Centre for Internet and Society

What India can Learn from the Snowden Revelations

elonnai — 2013-10-25T07:29:57Z

Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.

The title of the article was changed in the version published by Yahoo on October 23, 2013.

Since the ‘Snowden revelations’, which uncovered the United States government’s massive global surveillance through the PRISM program, there have been reactions aplenty to their impact.

The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.

The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.

Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.

This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.

India’s reaction

After the first news of the Snowden revelations, the Indian Supreme Court agreed to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.

The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.

In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take.

For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.

To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same.

In India, P. Rajeev, Member of Parliament from Kerala, has started a petition asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.

The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been voiced by many, including government officials. Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require that foreign governments access Indian information through a formal Mutual Legal Assistance Treaty process, it does not necessarily enhance the privacy of Indian data.

As a note, India has MLAT treaties with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.

Snooping

The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India.

For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually set up servers in Mumbai and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands from Skype and Google. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.

Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on the order of the executive.

The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on the order of the Secretary to the government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.

The gaps in the Indian surveillance regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, India is in the process of realizing a privacy legislation.

In 2012, a committee chaired by Justice AP Shah (of which the Center for Internet and Society was a member) wrote The Report of the Group of Experts on Privacy, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.

The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.

For example, telecoms in India are now required to include user location data as part of the ‘call detail record’ and be able to provide the same to law enforcement agencies on request under provisions in the Unified Access Service and Internet Service Provider Licenses.

At the same time, the Government of India is in the process of putting in place a Central Monitoring System that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.

Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and Information Technology Act, the system can only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider was included as an integral component of the interception process.

If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market and any pressure that consumers could exert from insight provided by companies on the surveillance requests that they are facing.

Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.

Policy vacuum

For any government, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe.

When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.

In 2013, the International Principles on the Application of Human Rights to Communications Surveillance were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications.

When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.

Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.

For more details visit https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations

An Interview with Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party

elonnai — 2013-10-25T04:50:56Z

The Centre for Internet and Society interviewed Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party.

What activities and functions does your office undertake?

The activities and functions of the Dutch data protection authority can roughly be divided in 4 different categories: supervisory activities, giving advise on draft legislation, raising awareness and international tasks.

The Dutch DPA supervises the legislation applicable in the Netherlands with regard to the use of personal data. The most important law is the Dutch Data Protection Act, but the Dutch DPA also supervises for example the Acts governing data processing by police and justice as well as parts of the Telecoms Act.

The supervisory activities mainly consist of investigating, ex officio, violations of the law, with the focus on violations that are serious, structural and impact a large amount of people. Where necessary, the Dutch DPA can use its sanctioning powers, including imposing a conditional fine, to enforce the law. The Dutch DPA can also decide to examine sector-wide codes of conduct that are submitted to it and provide its views in the form of a formal opinion.

In addition to investigations, the Dutch DPA advises the government, and sometimes the parliament, on draft legislation related to the processing of personal data. Following the Data Protection Act, the government is obliged to submit both primary and secondary legislation related to data processing to the DPA for advice.

As regards awareness-raising, next to publishing the results of the investigations, its views on codes of conduct and its advice on legislation, the Dutch DPA also issues guidelines, on its own initiative, explaining legal norms. Via its websites, the Dutch DPA provides more information to both data subjects and controllers on how data can and cannot be processed. Specifically for data subjects, self-empowerment tools – including standard letters to exercise their rights – are made available. Furthermore, they can contact the Dutch DPA daily via a telephone hotline.

Last but not least, the Dutch DPA participates in several International and European fora, including the Article 29 Working Party of which I am the Chair, the European and the International Conference of data protection and privacy commissioners, of whose Executive Committee I am also the Chair.

What powers does your office have? in your opinion are these sufficient? Which powers have been most useful? If there is a lack, what do you feel is needed?

The Dutch DPA has a broad range investigative powers, including the power to order the controller to hand over all relevant information and entering the premises of the controller unannounced. All organisations subjected to the supervision of the Dutch DPA are obligated to cooperate.

The Dutch DPA also has a considerable range of sanctioning powers, it can for example order the suspension or termination of certain processing operations and can also impose a conditional fine. Currently a bill is before Parliament to provide the Dutch DPA with fining powers as well.

Especially when the bill providing the Dutch DPA with fining powers will be passed, I feel the powers are sufficient, giving us all the necessary enforcement tools to ensure compliance with the law.

How is your office funded?

The Dutch DPA is funded through the government who, together with the parliament, each year determines the budget for the next year. The budget is drafted on the basis of a proposal from the Dutch DPA.

What is the organizational structure of your office and the responsibilities of the key executives?

The Dutch DPA consists of a college of commissioners and the supporting Secretariat, itself consisting of 6 departments and headed by the Director. The Dutch DPA has 2 supervision departments, one for the private and one for the public sector, a legal department, a communications department, an international department and a department providing the operational support.

If India creates a framework of co-regulation, how would you suggest the overseeing body be structured?

Considering the many differences between India and the Netherlands - and Europe - this is a very hard question to answer. But whatever construction is chosen in India, it is of utmost importance to guarantee the independence of the supervisory authorit(y)(ies), who shall be provided with sufficient and scalable powers to be able to sanction violations.

What legal challenges has your office faced?

The biggest legal challenge we face at the moment is the new European legal framework currently being discussed. It is as yet uncertain whether and when this will enter into force, but it is clear that it will bring new challenges for our office.

What are the main differences between your offices?

Generally, I think that the differences between my office and the UK and Canadian offices mostly stem from our different legal and cultural backgrounds, especially the difference between the common law and codified law systems.

In addition, the norms and powers differ per supervisory authority. The Dutch DPA for example can enter a building without prior notice, while the ICO, if I understand correctly, can only enter with the consent of the supervised organisation.

I however prefer to look at the similarities and possibilities to overcome our differences, because I think that we all feel that providing a high level of data protection and ensuring user control are all of our main priorities.

Naturally, I am very curious to hear from Chrisopher and Chantal as well.

What are the most recent privacy developments for each of your respective offices?

The technological developments of the past decades and the increasing use of smartphones and tablets, have also made privacy developments necessary and have obliged us, as data protection authorities, to consider the rules and norms in this new environment.

What would you broadly recommend for a privacy legislation for India?

In my view the privacy legislation in India should in any case contain the basic principles of the protection of personal data, applicable to both the public and the private sector. Naturally with some exceptions for law enforcement purposes.

Furthermore, the Indian law should protect the imported data of citizens from other parts of the world as well, including the EU.

And as mentioned in my answer to question 5, it is of utmost importance that the Indian legislation guarantees the establishment of (a) completely independent supervisory authorit(y)(ies), provided with sufficient sanctioning powers, to supervise compliance with the legislation also of the government, including police and justice.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm

Interview with Dr. Alexander Dix - Berlin Data Protection and Freedom of Information Commissioner

maria — 2013-11-06T09:29:32Z

Maria Xynou recently interviewed Berlin's Data Protection and Freedom of Information Commissioner: Dr. Alexander Dix. View this interview and gain an insight on recommendations for better data protection in India!

Dr. Alexander Dix has been Berlin's Data Protection and Freedom of Information Commissioner since June 2005. He has more than 26 years of practical experience in German data protection authorities and previously served as Commissioner for the state of Bradenburg for seven years.

Dr. Dix is a specialist in telecommunications and media and has dealt with a number of issues regarding the cross-border protection of citizen’s privacy. He chairs the International Working Group on Data Protection in Telecommunications (“Berlin Group”) and is a member of the Article 29 Working Party of European Data Protection Supervisory Authorities. In this Working Party he represents the Data Protection Authorities of the 16 German States (Länder).

A native of Bad Homburg, Hessen, Dr. Alexander Dix graduated from Hamburg University with a degree in law in 1975. He received a Master of Laws degree from the London School of Economics and Political Science in 1976 and a Doctorate in law from Hamburg University in 1984. He has published extensively on issues of data protection and freedom of information. Inter alia he is a co-editor of the German Yearbook on Freedom of Information and Information Law.

The Centre for Internet and Society interviewed Dr. Alexander Dix on the following questions:

What activities and functions does the Berlin data commissioner's office undertake?
What powers does the Berlin data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?
How is the office of the Berlin Data Protection Commissioner funded?
What is the organisational structure at the Office of the Berlin Data Protection Commissioner and the responsibilities of the key executives?
If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?
What challenges has your office faced?
What is the most common type of privacy violation that your office is faced with?
Does your office differ from other EU data protection commissioner offices?
How do you think data should be regulated in India?
Do you support the idea of co-regulation or self-regulation?
How can India protect its citizens' data when it is stored in foreign servers?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner

Beyond the Searchlight

praskrishna — 2013-10-23T11:15:27Z

Should we be wary of Google’s all-pervasiveness?

