Centre for Internet and Society

Privacy Matters — Medical Privacy

natasha — 2012-07-10T13:41:26Z

On June 30, 2012, Privacy India in partnership with the Indian Network for People living with HIV/AIDS, Centre for Internet & Society, IDRC, Society in Action Group, with support from London-based Privacy International, held a public discussion on "Medical Privacy" at the Yashwantrao Chavan Academy of Development Administration.

The conversation brought together a cross section of citizens, lawyers, activists, researchers, academia and students.

	Prashant Iyengar, Assistant Professor, Jindal Law University, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the series of ten consultations previously organized across India: Identity & Privacy, Kolkata, January 23, 2011 Internet & Privacy, Bangalore, February 5, 2011 National Security & Privacy, Ahmedabad, March 26, 2011 Transparency & Privacy, Guwahati, June 23, 2011 Telecommunication & Privacy, Chennai, August 6, 2011 Analyzing the Right to Privacy Bill, Mumbai, January 21, 2012 The High Level Privacy Conclave, New Delhi, February 3, 2012 The All India Privacy Symposium, New Delhi, February 4, 2012 Freedom of Expression & Privacy, Goa, June 2, 2012 Securing e-Governance, Ahmedabad, June 16, 2012

Prashant Iyengar, Assistant Professor, Jindal Law University, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the series of ten consultations previously organized across India:

Identity & Privacy, Kolkata, January 23, 2011
Internet & Privacy, Bangalore, February 5, 2011
National Security & Privacy, Ahmedabad, March 26, 2011
Transparency & Privacy, Guwahati, June 23, 2011
Telecommunication & Privacy, Chennai, August 6, 2011
Analyzing the Right to Privacy Bill, Mumbai, January 21, 2012
The High Level Privacy Conclave, New Delhi, February 3, 2012
The All India Privacy Symposium, New Delhi, February 4, 2012
Freedom of Expression & Privacy, Goa, June 2, 2012
Securing e-Governance, Ahmedabad, June 16, 2012

Elonnai Hickok, a member of Privacy India, introduced the draft book Privacy in India: A Policy Guide that Privacy India has been compiling. Focusing on the draft chapter, Medical Privacy, she provided examples of legislation and policy containing safeguards to privacy such as Medical Council of India's Code of Ethics Regulations 2002, and pointed out legislation with missing safeguards such as in the Mental Health Act of 1987. Additionally, she gave many examples of projects being implemented in India that impact health privacy including Save the Baby Girl Project, the Mother and Child Tracking System, the UID, and a cloud based system known as Health Hiway.

Elonnai Hickok, a member of Privacy India, introduced the draft book Privacy in India: A Policy Guide that Privacy India has been compiling. Focusing on the draft chapter, Medical Privacy, she provided examples of legislation and policy containing safeguards to privacy such as Medical Council of India's Code of Ethics Regulations 2002, and pointed out legislation with missing safeguards such as in the Mental Health Act of 1987. Additionally, she gave many examples of projects being implemented in India that impact health privacy including Save the Baby Girl Project, the Mother and Child Tracking System, the UID, and a cloud based system known as Health Hiway.

Medical Privacy in India

	Dr. Dharmesh Lal, MBBS, DHA, MD, DNB, DVLDP, Officiating Dean, IIHMR, Delhi, discussed the correlation between medical privacy and confidentiality. Medical Privacy involves the confidentiality of patient-provider encounters, along with the secrecy and security of information memorialized in physical, electronic and graphic records created as a consequence of patient-provider encounters. Confidentiality involves restricting information to persons belonging to a set of specifically authorized recipients.

Dr. Dharmesh Lal, MBBS, DHA, MD, DNB, DVLDP, Officiating Dean, IIHMR, Delhi, discussed the correlation between medical privacy and confidentiality. Medical Privacy involves the confidentiality of patient-provider encounters, along with the secrecy and security of information memorialized in physical, electronic and graphic records created as a consequence of patient-provider encounters. Confidentiality involves restricting information to persons belonging to a set of specifically authorized recipients.

He went on to explain that limited financial resources in public hospitals often preclude the separate examination of one patient at a time. “In Government hospitals, large numbers of patients congregate in the doctors office,” he says. Privacy is also related to a patient's financial status and decreases as one goes down the socio-economic ladder.

Additionally, he described the privacy concerns that arise due to infrastructural constraints. India's healthcare infrastructure has not kept up with the development of government health initiatives. For examples, the Janani Suraksha Yojana (JSY) initiative was launched in 2005, under the National Rural Health Mission (NRHM). JSY was implemented with the objective of reducing maternal and neo-natal mortality by promoting institutional delivery among the Poor Pregnant Woman. Financial incentives were provided to mothers. There was a phenomenal increase of institutional delivery. However, there was no proportional increase in infrastructure.

He called for a change in medical education, administration and management, stating, “Privacy protection has to be established as a core value that connects organizational culture. Alarmingly, medical curriculum in India does not have formal component on medical privacy, significant curriculum reforms in undergraduate medical teaching is necessary.

Medical Privacy- Legal Aspects

Mr. Pandit, Advocate, Pandit law Office, discussed the Hippocratic oath, which includes the duty of the caregiver to ‘keep secret’ and ‘never reveal’ ‘all that may come to my knowledge’. In other words, right to medical privacy has to be balanced with right to healthy life of another whose right will be affected unless such information is disclosed to her/him. He described the code of conduct prescribed by Indian Medical Council to its members, as a guideline to be followed is intended to preserve protect and uphold dignity of profession. Physicians should merit the confidence of patients entrusted to their care, rendering to each a full measure of service & devotion.

Mr. Pandit, Advocate, Pandit law Office, discussed the Hippocratic oath, which includes the duty of the caregiver to ‘keep secret’ and ‘never reveal’ ‘all that may come to my knowledge’. In other words, right to medical privacy has to be balanced with right to healthy life of another whose right will be affected unless such information is disclosed to her/him.

He described the code of conduct prescribed by Indian Medical Council to its members, as a guideline to be followed is intended to preserve protect and uphold dignity of profession. Physicians should merit the confidence of patients entrusted to their care, rendering to each a full measure of service & devotion.

Referring to the Dr.Tokugha Yepthomi Vs Appollo Hospital Enterprises Ltd & Anr. III case, he described the Supreme Court’s verdict on the ‘Right to Life’.

The “Right to life” would positively include the right to be told that a person, with whom she was proposed to be married, was a victim of deadly disease, which was sexually communicable, since right of life includes right to lead a healthy life. Moreover where there is a clash of two fundamental rights, The RIGHT which would advance the public morality or public interest, would alone be enforced through the process of Court.

He concluded by asserting that there is considerable force in the argument that there is a need for a comprehensive legislation to protect the interest of poor patients and ordinary citizens who cannot afford to initiate a protracted legal battle to protect their medical privacy.

Supreme Court views on Medical Negligence

	Professor K. Elumalai, Director, School of law, IGNOU, provided numerous Supreme Court verdicts on medical negligence cases. He summarized the cases and discussed their salient features. He discussed the manner in which a Medical professional can be prosecuted for medical negligence under criminal law. It must be shown that the accused did something or failed to do something which in the given facts and circumstances, no medical professional in his ordinary senses and prudence would have done or failed to do.

Professor K. Elumalai, Director, School of law, IGNOU, provided numerous Supreme Court verdicts on medical negligence cases. He summarized the cases and discussed their salient features. He discussed the manner in which a Medical professional can be prosecuted for medical negligence under criminal law. It must be shown that the accused did something or failed to do something which in the given facts and circumstances, no medical professional in his ordinary senses and prudence would have done or failed to do.

Confidentiality and privacy in medical Settigs vis-a-vis PLHIV

Ms. Nitu Sanadhya, Senior Legal Officer, Lawyers Collective, HIV/ AIDS Unit, stressed the importance of a rights-based approach and integrationist legal response to the HIV epidemic. When legislations or policies discriminate or isolate persons living with HIV, for example, through mandatory testing and breach of confidentiality, it drives the epidemic underground.

In India, there is no comprehensive law on HIV. In 2007, the National Aids Control Organization (NACO) released the Operational Guidelines for Integrated Counseling and Testing Centres. She described the salient features of the guideline especially focusing on the privacy provisions. She described the various situations that permit a health practitioner to disclose the HIV status of a patient to a partner and/ or third party. Discriminatory practices that arise out of a breach or confidentiality or privacy violation include stigmatization, denial of access to treatment, loss of employment, etc.

In India, there is no comprehensive law on HIV. In 2007, the National Aids Control Organization (NACO) released the Operational Guidelines for Integrated Counseling and Testing Centres. She described the salient features of the guideline especially focusing on the privacy provisions. She described the various situations that permit a health practitioner to disclose the HIV status of a patient to a partner and/ or third party.

Discriminatory practices that arise out of a breach or confidentiality or privacy violation include stigmatization, denial of access to treatment, loss of employment, etc.

Under the RTI Act, A person’s HIV status is confidential and is protected in law and can only be disclosed to a third person in limited circumstances. The RTI Act specifically exempts the disclosure of personal information which is not of public interest; information which would cause an unwarranted invasion of privacy; and information which has been received in a fiduciary capacity. Therefore, The RTI Act 2005 cannot be used to obtain a person’s HIV report.

Privacy in Practice

	Dr. Anand Philip, Personal Physician at NationWide Primary Healthcare Service Pvt. Ltd., drew from his personal experiences. During his presentation he emphasized how privacy is important, but it is clear that privacy does not happen the way it is theorized by. In fact there are many dichotomies in what we believe privacy is and how it is used. He pointed out that we often take for granted why privacy matters and where it comes from. He discussed how without patient autonomy and patient dignity, privacy cannot

Dr. Anand Philip, Personal Physician at NationWide Primary Healthcare Service Pvt. Ltd., drew from his personal experiences. During his presentation he emphasized how privacy is important, but it is clear that privacy does not happen the way it is theorized by. In fact there are many dichotomies in what we believe privacy is and how it is used. He pointed out that we often take for granted why privacy matters and where it comes from. He discussed how without patient autonomy and patient dignity, privacy cannot

be upheld. Yet, one sees a constant breach of people’s dignities in the medical system. Some people rationalize this violation of dignity by explaining that in India, doctors are used to people who have nothing and thus, dignity is not important. Yet, he argued, dignity is something that is inherent. The lack of dignity practiced in India's medical system shows a problem with how we are trained. Giving an example of how dignity is breached in India, Dr. Philip referred to two people being treated on the same table. He pointed out that the physical aspects of privacy are non-existent. For example, the WHO recommends five feet between beds, but typically two or three feet exist between hospital beds. Furthermore, there are often no curtains in hospitals. He then moved from physical privacy to information physical. In a hospital information flows in all directions, it is not a controlled environment and the patient does not choose who sees his/her information – the hospital decided. Dr. Philip then talked about training. The health care system encompasses a larger team of people from doctors to sweepers. Training is only given to clinical staff. Thus other aspects such as the Indian culture, infrastructure, and training all impact how privacy is carried out in the medical field. In conclusion Dr. Philip re-stated that privacy is a byproduct of autonomy and dignity. He noted that offering a patient dignity was a critical step that must be taken by service providers. Closing his presentation, he challenged the audience with the following questions: Considering how autonomy is not important, how do we reach people with the idea? Since physical privacy is key to other forms of privacy, how do we take it more seriously? What can we do about the medical team's approach to privacy?

