in the traditional economy. Workers in professionalised tasks such as deep cleaning that requires technical equipment and chemicals are almost entirely men.

Digital divides and workers’ agency
We find that workers are primarily onboarded onto platforms by learning about it from other workers, through onboarding camps held by platforms, or offline advertising by platforms. Such in-person onboarding techniques allows workers with no digital access or literacy to register themselves on marketplace platforms and digital placement agencies.

However, we find that low levels of education and digital literacy continue to impact platformed labour by creating a strong informational asymmetry between workers and platforms. For instance, we find that women workers from low income communities have very little information about how platforms work, causing deep distrust. Workers with digital devices and literacy (and therefore a relatively better understanding of the functionality of the platform), physical mobility and the resources to bear indirect costs that were outsourced to them were at a significant advantage in finding better-paying jobs. Workers who were seeking flexibility and were not necessarily dependent on the platform for their primary income were also better placed than those entirely dependent on platforms. Women workers tended to be disadvantaged on all these counts, limiting their agency and capacity to reap the benefits of the platform economy.

Across the three types of platforms, systems of placement and ratings add to the information asymmetry, as workers are not aware of the impact of ratings on their ability to find work or charge better wages. Ratings and filtering systems also hard-code the impact of workers’ social characteristics on their work. Workers are unable to exercise control over their data, further undermining their agency vis-a-vis platforms and employers. We identify a clear need for collective bargaining structures to protect workers’ rights, although platformed domestic workers remained distant from both domestic work unions and emergent unions of platform workers in other sectors.

Intersectionalities of formalisation
We find that inequalities of caste, class, and gender that have historically shaped the sector continue to be replicated or even amplified in the platform economy. What remains clear is that platforms in the domestic work sector adopt the logics of this sector, more than the converse. Platformisation is conflated with formalisation, and it is within this vector, from complete informality to piecemeal formalisation, that platforms operate. Labour benefits do not take the form of labour protections or welfare entitlements that are the central function of formalisation processes. Instead, the so-called benefits are intended to transform domestic workers to participate within the logics and vagaries of the market.

Policy Recommendations

Recognise and implement labour protections for domestic workers
Domestic workers have historically occupied the most vulnerable positions in the workforce, with limited legal protections. Exposed to the regulatory grey areas that platforms operate in, this doubly exposes domestic workers to precarious conditions of work. Despite an avowed move towards formalisation of domestic work, platform-mediated labour continues to retain characteristics of informal labour, even heightening some.

If pushed to do so, platform companies can be instrumental in resolving some of the implementation challenges that governments have faced in enforcing legislative protections sought to be made available to domestic workers. Platforms have databases of workers, which can be used to mandatorily register them for social security schemes offered by the government. This data can also be used for better policy making, in the absence of reliable statistics particularly on migrant workers in the informal economy.

Reduce the protective gap between employment and self-employment
The (mis)classification of “gig” work within labour law frameworks is still a matter that continues to be hotly debated within policy practitioners, legal scholarship, and civil society actors. Three positions, in particular, have been taken—treating gig workers as employees, independent contractors, or occupying a third intermediate category. More recently, there have been some legal victories guaranteeing employment protections and increasing platform companies’ accountability. However, these successes have been more visible in Global North jurisdictions.

Regardless of the resolution of these ongoing debates over employment status, labour frameworks should provide some universal protections to all categories of labour. Such protections must include universal coverage of social security, in addition to rights such as freedom of association, collective bargaining, equal remuneration and anti-discrimination. Policies geared towards achieving this objective would be significant in reducing the protective gaps between different categories of labour, and would particularly help historical and emerging occupational categories of workers such as “gig” workers and domestic workers.

Recognise the specific challenge(s) and potential of platformisation of domestic work
Platforms hold the potential of acting as effective facilitators in informal labour markets. Even when they do not replace existing recruitment pathways, they provide alternate ones. Workers were more likely to register on a platform if they were entering the domestic work labour market recently (often distress and migration driven), or had not enjoyed success with informal, word-of-mouth networks. However, platforms also heighten labour market insecurities, and create new ones. These potential risks need to be specifically recognised through appropriate frameworks, such as social security, discrimination law and data protection.

Tailor policy-making to platform models
We identify three types of platforms, each of which intervene to varying degrees in the work relationship. We recommend that digital placement agencies and marketplace platforms be registered with governments and enforce basic protections for workers such as provision of minimum wage, preventing abuse (including non-payment of wages) and trafficking. On-demand companies on the other hand, must be treated as employers, and workers be accorded employment protections including social security.