This article Debarshi Dasgupta was published in the Outlook on October 23, 2013. Sunil Abraham is quoted.

Search Google

Some queries to type in the window

Is what is good for Google good for India, especially after Brazil and the EU question its actions?
Are politicians sending out the right signals by associating with Google’s initiatives?
Is Google directing the internet intellectual discourse in a way that will benefit it?
Does Google initiate the kind of offline activities it does here in other democracies?
Is Google shutting out potential competition by obtaining a stranglehold on the internet?

Google’s policy, its CEO Eric Schmidt had once said, was to get right up to the creepy line, but not cross it. It has generated contentious debate about the firm’s activities and products, whether it’s accessing your e-mails to feed you targeted ads, something we have now come to accept grudgingly, or its soon-to-be-released Google Glass that comes fitted with miniature cameras and has advocates all worried about the next big breach on the privacy frontier.

Not just online, where privacy violations and anti-competitive practices have raised concerns globally, some of Google’s offline activities in India too should have us asking questions based on conflict of interest and lack of transparency. Here too, the company seems to have placed itself right next to the creepy line. Especially the way it has gone about sponsoring research at key think-tanks and academia on areas that directly concern its business interests.

Nothing illustrates this better than the work of PRS Legislative Research, which Google has funded in the past. PRS produces policy briefings that are sent out to lawmakers and the media, including on internet governance. PRS hasn’t got a clearance to receive foreign funds since it became independent of the Centre for Policy Research in 2010, where it was launched, and has since then been largely funded by domestic sources.

Prashant Reddy, Blogger

“That an Indian user seeking arbitration
with Google has to do so in a California
court reeks of double standards.”

Does this growing network mean Google is having a say in shaping internet governance laws? Maybe yes. They should have a say by all means, just as other interested parties must get theirs. But given its influence and the certain opaqueness that marks its activities, some more transparency can only boost the credentials of a firm whose informal motto is—“Don’t be evil”. Google may have helped you find that bit of information from the googol tera bytes of online data but it has so far largely evaded discussion on how it has gone on to become big and influential in India.

But while it may have been forced to back out from funding PRS directly, Google’s web of research fellows in this country is growing. In August this year, the Asia Internet Coalition, of which Google is a founding member, selected its two inaugural India fellows—Shehla Rashid Shora and Astik Sinha, both of whom will analyse policies concerning the internet environment here. Sinha also happens to be a social media advisor for BJP MP Anurag Thakur.

So big that it hobnobs with Narendra Modi in the first of its Hangout series and, quite contrary to its espousal of free speech, has comfortable questions pitched to him. Or so influential that it has telecom minister Kapil Sibal, its bete noire from 2011 when his ministry was forcing them to pull down content, to attend the launch of chandnichowkonline.in, a business directory of Sibal’s constituency. Outlook made several attempts to get a reaction from Google but received none by the time this article had to go to the press.


Blurred lines Paid ads seem no different from search results for cameras

Google, since 2011, has also placed three fellows so far under its annual Google Public Policy Fellowship programme at the Bangalore-based Centre for Internet and Society (CIS). The research is supposed to focus on “access to knowledge, openness in India, freedom of expression, privacy, and telecom”. Yet another crucial funding in May 2013 went to the Centre for Communication Governance at the National Law University in New Delhi, which does research on areas directly linked to its business interests. The agreement contains a clause that says “Google will not be excluded from any future business opportunities”. Its research director Chinmayi Arun did not respond to Outlook’s e-mail and said she was too busy to speak when Outlook called her up.

A third institution Google has funded is the media watch website The Hoot. After the 26/11 attacks in Mumbai when the government hastily amended the IT Act, clamping down in a restrictive spirit, noted journalist and the website’s editor Sevanti Ninan was one of the many criticising the government publicly in her articles. Google, she says, contacted her somewhere around mid-2009 seeking a proposal on how they could help with what she was working on. Ninan sent one proposing a Free Speech Hub and received a grant of $22,000 in January 2010 (approximately Rs 10 lakh at 2010 exchange rates) from Google to do so. The hub is an online forum to track free speech violation and highlight problems surrounding freedom of speech and expression and regulation of media.

The commitment was renewed in February 2012 with another grant of Rs 42 lakh. Ninan says that while Google was “not interested in media ethics but free speech”, its approach was entirely “hands-off” to what the site could include on the hub. “I think it’s entirely up to the organisation being funded to decide how it handles a grant. At the same time, anything Google does should be under scrutiny just like other corporations.”

“More transparency
and accountability
can only be good,
both for Google and for the organisation
it funds.”
Anja Kovacs, Internet Democracy Project

So just as it is necessary to publicise that Shell has ties with the India chapter of Brookings Institution or that Reliance sponsors the Observer Research Foundation, it is important that people know where Google is putting its money and for what gains. In fact, more so in the case of Google, a firm that touches our lives in so many more ways that Shell or Reliance does. Yet, a lot of what Google has been doing has gone without adequate publicity and scrutiny. Should we be any less sceptical of Google funding research that helps formulate policies on internet governance than we should be of, let’s say, the Tatas and Jindals on mining? “Google has huge money and its funding of research can be a very contentious issue, especially if it seeks to influence research. Therefore, parties who swear by full disclosure and transparency must adhere to it,” says senior journalist Paranjoy Guha Thakurta. “More transparency and accountability can only be good, both for Google and the organisations it funds,” adds Anja Kovacs, who works with the Internet Democracy Project.


The great connector Hangout with Narendra Modi

But there has been little of that transparency online. For instance, the Rules and Regulations Review of The Information Technology Rules, 2011, put out and sent to MPs by PRS Legislative Research has no mention that an interested party (Google) has funded its work. Similarly, The Hoot has no mention of Google funding it on the ‘About the Hub’ page even though it has details of Google’s funding on the ‘Support The Hoot’ page. Google has also funded numerous ngos, in areas such as health and education, and has sought to promote the use of technology (often theirs, such as in the ongoing Google Impact Challenge Award).

“Because there is
no privacy
commissioner,
Indian citizens are
left vulnerable to
Google when it comes to
privacy.”
Sunil Abraham, CIS, Bangalore

This offline influence apart, Google’s hold online is worrying enough to call for action. The way it manipulates search results to favour clients of its AdSense programme is a global concern. For instance, a search for a popular phone model throws up matches of Google’s clients and features them more prominently than the actual site of the product. The Jaipur-based Consumer Unity and Trust Society (CUTS) conducted a survey that found most internet users could not tell an ad from an organic search result from Google. Says Madhav Dar, an independent anti-trust economist, “Given its financial clout and dominance of e-commerce, Google can directly deny traffic to downstream sites. And because the internet ecosystem is still in a formative stage here, this is something that requires intense and urgent scrutiny by the Competition Commission of India (CCI).”

CUTS filed a formal complaint with the CCI in June last year alleging anti-competitive practices and abuse of its dominant position. BharatMatrimony.com too filed a complaint with the CCI in 2012 accusing it of directing online users’ search for “Bharat+Matrimony” to its rivals.

For many, Google crossed the creepy line when it declared, in a court filing in August this year, that people sending e-mails to any of Google’s 425 million Gmail users need have no “reasonable expectation” that their communications are confidential. This is something that concerns Sunil Abraham, the executive director of CIS, which hosts Google fellows but has received no funding from the firm. “India has no omnibus horizontal statutes, neither sufficiently evolved vertical statutes in specific areas of telecommunication or the internet,” he says. “And because of that there is no office of the privacy commissioner in India and the absence of this regulator doesn’t tame the voracious appetite that Google has for personal information. This happens in other jurisdictions, but the Indian citizen is left vulnerable to Google when it comes to privacy.” “Part of Google’s practice can be absolutely abhorrent, such as the way in which it seeks to have a monopoly in digitising information and being the only one to organise it,” adds Kovacs.


Amitabh Bachchan Google maps his home at WEF in Davos

Another controversial move online has been the decision between Airtel and Google to allow the former’s subscribers free usage of Google’s service up to 1 GB. This has thrown up concerns of violation of “network neutrality”, a widely acknowledged concept that requires internet service providers to not discriminate against third party applications and service.

Journalist and blogger Shivam Vij, however, thinks concerns surrounding Google’s offline activities are misplaced. “As long as they keep coming out with transparency reports that show the majority of requests for user data and content removal are refused, I’d consider them an ally. One should be grateful that Google is funding to protect free speech and ashamed that Indian firms aren’t,” he says. “And if they really have been trying to influence MPs, they would have bribed them, not put out research.”