Best Practices of Medical Privacy in Various Health Settings

	Sriram Lakshmanan, Head Information Security, UnitedHealth Group Information Systems, spoke about the US health-care market touching on medicare, medicaid, employer-sponsored insurance, and individual insurance plans. He also commented on the EU regime pointing out that most of the laws in the EU have a long list of identifiers indicating when your information counts as being compromised. Canada PIPEDA, is very strict and protects health privacy. In his opinion, the IT Act caters to many aspects of privacy. He also touched upon the eight OECD Privacy Principles and

Sriram Lakshmanan, Head Information Security, UnitedHealth Group Information Systems, spoke about the US health-care market touching on medicare, medicaid, employer-sponsored insurance, and individual insurance plans. He also commented on the EU regime pointing out that most of the laws in the EU have a long list of identifiers indicating when your information counts as being compromised. Canada PIPEDA, is very strict and protects health privacy. In his opinion, the IT Act caters to many aspects of privacy. He also touched upon the eight OECD Privacy Principles and

how they can be adopted for the Indian scenario. A few of the principles included collection limitation principle, data quality principle, purpose specification principle, use limitation principle. For example, if health information for treating malaria is collected, than that information should only be used for that purpose. Closing his presentation, he noted that most of the technologies that we use today for health run on IT, and thus can be used to compromise individual or hospital wide information.

Epidemics and Privacy

Dr. Rajib Dasgupta, Assistant Professor, Center of Social Medicine and Community Heath at Jawaharlal Nehru University, examined conflicts of issues of privacy, confidentiality and the role of the state in the context of epidemics and the provisions within the Epidemic Diseases Act. Epidemics are population-level events in contrast to illnesses that only involve individuals; therein lies the uniqueness of the intersection between medical privacy and public health ethics. The state has unique responsibilities to detect, diagnose, manage and control epidemics. This has local/regional and international ramifications. Also linked to these are limits to the powers, rights of individuals and the extent to which such rights may need to be suspended.

Dr. Rajib Dasgupta, Assistant Professor, Center of Social Medicine and Community Heath at Jawaharlal Nehru University, examined conflicts of issues of privacy, confidentiality and the role of the state in the context of epidemics and the provisions within the Epidemic Diseases Act. Epidemics are population-level events in contrast to illnesses that only involve individuals; therein lies the uniqueness of the intersection between medical privacy and public health ethics. The state has unique responsibilities to detect, diagnose, manage and control epidemics. This has local/regional and international ramifications. Also linked to these are limits to the powers, rights of individuals and the extent to which such rights may need to be suspended.

The exercise of actions within the Act is not necessarily bereft of infringement of privacy and overt discrimination. Certain diseases, as indeed limitations imposed by the state, have elements of stigma that further confound the fuzziness of this debate.

When an epidemic occurs, the need for privacy in the mind of the individual goes down, as they are concerned solely with receiving treatment. He also pointed out that there are contradictory elements during epidemics. For instance an area might not want to be named as having an outbreak of a disease, but at the same time individuals will line up outside hospitals for treatment, exposing the fact that they have the disease. He also spoke about how steps taken to address epidemics can invade privacy. For example, during the SARS outbreak, it was the practice to put the patient in an infectious disease hospital. This was invasive to personal privacy as it created stigma and discrimination. Closing his presentation he explained how the conventional notions of privacy do not necessary hold in the case of epidemics because it is an emergency outbreak. Thus, protocol is established on a case-to-case basis. Despite this he believes that it is possible and valuable to protect privacy in cases of epidemics.

HIV/ AIDS and Privacy

	KK Abraham, President of Indian Network for People Living with HIV/AIDS, described how privacy could be understood as a luxury, in some cases it can be understood as a right, and in other cases it is understood of responsibility. Regarding HIV patients, Mr. Abraham emphasized the need for privacy to be understood as a right. Mr. Abraham also pointed out that as trends are changing in India, and more services are becoming available, that this is the right time to talk about privacy. Closing his presentation Mr. Abraham called for a greater understanding of patients' privacy needs and the negative effect of stigma.

KK Abraham, President of Indian Network for People Living with HIV/AIDS, described how privacy could be understood as a luxury, in some cases it can be understood as a right, and in other cases it is understood of responsibility. Regarding HIV patients, Mr. Abraham emphasized the need for privacy to be understood as a right. Mr. Abraham also pointed out that as trends are changing in India, and more services are becoming available, that this is the right time to talk about privacy. Closing his presentation Mr. Abraham called for a greater understanding of patients' privacy needs and the negative effect of stigma.

HIPPA with reference to Applicability to Patient Privacy and Clinical Data Confidentiality in India

Dr. Lavanian Dorairaj, MD, CEO at HCIT Consultants, described how IT is a powerful tool for health care, despite the fact that health care has been hesitant to use IT. He explained that IT can help reduce errors in health care; it can help increase accessibility of patient data, improve diagnosis, treatment, and prognosis. Healthcare IT has great advantages but needs to be handled with great responsibility. He also pointed out that IT can lead to privacy violations if inappropriate access to patient records takes place. He argued that though India has recognized the need for privacy, it still needs to find a way to implement privacy protections and police the implementation of the guidelines. Drawing on examples from HIPPA, he argued that India would benefit from establishing privacy standards and security standards for health information. He explained further that HIPPA is a flexible rule, which obligates relevant entities to comply. The Rule is designed to be flexible. Entities regulated by the rules are obligated to comply.

Dr. Lavanian Dorairaj, MD, CEO at HCIT Consultants, described how IT is a powerful tool for health care, despite the fact that health care has been hesitant to use IT. He explained that IT can help reduce errors in health care; it can help increase accessibility of patient data, improve diagnosis, treatment, and prognosis. Healthcare IT has great advantages but needs to be handled with great responsibility. He also pointed out that IT can lead to privacy violations if inappropriate access to patient records takes place. He argued that though India has recognized the need for privacy, it still needs to find a way to implement privacy protections and police the implementation of the guidelines. Drawing on examples from HIPPA, he argued that India would benefit from establishing privacy standards and security standards for health information. He explained further that HIPPA is a flexible rule, which obligates relevant entities to comply. The Rule is designed to be flexible. Entities regulated by the rules are obligated to comply.

Presentations

Click to download the presentation files. [Zip files, 2184 Kb]

For more details visit https://cis-india.org/internet-governance/blog/medical-privacy-conference-report

Privacy Matters — Consumer Privacy

praskrishna — 2012-07-31T10:55:30Z

Privacy India, in partnership with the Centre for Internet & Society, International Development Research Centre, Society in Action Group and Privacy International, invites you to a public conference focused on discussing the challenges and concerns to consumer privacy in India. The event will be held at the Indian International Centre, New Delhi on Saturday, July 7, 2012, from 9 a.m. to 5 p.m.

According to the Consumer Protection Act, 1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors.

Consumer privacy is concerned with accuracy of how a consumers information is collected and used. Because a consumers relationship with another entity is based on an exchange along consented terms, a breach in consumer privacy can be constituted as an action that was not agreed to. In the age of data collection – a breach in privacy occurs when information is used in different ways than was intended. Consumer privacy in India is determined at the sectoral level, and differs depending on the services that is provided for.

As corporations sell data banks, ISP's expose consumer habits, or ones personal information falls in the wrong hands – the consequences are far reaching, and can result in spamming, unwanted marketing, theft, or the violation can impact an individual's ability to buy a home, potential employment opportunities, or gain access to credit.

In India, the right to privacy has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. - people who most need to know that sensitive information is protected.

Since June 2010, Privacy India in collaboration with Privacy International, based in London, has been conducting workshops and engaging in public awareness. Participants include policy makers, researchers, sectoral experts, NGOs, and the public to discuss and deliberate different questions of privacy, its intersections and its implications with our everyday life. The discussions have ranged from topics of online privacy to minority rights and privacy and e-Governance initiatives privacy. The workshops have been organized in different cities - Bangalore, Guwahati, Mumbai, Delhi, Kolkata, Ahmedabad, Chennai, Goa, etc.

Click here for the agenda

Please confirm your participation with natasha@cis-india.org

Download the invite here [PDF, 160 Kb]

Download our research here [PDF, 178 Kb]

For more details visit https://cis-india.org/internet-governance/consumer-privacy-delhi

Privacy Matters — Analyzing the Right to "Privacy Bill"

natasha — 2012-02-15T04:27:28Z

On January 21, 2012 a public conference “Privacy Matters” was held at the Indian Institute of Technology in Mumbai. It was the sixth conference organised in the series of regional consultations held as “Privacy Matters”. The present conference analyzed the Draft Privacy Bill and the participants discussed the challenges and concerns of privacy in India.

The conference was organized by Privacy India in partnership with the Centre for Internet & Society, International Development Research Centre, Indian Institute of Technology, Bombay, the Godrej Culture Lab and Tata Institute of Social Sciences. Participants included a wide range of stakeholders that included the civil society, NGO representatives, consumer activists, students, educators, local press, and advocates.

Comments to the Right to Privacy Bill

Welcome

Prashant Iyengar was the Lead Researcher with Privacy India, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the five “Privacy Matters” series previously organised across India in Kolkata on January 23, 2011, in Bangalore on February 5, 2011, in Ahmedabad on March 26, 2011, in Guwahati on June 23, 2011 and in Chennai on August 6, 2011.

Keynote Address

Na. Vijayashankar (popularly known as Naavi), a Bangalore based e-business consultant, delivered the key note address on the quest of a good privacy law in India.

He described the essential features of good privacy legislation. In analyzing the Draft Privacy Bill’s definition of the right to privacy, he suggested it should be defined through the “right to personal liberty” rather than through what constitutes “infringements”. Mr. Vijayashankar went on to explain that the “privacy right” should be taken beyond “information protection” and defined as a “personal privacy or a sense of personal liberty without constraints by the society”. He explained the various classifications and levels of protection associated with the availability and disclosure of data. He expressed concerns regarding monitoring of data processors and suggested that data controllers have contractual agreements between data processors, so as to ensure an obligation of data security practices. He also called for the simplification and division of offences and suggested numerous reasons as to why the Cyber Appellate Tribunal would not be an ideal monitoring mechanism or authority. See Naavi's presenation here

Session I: Privacy and the Legal System

Dr. Sudhir Krishnaswamy, Assistant Professor at the National Law School of India

Dr. Krishnaswamy started off the presentation by questioning the normative assumptions the Draft Privacy Bill makes. He referred to the controversy of Newt Gingrich's second marriage, to question the range of moral interests that were involved. The Bill falls short in accounting for dignity in relation to privacy.