In addition to rights-based policy actions, legal-regulatory mechanisms geared towards mitigating the precariousness of platform-based work are required. This can take the shape of clarifying and expanding existing legal-regulatory formulations, or preparing new ones. Such policy making should factor in the power and information asymmetry between domestic workers (and gig workers, generally) and platforms.

Further, in the absence of health or retirement benefits, risks and indirect costs of operations are shifted from employers to workers. For instance, workers provide capital in the form of tools or equipment, support the fluctuation of business and income, and can be ‘deactivated’ from an application as a result of poor ratings or periods of inactivity. Any regulation aiming to extend employee status should mandate platforms to support such indirect costs.

Related Publications

1. Research notes with reflections from union members.
2. The event report from a stakeholder consultation with workers, unions, companies and government representatives.
3. A reflection note on the participatory approach taken by the project.
4. A paper with a comparative analysis of the policy landscape on domestic work in the platform economy.

For more details visit https://cis-india.org/raw/platforms-power-and-politics-perspectives-from-domestic-and-care-work-in-india

Platforming precarity: Data narratives of workers sustaining urban platform services

2024-10-15T02:42:26Z

CIS conducted quantitative surveys with over 800 workers employed in the app-based taxi and delivery sectors across 4 cities in India as part of the ‘Labour Futures’ project supported by the Internet Society Foundation. The surveys covered key employment indicators, including earnings and working hours, work-related cost burdens, income and social security, and platform policies and management. Findings from these surveys are presented as data visualisation briefs centring workers’ everyday experiences. These data briefs form a foundational evidence base for policy and action around labour rights, social protection, and urban inclusion in platform work.

It has been over a decade since app-based delivery and taxi sectors began operations in India, and have since expanded to several metropolitan and smaller cities. These sectors together account for the largest proportion of the platform workforce in India. Workers’ organising and collective action have long revealed extractive labour practices in the platform economy. Their demands call for the recognition of their labour rights by policymakers and platforms, an end to exploitative working conditions, and the introduction of effective policy that protects their rights and wellbeing.

In 2021-22, the labour research vertical at the Centre for Internet and Society conducted quantitative surveys with over 800 workers in the app-based taxi services and app-based delivery services sectors. Spanning four cities (Delhi-NCR, Mumbai, Guwahati, Lucknow), the surveys gathered comprehensive data on the conditions of work in the platform economy in these cities, within its two dominant sectors.

The survey covered key labour indicators—(i) the conditions of work for workers, including recruitment, wages, incentive structures, and work-related cost burdens (ii) workforce management, including hours spent working for the platform, surveillance and control measures, and (iii) workers’ coverage under income security, social security and social protections, including provident funds, health and accident insurance, and pensions.

Key Findings

The generation of city-level data aimed to support policymaking and advocacy towards achieving just outcomes for workers in the rapidly platformising Indian economy. These survey findings speak to i) top-down approaches of regulatory, legislative, and judicial action through evidence-building, and ii) bottom-up approaches of mobilisation and advocacy campaigns of workers’ collectives.

The city-wise data briefs highlight region-specific differences and similarities shaped by histories and newer developments of labour platforms operating in the urban economy. Across the four survey cities, the data briefs reveal the ways in which precarity materialised in platform work. Workers grappled with numerous socioeconomic vulnerabilities that influenced their entry and continued employment in platform work. They faced low-wage outcomes, worsened by a reduction in bonuses, and high operational work-related expenses. Earnings remained low and uncertain despite workers putting in immensely long hours working for platforms. Worsening these burdens was widespread income insecurity that workers faced in both app-based taxi and delivery sectors.

Mapping delivery and taxi platform services across cities

The taxi services sector in all cities was dominated by two large platforms—Uber and Ola Cabs. These platforms had established a highly concentrated labour market for taxi workers. The exception to this was the taxi platform labour market in Guwahati, where the local platform, PeIndia, employed 35% of taxi workers in the city.

The delivery services sector in all cities had a high concentration of pan-India platforms. Food delivery services were concentrated by Swiggy and Zomato across cities. E-commerce delivery services had a diversity of platforms including Amazon, Flipkart, E-kart Logistics, and Shadowfax, as well as grocery delivery services like Big Basket, Dunzo, and Jio Mart.

Economic necessity and a lack of alternative employment pushing workers into precarious platform work

The pathway to precarious platform work was distress-driven, borne out of low wages in previous salaried work, or a lack of alternative employment. A large proportion of workers were previously engaged in salaried employment, who then shifted to platform work, marking increased informality and precarity in their employment status. In Mumbai, over 64% of workers were in salaried employment previously, and this also the case for over 50% of workers in Guwahati, and over 42% of workers in Delhi-NCR. In Lucknow and Delhi-NCR, pandemic-driven unemployment was a key driver for a staggering proportion of workers who joined platform work as a distress employment source. Over 30% of workers in Lucknow and Delhi-NCR were previously unemployed.