Nikhil Pahwa, who runs Medianama, a digital media news and analysis website, is another person who says “he won’t look a gift horse in the mouth”. “I don’t know what the motives are, but I support what they are doing, especially given the way the state and Indian firms are failing us when it comes to protecting free speech online,” he adds. The only concern he has about Google is regarding its reported unwillingness to agree to a deal between the Advertising Agencies Association of India (AAAI) and the Internet and Mobile Association of India (IAMAI). The deal seeks to ensure smaller online publishers and advertising networks are paid on time by advertisers, who, in most cases, delay payments to smaller entities but always pay bigger players like Google on time. “Smaller players are suffering due to delay in payments, which can extend up to a year, a problem that Google does not face. The IAMAI initiative is something that Google is unwilling to support because it does not impact them,” he adds.

"Anything that
Google does should
be under scrutiny
just like other corporations."
Sevanti Ninan, Editor, The Hoot


The outreach Sibal attends the launch of chandnichowkonline, a business directory of his constituency; Qutub Minar, digitised

Criticising or questioning some of Google’s policies does not amount to siding with the government on cracking down on free speech on the internet. Outlook ran a cover in December 2011 where it was severely critical of the government’s attempt to muzzle online dissent. Neither does concern about Google’s activities stem from a fear of the foreign hand. Its expansion into Indian civil society has to be seen as an attempt by a profits-driven corporation to ensure its market interests in India are protected. The country becomes all the more important given the trouble it has been having in Brazil and in Europe, where the firm has been slapped with a slew of anti-trust charges. Keeping a close watch will only help enforce Google’s policy in India—not crossing the creepy line.

For more details visit https://cis-india.org/news/outlookindia-october-28-2013-debarshi-dasgupta-beyond-the-searchlight

Bali meet to discuss Internet governance issues

praskrishna — 2013-10-23T08:29:23Z

Four-day event hosted by Internet Governance Forum to also discuss Internet access and diversity, privacy, security.

This article by Moulishree Srivastava was published in Livemint on October 22, 2013. Sunil Abraham is quoted.

Representatives of governments around the world, technology executives and activists will discuss issues such as Internet access and diversity, privacy, security, inter-governmental corporation, and Internet governance at a four-day event hosted by the Internet Governance Forum (IGF) that begins on Tuesday in Bali, Indonesia.

J. Satyanarayana, secretary, ministry of communications and information technology, confirmed India’s participation in the forum and said the country would be represented by Dr Govind, a senior director and head of department, e-infrastructure and Internet governance division, department of information technology.

“We will also be taking part in a working group on Internet governance and enhanced cooperation, which will be convened by the United Nations Commission on Science and Technology for Development in November,” said Satyanarayana.

“IGF is a valuable learning forum wherein different stakeholders can discuss Internet governance policy issues without any antagonism. Other fora for Internet policy like ICANN, WIPO (World Intellectual Property Organization), ITU (International Telecommunication Union), etc., are places where international law and policy are developed, and do not allow for such learning because negotiations are always very acrimonious. Since IGF is only meant for learning, it does not directly address the global policy vacuum that exists for cyber crime, data protection and privacy,” said Sunil Abraham, executive director of Bangalore-based Centre for Internet and Society, who will be participating in the Bali event.

“Indian government, private sector, civil society, technical and academic community can become more competent and effective through such a dialogue in other multilateral and multi-stakeholder fora where international Internet standards, policies and laws are formulated. It also helps the stakeholders contribute to the development of internationally interoperable domestic policy,” he added.

In 2006, the UN secretary general established a small secretariat in Geneva to assist him in the convening of IGF. The first meeting was convened in October-November 2006 in Athens. In December 2010, IGF’s mandate was extended for five years.

In its eighth edition, IGF will have detailed discussions on issues such as free flow of information on the Internet, regulatory approaches to privacy, and protection of interests of individuals and communities in cyberspace, Internet surveillance and legal framework for cyber crime, said the forum in a statement on its website.

During the four-event, for instance, one of the workshops “will explore what core principles and strategies are needed to achieve a balanced and fair approach to data protection that is effective internationally and regionally”, according to IGF.

Some of the prominent speakers in the event include Jari Arkko, chairman, Internet Engineering Task Force, Finland; Virat Bhatia, president, South Asia, AT&T Inc.; Chris Painter, coordinator for cyber issues, US department of state; Karen Mulberry, policy adviser, Internet Society; and Matthew Shears, director of Internet policy and human rights, Center for Democracy and Technology.

According to industry estimates, over 2.5 billion Internet users interact in shared cross-border online spaces where they can post content potentially accessible worldwide.

“No clear frameworks exist yet to handle the tensions between these competing normative orders or values and enable peaceful cohabitation in cross-border cyberspace. This challenge constitutes a rare issue of common concern for all stakeholder groups,” said IGF on its website.

According to a UN estimate, nearly 40% of the world’s population will be online by the end of 2013. “The Internet has become an essential tool for the creation of jobs and the delivery of basic public services,” said the UN undersecretary-general for economic and social affairs, Wu Hungbo, in a statement, adding that it is also essential “for improving access to knowledge and education, for empowering women, for enhancing transparency, and for giving marginalized populations a voice in decision-making processes”.

For more details visit https://cis-india.org/news/livemint-moulishree-srivastava-october-22-2013-bali-meet-to-discuss-internet-governance-issues

Open Letter to Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee

elonnai — 2013-10-23T05:00:02Z

An open letter was sent to the Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee on the proposed EU Regulation. The letter was apart of an initiative that Privacy International and a number of other NGO's are undertaking.

Dear Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee,

On behalf of The Centre for Internet and Society, Bangalore, India, we are writing to express our support of the European Commission’s proposed General Data Protection Regulation (COM (2012) 11).

The legal framework established under the 1995 Data Protection Directive (95/46/EC) in Europe has positively influenced many existing privacy regimes worldwide, serving as a model legal framework in jurisdictions that are in the process of developing privacy regimes, including India. The positive impact of the Data Protection Directive shows the potential of the Regulation to become a global model for the protection of personal data. The Regulation seeks to address new scenarios that have arisen in the context of rapidly changing technologies and practices, increasing its potential for positively influencing privacy rights for individuals globally.

India is currently in the process of considering the enactment of privacy legislation, in part with the aim of ensuring adequate safeguards to enable and enhance information flows into India from countries around the world, including Europe. At the same time, India is seeking Data Secure Status from the EU, on the basis of its current regime.

It is clear that the EU framework for data protection has a major influence on the current and emerging privacy regime in India. India is only one country of many that are in the beginning stages of developing a comprehensive privacy regime. Thus, we ask that you keep in mind how the Regulation will impact the rights of individual in countries outside of Europe, particularly in countries that are in the process of developing privacy regimes.

We ask that you take into consideration the four following points that we believe need to be addressed in the Regulation to help ensure adequate protection of the rights of individuals in the European Union and around the world.

Strengthen the principle of purpose limitation: The Regulation should incorporate a strong purpose limitation principle that strictly limits present and future uses of personal data to the purposes for which it was originally collected. Currently, Article 6(4) allows for the further processing of data when the processing is “not compatible with the one for which the personal data have been collected”. Though the provision establishes legal requirements, one of which must be before information can be used for a further purpose, this is has proven insufficient in the existing Directive. The current provision in the Regulation dilutes the principle of purpose limitation as well as weakening an individual’s ability to make informed decisions about their personal data.
Define principles for interpretation of broad terms: The Regulation should create principles for interpreting broad terms such as “legitimate interest” and “public interest”. These vague terms are used throughout the Regulation, and create the potential for loopholes or abuse. Because these terms can be interpreted in many different ways, it is important to create a set of principles to guide their interpretation by data protection authorities and courts to avoid inconsistent application and enforcement of the Regulation.
Clarify the scope of the Regulation: The Regulation should clearly describe the jurisdictional scope and reach of its provisions. Currently Article 3(1) states that the Regulation will apply to the processing of data “in the context of the activities of an establishment of a controller or a processor in the Union”. The flow of information on the online environment coupled with trends such as cloud computing, outsourcing, and cross border business creates a scenario where defining what constitutes “context of the activities of an establishment”, is difficult and could lead to situations where personal data is not protected, as the collection, use, or storage of it does not necessarily fall within the “context of the activities”.
Address access by foreign alliance bodies: In light of growing demands by law enforcement for access, use, and transfer of personal information for investigative purposes across jurisdictions– the Regulation should define the circumstances in which personal data protected by its provisions can be accessed and used by foreign intelligence bodies, and the procedure by which to do so. The Regulation should address challenges such as access by foreign intelligence bodies to data stored on the cloud and data that has passed through/is stored on foreign networks/servers.