He described the Draft Privacy Bill as a reasonable advance, given where privacy laws were before. Although, he feels that it does fall short, in terms of a narrow position, on what privacy law should do. He also questioned if it satisfies constitutional standards. He stressed the importance of philosophical work around the Draft Privacy Bill considering that the nature of privacy is not neat and over-arching.

Privacy and the Constitutional Law

N S Nappinai, Advocate, High Court, Mumbai,

Nappinai spoke on the constitutional right to privacy. She explained the substantial development of Article 21 of the Constitution of India to include the ‘right to privacy’ with regards to its interpretation and application. She described the different shift of the application of the right to privacy in the West in comparison to India. The West has moved from the right to privacy pertaining to property to the right to privacy concerning personal rights, whereas India moved from personal rights to property rights. She outlined three aspects of privacy: dignity, liberty and property rights.

Ms. Nappinai dissected the Bill in its major components: interception, surveillance, method and manner of personal data, health information, collection, processing and use of personal data. Using these components, she questioned what precedence exists? What should be further protected or reversed? What lessons should legislators draw from?

Shortcomings of the Draft Right to Privacy Bill falls include:

The objects and reasons section in the Draft Privacy Bill declares the right to privacy to every citizen as well as delineates the collection and dissemination of data. Nappinai dismisses the need for this delineation on the grounds that data protection is an inherent part of the right to privacy, it is not exclusive.
Large focus on transmission of data. The provisions do not account for property rights pertaining to the right to privacy. Therefore, the ‘knock-and-enter’ rule, the ‘right to be left alone’ and the ‘right to happiness’ should be included.
Applicability of the Bill should extend to all persons as well as data residing within the territory. It would be self-defeating if it only includes citizens, considering that the Constitution extends to all persons within the territory.
The right to dignity is unaccounted for.

See Nappinai's presentation here

Session II: Privacy and Freedom of Expression

Apar Gupta, Advocate, Delhi

Apar Gupta is an advocate based in Delhi who specializes in IP and electronic commerce law, spoke predominantly on the interplay between privacy and freedom of expression. He used the example of an advocate tweeting about his criticism of a judges’ ruling, to illustrate how different realms of online anonymity enable freedom of speech. He went beyond the traditional realm of journalistic architecture such as television channels or newspapers and explained online community disclosure.

Mr. Gupta provided a practical example of Indian Kanoon, a popular online database of Indian court decisions. Because Indian Kanoon is linked to the Google search engine, many individuals involved in civil and criminal matters have requested Indian Kanoon to remove the court judgments, under privacy claims. This particularly occurs with individuals involved in matrimonial cases. However, as court judgment constitute public records India Kanoon only removes court judgments when requested by a court order.

He described the several ways legislators can define privacy and freedom of expression. Considering that the privacy of an individual may border upon freedom of speech and expression, he questioned whether or not privacy should override the right to freedom of speech and expression. In addition, Mr. Gupta discussed the debate on whether or not the Privacy Bill should override all existing provisions in other laws.

Additionally, he analyzed the provisions of the Draft Privacy Bill using three judgments. In these judgments, different entities sought of various forms of speech to be blocked under privacy claims. He spoke about the dangers of a statutory right for privacy that does not safeguard freedom of speech and expression. Considering that the privacy statute may allow for a form of civil action permitting private parties to approach courts to stop certain publications, he stressed the importance for legislators to ensure balanced privacy legislation inclusive of freedom of speech and expression.

Sexual Minorities and Privacy

Danish Sheikh, researcher at Alternative Law Forum

Danish examined the status of sexual minorities in the light of privacy framework in India. The tag of decriminalization has served to greatly alter the way institutions approach the question of privacy when it comes to sexual minorities. He used the Naz Foundation judgment as a chronological marker to map the developments in the right to privacy and sexual minorities over the years.

He outlined four key effects on the right to privacy due to the Naz Foundation judgment:

Prepared the understanding of privacy as a positive right and placed obligations on the state,
Discussed privacy as dealing with persons and not just places, it took into account decisional privacy as well as zonal privacy,
Connected privacy with dignity and the valuable worth of individuals, and
Included privacy on one’s autonomous identity.

He described various incidents that took place before the Naz Foundation judgment, pre-Naz, that altered the way we conceived of queer rights in general and privacy in particular, including the Lucknow incidents, transgender toilets, passport forms, the medical establishment and lesbian unions. Post-Naz, he described two incidents including the Allahabad Muslim University sting operation as well as the TV9 “Expose” that captured public imagination.

He concluded by asking: “What do these stories tell us about privacy?” The issues faced by the transgender community tell us that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers. The issues faced by the Lucknow NGOs display the institutionalized disrespect for privacy and that has marginally more devastating consequences for the homosexual community by the spectre of outing. The issues faced by lesbian women evidence yet another need for breaching the public/private divide, demonstrating how the protection of the law might be welcome in the family sphere. Alternate sexual orientation and gender identity might bring the community under a common rubric, but distilling the components of that rubric is essential for engaging in any kind of useful understanding of the community and the kind of privacy violations it suffers – or engage with situations when the lack of privacy is empowering.

Session III: Privacy and National Security

Menaka Guruswamy, Advocate, Supreme Court of India

Menaka explored national security and its relationship to privacy. In her presentation, she compared the similar manner in which the courts approach national security and privacy issues. The courts feel national security and privacy issues are too complex to define, therefore, they take a case-by-case approach.

Ms. Guruswamy described three incidents that urged her to question national security and privacy. First, she was interested in the lack of regulation surrounding intelligence agencies and was involved in the introduction of the Regulations of Intelligence Agencies Bill as a private members bill. Second, national security litigation between the Salwa Judum judgment and the State of Chhattisgarh is an example of how national security triumphs constitutional rights and values. Third, privacy in the context of the impending litigation of Naz Foundation in the Supreme Court. She described the larger conversation of national security focus on values of equality and privacy. She discussed the following questions that serve in advancing certain conception of rights:

How do we posit privacy which necessarily, philosophically as well as judicially, is carved out as the right of an individual to be left alone?
What are the consequences when national security, which is posited as the rights of the nation, is in conflict with the right of the individual to be left alone?
Considering that constitutional rights are posited as a public facet of citizenship how does a right to privacy play in that context?

Privacy and UID

R. Ramakumar, professor at the Tata Institute of Social Sciences

Prof. Ramakumar spoke on UID, its collection of information and the threat to individual privacy. First, he provided a historical trajectory of national security that has led to increased identity card schemes. He described the concrete connection between UID and national security.

He briefed the gathering on the objectives of the UID project. He described several false claims as proposed by the UIDAI. He explicitly disproved the UIDAI claim that Aadhaar is voluntary. He did this by comparing various legislations associated with the National Population Registrar that had provisions mandating the inclusion of the UID number.

He went on to explain that the misplaced emphasis of technology to handle large populations remains unproven. He described two specific violations of privacy inherent in the UID system: convergence of information and consent. The UID database makes it possible for the linking or convergence of information across silos. In addition, consent is unaccounted for in the UID system. The UID enrollment form requires consent from a person to share their information. However, the software of the enrollment form automatically checks ‘yes’, therefore you are not asked. Even if you disagree, it automatically checks ‘yes’. Default consent raises the important question, “to what extent are we the owners of our information?” and “what are the privacy implications?”

Mr. Ramakumar was once asked, by Yashwant Sinha in a Parliamentary Standing Committee meeting, “Is the Western concept of privacy important in developing country like India?”. Using this question posed to him, he stressed the importance of privacy to be understood as a globally valued right, entitlement and freedom. He also referred to Amartya Sen’s work on individual freedoms.

Conclusion

During the daylong consultation numerous questions and themes relating to privacy were discussed:

How is the right to privacy defined?
How can the Draft Privacy Bill redefine the right to privacy?
How can reasonable deterrence mechanisms be included?
Does duplication of the right to privacy exists in different statutes?
Is the Cyber Appellate Tribunal an ideal monitoring mechanism or authority?
What are the circumstances under which authorized persons can exercise the Right of privacy invasion?
How can the Draft Privacy Bill account for the right to dignity?
How much information should the State be allowed to collect?
How can citizens become more informed about the use of their information and the privacy implications involved?
What would be the appropriate balance or trade-off between security and civil liberties?
What are the dangers with permitting the needs of national security to trump competing values?
What are the consequences for the homosexual community, when faced with institutionalized disregard for privacy?

For more details visit https://cis-india.org/internet-governance/privacy-matters-analyzing-the-right-to-privacy-bill

Privacy Matters — Analyzing the "Right to Privacy Bill"

Natasha Vaz — 2012-04-28T04:10:12Z

Privacy India in partnership with International Development Research Centre, Canada, Indian Institute of Technology, Bombay, the Godrej Culture Lab, Tata Institute of Social Sciences, Mumbai and the Centre for Internet and Society, Bangalore is organising "Privacy Matters", a public conference at IIT, Bombay on 21 January 2012.

The conference will focus on the questions and dilemmas posed by privacy in India today, with a concentration on the "Right to Privacy Bill". The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. — people who most need to know that sensitive information is protected.

Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

The event will focus on discussing the challenges and concerns to privacy in India. We invite you to attend the meeting and contribute your views. Please confirm your participation by getting in touch with Natasha (natasha@cis-india.org). We sincerely hope that you will be able to attend and look forward to your participation.