These socioeconomic vulnerabilities influenced workers entry and continued employment in platform work. Key factors for workers entering were the lack of alternative employment sources and the hope for better pay and potential job flexibility. The lack of alternative jobs was a major push into platform work for workers in Delhi-NCR and Lucknow—over 60% of workers in Delhi-NCR and over 50% of workers in Lucknow. At least 40% of workers across cities mentioned the expectation of better pay as a major reason to start platform work, while potential job flexibility was also a key reason for workers in Mumbai and Guwahati. However, as the findings below show, workers’ expectations were unmet.

Externalised joining, statutory, and operational costs

High joining, statutory, and operational costs were offloaded onto workers to access and continue platform work. This was especially the case for taxi workers who owned their vehicles, and had to incur vehicle investment costs and downpayment, as well as statutory costs that included operating permits, road tax, vehicle insurance, and fitness fee. Across all cities, average monthly expenses for taxi workers were above INR 30,000. For delivery workers, average monthly expenses mostly comprised fuel costs, and were around INR 5,500 in Guwahati and Lucknow, and around INR 6,700 in Delhi-NCR and Mumbai. These high externalised costs reveal the economic vulnerabilities inherent within platform work.

Compounding these costs, platforms in the taxi services sectors also charged commissions unevenly and in varying fee structures—ranging from 20% to 30% of the fare in Mumbai and Lucknow, and going as high as 35% in Delhi-NCR and Guwahati. It is important to note that high commissions persist despite the mandate under the Motor Vehicle Aggregator Guidelines, 2020 to cap commissions and other platform charges at 20% of the fare.

Platforms’ offloading of costs to workers have resulted in workers’ having to rely on informal leasing, debt, and subcontracting arrangements. These arrangements were seen across all cities, where workers in the city were either renting the vehicle they were driving, paying a commission to a vehicle owner, paying off vehicle EMIs on someone else’s behalf, or were paid a fixed salary by a vehicle owner. Notably, in Lucknow, around 35% of taxi workers were engaged under these informal arrangements.

Insufficient incomes and economic vulnerabilities

Workers' experiences, across cities, highlight how a majority contended with low-wage outcomes. Earnings remained low and uncertain for workers despite the fact that they were putting in long work hours. Several factors contributed to this insufficiency and uncertainty in workers’ earnings: stringent platform requirements around high acceptance rates and ratings, which were important determinants, decreased flexibility, and high offloaded work-related expenses.

Across cities, earnings for delivery workers were considerably lower than those for taxi workers. When earnings were adjusted for standard weekly work hours (48 hours/week), over 50% of delivery workers in Mumbai, Guwahati, and Lucknow were earning less than the corresponding state-wise minimum wages. Further, over 75% of delivery workers in these cities were earning below estimated state-wise living wages. Platform work was also insufficient in meeting essential living needs for taxi workers in Mumbai, Guwahati, and Lucknow. Around 30% of taxi workers (23% in Guwahati) were earning less than minimum wages, and around 50% (80% in Mumbai) were earning less than estimated living wages. Earnings for both delivery and taxi workers in Delhi-NCR were substantially lower than minimum wage and living wage standards. 69% of workers in the taxi services sector and 87% of workers in the delivery services sector earned less than the minimum wage in Delhi. Moreover, 92% of workers in the taxi sector and 97% of workers in the delivery sector earned lower than the estimated living wage.

These insufficient incomes were particularly damaging to workers’ lives and livelihoods, considering their high dependence on income from platform work. An overwhelming proportion of workers (over 94% across all cities) were engaged in platform work as their main source of income, as opposed to part-time employment. They also faced significant economic burdens such as being sole earners in their household, having multiple financial dependents, having financial commitments to provide remittances back home, and so on. Worsening these burdens was widespread income insecurity that workers faced across all cities—for over 43% of workers (up to 65% in Guwahati), earnings from platform work were insufficient for covering basic household expenses.

Workplace risks and ineffective redressal mechanisms

Workers in both sectors were working immensely long hours in order to try and make adequate earnings while working for platforms, working several hours above standard weekly work hours (48 hours/week) typically prescribed by occupational health standards. Across all cities, delivery workers spent a median of over 60 weekly hours working for platforms, and taxi workers spent a median of around 84 weekly hours.