For more details visit https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee

Privacy: from regional regulations to global connections ?

praskrishna — 2013-10-21T08:18:56Z

This workshop is being organised by Internet Society at Bali on October 24. Sunil Abraham is one of the panelists for this.

The Internet Governance Forum 2013 is being held at Bali from October 22 to 25. The overarching theme for the 2013 IGF meeting is: "Building Bridges"- Enhancing Multistakeholder Cooperation for Growth and Sustainable Development".

Read the original published on the IGF website.

Theme: Internet Governance Principles

The Internet dissolves geographical boundaries on a greater scale than any prior invention. It allows data, personal and otherwise, to flow across borders, supporting social and economic interactions. However, there is a complex mix of factors at play: multiple policy objectives that are sometimes in conflict; individuals’ rights; the interests of the communities; “monetization” of personal data for short-term and long-term commercial gain; different historical cultural and regulatory approaches to privacy; etc.

Across a diverse, global Internet, how can we best deal with the tensions that naturally result from differences in personal privacy expectations, economic aspirations, and regulatory regimes, particularly when it comes to online data protection?

This workshop will explore what core principles and strategies are needed to achieve a balanced and fair approach to data protection that is effective internationally and regionally. In the process, we will examine the possible paths to a global solution, together with impediments, and explore how successful local and regional approaches could be leveraged at the international level.

We will also strive to articulate lessons learned from recent initiatives such as the modernisation of the Council of Europe Convention 108, the revision of the OECD Privacy Guidelines, the APEC Cross Border Privacy Rules System, and the proposed revisions to the EU data protection framework, etc. in tackling these challenging issues.

Has the proponent organised a workshop with a similar subject during past IGF meetings?
Yes

Indication of how the workshop will build on but go beyond the outcomes previously reached

The submitter has not previously organised a workshop at the IGF. However, his colleague has co-organised the following workshops on related issues: 2012: ICC BASIS and ISOC - Solutions for enabling cross-border data flows – http://wsms1.intgovforum.org/sites/default/files/IGF%202012%20ws86%20report_10%2012%2012%20final.doc 2012: CoE and ISOC – Who is following me: tracking the trackers – http://wsms1.intgovforum.org/content/no181-who-following-me-tracking-trackers#report 2010: ISOC and EFF – The Future of Privacy – http://www.internetsociety.org/sites/default/files/future-privacy%2020100914.pdf Background papers: Report from a WSIS Forum 2012 thematic workshop entitled: “Data Privacy on a global scale: keeping pace with an evolving environment” – http://www.internetsociety.org/sites/default/files/Data%20Privacy%20on%20a%20global%20scale_0.pdf Report from a IGF2012 workshop entitled “Solutions for enabling cross-border data flows - https://www.internetsociety.org/sites/default/files/IGF%202012%20cross-border%20data%20flows.pdf

Background Paper

Download background paper

Co-organisers

Ms. Sophie Kwasny, Head of the Data Protection Unit, Council of Europe , Intergovernmental Organizations, FRANCE, Western Europe and Others Group - WEOG
Mr. Frederic Donck, Internet Society, Technical Community, BELGIUM, Western Europe and Others Group - WEOG

Have the Proponent or any of the co-organisers organised an IGF workshop before?
Yes

The link(s) to the workshop report(s)

Panelists

Please click on Biography to view the biography of panelist

Sophie Kwasny, Head of the Data Protection Unit, Council of Europe , Female, Intergovernmental Organizations, FRANCE, Western Europe and Others Group – WEOG
Nigel Waters, Public Officer, Australian Privacy Foundation , Male, Civil Society, Australia, Asia-Pacific Group
Wendy Seltzer, Policy Counsel, World Wide Web Consortium (W3C) , Female, Technical Community, United States, Western Europe and Others Group – WEOG
Biography
Joseph Alhadeff, Vice President for Global Public Policy, Chief Privacy Officer, Oracle Corporation, Male, Private Sector, United States, Western Europe and Others Group – WEOG
Biography
Sunil Abraham, Executive Director, Centre for Internet and Society (CIS), Bangalore, Male, Civil Society, India, Asia-Pacific Group
Biography

Moderator

Frederic Donck, Internet Society, Director European Regional Bureau

Remote Moderator

Luca Belli, CERSA,Université Panthéon-Assas Sorbonne University

Agenda

Moderator will briefly introduce the session as well as the different panellists. Each panellist will have 2 minutes (maximum) to introduce his/her own perspective on the general issues addressed by the moderator.

No powerpoints allowed. Very dynamic session with regular interventions from remote participants and audience, as well as between panellists is sought.

Moderator will work out questions (including through a coordinated approach before the session with panellists) and will organise the session in a way that allows a balanced conversation between all stakeholders (on-site/remotely).

Inclusiveness of the Session

Suitability for Remote Participation

Dynamic interaction with remote participants (ISOC community and chapters, technical community, Businesses, etc.) will be ensured through social medias, jabber, webex, and twitter (hashtag will be provided) etc.

Coordinated approach with remote moderator will be ensured as well as the necessary communication and information to remote participants in advance of and during the session.

For more details visit https://cis-india.org/news/igf-2013-workshop-335-privacy-from-regional-regulations-to-global-connections

Interview with the Tactical Technology Collective on Privacy and Surveillance

maria — 2013-10-18T09:56:16Z

The Centre for Internet and Society recently interviewed Anne Roth from the Tactical Technology Collective in Berlin. View this interview and gain an insight on why we should all "have something to hide"!

For all those of you who haven't heard of the Tactical Technology Collective, it's a Berlin and Bangalore-based non-profit organisation which aims to advance the skills, tools and techniques of rights advocates, empowering them to use information and communications to help marginalised communities understand and effect progressive social, environmental and political change.

Tactical Tech's Privacy & Expression programme builds the digital security awareness and capacity of human rights defenders, independent journalists, anti-corruption advocates and activists. The programme's activities range from awareness-raising comic films aimed at audiences new to digital security issues, to direct training and materials for high-risk defenders working in some of the world's most repressive environments.

Anne Roth works with Tactical Tech on the Privacy & Expression programme as a researcher and editor. Anne holds a degree in political science from the Free University of Berlin. She cofounded one of the first interactive media activist websites, Indymedia, in Germany in 2001 and has been involved with media activism and various forms of activist online media ever since. She has worked as a web editor and translator in the past. Since 2007 she has written a blog that covers privacy, surveillance, media, net politics and feminist issues.

The Centre for Internet and Society interviewed Anne Roth on the following questions:

How do you define privacy?
Can privacy and freedom of expression co-exist? Why/ Why not?
What is the balance between Internet freedom and surveillance?
According to research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?
Should people have the right to give up their right to privacy? Why/ Why not?
What implications on human rights can mass surveillance potentially have?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally”. Please comment.
Do we have Internet freedom?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-the-tactical-technology-collective

Interview with Bruce Schneier - Internationally Renowned Security Technologist

maria — 2013-10-17T08:54:32Z

Maria Xynou recently interviewed Bruce Schneier on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!

Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist.

He is the author of 12 books -- including Liars and Outliers: Enabling the Trust Society Needs to Survive -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press.

Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for BT -- formerly British Telecom.

The Centre for Internet and Society (CIS) interviewed Bruce Schneier on the following questions:

Do you think India needs privacy legislation? Why/ Why not?
The majoity of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why/ Why not?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.
Can free speech and privacy co-exist? What is the balance between privacy and freedom of expression?
Should people have the right to give up their right to privacy? Why/ Why not?
Should surveillance technologies be treated as traditional arms/weapons? Why/ Why not?
How can individuals protect their data (and themselves) from spyware, such as FinFisher?
How would you advise young people working in the surveillance industry?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier

Interview with Big Brother Watch on Privacy and Surveillance

maria — 2013-10-15T14:24:27Z

Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!

For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.

Big Brother Watch was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.

Emma Carr joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:

How do you define privacy?
Can privacy and freedom of expression co-exist? Why/Why not?
What is the balance between Internet freedom and surveillance?
According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?
Should people have the right to give up their right to privacy? Why/Why not?
What implications on human rights can mass surveillance potentially have?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.
Do we have Internet freedom?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance

Concerns Regarding DNA Law

bhairav — 2013-10-29T10:09:26Z

Recently, a long government process to draft a law to permit the collection, processing, profiling, use and storage of human DNA is nearing conclusion. There are several concerns with this government effort. Below, we present broad-level issues to be kept in mind while dealing with DNA law.