Agenda

09:30- 10:00	Registration
10:00- 10:30	Welcome- Privacy in India Prashant Iyengar is a practicing lawyer and lead researcher for Privacy India. He will present who Privacy India is, and the objectives of Privacy India's research. His presentation will focus on discussing privacy in India.
10:30- 11:15	Key Note Address- Draft Privacy Bill Critique Na. Vijayashankar is an e-business consultant. He established the premier Cyber Law information portal in India. He is the founder secretary of Cyber Society of India, Founder Trustee of International Institue of Information Technology Law, and Founder Chairman of Digital Society Foundation. He will present a critique of the Draft Privacy Bill.
11:15- 11:30	Tea Break
11:30- 12:15	Session I Privacy and the Legal System Sudhir Krishnaswamy is an Assistant Professor at the National law School of India University and is currently writing a Doctoral Thesis at the Faculty of Law, Oxford University on ‘The Basic Structure Doctrine in Indian Constitutional Adjudication’. His presentation will look at the trajectory of privacy through the years from a legal perspective.
12:15- 13:00	Privacy and Constitutional Law N. Nappinai is an advocate who specializes in IP and technology laws. She is a founder member of Technology Law Forum (TLF). She has spearheaded and driven several initiatives of TLF with various organization including NASSCOM, FICCI, IMC etc., and has also conducted several workshops and training sessions for the Mumbai Police, Public Prosecutors & Industry verticals in Cyber Laws. Her presentation will define the scope of Article 21 under the Indian Constitution, which protects the right to privacy.
13:00- 13:15	Discussion
13:15- 14:00	Lunch Break
14:00- 14:45	Session II Privacy and Freedom of Expression Apar Gupta is an advocate who specializes in intellectual property, electronic commerce law and technology media and telecoms. He holds a master from Columbia Law School and has authored a Commentary on the Information Technology Act, 2000. His presentation will focus on the limits of a privacy right when it competes and conflicts with the freedom of speech and expression. He will examine certain provisions of the Draft Privacy Bill questioning how privacy arguments may be used to stifle debate or disclosure made in the public interest.
14:45- 15:30	Sexuality Minorities and Privacy Danish Sheikh graduated from Nalsar University of Law with a B.A., LL.B. (Hons.). Currently, he is a researcher at the Alternative Law Forum in Bangalore. He will examine the status of sexual minorities in the light of privacy framework in India. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, he will bring to light the privacy violations being committed by both individuals as we all state authorities.
15:30- 15:45	Discussion
15:45- 16:30	Session III Privacy and National Security Menaka Guruswamy practices law at the Supreme Court of India. She was a Rhodes Scholar at Oxford University, a Gammon Fellow at Harvard Law School, and a gold medalist from the National Law School of India and has law degrees from all three schools. Menaka has advised the United National Development Program and the United Nations Development Fund for Women. She will discuss the relationship between national security and privacy, from the perspective of surveillance by the state etc.
16:30- 17:15	Privacy and UID R. Ramkumar is a Professor at the Tata Institute of Social Sciences. He is advocate as well as a patent and trademark attorney. His presentation will focus on what standards of privacy are afforded within the UID system.
17:15- 17:30	Tea Break
17:30- 18:00	Discussion and Questions

	Organizers
	Privacy India Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.
	Privacy International (https://www.privacyinternational.org/) Privacy International’s mission is to defend the right to privacy across the world, and to fight surveillance and other intrusions into private life by governments and corporations. PI has been providing citizens and policy-makers with the tools and perspectives to enable them to hold to account those who threaten privacy since 1990. PI has active associates and networks in 46 countries.
	The International Development Research Centre (www.idrc.ca/) Canada’s International Development Research Centre (IDRC) is one of the world’s leading institutions in the generation and application of new knowledge to meet the challenges of international development. They help developing countries use science and technology to find practical, long-term solutions to the social, economic, and environmental problems they face.
	The Centre for Internet & Society (http://cis-india.org/) The Centre for Interenet & Society brings together a team of practitioners, theoreticians, researchers and artists to work on the emerging field of Internet and Society to critically engage with concerns of digital pluralism, public accountability and pedagogic practices, with particular emphasis on South-South dialogues and exchange.
	Partners
	The Godrej India Culture Lab (www.godrej.com) The Godrej India Culture Lab is an interdisciplinary space which aims to build knowledge networks and interpret the changes rapidly taking place in contemporary India by bringing together the best minds from global academia, business and the creative worlds working on different aspects of Indian society.
	IIT, Bombay (www.iitb.ac.in/) Established in 1958, IIT is recognised worldwide as a leader in the field of engineering education and research. It is reputed for the quality of its faculty and the outstanding calibre of students graduating from its undergraduate and postgraduate programmes. Over the years, there has been dynamic progress at IIT Bombay in all academic and research activities, and a parallel improvement in facilities and infrastructure, to keep it on par with the best institutions in the world.
	Tata Institute of Social Sciences (http://www.tiss.edu/) Tata Institute of Social Sciences (TISS) offers higher professional education in the field of human service and applied social science research. The institute has gone beyond the initial concern of social work education, since its inception in 1936, to consistently contribute to the promotion of sustainable, participatory development and social justice. Through its work, the Institute facilitates strong linkages between education, research, field action and policy advocacy.

Speakers

1. Apar Gupta

2. Danish Sheikh, Alternative Law Forum

3. NA Vijayashankar, E-Business Consultant, Founder Secretary of Cyber Society of India, Founder Trustee of International Institute of Information Technology Law, and Founder Chairman of Digital Society Foundation

4. N S Nappinai, Advocate and Founder Member of Technology Law Forum

5. Prashanth Iyengar, Assistant Professor & Assistant Director, Centre for Intellectual Property Rights Studies, Lead Researcher with Privacy India, Bangalore; Legal Aid Manager with Rural Development Institute, Hyderabad; Researcher & Lawyer with Alternative Law Forum

6. R. Ramkumar, Assistant Professor, School of Social Sciences, Tata Institute of Social Sciences

7. Shishir Jha, Project Lead at Creative Commons India and Associate Professor at Indian Institute of Technology, Bombay

8. Menaka Guruswamy, practices law at the Supreme Court of India.

9. Sudhir Krishnaswamy, is an Assistant Professor at the National law School of India University.

Download the invitation [PDF, 988 kb]

Download the event poster [PDF, 2155 kb]
IIT Bombay Map http://www.iitb.ac.in/campus/howto/howtoget.html

VIDEOS

For more details visit https://cis-india.org/internet-governance/right-to-privacy-bill-conference

Privacy laws: Alternatives to consent

Admin — 2017-08-23T00:00:32Z

As changes in technology have made it near impossible to obtain informed consent, the solution may lie in an accountability-based standard for privacy protection.

The article was published in the Livemint on August 11, 2017. Pranesh Prakash was quoted.

On 1 August, the government set in motion the process of drafting a new data protection law by setting up a panel under the guidance of former Supreme Court judge B.N. Srikrishna. The panel has been asked to suggest the principles to be considered while framing a data protection law. Most lawmakers around the world resort to consent as the default model to protect personal privacy. But is consent really the best and only way to provide meaningful control and to protect the individual?

In an earlier article in this series we discussed the various reasons why consent is no longer the best way to protect personal privacy. Today, traditional point-to-point transfers of data have been replaced with data flows through distributed systems, making it difficult for individuals to know which organizations are processing their data and for what purposes. This context makes it impossible to obtain valid individual consent. Machine learning systems do not need explicit programming and can teach themselves from mountains of data. This makes consent particularly inappropriate, as given the fraud prevention purposes for which these tools are used, seeking consent would prejudice the very purpose of processing.

Europe’s new General Data Protection Regulation (GDPR), which will come into force in May 2018, seems to suggest that accountability will become the new basis for compliance. According to experts, the transition period until the new rules come into force will be all about getting data controllers to adopt accountability measures to ensure greater security and trust around processing.

The new rules “advocate a risk-based approach with the data subject at its centre, so controllers will need to assess any risks to individuals posed by their processing activities and what measures they need to take to address them. The requirements also identify common factors for controllers to take into account when making those assessments, like the state of the art, the cost of implementation and the nature, scope and purposes of data processing,” according to a paper by Irish law firm Matheson.

In India, a paper by Rahul Matthan, a fellow at the Bengaluru-based policy think tank Takshashila Institute, bats for the adoption of a similar model that would hold data controllers and processors accountable for any harm caused to data subjects, irrespective of the consent they may have obtained. Instead of requiring data controllers to obtain consent for the collection and subsequent use of personal data, Matthan suggests the implementation of a rights-based model for data privacy that will impute a set of data rights for everyone rather than look to specific terms and conditions that they have entered into with each site they sign up to.

The accountability model will have the greatest impact on companies that deal with personal data, increasing their obligations to ensure that their actions do not, even inadvertently, result in breach of the privacy of their subscribers. What do these firms think about a new model where privacy is not based so much on the specific policies that their users agree to, but on a much broader obligation to be accountable for their actions?

“When we think about new products, we design them from the ground up with privacy in mind,” a Facebook Inc. spokesperson said in an emailed response. “We complete thorough privacy reviews of our products so that innovation does not come at the expense of choice and control. We integrate tools people can use to control their information and make personal privacy choices.”

A Twitter Inc. spokesperson did not directly address the question of accountability but pointed to its updated privacy policy, new privacy tools and past efforts in advocacy of privacy.

In general, corporations are likely to find accountability to be an easy standard to comply with. Most already adhere to this higher standard of care as, regardless of the specific terms of their privacy policies, the public relations fallout that would result from a privacy breach due to their negligence will have a huge impact on subscriber confidence in their services.

To that extent, most companies already think of themselves as being responsible for the personal privacy of their users above and beyond the specific terms and conditions of their privacy policy.

But can accountability totally replace consent? Opinions are divided.

“Substituting accountability for consent is neither simple nor easy,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank. “With current consent models, one doesn’t necessarily need to prove specific harm, whereas accountability models might require it, and that would be difficult, and especially impossible given the current state of courts.”

Secondly, while a rights/fiduciary model brings flexibility for data controllers data users, it comes at the cost of uncertainty, he argued.

“Consent brings in some amount of inflexibility but with the benefit of certainty,” he said. “If we move to a rights and fiduciary duty model, that would mean the entity using your data cannot do anything against your best interests, just as your accountant, or your doctor, or your lawyer owe you a high standard of care. But with that increased duty, there comes the added flexibility in terms of using data anonymously, in a way that doesn’t cause much harm while providing benefits.”

“I agree that consent, in theory, provides greater certainty,” counters Matthan, “However, it is questionable whether we can actually benefit from that certainty. In today’s context, it is impossible to obtain truly informed consent. We must, therefore, find an alternative mechanism to protect the privacy of our citizens. Accountability shifts the responsibility of determining whether or not a particular use of data will harm an individual away from that person, who has little or no ability to accurately decide that for himself, to the data controller, who has a far greater ability to do so.”

Others, such as advocate and cyber law expert N.S. Nappinai, say that it should not be a question of either/or and that both consent and accountability are needed for a robust data protection law.

“A huge loophole in the laws across the world, including the very robust GDPR, which will come into effect in 2018, is the sharing of third-party data, as in social media,” said Nappinai. “Data protection laws address the need for consent of the user who is sharing content. Many times, the user isn’t sharing sensitive or personal information only about themselves; it can be about a much larger audience or set of data subjects. When one is dealing with that kind of data, which a third party has shared about a data subject, it is not enough to have only accountability or consent but also vesting of responsibility.”

“For now the least threshold of protection that the GDPR offers—i.e., of the ‘right to be forgotten’—ought to at least be codified in other jurisdictions including India to ensure protection of such third-party data that is shared, in effect without their consent,” she added.

Models for a new privacy protection framework

There are alternative mechanisms in the privacy toolkit and existing legal regimes that, in the appropriate contexts, are able to deliver privacy protection and meaningful control more effectively than consent. Though these mechanisms already exist, they must be better understood, further developed and more broadly accepted, suggest researchers at the International Association of Privacy Professionals (IAPP). Here are a few examples of such mechanisms.