Alongside the adverse health impacts of long work hours, workers faced grievous workplace risks, including risks of physical assault, theft, poor road safety, and harsh weather conditions. Around 75% of delivery and taxi workers faced these issues in Mumbai and Lucknow. An even greater proportion of workers were exposed to these risks in Delhi-NCR (84%) and Guwahati (90%).

Despite several workplace risks, platforms remained unaccountable for their failure to guarantee safe working conditions. Across all cities, less than 10% of workers found that their platform took steps to improve working conditions. Workers’ overall experience with platform grievance redressal mechanisms was mixed. For instance, in Lucknow, only around 25% of workers who raised grievances did not receive a resolution. In contrast, 50% of taxi workers in Delhi-NCR did not receive a resolution, as was the case for 76% of taxi workers in Mumbai. Workers have limited recourse when their grievances go unanswered. Platforms, however, wield significant control over terms of work, making it difficult for workers to challenge unfair decisions.

Low coverage and accessibility of social protection mechanisms

Social security covered by platforms typically included health insurance and accident insurance. Workers faced significant gaps in insurance coverage, and these gaps were particularly glaring in the taxi services sector. Across cities, health and accident insurance coverage for taxi workers was below 10% (an exception was 11% of workers covered by accident insurance in Delhi-NCR). It is important to note that this low coverage exists despite the Motor Vehicle Aggregator Guidelines, 2020 mandating provision of health insurance and term insurance from platforms.

Delivery workers had a relatively higher percentage of insurance coverage from platforms, although coverage varied across cities. Health insurance coverage was low for delivery workers in Delhi-NCR (21%) and Guwahati (14%), but higher for workers in Lucknow (34%) and Mumbai (44%). In the case of accident insurance, insurance was covered by platforms for over 40% of delivery workers in Delhi-NCR and Lucknow, while a greater proportion of workers were covered in Mumbai (63%) and Guwahati (72%). Even though delivery workers were covered by platform-provisioned insurance, claiming benefits was an unreliable and time-consuming process. Workers who attempted to access benefits faced several obstacles, including poor awareness of available schemes, inadequate coverage, and little to no platform support in navigating complex claims procedures.

The inadequacy of platform-provisioned insurance was exacerbated by the exclusion of workers from government social protection mechanisms. In Delhi-NCR, Guwahati, and Lucknow, over 35% of workers in both sectors were left outside of social protection from governments. In Mumbai, over 66% of workers were excluded.

Contributors

Conceptualisation + planning: Aayush Rathi, Abhishek Sekharan, Ambika Tandon, Chetna V M, Chiara Furtado, and Nishkala Sekhar

Writing: Aayush Rathi, Ambika Tandon, Chetna V M, Chiara Furtado, and Nishkala Sekhar

Data analysis: Abhishek Sekharan, Chetna V M, and Nishkala Sekhar

Data visualisation: Sriharsha Devulapalli

Design + design direction: Annushka Jaliwala and Yatharth

Review: Aayush Rathi and Abhineet Nayyar

Survey design + planning: Abhishek Sekharan and Ambika Tandon

Survey implementation: Abhishek Kumar

Research advice: Nora Gobel and Uma Rani Amara

We are deeply grateful to the workers who participated in the surveys for generously sharing their time, experiences, and insights with us.

This work was supported by the Internet Society Foundation, as part of the “Labour Futures” project at the Centre for Internet and Society.

This work is shared under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0)

To know more about this work, please write to us at chiara@cis-india.org

Explore more of CIS’ research on labour and digitalisation at platformwork.in

For more details visit https://cis-india.org/raw/platforming-precarity-data-narratives-workers

Pervasive Technologies: Access to Knowledge in the Market Place — A Presentation by Sunil Abraham

sunil — 2013-02-13T07:05:15Z

The 2012 Global Congress on Intellectual Property and the Public Interest was organized in Rio de Janeiro from December 15 to 17, 2012. The Centre for Internet & Society partnered FGV, Washington College of Law, the American Embassy, African Information Research and Training and International Centre for Trade and Sustainable Development in this event. Sunil Abraham made a presentation on Pervasive Technologies on the opening day, December 15, 2012.

Sunil Abraham presented on 13 different smartphones from the Indian market such as: The Classroom in a Box, The Supercharger, The Networker, The Linguist, TV on the Go, The Spy, The Semi-Smartphone, The Trendy, The Boombox, 3D, The Mighty Mini, The Pianist, and the Indian Experience.

Most of the above devices are manufactured in China and imported into India through local companies for domestic consumption and made available for its 900 million mobile subscribers.

Download the presentation [PDF, 4.61 Mb]

For more details visit https://cis-india.org/a2k/blogs/access-to-knowledge-in-market-place