Background

The Department of Biotechnology released, in 29 April 2012, a working draft of a proposed Human DNA Profiling Bill, 2012 ("DBT Bill") for public comments. The draft reveals an effort to (i) permit the collection of human blood, tissue and other samples for the purpose of creating DNA profiles, (ii) license private laboratories that create and store the profiles, (iii) store the DNA samples and profiles in various large databanks in a number of indices, and (iv) permit the use of the completed DNA profiles in scientific research and law enforcement. The regulation of human DNA profiling is of significant importance to the efficacy of law enforcement and the criminal justice system and correspondingly has a deep impact on the freedoms of ordinary citizens from profiling and monitoring. Below, we highlight five important concerns to bear in mind before drafting and implementing DNA legislation.

Primary Issues

Purpose of DNA Profiling

DNA profiling serves two broad purposes – (i) forensic – to establish unique identity of a person in the criminal justice system; and, (ii) research – to understand human genetics and its contribution to anthropology, biology and other sciences. These two purposes have very different approaches to DNA profiling and the issues and concerns attendant on them vary accordingly. Forensic DNA profiling is undertaken to afford either party in a criminal trial a better possibility of adducing corroborative evidence to prosecute, or to defend, an alleged offence. DNA, like fingerprints, is a biometric estimation of the individuality of a person. By itself, in the same manner that fingerprint evidence is only proof of the presence of a person at a particular place and not proof of the commission of a crime, DNA is merely corroborative evidence and cannot, on its own strength, result in a conviction or acquittal of an offence. Therefore, DNA and fingerprints, and the process by which they are collected and used as evidence, should be broadly similar.

Procedural Integrity

Forensic DNA profiling results from biological source material that is usually collected from crime scenes or forcibly from offenders and convicts. Biological source material found at a crime scene is very rarely non-contaminated and the procedure by which it is collected and its integrity ensured is of primary legislative importance. To avoid the danger of contaminated crime scene evidence being introduced in the criminal justice system to pervert the course of justice, it is crucial to ensure that DNA is collected only from intact human cells and not from compromised genetic material. Therefore, if the biological source material found at a crime scene does not contain at least one intact human cell, the whole of the biological source material should be destroyed to prevent the possibility of compromised genetic material being collected to yield inconclusive results. Adherence to this basic principle will obviate the possibility of partial matches of DNA profiles and the resulting controversy and confusion that ensues.

Conditions of Collection

In India, the taking of fingerprints is chiefly governed by the Identification of Prisoners Act, 1920 ("Prisoners Act") and section 73 of the Indian Evidence Act, 1872 ("Evidence Act"). The Prisoners Act permits the forcible taking of fingerprints from convicts and suspects in certain conditions. The Evidence Act, in addition, permits courts to require the taking of fingerprints for the forensic purpose of establishing unique identity in a criminal trial. No
provisions exist for consensual taking of fingerprints, presumably because of the danger of self-incrimination and general privacy concerns. Since, as discussed earlier, fingerprints and DNA are biometric measurements that should be treated equally to the extent possible, the conditions for the collection of DNA should be similar to those for the taking of fingerprints.Accordingly, there should be no legal provisions that enable other kinds of collection, including from volunteers and innocent people.

Retention of DNA

As a general rule applicable in India, the retention of biometric measurements must be supported by a clear purpose that is legitimate, judicially sanctioned and transparent. The Prisoners Act, which permits the forcible taking of fingerprints from convicts, also mandates the destruction of these fingerprints when the person is acquitted or discharged. The indefinite collection of biometric measurements of people is dangerous, susceptible to abuse and invasive of civil rights. Therefore, once lawfully collected from crime scenes and offenders, their DNA profiles must be retained in strictly controlled databases with highly restricted access for the forensic purpose of law enforcement only. DNA should not be held in databases that allow non-forensic use. Further, the indices within these databases should be watertight and exclusive of each other.

DNA Laboratories

The process by which DNA profiles are created from biological source material is of critical importance. Because of the evidentiary value of DNA profiles, the laboratories in which these profiles are created must be properly licensed, professionally managed and manned by competent and impartial personnel. Therefore, the process by which DNA laboratories are licensed and permitted to operate is significant.

For more details visit https://cis-india.org/internet-governance/blog/concerns-regarding-dna-law

The India Privacy Monitor Map

maria — 2013-10-09T16:26:14Z

The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country.

In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.

In particular, the map in its current format includes data on the following:

UID: The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.

NPR: Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.

CCTV: Closed-circuit television cameras which can produce images or recordings for surveillance purposes.

UAV: Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircrafts without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.

CCTNS: The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.

Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor

This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!

For more details visit https://cis-india.org/internet-governance/blog/india-privacy-monitor-map

Re: The Human DNA Profiling Bill, 2012

bhairav — 2013-10-29T10:00:47Z

This short note speaks to legal issues arising from the proposed Human DNA Profiling Bill, 2012 ("DBT Bill") that was circulated drafted under the aegis of the Department of Biotechnology of the Ministry of Science and Technology, Government of India, which seeks to collect human DNA samples, profile them and store them. These comments are made clause-by-clause against the DBT Bill.

Note: Clause-by-clause comments on the Working Draft version of April 29, 2012 from the Centre for Internet and Society