• Legitimate-interest processing: This is particularly relevant, according to IAPP, as it provides the necessary flexibility to face future technology and business process changes, while requiring organizations to be proactive, think hard and consider and mitigate risks and harmful impacts on individuals as they process personal data.

Legitimate-interest processing can legitimize many ordinary business uses of data, such as improving and marketing a company’s own products or services, or ensuring information and network security.

It also plays an increasingly significant role in the context of Big Data, the Internet of Things and machine learning by enabling beneficial uses of data where consent is not feasible and the benefits of the proposed uses outweigh any privacy risks or other harmful impact on individuals.

• Focus on risk and impact on individuals: This approach, IAPP has said, puts individuals firmly at the centre of an organization’s information management practices and results in better protection and compliance for individuals, especially in contexts where individual consent is neither required nor feasible.

• Individuals’ rights to access and correction: The ability of individuals to have access to their data and be able to correct inaccurate or obsolete data is an essential mechanism of control that should be made available as widely as possible.

Access and correction are also intrinsically related to transparency and organizations may be able to innovate here too, IAPP researchers have noted.

• Fair processing: Fair processing is a standalone data protection principle in many data privacy laws in Europe and beyond. Over the years, practitioners and regulators have equated fairness with providing privacy notices to individuals. Fair processing, however, goes beyond privacy notices and IAPP researchers believe the time has come to resurrect this principle back into practice.

This is the third of a four-part series on privacy. Read the first part here and the second part here.

For more details visit https://cis-india.org/internet-governance/news/livemint-august-11-2017-privacy-laws-alternatives-to-consent

Privacy Law Must Fit the Bill

sunil — 2013-09-12T06:25:35Z

The process of updating Indian privacy policy has gained momentum ever since the launch of the UID project and also the leak of the Radia tapes. The Department of Personnel and Training has lead the drafting of privacy bill for the last three years. This bill will ideally articulate privacy principles and establish the office of the privacy commissioner and most importantly have an over-riding effect over 50 odd existing laws, rules and policies with privacy implications.

The article was published in the Deccan Chronicle on September 9, 2013.

Given the harmonizing impact of the proposed privacy bill, we must ensure that rigorous debate and discussion happens before the bill is finalized otherwise there may be terrible consequences.

Here is a short list of what can possibly go wrong:

One, the privacy bill ignores the massive power asymmetry in Indian societies undermining the right to information – in other jurisdictions referred to as freedom of information and access to information. The power asymmetry is addressed via a public interest test. The right to privacy would be the same for everyone except when public interest is at stake. This enables protection of the right to privacy to be inversely proportionate to power and almost conversely the requirement of transparency to be directly proportionate to power. In other words, the poor would have greater privacy than a middle-class citizens who in turn would have greater privacy than political and economic elites. And transparency requirements would be greatest for economic and political elites and lower for middle-class citizens and lowest for the poor. If this is not properly addressed in the language of the bill – privacy activists would have undone the significant accomplishments of the right to information or transparency movement in India over the last decade.

Two, the privacy bill has chilling effect on free speech. This can happen either by denying the speaker privacy, or by affording those who are spoken about too much privacy. For the speaker - Know Your Customer (KYC) and data retention requirements for telecom and internet infrastructure necessary to participate in the networked public sphere can result in the death of anonymous and pseudonymous speech. Anonymous and pseudonymous speech must be protected as it is a necessary for good governance, free media, robust civil society, and vibrant art and culture in a democracy. For those spoken about - privacy is clearly required in certain cases to protect the victims of certain categories of crimes. However, the right to privacy could be abused by those occupying public office and those in public life to censor speech that is in the public interest. If for example a sport person does not publicly drink the aerated drink that he or she endorses in advertisements then the public has a right to know.

Three, the privacy bill has a limited scope. Jurisprudence in India derives the right to privacy from the right to life and liberty through several key judgments including Naz Foundation v. Govt. of NCT of Delhi decided by the Delhi High Court. The right to life and liberty or Article 21 unlike other constitutionally guaranteed fundamental rights does not distinguish between citizens and non-citizens. As a consequence the privacy bill must also protect residents, visitors and other persons who may never visit India, but whose personal information may travel to India as part of the global outsourcing phenomena. Also the obligations and safeguards under the privacy bill must equally apply to both the state and the private sector entities that could potentially infringe upon the individual's right to privacy. Different levels of protection may be afforded to citizens, residents, visitors and everybody else. Government and private sector data controllers may be subject to different regulations – for ex. an intelligence agency may not require 'consent' of the data subject to collect personal information and may only provide 'notice' after the investigation has cleared the suspect of all charges.

Four, the privacy bill is expected to fix poorly designed technology. There are two diametrically opposite definitions of projects like NATGRID, CMS and UID. The government definition is that all these systems will allow only for targeted interception and surveillance, however the majority of civil society believes that these system will be used for blanket surveillance. If these systems are indeed built in a manner that supports blanket surveillance then legal band-aid in the form of a new law or provision that prohibits blanket surveillance will be a complete failure. The principle of 'privacy by design' is the only way to address this. For ex. shutters of digital cameras are silent and this allows for a particular form of voyeurism called upskirt. Almost a decade ago, the Korean government enacted a law that requires camera and mobile phone manufacturers to ensure that audio recording of a mechanical shutter is played every time the camera function is used. It is also illegal for the user to circumvent or disable this feature. In this example, the principle of notice is hardwired within the technology itself. To remix Spiderman's motto – with great power comes great temptation. We know that a rogue NTRO official installed a spy camera in the office toilet to make recording female colleagues and most recently that NSA officers confessed to spying on their love interests. If the technology can be abused it will be abused. Therefore legal safeguards are a poor substitute for technological safeguards. We need both simultaneously.

Five, the bill does not require compliance with internationally accepted privacy principles including the ones discussed so far 'consent', 'notice' and 'privacy by design'. Apart from human rights considerations – the most important imperative to modernize India privacy laws is trade. We have a vibrant ITES, BPO and KPO sector which handles personal information of foreigners mostly from the North American and European continents. The Justice AP Shah committee in October 2012 identified privacy principle that required for India - notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. A privacy bill that does include all these principles will increase the regulatory compliance overhead for Indian enterprise with foreign clients and for multinationals operating in India. There is also the risk that privacy regulators in these jurisdictions will ban outsourcing to Indian firms because our privacy laws are not adequate by their standards.

To conclude, it is not sufficient for India to enact a privacy law it is essential that we get it right so that there are no unintended consequences on other equally important rights and dimensions of our democracy.

For more details visit https://cis-india.org/internet-governance/blog/deccan-chronicle-september-9-2013-sunil-abraham-privacy-law-must-fit-the-bill

Privacy law mooted to protect people against misuse of info

praskrishna — 2012-10-22T10:25:53Z

A government-appointed expert group today suggested enactment of a law to protect individuals against misuse of information collected through telephone tapping, videography or any other method.

Read the original published in the Business Standard on October 18, 2012.

The group headed by former Delhi High Court Chief Justice A P Shah recommended setting up of a regulatory framework comprising Privacy Commissioners at the Centre and regional levels to deal with privacy issues and mandatory destruction of telephone conversation after a specified period.

As regards the specific issue of phone tapping, it said "interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days".

The group, set up by Minister of State for Planning Ashwani Kumar in September 2011, suggested that the records of the conversation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

The proposed law seeks to protect individuals from misuse of data collected by agencies, whether in private or public sector. It said the data of individuals should be used only for the purpose for which it was collected.

The issues concerning privacy of individuals assume significance in view of the collection of data by multiple agencies, government as well as private, for different purposes. At present, data is being collected under programmes like Aadhar, Know Your Customer (KYC) norms, recordings of telephone conversation, DNA profiling, brain mapping, etc.

The group, Kumar said, "has evaluated what is happening in the other country and what is the constitutional position in India... How imperatives of national security and right to privacy of individual can be harmonised".

Note: The Centre for Internet & Society was part of the expert committee even though it is not explicitly mentioned.

For more details visit https://cis-india.org/news/business-standard-october-18-2012-privacy-law-mooted-to-protect-people-against-misuse-of-info

Privacy law mooted to protect people against misuse of info

praskrishna — 2012-10-22T06:35:42Z

A government-appointed expert group on Thursday suggested enactment of a law to protect individuals against misuse of information collected through telephone tapping, videography or any other method.

Published in Zee News on October 18, 2012.

The group, set up by Minister of State for Planning Ashwani Kumar in September 2011, suggested that the records of the conservation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned here.

For more details visit https://cis-india.org/news/zee-news-october-22-2012-privacy-law-mooted-to-protect-people-against-misuse-of-info

Privacy Law in India: A Muddled Field - I

bhairav — 2014-05-05T06:17:06Z

The absence of a statute expressing the legislative will of a democracy to forge a common understanding of privacy is a matter of concern, says BHAIRAV ACHARYA in the first of a two part series.

The article was published in the Hoot on April 15, 2014.

Privacy evades definition and for this reason sits uneasily with law. The multiplicity of everyday privacy claims and transgressions by ordinary people, and the diversity of situations in which these occur, confuse any attempt to create a common meaning of privacy to inform law. Instead, privacy is negotiated contextually, and the circumstances that permit a privacy claim in one situation might form the basis for its transgression in another.

It is easy to understand privacy when it is claimed in relation to the body; it is beyond argument that every person has a right to privacy in relation to their bodies, especially intimate areas. It is also accepted that homes and private property secure to their owners a high degree of territorial privacy. But what of privacy from intrusive stares, or even from camera surveillance, when in a public place? Or of biometric privacy to protect against surreptitious fingerprint capturing or DNA collection from the things we touch and the places we visit every day? Or the privacy of a conversation in a restaurant from other patrons? Clearly, there are multiple meanings of privacy that are negotiated by individuals all the time.

Law has, where social custom has demanded, clothed some aspects of human activity with an expectation of privacy. In relation to bodily privacy, this is achieved by both ordinary common law without reference to privacy at all, such as the offences of battery and rape; and, by special criminal law that is premised on an expectation of privacy, such as the discredited offences regarding women’s modesty in sections 354 and 509 of the Indian Penal Code, 1860 (IPC), and the new offences of voyeurism and stalking contained in sections 354C and 354D of the IPC.

The law also privileges communications that are made through telephones, letters, and emails by regulating the manner of their interception in special circumstances. Conditional interception provisions with procedural safeguards – which, for several reasons, are flawed and ineffective – exist to protect the privacy of such communications in section 5(2) of the Indian Telegraph Act, 1885, section 26 of the Indian Post Office Act, 1898, and section 69 of the Information Technology Act, 2000.

Territorial privacy, which is afforded by possession of private property, is ordinarily protected by the broad offence of trespass – in India, these are the offences of criminal trespass, house trespass, and lurking house-trespass contained in sections 441 to 443 of the IPC – and house-breaking, which is akin to the offence of breaking and entering in other jurisdictions, in section 445 of the IPC.

Some measure of protection is provided to biometric information, such as fingerprints and DNA, by limiting their lawful collection by the state: sections 53, 53A, and 54 of the Code of Criminal Procedure, 1973 permit collections of biometric information from arrestees in certain circumstances; this is in addition to a colonial-era collection regime created by the Identification of Prisoners Act, 1920. However, nothing expressly prohibits the police or anybody else from non-consensually developing DNA profiles from human material that is routinely left behind by our bodies, for instance, saliva on restaurant cutlery or hair at the barbershop.

Physical surveillance, by which a person is visually monitored to invade locational privacy, is also inadequately regulated. Besides man-on-woman stalking, which was criminalised only one year ago, no effective measures exist to otherwise protect locational privacy. Indian courts regularly employ their injunctive power but have been loath to issue equitable remedies such as restraining orders to secure privacy. Police surveillance, which is usually covert, is an executive function that is practised with wide latitude under every state police statute and government-issued rules and regulations thereunder with little or no oversight. The risk of misuse of these powers is compounded by the increasingly widespread use of surveillance cameras sans regulation.

Other technologies too compromise privacy: GPS-enabled mobile phones offer precise locational information, presumably consensually; cell-tower tracking, almost always non-consensually, is ordered by Indian police without any procedurally built-in safeguards; radio frequency identification to locate vehicles is sought to be made mandatory; and, satellite-based surveillance is available to intelligence agencies, none of which are registered or regulated unlike in other liberal democracies.

No uniform privacy standard in law

None of these laws applies a uniform privacy standard nor are they measured against a commonly understood meaning of privacy. The lack of a statutory definition is not the issue; the lack of a statute that expresses the legislative will of a democracy to forge a common understanding of privacy to inform all kinds of human activity is the concern. Ironically, the impetus to draft a privacy law has come from abroad. Foreign senders of personal information – credit card data, home addresses, phone numbers, and the like – to India’s information technology and outsourcing industry demand institutionalised protection for their privacy.

Pressure from the European Union, which has the world’s strongest information privacy standards and with which India is currently negotiating a free trade agreement, to enact a data protection regime to address privacy has not gone unanswered. The Indian government – specifically, the Department of Personnel and Training, the same department that administers the Right to Information Act, 2005 – is currently drafting a privacy law to govern data protection and surveillance. At stake is the continued growth of India’s information technology and outsourcing sectors that receive significant amounts of European personal data for processing, which drives national exports and gross domestic product.

An inferred right

For its part, the Supreme Court has examined more than a few privacy claims to find, intermittently and unconvincingly, that there is a constitutional right to privacy, but the contours of this right remain vague. In 1962, the Supreme Court rejected the existence of a privacy right in Kharak Singh’s case which dealt with intrusive physical surveillance by the police.

The court was not unanimous; the majority of judges expressly rejected the notion of locational privacy while declaring that privacy was not a constituent of personal liberty, a lone dissenting judge found the opposite to be true and, furthermore, held that surveillance had a chilling effect on freedom. In 1975, in the Gobind case that presented substantially similar facts, the Supreme Court leaned towards, but held short of, recognising a right to privacy. It did find that privacy flowed from personal autonomy, which bears the influence of American jurisprudence, but subjected it to the interests of government; the latter prevailed.

However, in the PUCL case of 1997 that challenged inadequately regulated wiretaps, the Supreme Court declared that phone conversations were protected by a fundamental right to privacy that flowed from Article 21 of the Indian Constitution. To intrude upon this right, the court said, a law was necessary that is just, fair, and reasonable. If this principle were to be extended beyond communications privacy to, say, identity cards, the Aadhar project, which is being implemented without the sanction of an Act of Parliament, would be judicially stopped.

But what does “law” mean? Is it only the law of our Constitution and courts? What of the law that governed Indian societies before European colonisation brought the word ‘privacy’ to our legal system? Classical Hindu law – distinct from colonial and post-independence Hindu law – also recognises and enforces expectations of privacy in different contexts. It recognised the sanctity of the home and family, the autonomy of the community, and prescribed penalties for those who breached these norms. So, too, does Islamic law: all schools of Islamic jurisprudence – ‘fiqh’ – recognise privacy as an enforceable right.

Different words and concepts are used to secure this right, and these words have meanings and connotations of their own. But, the hermeneutics of privacy notwithstanding, this belies the common view that privacy is not an Indian value. Privacy may or may not be a cultural norm, but it has existed in India and South Asia in different forms for millennia.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-bhairav-acharya-april-15-2014-privacy-law-in-india-a-muddled-field-1

Privacy Issues with DRM

Jalaj Pandey — 2016-05-03T02:41:15Z

This post has been written by Jalaj Pandey interning at CIS. It elaborates upon the various privacy issues with the Digital Rights Management. The author talks about the various ways in which content producers use DRM as a tool to infringe the privacy of the end users.

Nehaa Chaudhari provided inputs and also edited the blog post. Click to download the File.

The ubiquity of internet in today's world has made content and information sharing an easy task. A certain media file can be shared and made public with hardly any technical obstacles. Issues like hacking, unauthorized copying and publication, unlicensed usage have become concerns for content producers, who have employed Digital Rights Management (hereafter DRM) measures to address some of them.

Several instances of the online privacy intrusion by the content producers have been recorded. In such a scenario the balancing the rights of the content producers and the end users becomes an important one. It is imperative to find a common ground to safeguard the interests of both the parties involved. In the recent past DRM has been receiving a lot of flak because of the privacy issues contented by the users.

In the most rudimentary form privacy can be explained as any information about an individual which he/she does not want to be made public. It is important to mention that this information is seen from the perspective of an ordinary reasonable person. The UN Declaration of Human Rights, 1948, defines privacy as a fundamental right of every human. The functioning of the DRM is based on restricting the usage or distribution of the content. Since this restriction is only possible after there is a formal identification of the end user, the content producers end up collecting information about the users. For example: a DRM for a music file might work in a manner where it can only be accessed by one computer from which the user accesses and registers for the first time. DRMs initially identify the IP addresses of the system and make the file functioning on only that IP address. In this way the producer ends up collecting information about the end user. Different DRM models take different ways to collect information of their user. While collecting IP addresses in one of them the other way is tracking the user information via download, browsing activities, subscription service, etc. The usage log of the users is generated and becomes a valuable asset to assess and predict the preferences of the users

Two contentions of privacy have been raised on the privacy issues of DRM -

a) What is the accountability of this process and

b) Whether it puts the content producers in a position where they can control the users.

The information collected is under the control of content producers, who mostly store this information in the form database. BEUC (European Consumer Organization) claimed that the DRM systems technologically enable content providers to monitor private consumption of content, create reports of consumption, and profile users.

The information is at the disposal of the content producers. An assessment of DRM applications under Canadian Privacy showed that the firms did not even recognise privacy issues of the customers as a priority. In fact the firms failed to provide the information that was stored in their databases. This gives an idea about the lack of transparency that exists in collecting the information about users. The question whether users are aware of what information is being collected and to what extent they are being tracked online remains unanswered. The CEN/ISSS (European Committee for Standardization/ Information Society Standardisation System) pointed out that DRMs have a large potential to transmit, generate personal information about users. It has also been characterized by unprecedented levels of monitoring by various content producers.

Further the principled level argumentation to this is on lines of collection of information without any authentication from the user herself/himself. It is essential that if any information is collected or saved by the producers it should only be after taking consent of the user. Surveillance and compelled disclosure of information about intellectual consumption threaten rights to personal integrity.

DRMs take away the anonymity of the consumption. Since the producers can practically monitor the content usage of the user, this has led to wide scale of price discrimination. This means that producers would monitor and assess the preferences of the user and subsequently raise the prices of that particular class of products. In the report of FIPR (Foundation of Information Policy and Research) it was found that Microsoft had been trying to implement their DRM systems in their products using a similar approach to gain a monopoly position as in their strategy of browser implementation.

The Sony BMG copy protection rootkit scandal in 2005 brought much criticism to DRM. It was found out that Sony BMG had introduced illegal and harmful copy protection measure in its CDs. The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. Further more than just the DRM part of it the software also made the user's system open to a number of malwares and created vulnerabilities in the system. Sony was eventually made to compensate consumer costs, etc on the same. However the question of whether the database in the hands of companies can be used in arbitrary manner was intensely discussed after this.

It is essential that an effective framework is brought into effect which caters to privacy interests of the users. Privacy is the basic human right and it is the onus of the State to protect and safeguard this right. It is essential that the State does not compromise and support mechanisms which promote the welfare of the content producers over the users. The balance of users and producers becomes all the more important in a developing country like ours. The lack the awareness and the knowledge coupled with increasing usage of internet can lead to the exploitation of many. It is essential that the States see through these problems and collectively find an all encompassing solution to it.

K. G. Coffman and A. M. Odlyzko, Growth of the Internet, AT&T Labs - Research, July 6, 2001, available at, ( www.dtc.umn.edu/~odlyzko//doc/oft.internet.growth.pdf) (hereinafter Growth).

The Daily Source, The Growing Impact of the Internet, April 4, 2016, available at (https://www.dailysource.org/about/impact).

Corryne Mcsherry, Adobe Spyware Reveals (Again) The Price Of DRM: Your Privacy And Security, Electronic Frontier Foundation, October 17, 2014, available at,

(https://www.eff.org/deeplinks/2014/10/adobe-spyware-reveals-again-price-drm-your-privacy-and-security).

Digital Rights Management: A failure in the developed world, a danger to the developing world, Electronic Frontier Foundation, March 23, 2005, available at,

(https://www.eff.org/wp/digital-rights-management-failure-developed-world-danger-developing-world).

R. Subramanya and Byung k. Yi, Digital Rights Management, available at, ( https://www.academia.edu/8054608/Digital_Rights_Management) (hereinafter Digital Rights Management).

Global internet liberty campaign, privacy and human rights, An International Survey of Privacy Laws and Practice, available at, (http://gilc.org/privacy/survey/intro.html).

Ann Cavoukian, Privacy and Digital Rights Management (DRM): An Oxymoron, Information and Privacy Commissioner Ontario, available at, ( https://www.ipc.on.ca/images/Resources/up-1drm.pdf ) (hereinafter Oxymoron)

Varian, H.R. (1985) 'Price discrimination and social welfare', American Economic Review, Vol. 75, available at, (http://www.economics-ejournal.org/economics/journalarticles/2007-1/references/Varian1985).

Privacy and Digital Rights Management,A position paper for the W3C workshop on Digital Rights Management, January 2001, available at, ( www.w3.org/2000/12/drm-ws/pp/hp-poorvi.html).

Growth supra note, 1.

Digital Rights Management supra note, 5.

Thierry Rayna, Privacy or piracy, why choose? Two solutions to the issues of digital rights management and the protection of personal information, Intellectual Property Management, Vol. X, No. Y, available at,

(www.inderscienceonline.com/doi/abs/10.1504/IJIPM.2008.021138).