This short note speaks to legal issues arising from the proposed Human DNA Profiling Bill, 2012 ("DBT Bill") that was circulated within the Experts Committee constituted under the aegis of the Department of Biotechnology of the Ministry of Science and Technology, Government of India.
This note must be read against the relevant provisions of the DBT Bill and, where indicated, together with the proposed Forensic DNA Profiling (Regulation) Bill, 2013 that was drafted by the Centre for Internet & Society, Bangalore ("CIS Bill"). These comments must also be read alongside the two-page submission titled “A Brief Note on the Forensic DNA Profiling (Regulation) Bill, 2013” ("CIS Note"). Whereas the aforesaid CIS Note raised issues that informed the drafting of the CIS Bill, this present note seeks to provide legal comments on the DBT Bill.
Preamble
The DBT Bill, in its current working form, lacks a preamble. No doubt, a preamble will be added later once the text of the DBT Bill is finalised. Instead, the DBT Bill contains an introduction. It must be borne in mind that the purpose of the legislation should be spelt out in the preamble since preambular clauses have interpretative value. [See, A. Thangal Kunju Musaliar AIR 1956 SC 246; Burrakur Coal Co. Ltd. AIR 1961 SC 954; and Arnit Das (2000) 5 SCC 488]. Hence, a preamble that states the intent of Parliament to create permissible conditions for DNA source material collection, profiling, retention and forensic use in criminal trials is necessary.
Objects Clause
An ‘objects clause,’ detailing the intention of the legislature and containing principles to inform the application of a statute, in the main body of the statute is an enforceable mechanism to give directions to a statute and can be a formidable primary aid in statutory interpretation. [See, for example, section 83 of the Patents Act, 1970 that directly informed the Order of the Controller of Patents, Mumbai, in the matter of NATCO Pharma and Bayer Corporation in Compulsory Licence Application No. 1 of 2011.] Therefore, the DBT Bill should incorporate an objects clause that makes clear that (i) the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimisation must be adhered to at all times; (ii) DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity; (iii) all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA; (iv) centralised databases are inherently dangerous because of the volume of information that is at risk; (v) forensic DNA profiling is intended to have probative value; therefore, if there is any doubt regarding a DNA profile, it should not be received in evidence by a court; (vi) once adduced, the evidence created by a DNA profile is only corroborative and must be treated on par with other biometric evidence such as fingerprint measurements.
Definitions
The definition of “analytical procedure” in clause 2(1)(a) of the DBT Bill is practically redundant and should be removed. It is used only twice – in clauses 24 and 66(2)(p) which give the DNA Profiling Board the power to frame procedural regulations. In the absence of specifying the content of any analytical procedure, the definition serves no purpose.
The definition of “audit” in clause 2(1)(b) is relevant for measuring the training programmes and laboratory conditions specified in clauses 12(f) and 27. However, the term “audit” is subsequently used in an entirely different manner in Chapter IX which relates to financial information and transparency. This is a conflicting definition. The term “audit” has a well-established use for financial information that does not require a definition. Hence, this definition should be removed.
The definition of “calibration” in clause 2(1)(d) is redundant and should be removed since the term is not meaningfully used in the DBT Bill.
The definition of “DNA Data Bank” in clause 2(1)(h) is unnecessary. The DBT Bill seeks to establish a National DNA Data Bank, State DNA Data Banks and Regional DNA Data Banks vide clause 32. These national, state and regional databases must be defined individually with reference to their establishment clauses. Defining a “DNA Data Bank”, exclusive of the national, state and regional databases, creates the assumption that any private individual can start and maintain a database. This is a drafting error.
The definition of “DNA Data Bank Manager” in clause 2(1)(i) is misleading since, in the text of the DBT Bill, it is only used in relation to the proposed National DNA Data Bank and never in relation to the State and Regional Data Banks. If it is the intention of DBT Bill that only the national database should have a manager, the definition should be renamed to ‘National DNA Data Bank Manager’ and the clause should specifically identify the National DNA Data Bank. This is a drafting error.
The definition of “DNA laboratory” in clause 2(1)(j) should refer to the specific clauses that empower the Central Government and State Governments to license and recognise DNA laboratories. This is a drafting error.
The definition of “DNA profile” in clause 2(1)(l) is too vague. Merely the results of an analysis of a DNA sample may not be sufficient to create an actual DNA profile. Further, the results of the analysis may yield DNA information that, because of incompleteness or lack of information, is inconclusive. These incomplete bits of information should not be recognised as DNA profiles. This definition should be amended to clearly specify the contents of a complete and valid DNA profile that contains, at least, numerical representations of 17 or more loci of short tandem repeats that are sufficient to estimate biometric individuality of a person.
The definition of “forensic material” in clause 2(1)(o) needs to be amended to remove the references to intimate and non-intimate body samples. If the references are retained, then evidence collected from a crime scene, where an intimate or non-intimate collection procedure was obviously not followed, will not fall within the scope of “forensic material”.
The terms “intimate body sample” and “non-intimate body sample” that are defined in clauses 2(1)(q) and 2(1)(v) respectively are not used anywhere outside the definitions clause except for an inconsequential reference to non-intimate body samples only in the rule-making provision of clause 66(2)(zg). “Intimate body sample” is not used anywhere outside the definitions clause. Both these definitions are redundant and should be removed.
The terms “intimate forensic procedure” and “non-intimate forensic procedure”, that are defined in clauses 2(1)(r) and 2(1)(w) respectively, are not used anywhere except for an inconsequential reference of non-intimate forensic procedure in the rule-making provision of clause 66(2)(zg). “Intimate forensic procedure” is not used anywhere outside the definitions clause. Both these definitions are redundant and should be removed.
The term “known samples” that is defined in clause 2(1)(s) is not used anywhere outside the definitions clause and should be removed for redundancy.
The definition of “offender” in clause 2(1)(y) if vague because it does not specify the offences for which an “offender” need be convicted. It is also linked to an unclear definition of the term “undertrial”, which does not specify the nature of pending criminal proceedings and, therefore, could be used to describe simple offences such as, for example, failure to pay an electricity bill, which also attracts criminal penalties.
The term “proficiency testing” that is defined in clause 2(1)(zb) is not used anywhere in the text of the DBT Bill and should be removed.
The definitions of “quality assurance”, “quality manual” and “quality system” serve no enforceable purpose since they are used only in relation to the DNA Profiling Board’s rule-making powers under clauses 18 and 66. Their inclusion in the definitions clause is redundant. Accordingly, these definitions should be removed.
The term “suspect” defined in clause 2(1)(zi) is vague and imprecise. The standard by which suspicion is to be measured, and by whom suspicion may be entertained – whether police or others, has not been specified. The term “suspect” is not defined in either the Code of Criminal Procedure, 1973 ("CrPC") or the Indian Penal Code, 1860 ("IPC").
The DNA Profiling Board
Clause 3 of the DBT Bill, which provides for the establishment of the DNA Profiling Board, contains a sub-clause (2) which vests the Board with corporate identity. This vesting of legal personality in the DNA Profiling Board – when other boards and authorities, even ministries and independent departments, and even the armed forces do not enjoy this function – is ill-advised and made without sufficient thought. Bodies corporate may be corporations sole – such the President of India, or corporations aggregate – such as companies. The intent of corporate identity is to create a fictional legal personality where none previously existed in order for the fictional legal personality to exist apart from its members, enjoy perpetual succession and to sue in its own legal name. Article 300 of the Constitution of India vests the Central Government with legal personality in the legal name of the Union of India and the State Governments with legal personality in the legal names of their respective states. Apart from this constitutional dispensation, some regulatory authorities, such as the Telecom Regulatory Authority of India ("TRAI") and the Securities and Exchange Board of India ("SEBI") have been individually vested with legal personalities as bodies corporate to enable their autonomous governance and independent functioning to secure their ability to free, fairly and impartially regulate the market free from governmental or private collusion. Similarly, some overarching national commissions, such as the Election Commission of India and the National Human Rights Commission ("NHRC") have been vested with the power to sue and be sued in their own names. In comparison, the DNA Profiling Board is neither an independent market regulator nor an overarching national commission with judicial powers. There is no legal reason for it to be vested with a legal personality on par with the Central Government or a company. Therefore, clause 3(2) should be removed.
The size and composition of the Board that is staffed under clause 4 is extremely large. Creating unwieldy and top-heavy bureaucratic authorities and investing them with regulatory powers, including the powers of licensing, is avoidable. The DBT Bill proposes to create a Board of 16 members, most of them from a scientific background and including a few policemen and one legal administrator. In its present form, the Board is larger than many High Courts but does not have a single legal member able to conduct licensing. Drawing from the experiences of other administrative and regulatory bodies in India, the size of the Board should be drastically reduced to no more than five members, at least half of whom should be lawyers or ex-judges. The change in the legal composition of the Board is necessary because the DBT Bill contemplates that it will perform the legal function of licensing that must obey basic tenets of administrative law. The current membership may be viable only if the Board is divested of its administrative and regulatory powers and left with only scientific advice functions. Moreover, stacking the Board with scientists and policemen appears to ignore the perils that DNA collection and retention pose to the privacy of ordinary citizens and their criminal law rights. The Board should have adequate representation from the human rights community – both institutional (e.g NHRC and the State Human Rights Commissions) and non-institutional (well-regarded and experienced human rights activists). The Board should also have privacy advocates.
Clauses 5(2) and 5(3) establish an unequal hierarchy within the Board by privileging some members with longer terms than others. There is no good reason for why the Vice-Chancellor of a National Law University, the Director General of Police of a State, the Director of a Central Forensic Science Laboratory and the Director of a State Forensic Science Laboratory should serve membership terms on the Board that are longer than those of molecular biologists, population geneticists and other scientists. Such artificial hierarchies should be removed at the outset. The Board should have one pre-eminent chairperson and other equal members with equal terms.
The Chairperson of the Board, who is first mentioned in clause 5(1), has not been duly and properly appointed. Clause 4 should be modified to mention the appointment of the Chairperson and other Members.
Clause 7 deals with the issue of conflict of interest in narrow cases. The clause requires members to react on a case-by-case basis to the business of the Board by recusing themselves from deliberations and voting where necessary. Instead, it may be more appropriate to require members to make a full and public disclosures of their real and potential conflicts of interest, and then granting the Chairperson the power to prevent such members from voting on interested matters. Failure to follow these anti-collusion and anti-corruption safeguards should attract criminal penalties.
Clause 10 anticipates the appointment of a Chief Executive Officer of the Board who shall be a serving Joint Secretary to the Central Government. Clause 10(3) further requires this officer to be scientist. This may not be possible because the administrative hierarchy of the Central Government may not contain a genetic scientist.
The functions of the Board specified in clause 12 are overbroad. Advising ministries, facilitating governments, recommending the size of funds and so on – these are administrative and governance functions best left to the executive. Once the Board is modified to have sufficient legal and human rights representation, then the functions of the Board can non-controversially include licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.
DNA Laboratories
The provisions of Chapters V and VI may be simplified and merged.
DNA Data Banks
The creation of multiple indices in clause 32(4) cannot be justified and must be removed. The collection of biological source material is an invasion of privacy that must be conducted only in strict conditions when the potential harm to individuals is outweighed by the public good. This balance may only be struck when dealing with the collection and profiling of samples from certain categories of offenders. The implications of collecting and profiling DNA samples from corpses, suspects, missing persons and others are vast and have either not been properly understood or deliberately ignored. At this moment, the forcible collection of biological source material should be restricted to the categories of offenders mentioned in the Identification of Prisoners Act, 1920 ("Prisoners Act") with a suitable addition for persons arrested in connection with certain specified terrorism-related offences. Therefore, databases should contain only an offenders’ index and a crime scene index.
Clause 32(6), which requires the names of individuals to be connected to their profiles, and hence accessible to persons connected with the database, should be removed. DNA profiles, once developed, should be anonymised and retained separate from the names of their owners.
Clause 36, which allows international disclosures of DNA profiles of Indians, should be removed immediately. Whereas an Indian may have legal remedies against the National DNA Data Bank, he/she certainly will not be able to enforce any rights against a foreign government or entity. This provision will be misused to rendition DNA profiles abroad for activities not permitted in India. Similarly, as in data protection regimes around the world, DNA profiles should remain within jurisdictions with high privacy and other legal standards.
Use
The only legitimate purpose for which DNA profiles may be used is for establishing the identity of individuals in criminal trials and confirming their presence or absence from a certain location. Accordingly, clauses 39 and 40 should be re-drafted to specify this sole forensic purpose and also specify the manner in which DNA profiles may be received in evidence. For more information on this point, see the relevant provisions of the CIS Note and the CIS Bill.
The disclosure of DNA profiles should only take place to a law enforcement agency conducting a valid investigation into certain offences and to courts currently trying the individuals to whom the DNA profiles pertains. All other disclosures of DNA profiles should be made illegal. Non-consensual disclosure of DNA profiles for the study of population genetics is specifically illegal. The DBT Bill does not prescribe stringent criminal penalties and other mechanisms to affix individual liability on individual scientists and research institutions for improper use of DNA profiles; it is therefore open to the criticism that it seeks to sacrifice individual rights of persons, including the fundamental right to privacy, without parallel remedies and penalties. Clause 40 should be removed in entirety.
Clause 43 should be removed in entirety. This note does not contemplate the retention of DNA profiles of suspects and victims, except as derived from a crime scene.
Clause 45 sets out a post-conviction right related to criminal procedure and evidence. This would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights. However, courts may re-try cases in certain narrow cases when fresh evidence is brought forth that has a nexus to the evidence upon which the person was convicted and if it can be proved that the fresh evidence was not earlier adduced due to bias. Any other fresh evidence that may be uncovered cannot prompt a new trial. Clause 45 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721].