Oxymoron supra note, 7.

BEUC, Consumentenbond, and CLCV at DRM Working Group 1 (2002), available at, (https://privacy.org.nz/assets/Files/4558510.pdf).

Natali Helberger and Kristo´f Ker´enyi and Bettina Krings, Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations, available at (citeseerx.ist.psu.edu/showciting?cid=733532).

Knud Bohle, Indicare, Research into unfriendly DRM : A Review, December, 2004,available at, (citeseerx.ist.psu.edu/showciting?cid=733532) (hereinafter Indicare).

European Committee for Standardization/Information Society Standardisation System (CEN/ISSS) DRM Report, 2003.

Indicare supra note, 16.

News Release, "Forrester Technographics Finds Online Consumers Fearful of Privacy Violations" (October 27, 1999 available at, (www.forrester.com/ER/Press/Release/0,1769,177,FF.html).

Julia E. Cohen, Georgetown Law Faculty Publications, DRM and Privacy, January 2010, available at,

(https://www.academia.edu/2164013/DRM_and_Privacy).

Moe, W. and Fader, P. (2004) 'Dynamic conversion behavior at e-commerce sites', Management Science, Vol. 50, available at,

(https://www.researchgate.net/publication/227447618_Dynamic_Conversion_Behavior_at_E-Commerce_Sites).

Privacy or piracy supra note, 21.

Sismeiro, C. and Bucklin, R. (2004) 'Modeling purchase behavior at an e-commerce web site: a task completion approach', Journal of Marketing Research, available at, (citeseerx.ist.psu.edu/showciting?cid=906878).

Ross Anderson, Foundation of Information Policy and Research Consultation Response to DRM (2004), available at, (www. fipr.org/APIG_DRM_submission.pdf).

Otto Helweg, Sony, Rootkits and Digital Rights Management Gone Too Far, Oct, Oct. 31, 2014, available at (https://blogs.technet.microsoft.com/markrussinovich/2005/10/31).

Sony BMG Litigation Info, Electronic Frontier Foundation, available at, (https://www.eff.org/cases/sony-bmg-litigation-info).

For more details visit https://cis-india.org/internet-governance/blog/privacy-issues-with-drm

Privacy issues exist even without Aadhaar

Admin — 2017-11-23T16:12:11Z

There is a critical need for a data privacy regulator to penalize unauthorized disclosure of personal information.

The article by Ronald Abraham was published by Livemint on November 15, 2017.

In part I, I argued that while Aadhaar can be a tool to infringe upon our right to privacy, it is merely one such; there exist other tools that can be similarly exploited. This becomes evident when you analyse each privacy issue related to Aadhaar using the National Privacy Principles framework, and compare Aadhaar’s data privacy risks to other national ID systems. We need an independent data privacy regulator, backed by a robust law, to safeguard against the risks.

Here, we explore two such data privacy issues: data disclosure and voluntariness (database linking was analysed in part I).

Data disclosure

According to the National Privacy Principle on data disclosure, “a data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure”.

On paper, the Aadhaar Act appears compliant with this principle as Section 29 prohibits the disclosure of personal information. Exceptions exist for courts to request demographic data, and for joint secretaries and higher ranks to request biometric data; the latter on the grounds of “national security”. However, greater clarity is required on whether individuals will be informed of data disclosures.

In practice, however, data disclosures well beyond these exceptions have taken place. A study by the Centre for Internet and Society found that nearly 130 million Aadhaar numbers had been published online by four government departments. In many cases, these were published along with information on “caste, religion, address, photographs and financial information”. If someone manages to steal these individuals’ fingerprints as well (which is becoming less difficult), one possibility is that Aadhaar-linked bank accounts can be cleaned out using micro-ATMs.

Demographic data disclosure, however, is not limited to Aadhaar. For transparency reasons, state election commission websites disclose the personal information of every person registered to vote online. Agencies scrape these databases and sell them.

Like database linking, the onus of abiding by the principle of data disclosure is on the “data controller”. The four government agencies that disclosed Aadhaar data—not the Unique Identification Authority of India (UIDAI)—are the relevant data controllers in this case. However, UIDAI has not pressed charges against them; under the Aadhaar Act, it is solely authorized to do so. Given UIDAI’s role of working with the government to enable and encourage the use of Aadhaar, it should not also be responsible for regulating them. Additionally, the Election Commission’s data disclosure norms demonstrate that the issue is bigger than Aadhaar.

This, therefore, points to the critical need for a data privacy regulator to investigate and penalize unauthorized disclosure of sensitive personal information. A strong regulator, with a clear law, will also serve as an effective deterrent for negligent disclosure practices.

Voluntariness

The ability to voluntarily opt in and out of data systems, based on informed consent, is central to the National Privacy Principle of “Choice and Consent”. Once an individual opts in, the principle clarifies that they “also have an option to withdraw (their) consent given earlier to the data controller”.

With regard to opting in, UIDAI has maintained that Aadhaar enrolment is voluntary. However, Section 7 of the Aadhaar Act and various orders by government agencies require Aadhaar to access basic services. Though exceptions are allowed, in practice they are implemented inconsistently, making Aadhaar near-mandatory.

To be sure, the choice principle states that data controllers can choose not to provide services if an individual doesn’t consent to provide data, “if such information is necessary for providing the goods or services”. However, we need more explicit guidelines on what features satisfy this condition, something that can be defined in a data privacy law.

With regard to opting out, no such UIDAI provision exists. One argument is that more data increases UIDAI’s capability to establish the uniqueness of new enrollees. However, it is unclear why this is the case because even if millions opt out of Aadhaar, UIDAI’s ability to guarantee the uniqueness of new enrollees compared to existing enrollees doesn’t diminish.

While voluntariness is actively discussed with Aadhaar, the same is not true for other IDs and data initiatives. For example, fingerprints are collected to issue Indian passports, but the use of this is not clear—raising concerns around voluntariness as well as purpose limitation.

Through this analysis, it becomes clear that data privacy issues exist even without Aadhaar. To tackle the risks to privacy, India requires a strong, competent and independent data privacy regulator, backed by a robust law.

With the recent Supreme Court judgement and upcoming hearings, we have a unique opportunity to strengthen our institutional ability to manage future risks. We must seize this opportunity to try and secure a privacy-protected future.

Ronald Abraham is a partner at IDinsight and co-author of ‘State of Aadhaar’ report 2016-17.

Research contributions from Shreya Dubey and Akash Pattanayak.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-23-2017-ronald-abraham-privacy-issues-exist-even-without-aadhaar

Privacy is now a right in India. Here's what that means for the tech industry

Admin — 2017-08-31T14:35:45Z

India's top court has put tech companies on notice.

The blog post by Rishi Iyengar was published by CNN Tech on August 29, 2017.

In ruling that privacy is a fundamental right, the country's Supreme Court singled out tech firms for gathering huge amounts of data: Facebook knows who we are friends with, the justices wrote, while Alibaba studies our shopping habits and Airbnb tracks our travel.

"This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford," the court said last week. "There is an unprecedented need for regulation regarding [how] such information can be stored, processed and used."

Indian internet activists hailed the decision, but warned that the debate about how tech giants collect and use data is only just beginning.

"These companies must brace for [legal action]," said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "Individuals who are unhappy with the treatment of their personal information can now take them to court, because it is an infringement of a fundamental right."

The UN Conference on Trade and Development said that while the United States, European Union, China and other nations have established similar protections, roughly 60 developing countries have no rules that govern how the tech industry should collect and use personal data.

Activists say legal protections are needed to keep tech firms from irresponsibly harvesting data. Internet giants including Facebook and Google have built their business models around aggregating information about their users, and then marketing it to retailers. Some firms sell the data to third parties.

The global battle lines are being drawn: The U.S. government recently asked the Supreme Court to compel Microsoft (MSFT, Tech30) to hand over user data stored overseas, and the U.K. has proposed legislation that would allow users to ask platforms to delete their posts. The EU has taken several tech firms to task over privacy concerns.

Now the debate is heating up in the world's largest democracy. Nikhil Pahwa, an internet activist and founder of tech website MediaNama, said the Indian court's ruling gives campaigners a major tool in the fight to keep data private.

"We've now been given a right which allows us to argue for our rights against practices of different companies," Pahwa said.

The ruling could even cause problems for the Indian government, which is pushing its own controversial biometric ID card program. Nearly 1.2 billion people -- 92% of India's population -- have registered for the Aadhaar scheme, which links their fingerprints and iris scans to a unique 12-digit number.

The program is designed to make welfare payments and medical services much more efficient. But skeptics have bristled at recent orders that seek to make the biometric ID mandatory when opening a bank account or filing taxes.

"I don't want an Aadhaar number," Pahwa said. "I want to have the right to live in my country ... in a manner that I'm not being surveilled and watched."

Activists are also worried about how their data may be used and protected by third parties. Microsoft, for example, announced in July that it had integrated the biometric program with Skype Lite, a low-bandwidth version of the communications app made for the Indian market.

"If ... your fingerprints are your passwords -- and they're passwords that you can't change -- once they're gone they're gone forever," Pahwa said or potential data leaks.

The Indian government, which argued before the Supreme Court that privacy was not a fundamental right, said following the ruling that it was working on a stringent data protection law. Technology minister Ravi Shankar Prasad told local media that the new rules would be in place by December.

The National Association of Software and Services Companies, which represents India's tech industry, welcomed the Supreme Court's verdict.

"This landmark judgment will ensure that protection of citizen's privacy is a cardinal principle in our growing digital economy," NASSCOM president R Chandrashekhar said in a statement. "It will enhance citizens' trust in digital services."

Microsoft (MSFT, Tech30), Google (GOOGL, Tech30), Facebook (FB, Tech30) and Uber, which all operate in India, did not respond to requests for comment. Local tech players including Ola and Flipkart also did not respond. Amazon (AMZN, Tech30), which is investing heavily in the country, said that it complies with local laws and "has a high bar" for data protection and privacy.

Abraham, from the Centre for Internet and Society, said that "regulatory innovation" is needed to rein in large firms without making life difficult for Indian startups.

"We need to prevent the internet giants from dancing around the regulations with large legal teams, and we need to prevent onerous regulations from crushing emerging firms," he said. "If our lawmakers and parliament are innovative, we can leapfrog straight to the age of big data."

For more details visit https://cis-india.org/internet-governance/news/cnn-tech-august-29-2017-rishi-iyengar-privacy-is-now-a-right-in-india

Privacy is not a unidimensional concept

amber — 2017-08-07T08:02:20Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.

This article, written by Amber Sinha was published in the Economic Times on July 23, 2017.

In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

One must wonder why we are debating the contours of the right to privacy, which 40 years of jurisprudence had lulled us into believing we already had. The answer to that can be found in a series of hearings in the Aadhaar case that began in 2012. Justice KS Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court, questioning the validity of the Aadhaar project due its lack of legislative basis (since then the Aadhaar Act was passed in 2016) and its transgressions on our fundamental rights. Over time, a number of other petitions also made their way to the apex court, challenging different aspects of the Aadhaar project. Since then, five different interim orders by the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number. Aadhaar, according to the court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The real spanner in the works in the progress of this case was the stand taken by Mukul Rohatgi, then attorney general of India who, in a hearing before the court in July 2015, stated that there is no constitutionally guaranteed right to privacy. His reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench.

The reference to a larger bench has since delayed the entire matter, even as a number of government schemes have made Aadhaar mandatory. This reading of privacy as a unidimensional concept by the courts is, with due respect, erroneous. Privacy, as a concept, includes within its scope, spatial, familial, informational and decisional aspects. We all have a legitimate expectation of privacy in our private spaces, such as our homes, and in our personal relationships. Similarly, we must be able to exercise some control over how personal data, like our financial information, are disseminated. Most importantly, privacy gives us the space to make autonomous choices and decisions without external interference. All these dimensions of privacy must stand as distinct rights. In MP Sharma, the court rejected a certain aspect of the right of privacy by refusing to acknowledge a right against search and seizure. This, in no way prevented the court, even in the form of a smaller bench, from ruling on any other aspects of privacy, including those that are relevant to the Aadhaar case.

The limited referral to this bench means that the court will have to rule on the status of privacy and its possible limitations in isolation, without even going into the details of the Aadhaar case (based on the nature of protection that this bench accords to privacy, the petitioners and defendants in the Aadhaar case will have to argue afresh on whether the project does impede on this most fundamental right). There are no facts of the case to ground the legal principles in, and defining the contours of a right can be a difficult exercise. The court must be wary of how any limits they put on the right may be used in future. Equally, it is important to articulate that any limitations on the right to privacy due to competing interests such as national security and public interest must be imposed only when necessary and always be proportionate.

It will not be enough for the court to merely state that we have a constitutional right to privacy. They would be well advised to cut through the muddle of existing privacy jurisprudence, and unequivocally establish the various facets of the right. Without that, we may not be able to withstand the modern dangers of surveillance, denial of bodily integrity and self-determination through forcible collection of information. The nine judges, in their collective wisdom, must not only ensure that we have a right to privacy, but also clearly articulate a robust reading of this right capable of withstanding the growing interferences with our autonomy.

For more details visit https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept

Privacy is culture specific, MNCs hit by Aadhaar, says TRAI chief

praskrishna — 2017-06-07T13:57:08Z

A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court.

The article by Pranav Mukul was published in the Indian Express on June 1, 2017.

Questioning the anti-Aadhaar campaigns by non-governmental organisations and civil society groups, Telecom Regulatory Authority of India’s (TRAI) Chairman R S Sharma, who is also the former Director General of Unique Identification Authority of India (UIDAI), said that various multinational companies were being affected by Aadhaar as it was in conflict with their attempts to create their own database of users.

“It’s making a mountain out of a molehill. There are motivated campaigns being launched. Various multinationals are getting affected. There are companies, which are creating their own identities. Someone has called it digital colonisation. The fingerprint scanners on smartphones can be easily used for authenticating Aadhaar but they don’t allow it. A lot of fraudulent or benami transactions can go down because of Aadhaar,” Sharma told The Indian Express. While he refused to elaborate on these multinationals, the remarks are an apparent reference to Silicon Valley giants such as Facebook and Google.

Sharma’s remarks come at a time when civil society groups have flagged serious concerns on issues such as privacy and accountability that arise from the Centre’s increasing use of Aadhaar. A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court.

Recently, a Bengaluru-based NGO — Centre for Internet & Society (CIS) — released a report suggesting 130 million Aadhaar numbers were leaked on government portals. CIS later updated its report to say that there were no “leaks” or “leakages” but a “public disclosure”. The UIDAI served a show-cause notice to CIS, asking it to explain its claims.

The TRAI chairman defended UIDAI’s decision to send the notice to CIS and said that there were no leakages from Aadhaar, or decryption of of biometric data from the UIDAI server. At the same time, Sharma made a case for having a comprehensive data protection law in the country. “There is a need for a larger data protection law. In today’s digitally connected world, data protection law is a must. Data security, its protocols, rules, responsibilities, accountabilities, damage, payments, compensations, all these issues must come in that law,” he said.

“Aadhaar Act, itself, is very self-contained, which takes into account all data protection and privacy issues,” Sharma said, adding that privacy was a cultural concept. “Privacy is a culture specific concept, which they are trying to import here. Except for NGOs, has any individual or poor person complained, or filed a case about privacy?” he asked.

In a recent interview to The Indian Express, Minister of Law & Justice and Electronics & Information Technology Ravi Shankar Prasad had tried to allay fears of any loopholes in the Aadhaar security system and said “this systematic campaign against Aadhaar comes as a surprise for me”. He said that the voter ID information was also in public domain, but “I don’t see any campaign there”.

For more details visit https://cis-india.org/internet-governance/news/indian-express-june-1-2017-pranav-mukul-privacy-is-culture-specific-mncs-hit-by-aadhaar-says-trai-chief

Privacy International's Trip to Asia

praskrishna — 2012-04-25T09:58:12Z

In February 2012, the PI team travelled to India, Bangladesh and Hong Kong to meet with our local partners in the region and speak at four conferences they had organized. We also got the chance to interview our partners in India and Bangladesh on the privacy issues facing them at the moment - this video is the result of those conversations.

PI spent the first half of February in Asia, visiting our regional partners and speaking at events. Our trip began in Delhi, where the Centre for Internet and Society (in collaboration with the Society in Action Group) had organized two consecutive privacy conferences – an invite-only conclave on Friday 3rd February and a free symposium open to the public on Saturday 4th February. The conclave consisted of two panels, the first focusing on the relationship between national security and privacy, the second on privacy and the Internet. We were seriously impressed with the calibre of the speakers CIS and SAG had gathered – the panels included a Supreme Court Advocate, a Member of Parliament and the Former Chief of the Research and Analysis Wing (the Indian equivalent of MI-6 and the CIA) – but Gus and Eric held their own!

The All India Privacy Symposium the next day was partly intended as a public showcase of the amazing research Privacy India, CIS and SAG have conducted over the past two years, including consultations in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai and Mumbai. The event was organized into five panels: Privacy and Transparency, Privacy and E-Governance Initiatives, Privacy and National Security, Privacy and Banking, and Privacy and Health. A few themes recurred throughout the day – perhaps the most prominent being the repeated allegation that the Indian government's technological illiteracy is putting its citizens at risk. One panellist described how an RTI (right to information) request had recently revealed that the government had no idea how many of its own computers had been hacked or how much data had been stolen – even though this information has been in the public domain since the Wikileaks diplomatic cable releases.

On Sunday, our IDRC funder in Delhi very kindly lent us his beautiful house for a PrivAsia strategy meeting. We chatted about how the Indian project had gone thus far, and the sort of activities our partners would like to undertake over the next couple of years. Their main priority at the moment is India's proposed UID (Unique Identification) project, which is riddled with flaws, inconsistencies and logical gaps. The project is also extremely expensive, with estimates ranging from just under $4 billion to $33 billion. Our partners strongly oppose the programme in its current form, and are exploring a number of strategies for fighting it - we'll keep you appraised of their progress...

PI then parted ways – Gus headed to Hong Kong and Eric and I flew to Dhaka to meet up with Simon and Ahmed Swapan of Voices for Interactive Choice and Empowerment (VOICE), our partner in Bangladesh. We spent a day at the VOICE offices, getting extremely jealous of their huge kitchen and the fact that they all sit down to a freshly cooked lunch every day. That evening, Ahmed took us to a book fair, which was much livelier than we were expecting! It was held outside and was packed with people socialising, eating deep-fried crayfish and (occasionally) perusing the books and pamphlets on display. The fair is apparently an annual event and VOICE have had their own stand there for the past few years.

The following day was the National Convention on the Right to Privacy and Data Protection, organized by VOICE and a group of other Bangladeshi NGOs. We were delighted by the turnout - over 80 people showed up to listen and to voice their own opinions - but Ahmed was unsurprised, explaining that privacy was a hot topic in Bangladesh at the moment. Several issues were clearly extremely controversial, and the debate became very heated when it turned to the relationship between privacy and the right to information (recently enshrined in law in the RTI Act 2009). It was amazing to see how passionate people were, and how eager to improve things. The debate was presided over by retired Justice Golam Rabbani, who urged the government to create a national tribunal for the protection of the citizen's right to privacy.

Gus spent a brief 36 hours in Hong Kong but was able to participate in a symposium run by our partners at Hong Kong University's Faculty of Law. The participants at the symposium included the Privacy Commissioner of Hong Kong, academics and industry experts from China, Macau and Taiwan, and guest speakers from Switzerland and Canada. The slides of many of the presentations are available online. Apparently the level of sophistication in the academic research that is now starting to influence the legislative environment in Hong Kong and China is astonishing.

Trips like these are exhausting but invaluable - they allow us to see the PrivAsia work in action rather than hearing about it in emails and phone calls, and to discuss progress and problems face-to-face. Eric and Gus are already looking forward to Pakistan in April...

This blog post by Emma Draper was published on the Privacy International blog

Watch the video about contemporary privacy issues in India and Bangladesh below

For more details visit https://cis-india.org/news/privacy-internationals-trip-to-asia

Centre for Internet and Society

Privacy Matters — Medical Privacy

Medical Privacy in India

Medical Privacy- Legal Aspects

Supreme Court views on Medical Negligence

Confidentiality and privacy in medical Settigs vis-a-vis PLHIV

Privacy in Practice

Best Practices of Medical Privacy in Various Health Settings

Epidemics and Privacy

HIV/ AIDS and Privacy

HIPPA with reference to Applicability to Patient Privacy and Clinical Data Confidentiality in India

Presentations

Privacy Matters — Consumer Privacy

Privacy Matters — Analyzing the Right to "Privacy Bill"

Welcome

Keynote Address

Session I: Privacy and the Legal System

Privacy and the Constitutional Law

Session II: Privacy and Freedom of Expression

Sexual Minorities and Privacy

Session III: Privacy and National Security

Privacy and UID

Conclusion

Privacy Matters — Analyzing the "Right to Privacy Bill"

Agenda

Session I

Session II

Session III

Organizers

Partners

Speakers

Privacy laws: Alternatives to consent

Privacy Law Must Fit the Bill

Privacy law mooted to protect people against misuse of info

Privacy law mooted to protect people against misuse of info

Privacy Law in India: A Muddled Field - I

No uniform privacy standard in law

An inferred right

Privacy Issues with DRM

Privacy issues exist even without Aadhaar

Privacy is now a right in India. Here's what that means for the tech industry

Privacy is not a unidimensional concept

Privacy is culture specific, MNCs hit by Aadhaar, says TRAI chief

Privacy International's Trip to Asia