For more details visit https://cis-india.org/internet-governance/blog/re-the-human-dna-profiling-bill-2012

Privacy Meet

praskrishna — 2013-11-20T05:13:57Z

Bhairav Acharya was invited by Yahoo's Director of International Privacy, Laura Juanes Micas, to a dinner meeting on privacy at the Oberoi in New Delhi.

The meeting was attended by Justice A.P. Shah, Dr. Gulshan Rai, Dr. Kamlesh Bajaj and others. At this event, Bhairav spoke about the need to develop laws to regulate surveillance and personal data in India. Bhairav further spoke about both the commercial benefits that will accrue from data protection law as well as the national benefit from surveillance regulation and security law. Bhairav also spoke of the need to create a procedure that is just, fair and reasonable and, he highlighted the point that these laws would have to survive constitutional scrutiny by the Supreme Court of India. He also pointed out that meaningful protections lay in creating procedural law that allowed individuals the protection of natural justice and identified magistrates to authorise data collections and interceptions. He further made it clear that India's distinct security situation, both internal and external, warranted a robust surveillance framework that enables law enforcement and strengthens the criminal justice system in manner consistent with the rule of law.

Timings	Agenda
19.00 19.25	Handshakes and Introduction
19.25 19.30	Welcome Remarks by Laura Juanes Micas, Director – International Privacy, Yahoo Inc
19.30 19.35	Address by Manoj Joshi, Joint Secretary, Deptt of Personnel and Training
19.35 19.40	Address by Dr. Gulshan Rai, Director General, CERT-IN
19.40 19.45	Address by Dr. Kamlesh Bajaj, CEO – Data Security Council of India (DSCI)
19.45 19.50	Address by Bhairav Acharya, Legal Adviser, Centre for Internet and Society (CIS)
19.50 19.55	Address by Rajan Mathews, Director General, Cellular Operators Association of India (COAI)
19.55 20.00	Address by Justice A P Shah, Former Chief Justice, Delhi High Court and Chairman, Group of Experts
20.00 20.05	Address by Pavan Duggal, Advocate, Supreme Court
20.05 20.10	Address by Chinmayi Arun, Research Director – Centre for Communication Governance, National Law University - Delhi
20.10 20.15	Address by Prasanth Sugathan, Counsel, Software Freedom Law Centre (SFLC.IN)
20.15 20.20	Address by Dr. Subho Ray, President, Internet and Mobile Association of India (IAMAI)
20.20	Discussions (Along with Sit – Down Dinner)

For more details visit https://cis-india.org/news/privacy-meet-october-7-2013

An Analysis of the Cases Filed under Section 46 of the Information Technology Act, 2000 for Adjudication in the State of Maharashtra

bhairav — 2013-10-01T15:29:46Z

This is a brief review of some of the cases related to privacy filed under section 46 of the Information Technology Act, 2000 ("the Act") seeking adjudication for alleged contraventions of the Act in the State of Maharashtra.

Background

Section 46 of the Act grants the Central Government the power to appoint an adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating officer, contraventions of the Act. The adjudicating officer may be of the Central Government or of the State Government [see section 46(1) of the Act], must have field experience with information technology and law [see section 46(3) of the Act] and exercises jurisdiction over claims for damages up to `5,00,00,000 [see section 46(1A) of the Act]. For the purpose of adjudication, the officer is vested with certain powers of a civil court [see section 46(5) of the Act] and must follow basic principles of natural justice while conducting adjudications [see section 46(2) of the Act]. Hence, the adjudicating officer appointed under section 46 is a quasi-judicial authority.

In addition, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court [see section 46(2) of the Act], and award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss and repeat offences [see section 47 of the Act]. The adjudicating officer may impose penalties for any of the offences described in section 43, section 44 and section 45 of the Act; and, further, may award compensation for losses suffered as a result of contraventions of section 43 and section 43A. The text of these sections is reproduced in the Schedule below. Further law as to the appointment of the adjudicating officer and the procedure attendant on all adjudications was made by Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003.[1]

It is clear that the adjudicating officer is vested with significant judicial powers, including the power to enforce certain criminal penalties, and is an important quasi-judicial authority.

Excursus

At the outset, it is important to understand the distinction between compensation and damages. Compensation is a sum of money awarded by a civil court, before or along with the primary decree, to indemnify a person for injury or loss. It is usually awarded to a person who has a suffered a monetary loss as a result of the acts or omissions of another party. Its quantification is usually guided by principles of equity. [See Shantilal Mangaldas AIR 1969 SC 634 and Ranbir Kumar Arora AIR 1983 P&H 431]. On the hand, damages are punitive and, in addition to restoring an indemnitee to wholeness, may be imposed to deter an offender, punish exemplary offences, and recover consequential losses, amongst other objectives. Damages that are punitive, while not judicially popular in India, are usually imposed by a criminal court in common law jurisdictions. They are distinct from civil and equitable actions. [See the seminal case of The Owners of the Steamship Mediana [1900] AC 113 (HL)].

Unfortunately, section 46 of the Act uses the terms “damage”, “injury” and “compensation” interchangeably without regard for the long and rich jurisprudence that finds them to be different concepts.

The Cases related to Privacy

In the State of Maharashtra, there have been a total of 47 cases filed under section 46 of the Act. Of these, 33 cases have been disposed of by the Adjudicating Officer and 14 are currently pending disposal. [2] At least three of these cases before the Adjudicating Officer deal with issues related to privacy of communications and personal data. They are:

Case Title	Forum	Date
Vinod Kaushik v. Madhvika Joshi	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	10.10.2011
Amit D. Patwardhan v. Rud India Chains	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	15.04.2013
Nirmalkumar Bagherwal v. Minal Bagherwal	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	26.08.2013

In all three cases the Adjudicating Officer was called upon to determine and penalise unauthorised access to personal data of the complainants. In the Vinod Kaushik case, the complainants’ emails and chat sessions were accessed, copied and made available to the police for legal proceedings without the permission of the complainants. In the Amit Patwardhan and Nirmalkumar Bagherwal cases, the complainants’ financial information in the form of bank account statements were obtained from their respective banks without their consent and used against them in legal proceedings.

The Vinod Kaushik complaint was filed in 2010 for privacy violations committed between 2008 and 2009. The complaint was made against the complainant’s daughter-in-law – the respondent, who was estranged from her husband, the complainant’s son. The respondent had, independent of the proceedings before the Adjudicating Officer, instituted criminal proceedings alleging cruelty and dowry-related harassment against her estranged husband and the complainant. To support some of the claims made in the criminal proceedings, the respondent accessed the email accounts of her estranged husband and the complainant and printed copies of certain communications, both emails and chat transcripts. The complaint to the Adjudicating Officer was made in relation to these emails and chat transcripts that were obtained without the consent and knowledge of the complainant and his son. On 09.08.2010, the then Adjudicating Officer dismissed the complaint after finding that, owing to the marriage between the respondent and the complainant’s son, there was a relation of mutual trust between them that resulted in the complainant and his son consensually sharing their email account passwords with the respondent. This ruling was appealed to the Cyber Appellate Tribunal ("CyAT") which, in a decision of 29.06.2011, found irregularities in the complainant’s son’s privity to the proceedings and remanded the complaint to the Adjudicating Officer for re-adjudication. The re-adjudication, which was conducted by Shri Rajesh Aggarwal as Adjudicating Officer, resulted in a final order of 10.10.2011 ("the final order") that is the subject of this analysis. The final order found that the respondent had violated the privacy of the complainant and his son by her unauthorised access of their email accounts and sharing of their private communications. However, the Adjudicating Officer found that the intent of the unauthorised access – to obtain evidence to support a criminal proceeding – was mitigatory and hence ordered the respondent to pay only a small token amount in compensation, not to the complainants but instead to the State Treasury. The Delhi High Court, which was moved in appeal because the CyAT was non-functional, upheld the final order in its decision of 27.01.2012.

The Amit Patwardhan complaint was filed against the complainant’s ex-employer – the respondent, for illegally obtaining copies of the complainant’s bank account statement. The complainant had left the employ of the respondent to work with a competing business company but not before colluding with the competing business company and diverting the respondent’s customers to them. For redress, the respondent filed suit for a decree of compensation and lead the complainant’s bank statements in evidence to prove unlawful gratification. Since the bank statements were obtained electronically by the respondent without the complainant’s consent, the jurisdiction of the Adjudicating Officer was invoked. In his order of 15.04.2013, Shri Rajesh Aggarwal, the Adjudicating Officer, found that the respondent had, by unlawfully obtaining the complainant’s bank account statements which constitute sensitive personal data, violated the complainant’s privacy. The Adjudicating Officer astutely applied the equitable doctrine of clean hands to deny compensation to the complainant; however, because the complainant’s bank was not a party to the complaint, the Adjudicating Officer was unable to make a ruling on the lack of action by the bank to protect the sensitive personal data of its depositors.

The Nirmalkumar Bagherwal complaint bears a few similarities to the preceding two cases. Like the Vinod Kaushik matter, the issue concerned the manner in which a wife, estranged but still legally married, accessed electronic records of personal data of the complainants; and, like the Amit Patwardhan matter, the object of the privacy violation was the bank account statements of the complainants that constitute sensitive personal data. The respondent was the estranged wife of one of the complainants who, along with his complainant father, managed the third complainant company. To support her claim for maintenance from the complainant and his family in an independent legal proceeding, the respondent obtained certain bank account statements of the complainants without their consent and, possibly, with the collusion of the respondent bank. After reviewing relevant law from the European Union and the United States, and observant of relevant sectoral regulations applicable in India including the relevant Master Circular of the Reserve Bank of India, and further noting preceding consumer case law on the subject, the Adjudicating Officer issued an order on 26.08.2013. The order found that the complainant’s right to privacy was violated by both the respondents but, while determining the quantum of compensation, distinguished between the respondents in respect of the degree of liability; the respondent wife was ordered to pay a token compensation amount while the respondent bank was ordered to pay higher compensation to each of the three complainants individually.

The high quality of each of the three orders bears specific mention. Despite the superb quality of the judgments of the Indian higher judiciary in the decades after independence, the overall quality of judgment-writing appears to have declined. [3] In the last decade, several Indian judges have called for higher standards of judgment writing from their fellow judges. [4] In this background, it is notable that Shri Rajesh Aggarwal, despite not being a member of the judiciary, has delivered well-reasoned, articulate and clear orders that are cognisant of legal issues and also easily understandable to a non-legal reader.

In each of these cases, the Adjudicating Officer has successfully navigated around the fact that none of the primary parties were interacting and transacting at arm’s length. In the Vinod Kaushik and Nirmalkumar Bagherwal matters, the primary parties were estranged but still legally married partners and in the Amit Patwardhan matter the parties were in an employer-employee relationship. The first Adjudicating Officer in the Vinod Kaushik matter failed, in his order of 09.08.2010, to appreciate that the individual communications of individual persons were privileged by an expectation of privacy, regardless of their relationship. Hence, despite acknowledging that the marital partners in that matter were in conflict with each other, and despite being told by one party that the other party’s access to those private communications was made without consent, the Adjudicating Officer allowed his non-judicial opinion of marriage to influence his order. This mistake was corrected when the matter was remanded for re-adjudication. In the re-adjudication, the new Adjudicating Officer correctly noted that the respondent wife could have chosen to approach the police or a court to follow the proper investigative procedure for accessing emails and other private communications of another person and that her unauthorised use of the complainant’s passwords amounted to a violation of their privacy.

Popular conceptions of different types of relationships may affect the (quasi) judicial imagination of privacy. In comparison to the Vinod Kaushik matter, the Nirmalkumar Bagherwal and Amit Patwardhan matters both dealt with unauthorised access to bank account statements, by a wife and by an ex-employer respectively. In any event, the same Adjudicating Officer presided over all three matters and correctly found that the facts in all three matters admitted to contraventions of the privacy of the complainants. The conjecture as to whether the first Adjudicating Officer in the Vinod Kaushik matter would have applied the same standard of family unity to unauthorised access of bank account statements by an estranged wife who was seeking maintenance remains untested. However, the reliance placed on the decision of the Delhi State Consumer Protection Commission in the matter of Rupa Mahajan Pahwa, [5] where the Commission found that unauthorised access to a bank pass book by an estranged husband violated the privacy of the wife, would suggest that judges clothe financial information with a standard of privacy higher than that given to emails.

Emails are a form of electronic communication. The PUCL case (Supreme Court of India, 1996)[6] while it did not explicitly deal with the standard of protection accorded to emails, held that personal communications were protected by an individual right to privacy that emanated from the protection of personal liberty guaranteed under Article 21 of the Constitution of India. Following the Maneka Gandhi case (Supreme Court of India, 1978)[7]

it is settled that persons may be deprived of their personal liberty only by a just, fair and reasonable procedure established by law. As a result, interceptions of private communications that are protected by Article 21 may only be conducted in pursuance of such a procedure. This procedure exists in the form of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that came into effect on 27 October 2009 ("the Interception Rules"). The Interception Rules set out a regime for accessing private emails in certain conditions. The powers and procedure of Section 91 of the Code of Criminal Procedure ("CrPC") may also apply to obtain data at rest, such as emails stored in an inbox or sent-mail folder.

Finally, the orders of the Adjudicating Officer reveal a well-reasoned and progressive understanding of the law and principles relating to the quantification of compensation. By choosing to impose larger amounts of compensation on the bank that violated the privacy of the complainant in the Nirmalkumar Bagherwal matter, the Adjudicating Officer has indicated that the institutions that hold sensitive personal data, such as financial information, are subject to a higher duty of care in relation of it. But, most importantly, the act of imposing monetary compensation of privacy violations is a step forward because, for the first time in India, it recognises that privacy violations are civil wrongs or injuries that demand compensation.

[1]. These Rules were issued vide GSR 220(E), dated 17 March 2003 and published in the Gazette of India, Extraordinary, Part II, Section 3(i). These Rules can be accessed here – http://it.maharashtra.gov.in/PDF/Qual_ExpAdjudicatingOfficer_Manner_of_Holding_Enquiry_Rules.PDF (visited on 30 September 2013).

[2]. These cases and statistics may be viewed here – http://it.maharashtra.gov.in/1089/IT-Act-Judgements (visited on 30 September 2013).

[3]. See generally, Upendra Baxi “"The Fair Name of Justice": The Memorable Voyage of Chief Justice Chandrachud” in A Chandrachud Reader (Justice V. S. Deshpande ed., Delhi: Documentation Centre etc., 1985) and, Rajeev Dhavan, "Judging the Judges" in Judges and the Judicial Power: Essays in Honour of Justice V. R. Krishna Iyer (Rajeev Dhavan and Salman Khurshid eds., London: Sweet & Maxwell, 1985).

[4]. See generally, Justice B.G .Harindranath, Art of Writing Judgments (Bangalore: Karnataka Judicial Academy, 2004); Justice T .S. Sivagnanam, The Salient Features of the Art of Writing Orders and Judgments (Chennai: Tamil Nadu State Judicial Academy, 2010); and, Justice Sunil Ambwani, “Writing Judgments: Comparative Models” Presentation at the National Judicial Academy, Bhopal (2006) available here – http://districtcourtallahabad.up.nic.in/articles/writing%20judgment.pdf (visited on 29 Sep 2013).

[5]. Appeal No. FA-2008/659 of the Delhi State Consumer Protection Commission, decided on 16 October 2008.

[6]. (1997) 1 SCC 301.

[7]. (1978) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra