Centre for Internet and Society

Privacy in Healthcare: Policy Guide

tanvi — 2014-08-31T15:18:12Z

The Health Policy Guide seeks to understand what are the legal regulations governing data flow in the health sector — particularly hospitals, and how are these regulations implemented. Towards this objective, the research reviews data practices in a variety of public and private hospitals and diagnostics labs. The research is based on legislation, case law, publicly available documents, and anonymous interviews.

Click to download the PDF (320 Kb)

Introduction

To this date, there exists no universally acceptable definition of the right to privacy. It is a continuously evolving concept whose nature and extent is largely context driven. There are numerous aspects to the right to privacy, each different from the other in terms of the circumstance in which it is invoked. Bodily privacy however, is to date, the most guarded facet of this vastly expansive right. The privacy over one’s own body including the organs, genetic material and biological functions that make up one’s health is an inherent right that does not; as in the case of other forms of privacy such as communication or transactional privacy, emanate from the State. It is a right that has its foundations in the Natural Law conceptions of The Right to Life, which although regulated by the State can at no point be taken away by it except under extreme circumstances of a superseding Right to Life of a larger number of people.

The deliberation leading to the construction of a universally applicable Right to Privacy has up until now however only been in terms of its interpretation as an extension of the Fundamental Right to Life and Liberty as guaranteed under Article 21 as well as the freedom of expression and movement under Articles 19(1)(a) and (b) of the Constitution of India. While this may be a valid interpretation, it narrows the ambit of the right as one that can only be exercised against the State. The Right to privacy however has much larger implications in spheres that are often removed from the State. There is thus an impending need to create an efficient and durable structure of Law and policy that regulates the protection of privacy in Institutions that may not always be agents of the State.

It is in this regard that the following analysis studies the existing conceptions of privacy in the Healthcare sector. It aims to study the existing mechanisms of privacy protection and their pragmatic application in everyday practices. Further, it determines definitive policy gaps in the existing framework and endeavors to provide effective recommendations to not only redress these shortcomings but also create a system that is efficient in its fulfillment of the larger objective of the actualization of the Right to Privacy at an individual, state and institutional level.

Purpose

The purpose of this research study is to formulate a comprehensive guide that maps the synthesis, structure and implementation of privacy regulations within the healthcare sector in India. It traces the domestic legislation pertaining to various aspects of the healthcare sector and the specific provisions of the law that facilitate the protection of the privacy of individuals who furnish their personal information as well as genetic material to institutions of healthcare, either for the purpose of seeking treatment or to contribute to research studies. It is however imperative that the nature and extent of the information collected be restricted through the establishment of requisite safeguards at an institutional level that percolate down to everyday practices of data collection, handling and storage within healthcare institutions. The study thus aims to collate the existing systems of privacy protection in the form of laws, regulations and guidelines and compare these with actual practices in government and private hospitals and diagnostic laboratories to determine whether these laws are in fact effective in meeting the required standards of privacy protection. Further, the study also broadly looks at International practices of privacy protection and offers recommendations to better the existing mechanisms of delimiting unnecessary intrusions on the privacy of patients.

Importance

The Indian Healthcare sector although at par with international standards in its methods of diagnosis, treatment and the use of contemporary technology, is still nascent in the nature and extent of its interaction with the Law. There are a number of aspects of healthcare that lie on the somewhat blurred line between the interest of the public and the sole right of the individual seeking treatment. One such aspect is the slowly evolving right to privacy. The numerous facets of this right have come to the fore largely through unique case laws that are reflective of a dynamic social structure, one that seeks to reconcile the socio economic rights that once governed society with individual interests that it has slowly come to realize. The right of an individual to disclose the nature of his disease, the liberty of a woman not to be compelled to undergo a blood test, the bodily autonomy to decide to bear children or not, the decisional privacy with regards to the termination of a pregnancy and the custodial rights of two individuals to their child are certain contentious aspects of healthcare that have constructed the porous interface between the right to privacy and the need for medical treatment. It is in this context that this study aims to delve into the existing basic structure of domestic legislation, case laws and regulations and their subsequent application in order to determine important gaps in the formulation of Law and Policy. The study thus aims to draw relevant conclusions to fill these gaps through recommendations sourced from international best practice in order to construct a broad framework upon which one can base future policy considerations and amendments to the existing law.

Methodology

This research study was undertaken in two major parts. The first part assesses domestic legislation and its efficacy in the current context. This is done through the determination of relevant provisions within the Act that are in consonance with the broader privacy principles as highlighted in the A.P Shah Committee report on Privacy Protection[1]. This part of the research paper is based on secondary sources, both in terms of books as well as online resources. The second part of the paper analyses the actual practices with regard to the assimilation, organization, use and storage of personal data as practiced in Government and Private hospitals and Diagnostic laboratories. Three Private hospitals, a prominent Government hospital and a Diagnostic laboratory were taken into consideration for this study. The information was provided by the concerned personnel at the medical records department of these institutions of healthcare through a survey conducted on the condition of anonymity. The information provided was analyzed and collated in accordance with the compliance of the practices of these institutions with the Principles of privacy envisioned in the Report of the Group of Experts on Privacy.

The Embodiment of Privacy Regulation within Domestic Legislation

This section of the study analyses the viability of an approach that takes into account the efficacy of domestic legislation in regulating practices pertaining to the privacy of individuals in the healthcare sector. This approach perceives the letter and spirit of the law as the foundational structure upon which internal practices, self regulation and the effective implementation of policy considerations that aim to create an atmosphere of effective privacy regulation take shape, within institutions that offer healthcare services. To this effect, domestic legislationthat provides for the protection of a patient’s privacy has been examined. The law has been further studied with respect to its tendency to percolate into the everyday practices, regulations and guidelines that private and government hospitals adhere to. The extent of its permeation into actual practice; in light of its efficacy in fulfilling the perambulatory objectives of ensuring safe and unobtrusive practices,within the construct of which a patient is allowed to recover and seek treatment, has also been examined.

The term ‘Privacy’ is used in a multitude of domestic legislations primarily in the context of the foundation of the fiduciary relationship between a doctor and a patient.This fiduciary relationship emanates from a reasonable expectation of mutual trust between the doctor and his patients and is established through the Indian Medical Council Act of 1952, specifically section 20(A) of the Act which lays down the code of ethics which a doctor must adhere to at all times. Privacy within the healthcare sector includes a number of aspects including but not limited to informational privacy (e.g., confidentiality, anonymity, secrecy and data security); physical privacy (e.g., modesty and bodily integrity); associational privacy (e.g. intimate sharing of death, illness and recovery); proprietary privacy (e.g., self-ownership and control over personal identifiers, genetic data, and body tissues); and decisional privacy (e.g., autonomy and choice in medical decision-making).

Privacy Violations stem from policy and information gaps: Violations in the healthcare sector that stem from policy formulation as well and implementation gaps[2] include the disclosure of personal health information to third parties without consent, inadequate notification to a patient of a data breach, unlimited or unnecessary collection of personal health data, collection of personal health data that is not accurate or relevant, the purpose of collecting data is not specified, refusal to provide medical records upon request by client, provision of personal health data to public health, research, and commercial uses without de-identification of data and improper security standards, storage and disposal. The disclosure of personal health information has the potential to be embarrassing, stigmatizing or discriminatory.[3] Furthermore, various goods such as employment, life, and medical insurance, could be placed at risk [4]if the flow of medical information were not restricted. ^{^[5]}

Disclosure of personal health information is permitted and does not amount to a violation of privacy in the following situations: 1) during referral, 2) when demanded by the court or by the police on a written requisition, 3) when demanded by insurance companies as provided by the Insurance Act when the patient has relinquished his rights on taking the insurance, and 4) when required for specific provisions of workmen's compensation cases, consumer protection cases, or for income tax authorities,^{^[6]} 5) disease registration, 6) communicable disease investigations, 7) vaccination studies, or 8) drug adverse event reporting. ^{^[7]}

The following domestic legislations have been studied and relevant provisions of the Act have been accentuated in order to analyse their compliance with the basic principles of privacy as laid out in the A.P Shah Committee report on Privacy.

Mental Health Act, 1987[8]
The Provisions under the Act pertaining to the protection of privacy of the patient have been examined. The principles embodied within the Act include aspects of the Law that determine the nature and extent of oversight exercised by the relevant authorities over the collection of information, the limitation on the collection of data and the restrictions on the disclosure of the data collected. The principle of oversight is embodied under the legislation within the provisions that allow for the inspection of records in psychiatric hospitals and nursing homes only by officers authorized by the State Government.^{^[9]} The limitation on the Collection of information is imposed by the Inspection of living conditionsby a psychiatrist and two social workers are on a monthly basis. This would include analyzing the living condition of every patient and the administrative processes of the psychiatric hospital and/or psychiatric nursing home. ^{^[10]}Additionally, Visitors must maintain a book regarding their observations and remarks.^{^[11]} Medical certificates may be issued by a doctor, containing information regarding the nature and degree of the mental disorder as reasons for the detention of a person in a psychiatric hospital or psychiatric nursing home. ^{^[12]}Lastly, the disclosure of personal records of any facility under this Act by inspecting officers is prohibited^{^[13]}

Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994 ^{^[14]}
The Act was instituted in light of a prevalent public interest consideration of preventing female foeticide. However, it is imperative that the provision of the Act remain just shy of unnecessarily intrusive techniques and do not violate the basic human requirement of privacy in an inherently personal sphere. The procedure that a mother has to follow in order to avail of pre-natal diagnostic testing is mandatory consent of age, abortion history and family history. These conditions require a woman to reveal sensitive information concerning family history of mental retardation or physical deformities.[15] Aspecial concern for privacy and confidentiality should be exercised with regards to disclosure of genetic information. [16]

Medical Termination of Pregnancy Act, 1971 ^{^[17]}
Although, the right to an abortion is afforded to a woman within the construct of her inherent right to bodily privacy, decisional privacy (for e.g., autonomy and choice in medical decision-making) is not afforded to patients and their families with regards to determining the sex of the baby. The sections of the Act that have been examined lay down the provisions available within the Act to facilitate the protection of a woman’s right to privacy during the possible termination of a pregnancy. These include the principles pertaining to the choice and consent of the patient to undergo the procedure, a limit on the amount of information that can be collected from the patient, the prevention of disclosure of sensitive information and the security measures in place to prevent the unauthorized access to this information. The Medical Termination of Pregnancy Regulations, 2003 supplement the Act and provide relevant restrictions within every day practices of data collection use and storage in order to protect the privacy of patients. The Act mandates Written Consent of the patient in order to facilitate an abortion .Consent implies that the patient is aware of all her options, has been counselled about the procedure, the risks and post-abortion care.[18]. The Act prohibits the disclosure of matters relating to treatment for termination of pregnancy to anyone other than the Chief Medical Officer of the State. [19]The Register of women who have terminated their pregnancy, as maintained by the hospital, must be destroyed on the expiry of a period of five years from the date of the last entry.[20] The Act also emphasizes upon the security of information collected. The medical practitioner assigns a serial number for the woman terminating her pregnancy.[21]Additionally, the admission register is stored in safe custody of the head of the hospital. [22]

Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (Code of Ethics Regulations, 2002)
The Medical Council of India (MCI) Code of Ethics Regulations^{^[23]} sets the professional standards for medical practice. These provisions regulate the nature and extent of doctor patient confidentiality. It also establishes universally recognized norms pertaining to consent to a particular medical procedure and sets the institutionally acceptable limit for intrusive procedure or gathering excessively personal information when it is not mandatorily required for the said procedure. The provisions addressed under these regulations pertain to the Security of the information collected by medical practitioners and the nature of doctor patient confidentiality.

Physicians are obliged to protect the confidentiality of patients⁵during all stages of the procedure and with regard to all aspects of the information provided by the patient to the doctor, includinginformation relating to their personal and domestic lives. ^{^[24]}The only exception to this mandate of confidentiality is if the law requires the revelation of certain information, or if there is a serious and identifiable risk to a specific person and / or community ofa notifiable disease.

Ethical Guidelines for Biomedical Research on Human Subjects [25]
The provisions for the regulation of privacy pertaining to biomedical research include aspects of consent as well as a limitation on the information that may be collected and its subsequent use. The provisions of this act aim to regulate the protection of privacy during clinical trials and during other methods of research. The principal of informed consent is an integral part of this set of guidelines. ThePrivacy related information included in the participant/ patient information sheet includes: the choice to prevent the use of their biological sample, the extent to which confidentiality of records could be maintained and the consequences of breach of confidentiality, possible current and future uses of the biological material and of the data to be generated from the research and if the material is likely to be used for secondary purposes or would be shared with others, the risk of discovery of biologically sensitive information and publications, including photographs and pedigree charts.[26] The Guidelines require special concern for privacy and confidentiality when conducting genetic family studies. [27]The protection of privacy and maintenance of confidentiality, specifically surrounding the identity and records, is maintained whenusing the information or genetic material provided by participants for research purposes. ^{^[28]}The Guidelines require investigators to maintain confidentiality of epidemiological data due to the particular concern that some population based data may also have implications on issues like national security or public safety.[29]All documentation and communication of the Institutional Ethics Committee (IEC) must be dated, filed and preserved according to the written procedures.Data of individual participants can be disclosed in a court of law under the orders of the presiding judge, if there is a threat to a person’s life, communication to the drug registration authority regarding cases of severe adverse reaction and communication to the health authority if there is risk to public health.[30]

Insurance Regulatory and Development Authority (Third Party Administrators) Health Services Regulations, 2001
The provisions of the Act that have been addressed within the scope of the study regulate the practices of third party administrators within the healthcare sector so as to ensure their compliance with the basic principles of privacy.An exception to the maintenance and confidentiality of information confidentiality clause in the code of conduct, requires TPAs to provide relevant information to any Court of Law/Tribunal, the Government, or the Authority in the case of any investigation carried out or proposed to be carried out by the Authority against the insurance company, TPA or any other person or for any other reason.[31]In July 2010, the IRDA notified theInsurance Regulatory and Development Authority (Sharing of Database for Distribution of Insurance Products) Regulations [32]. These regulations restrict referral companies from providing details of their customers without their prior consent.[33]TPAs must maintain the confidentiality of the data collected by it in the course of its agreement and maintain proper records of all transactions carried out by it on behalf of an insurance company and are also required to refrain from trading information and the records of its business[34].TPA’s must keep records for a period of not less than three years.[35]

IDRA Guidelines on Outsourcing of Activities by Insurance Companies [36]
These guidelines require the insurer to take appropriate steps that require third party service providers protect confidential information of both the Insurer and its clients from intentional or inadvertent disclosure to unauthorized persons.[37]

Exceptions to the Protection of Privacy
The legal provisions with regard to privacy, confidentiality and secrecy are often superseded by Public Interest Considerations. The right to privacy, although recognized in the course of Indian jurisprudence and embodied within domestic legislation is often overruled prima facie when faced with situations or instances that involve a larger interest of a greater number of people. This policy is in keeping with India’s policy goals as a social welfare state to aid in the effectuation of its utilitarian ideals. This does not allow individual interest to at any point surpass the interest of the masses.

Epidemic Diseases Act, 1897 [38]
Implicit within this formulation of this Act is the assumption that in the case of infectious diseases, the right to privacy, of infected individuals must give way to the overriding interest of protecting public health.[39] This can be ascertained not only from the black letter of the Law but also from its spirit. Thus, in the absolute positivist as well as a more liberal interpretation, at the crux of the legislation lies the undeniable fundamental covenant of the preservation of public health, even at the cost of the privacy of a select few individuals [40].

Policy and Regulations

National Policy for Persons with Disabilities, 2006[41]
The following provisions of the Act provide for the incorporation of privacy considerations in prevalent practices with regard to persons with disabilities. The National Sample Survey Organization collects the following information on persons with disabilities: the socio- economic and cultural context, cause of disabilities, early childhood education methodologies and all matters connected with disabilities, at least once in five years.[42]This data is collected by non-medical investigators. [43]There is thus an inherent limit on the information collected. Additionally, this information is used only for the purpose for which it has been collected.

The Special Employment Exchange, as established under The Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995 Act, collects and furnishes information in registers, regarding provisions for employment. Access to such data is limited to any person who is authorized by the Special Employment Exchange as well as persons authorized by general or special order by the Government, to access, inspect, question and copy any relevant record, document or information in the possession of any establishment. [44] When conducting research on persons with disabilities consent is required from the individual or their family members or caregivers.[45]

HIV Interventions
In 1992, the Government of India instituted the National AIDS Control Organization (NACO) for the prevention and control of AIDS. NACO aims to control the spread of HIV in India through the implementation of Targeted Interventions (TIs) for most at risk populations (MARPs) primarily, sex workers, men having sex with men and people who inject drugs.[46]The Targeted Interventions (TIs) system of testing under this organization has however raised numerous concerns about relevant policy gaps in the maintenance of the confidentiality and privacy of persons living with HIV/ AIDS. The shortcomings in the existing policy framework include: The Lack of a limitation and subsequent confidentiality in the amount of Information collected. Project staff inTIsrecordthe name, address and other contact information of MARPs and share this data with Technical Support Unit and State AIDS Control Societies.[47] Proof of address and identity documents are required to get enrolled in government ART programs.[48]Peer-educators operate under a system known as line-listing, used to make referrals and conduct follow-ups. Peer-educators have to follow-up with those who have not gone at regular intervals for testing. [49] This practice can result in peer-educators noticing and concluding that the names missing are those who have tested positive. [50] Although voluntary in nature, the policy encourage the fulfillment of fulfilling of numerical targets, and in doing so supports unethical ways of testing.[51]

The right to privacy is an essential requirement for persons living with HIV/AIDS due to the potential stigmatizing and discriminatory impact of the revelation of this sensitive information, in any form.[52] The lack of privacy rights often fuels the spread of the disease and exacerbates its impact on high risk communities of individuals. Fears emanating from a privacy breach or a disclosure of data often deter people from getting tested and seeking medical care. The impact of such disclosure of sensitive information including the revelation of tests results to individuals other than the person being tested include low self esteem, fear of loss of support from family/peers, loss of earnings especially for female and transgender sex workers, fear of incrimination for illicit sex/drug use and the insensitivity of counselors. [53]HIV positive individualslive in constant fear of their positive status being leaked. They also shy away from treatment as they fear people might see them taking their medicines and thereby guess their status. Thus breaches in confidentiality and policy gaps in privacy regulation, especially with respect to diseases such as HIV also prevents people from seeking out treatment. [54]

Case Law

The following cases have been used to deliberate upon important points of contention within the ambit of the implementation and impact of Privacy Regulationsin the healthcare sector. This includes the nature and extent of privacy enjoyed by the patient and instances where in the privacy of the patient can be compromised in light of public interest considerations.

Mr. Surupsingh Hrya Naik vs. State of Maharashtra ,[55] (2007)

The decision in this case held that The RTI Act 2005 would supersede The Medical Council Code of Ethics. The health records of an individual in judicial custody should be made available under the Act and can only be denied in exceptional cases, for valid reasons.

Since the Code of Ethics Regulations are only delegated legislation, it was held in the case of Mr. SurupsinghHrya Naik v.State Of Maharashtra[56] that these would not prevail over the Right to Information Act, 2005 (RTI Act) unless the information sought falls under the exceptions contained in Section 8 of the RTI Act. This case dealt with the important point of contention of whether making the health records public under the RTI Act would constitute a violation of the right to privacy. These health records were required to determine why the convict in question was allowed to stay in a hospital as opposed to prison. In this context the Bombay High Court held thatThe Right to Information Act supersedes the regulation that mandate the confidentiality od a person, or in this case a convict’s medical records. It was held that the medical records of a a person sentenced or convicted or remanded to police or judicial custody, if during that period such person is admitted in hospital and nursing home, should be made available to the person asking the information provided such hospital nursing home is maintained by the State or Public Authority or any other Public Body. It is only in rare and in exceptional cases and for good and valid reasons recorded in writing can the information may be denied.

Radiological & Imaging Association v. Union of India ,^{^[57]} (2011)
On 14 January 2011 a circular was issued by the Collector and District Magistrate, Kolhapur requiring the Radiologists and Sonologists to submit an on-line form “F” under the PNDT Rules. This was challenged by the Radiological and Imaging Association, inter alia, on the ground that it violates the privacy of their patients. Deciding the above issue the Bombay High Court held that .The images stored in the silent observer are not transmitted on-line to any server and thus remain embedded in the ultra-sound machine. Further, the silent observer is to be opened only on request of the Collector/ the civil surgeonin the presence of the concerned radiologist/sonologist/doctor incharge of the Ultra-sound Clinic. In light of these considerations and the fact that the `F' form submitted on-line is submitted only to the Collector and District Magistrate is no violation of the doctor's duty of confidentiality or the patient's right to privacy. It was further observed that The contours of the right to privacy must be circumscribed by the compelling public interest flowing through each and every provision of the PC&PNDT Act, when read in the background of the following figures of declining sex ratio in the last five decades.

The use of a Silent Observer system on a sonograph has requisite safeguards and doesn’t violate privacy rights. The declining sex ratio of the country was considered a compelling public Interest that could supersede the right to privacy.

Smt. Selvi and Ors. v.State of Karnataka (2010)
The Supreme Court held that involuntary subjection of a person to narco analysis, polygraph test and brain-mapping violates the ‘right against self-incrimination' which finds its place in Article 20(3)[58] of the Constitution. [59] The court also found that narco analysis violated individuals’ right to privacy by intruding into a “subject’s mental privacy,” denying an opportunity to choose whether to speak or remain silent, and physically restraining a subject to the location of the tests and amounted to cruel, inhuman or degrading treatment.[60]

The Supreme Court found that Narco-analysis violated an individuals’ right to privacy by intruding into a “subject’s mental privacy,” denying an opportunity to choose whether to speak or remain silent.

Neera Mathur v. Life Insurance Corporation (LIC),[61] (1991)
In this casethe plaintiff contested a wrongful termination after she availed of maternity leave. LIC required women applicants to furnish personal details like their menstrual cycles, conceptions, pregnancies, etc. at the time of appointment. Such a requirement was held to go against the modesty and self respect of women. The Court held that termination was only because of disclosures in application, which was held to be intrusive, embarrassing and humiliating. LIC was directed to delete such questions.

The Court did not refer to the term privacy however it used the term personal details as well as modesty and self respect, but did not specifically link them to the right to life or any other fundamental right. These terms (modesty and self respect) are usually not connected to privacy but although they may be the harm which comes from an intrusion of one’s privacy.

The Supreme Court held that Questions related to an individual’s reproductive issues are personal details and should not be asked in the service application forms.

Ms. X vs. Mr. Z &Anr ,[62] (2001)
In this case, the Delhi High Court held that an aborted foetus was not a part of the body of a woman and allowed the DNA test of the aborted foetus at the instance of the husband. The application for a DNA test of the foetus was contested by the wife on the ground of “Right to Privacy”.7In this regard the court held that The Supreme Court had previously decided that a party may be directed to provide blood as a DNA sample but cannot be compelled to do so. The Court may only draw an adverse interference against such party who refuses to follow the direction of the Court in this respect.The position of the court in this case was that the claim that the preservation of a foetus in the laboratory of the All India Institute of Medical Science, violates the petitioner’s right to privacy, cannot be entertained as the foetus had been voluntarily discharges from her body previously, with her consent. The foetus, that she herself has dischargedis claimed to be subjected to DNA test. Thus, in light of the particular facts and the context of the case, it was held that petitioner does not have any right of privacy.

A woman’s right to privacy does not extend to a foetus, which is no longer a part of her body. The right to privacy may arise from a contract as well as a specific relationship, including a marital relationship. The principle in this case has been laid down in broad enough terms that it may be applied to other body parts which have been disassociated from the body of the individual.

It is important to note here that the fact that the Court is relying upon the principles laid down in the case of R. Rajagopal seems to suggest that the Court is treating organic tissue preserved in a public hospital in the same manner as it would treat a public document, insofar as the exception to the right to privacy is concerned.

B.K Parthasarthi vs. Government of Andhra Pradesh ,[63] (1999)
In this case, the Andhra Pradesh High Court was to decide the validity of a provision in the Andhra Pradesh Panchayat Raj Act, 1994 which stipulated that any person having more than two children should be disqualified from contesting elections. This clause was challenged on a number of grounds including the ground that it violated the right to privacy. The Court, in deciding upon the right to privacy and the right to reproductive autonomy, held thatThe impugned provision, i.eSection 19(3) of the said Act does not compel directly anyone to stop procreation, but only disqualifies any person who is otherwise eligible to seek election to various public offices coming within the ambit of the Andhra Pradesh Panchayat Raj Act, 1994 or declares such persons who have already been holding such offices to be disqualified from continuing in such offices if they procreate more than two children.Therefore, the submission made on behalf of the petitioners 'right to privacy' is infringed, is untenable and must be rejected.”

Mr. X v. Hospital Z, Supreme Court of India ,[64] (1998 and 2002)
The petitioner was engaged to be married and thereafter during tests for some other illness in the hospital it was found that the petitioner was HIV positive. This information was released by the doctor to the petitioner’s family and through them to the family of the girl to whom the petitioner was engaged, all without the consent of the petitioner. The Court held that:

“The Right to privacy is not treated as absolute and is subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedoms of others.”

Right to privacy and is subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedoms of others.

This decision of this case could be interpreted to extend the principle, of disclosure to the person at risk, to other communicable and life threatening diseases as well. However, a positivist interpretation would render these principle applicable to only to HIV+ cases.

M. Vijaya v. Chairman and Managing Director, Singareni Collieries Co. Ltd. [65] (2001)
The petitioner alleged that she had contracted the HIV virus due to the negligence of the authorities of Maternity and Family Welfare Hospital, Godavarikhani, a hospital under the control of Singareni Collieries Company Ltd., (SCCL), in conducting relevant precautionary blood tests before transfusion of blood of her brother (donor) into her body when she was operated for hysterectomy (Chronic Cervicitis) at the hospital. The petition was initially filed as a Public Interest Litigation,which the court duly expanded in order to address the problem of the lack of adequate precautionary measures in hospitals, thereby also dealing with issues of medical confidentiality and privacy of HIV patients. The court thus deliberated upon the conflict between the right to privacy of an HIV infected person and the duty of the state to prevent further transmission and held:

In the interests of the general public, it is necessary for the State to identify HIV positive cases and any action taken in that regard cannot be termed as unconstitutional. As under Article 47 of the Constitution, the State was under an obligation to take all steps for the improvement of the public health. A law designed to achieve this object, if fair and reasonable, in our opinion, will not be in breach of Article 21 of the Constitution of India

The right of reproductive autonomy is a component of the right to privacy .A provision disqualifying a person from standing for elections due to the number of children had, does not violate the right to privacy as the object of the legislation is not to violate the autonomy of an individual but to mitigate the population growth in the country. Measures to control population growth shall be considered legal unless they impermissibly violate a fundamental right.

However, another aspect of the matter is whether compelling a person to take HIV test amounts to denying the right to privacy? The Court analyzed the existing domestic legislation to arrive at the conclusion that there is no general law that can compel a person to undergo an HIV-AIDS test. However, specific provisions under the Prison Laws[66]

provide that as soon as a prisoner is admitted to prison, he is required to be examined medically and the record of prisoner's health is to be maintained in a register. Further, Under the ITP Act, the sex workers can also be compelled to undergo HIV/ AIDS test.[67]

Additionally, under Sections 269 and 270 of the Indian Penal Code, 1860, a person can be punished for negligent act of spreading infectious diseases.

The right to privacy of a person suspected to be HIV+ would be subordinate to the power and duty of the state to identify HIV+ patients in order to protect public interest and improve public health. However any law designed to achieve this object must be fair and reasonable. In a conflict between the individual’s privacy right and the public’s right in dealing with the cases of HIV-AIDS, the Roman Law principle 'SalusPopuliestSuprema' (regard for the public wealth is the highest law) applies when there is a necessity.

After mapping legislation that permit the invasion of bodily privacy, the Court concluded that they are not comprehensive enough to enable the State to collect information regarding patients of HIV/AIDS and devise appropriate strategies and therefore the State should draft a new legislation in this regard. Further the Court gave certain directions to the state regarding how to handle the epidemic of HIV/AIDS and one of those directions was that the “Identity of patients who come for treatment of HIV+/AIDS should not be disclosed so that other patients will also come forward for taking treatment.”

Sharda v. Dharmpal ,[68] (2003)

The basic question in this case was whether a party to a divorce proceeding can be compelled to a medical examination. The wife in the divorce proceeding refused to submit herself to medical examination to determine whether she was of unsound mind on the ground that such an act would violate her right to personal liberty. Discussing the balance between protecting the right to privacy and other principles that may be involved in matrimonial cases such as the ‘best interest of the child’ in case child custody is also in issue, the Court held:

If the best interest of a child is in issue in the case then the patient’s right to privacy and confidentiality would get limited. The right to privacy of an individual would be subordinate to the power of a court to arrive at a conclusion in a matrimonial dispute and the right of a party to protect his/her rights in a Court of law would trump the right to privacy of the other.

"Privacy" is defined as "the state of being free from intrusion or disturbance in one's private life or affairs". However, the right to privacy in India, is only conferred through an extensive interpretation of Article 21 and cannot therefore in any circumstance be considered an absolute right. Mental health treatment involves disclosure of one's most private feelings However, like any other privilege the psychotherapist-patient privilege is not absolute and may only be recognized if the benefit to society outweighs the costs of keeping the information private. Thus if a child's best interest is jeopardized by maintaining confidentiality the privilege may be limited.” Thus, the power of a court to direct medical examination of a party to a matrimonial litigation in a case of this nature cannot beheld to violate the petitioner’s right to privacy.

Regulation of Privacy in Government and Private Hospitals and Diagnostic Laborataries

A. Field Study
The Hospitals that have been chosen for the analysis of the efficacy of these legislations include prominent Government Hospitals, Private Hospitals and Diagnostic Centers. These Institutes were chosen because of their widely accredited status as centers of medical research and cutting edge treatment. They have also had a long standing reputation due to their staff of experienced and skilled on call doctors and surgeons. The Private Hospitals chosen had patient welfare centers that addressed the concerns of patients including questions and doubts relating to but not limited to confidentiality and consent. The Government hospitals had a public relations office that addressed the concerns of discharged patients. They also provided counseling services to patients to aid them in addressing concerns relate to the treatment that they might want to be kept confidential. Diagnostic laboratories also have an HR department that addresses similar concerns. The laboratory also has a patient welfare manager who addresses the concerns and queries of the patient prior to and during the procedure.

The following section describes the practices promulgated by Government and Private Hospitals, as well as Diagnostic Laboratories in their endeavor to comply with the basic principles of privacy as laid down in the A.P Shah Committee report on Privacy.

(i) Notice

Through an analysis of the information provided by Government and Private hospitals and diagnostic laboratories, relevant conclusions were drawn with regard to the nature, process and method in which the patient information is recorded. Through interviews of various medical personnel including administrative staff in the patient welfare and medical records departments we observed an environment of openness and accountability within the structure of the patient registration system.

In Government Hospitals, the patient is notified of all types of information that is collected, in terms of both personal information as well as medical history. The Patient admission as well as the patient consent form is filled out by the patient or the attending relative accompanying the patient and assistance for the same is provided by the attending staff members, who explain the required details that need to be filled in a language that the patient is able to understand. The patient is notified of the purpose for which such information is collected and the procedure that he/ she might have to undergo depending on his injury or illness. The patient is not however, notified of the method in which he/she may correct or withdraw the information that is provided. There is no protocol provided for the correction or withdrawal of information, once provided. The patient is, at all times notified of the extent and nature of doctor patient confidentiality including the fact that his/her personal information would not be shared even with his/her immediate relatives , insurance companies, consulting doctors who are not directly involved with his/her treatment or any unauthorized third party without requisite consent from the patient. The patient is informed of the fact that in some cases the medical records of the patient will have to be shared with consulting doctors and that all the patient’s medical records would be provided to insurance companies, but this will only be done with the consent of the patient.

The same system of transparency and accountability transcends across private hospitals and diagnostic laboratories as well. In private hospitals, the patient is informed of all the information that is collected and the purpose for which such information may be collected. Diagnostic laboratories have specific patient consent forms for specific types of procedures which the patient will have to fill out depending on the required tests. These forms contain provisions with regard to the confidential nature of all the information provided. This information can only be accessed by the patient and the consulting doctor with the consent of the patient. Both private hospitals and diagnostic laboratories have a specific protocol and procedure in place to correct or withdraw information that has been provided. In order to do so the patient would have to contact the medical records department with requisite proof of the correct information. Private hospitals inform patients of the nature and extent of doctor patient confidentiality at every stage of the registration process. Some private hospitals contain patient safety brochures which inform patients about the nature and extent of consent and confidentiality, even with regard to consulting doctors and insurance agencies. If the patient does not want certain information revealed to insurance agencies the hospital will retain such records and refraining from providing them to third party insurance agencies. Thus, all information provided by the patient remains confidential at the behest of the patient.

(ii) Choice and Consent

Choice and consent are two integral aspects of the regulation of privacy within the healthcare sector. Government and Private hospitals as well as diagnostic laboratories have specific protocols in place to ensure that the consent of the patient is taken at every stage of the procedure. The consent of the patient can also be withdrawn just prior to the procedure even if this consent has already been given by the patient in writing, previously. The choice of the patient is also given ample importance at all stages of the procedure. The patient can refuse to provide any information that may not mandatorily required for the treatment provided basic information regarding his identity and contact information in case of emergency correspondence has been given.

(iii) Collection Limitation

The information collected from the patient in both government and private hospitals is used solely for the purpose that the patient has been informed of. In case this information is used for purposes other than for the purpose that the patient has been informed of, the patient is informed of this new purpose as well. Patient records in both Government and Private hospitals are stored in the Medical Records Department as hard copies and in some cases as scanned soft copies of the hard copy as well. These Medical Records are all stored within the facility. The duration for which the records are stored range from a minimum of two years to a maximum of ten years in most private hospitals. Some private hospitals store these records for life. Government hospitals store these records for a term of thirty years only as hard copies after which the records are discarded. Private hospitals make medical records accessible to any medical personnel who may ask for it provided the requisite proof of identity and reasons for accessing the same are provided, along with an attested letter of authorization of the doctor who is currently involved or had been involved in the treatment of the patient. Government hospitals however do not let any medical personnel access these records except for the doctor involved in the treatment of that particular patient. Both private and government hospitals are required to share the medical records of the patient with the insurance companies. Government Hospitals only share patient records with nationalized insurance agencies such as The Life Insurance Corporation of India (LIC) but not with private insurance agencies. The insurance claims forms that are required prior to providing medical records to the insurance companies mandatorily require the signature of the patient. The patient is thus informed that his records will be shared with the insurance agencies and his signature is a proof of his implied consent to the sharing of these records with the company with which he has filed a health insurance claim.

Diagnostic laboratories collect patient information solely for the purpose of the particular test that they have been asked to conduct by the treating or consulting doctor. Genetic samples (Blood, Semen, Urine etc) are collected at one time and the various tests required are conducted on these samples. In case of any additional testing that is required to be conducted on these samples, the patient is informed. Additional testing is conducted only in critical cases and in cases where the referral doctor requests for the same to be conducted on the collected samples. In critical cases, where immediate testing is required and the patient is unreachable, the testing is conducted without informing the patient. The patient is mandatorily informed after the test that such additional testing was conducted. The patient sample is stored for one week within the same facility. The Patient records are digitized. They can only be accessed by the patient, who is provided with a particular username and password using which he can access only his records. The information is stored for a minimum of two years. This information can be made available to a medical personnel only if such medical personnel has the required lab no, the patients name, and reason for which it needs to be accessed. He thus requires the permission of the authorities at the facility as well as the permission and consent of the patient to access such records. The Medical test records of a patient are kept completely confidential. Even insurance companies cannot access such records unless they are provided to the company by the patient himself. In critical cases however, the patient information and tests results are shared with the treating or referral doctor without the consent of the patient.

(iv) Purpose Limitation

In Government and Private Hospitals, the information is only used for the purpose for which it is collected. There is thus a direct and relevant connection between the information collected and the purpose for which it used. Additional information is collected to gauge the medical history of the patient that may be relevant to the disease that has to be treated. The information is never deleted after it has been used for the purpose for which it had been collected. The Medical Records of the patient are kept for extended periods in hard copy as well as soft copy versions. There is a provision for informing the patient in case the information is used for any purpose other than the purpose for which it was collected. Consent of the patient is taken at all stages of collecting and utilizing the information provided by him.

Diagnostic Laboratories have a database of all the information collected which is saved in the server. The information is mandatorily deleted after it has been used for the purpose for which it was collected after a period of two years. In case the information is used for any purpose other than the purpose for which it was collected, for example, in critical cases where additional tests have to be conducted the patient is\ always informed of the same.

(v) Access and Correction

In private hospitals, the patient is allowed to access his own records during his stay at the hospital. He is given a copy of his file upon his discharge from the hospital in the form of a discharge summary. However, if he needs to access the original records at a later stage, he can do so by filing a request for the same at the Medical Records Department of the hospital. A patient can make amendments or corrections to his records by providing requisite proof to substantiate the amended information. The patient however at no stage can confirm if the hospital is holding or processing personal information about him or her with the exception of the provisions provided for the amendment or correction to the information held.

The Medical records of a patient in a government hospital are completely sealed. A patient has no access to his own records. Only the concerned doctor who was treating the patient during his stay at the hospital can access the records of the patient. This doctor has to be necessarily associated with the hospital and had to have been directly involved in the patient’s treatment in order to access the records. The patient is allowed to amend information in his medical records but only generic information such as the spelling of his name, his address, telephone number etc. The patient is at no point allowed to access his own records and therefore cannot confirm if the hospital is holding or processing any information about him/her. The patient is only provided with a discharge summary that includes his personal information, the details of his disease and the treatment provided in simple language.

Diagnostic laboratories have an online database of patient records. The patient is given a username and a password and can access the information at any point. The patient may also amend or correct any information provided by contacting the Medical records department for the same. The patient can at any time view the status of his record and confirm if it is being held or processed by the hospital. A copy of such information can be obtained by the patient at any time.

(vi) Disclosure of Information

Private Hospitals are extremely cautious with regard to the disclosure of patient information. Medical records of patients cannot be accessed by anyone except the doctor treating that particular patient or consulting on the case. The patient is informed whenever his records are disclosed even to doctors. Usually, even immediate relatives of the patient cannot access the patient’s records without the consent of the patient except in cases where the condition of the patient is critical. The patient is always informed about the type and extent of information that may be disclosed whenever it is disclosed. No information of the patient is made available publicly at any stage. The patient can refuse to consent to sharing of information collected from him/her with non-authorized agencies. However, in no circumstance is the information collected from him/her shared with non authorized agencies. Some private hospitals also provide the patient with patient’s safety brochures highlighting the extent of doctor patient confidentiality, the patient’s rights including the right to withdraw consent at any stage and refuse access of records by unauthorized agencies.

In government hospitals, the medical records of the patient can only be disclosed to authorized agencies with the prior approval of patient. The patient is made aware of the type and extent of information that is collected from him/her and is mandatorily shared with authorized bodies such as insurance agencies or the treating doctor. No information of the patient is made publicly available. In cases where the information is shared with insurance agencies or any such authorized body the patient gives an undertaking via a letter of his consent to such disclosure. The insurance companies only use medical records for verification purposes and have to do so at the facility. They cannot take any original documents or make copies of the records without the consent of the patient as provided in the undertaking.

Diagnostic Laboratories provide information regarding the patient’s medical records only to the concerned or referred doctor. The patient is always informed of any instance where his information may be disclosed and the consent of the patient is always taken for the same. No information is made available publicly or shared with unauthorized agencies at any stage. Information regarding the patient’s medical records is not even shared with insurance companies.

Government and Private Hospitals provide medical records of patients to the police only when a summons for the same has been issued by a judge. Diagnostic laboratories however do not provide information regarding a patient’s records at any stage to any law enforcement agencies unless there is summons from a judge specifying exactly the nature and extent of information required.

Patients are not made aware of laws which may govern the disclosure of information in private and government hospitals as well as in diagnostic laboratories. The patient is merely informed that the information provided by him to the medical personnel will remain confidential.

(vii) Security

The security measures that are put in place to ensure the safety of the collected information is not adequately specified in the forms or during the collection of information from the patient in Government or Private Hospitals. Diagnostic laboratories however do provide the patient with information regarding the security measures put in place to ensure the confidentiality of the information.

(viii) Openness

The information made available to the patient at government and private hospital and diagnostic laboratories is easily intelligible. At every stage of the procedure the explicit consent of the patient is obtained. In government and private hospitals the signature of the patient is obtained on consent forms at every stage of the procedure and the nature and extent of the procedure is explained to the patient in a language that he understands and is comfortable speaking. The information provided is detailed and is provided in simplistic terms so that the patient does at all stages understand the nature of any procedure he is consenting to undergo.

(ix) Accountability

Private hospitals and Diagnostic laboratories have internal and external audit mechanisms in place to check the efficacy of privacy measures. They both have grievance redress mechanisms in the form of patient welfare cells and complaint cells. There is an assigned officer in place to take patient feedback and address and manage the privacy concerns of the patient.

Government hospitals do not have an internal or external audit mechanism in place to check the efficacy of privacy measures. There is however a grievance redressal mechanism in government hospitals in the form of a Public Relations Office that addresses the concerns, complaints, feedback and suggestions of the patients. There is an officer in charge of addressing and managing the privacy concerns of patients. This officer also offers counseling to the patients in case of privacy concerns regarding sensitive information.

International Best Practices and Recommendations

A. European Union
An official EU data protection regulation [69]was issued in January 2012. A key objective of this was to introduce a uniform policy directive across all member states. The regulation, once implemented was to be applicable in all member states and left no room for alteration or amendments.

The regulation calls for Privacy Impact Assessments[70]when there are specific risks to privacy which would include profiling, sensitive data related to health, genetic material or biometric information. This is an important step towards evaluating the nature and extent of privacy regulation required for various procedures and would be effective in the creation of a systematic structure for the implementation of these regulations. The regulation also established the need for explicit consent for sensitive personal data. The basis for this is an inherent imbalance in the positions of the data subject and the data controller, or in simpler terms the patient and the hospital or the life sciences company conducting the research. Thus, implied consent is not enough [71]and a need arises to proceed with the testing only when there is explicit informed consent.

Embedded within the regulation is the right to be forgotten [72]wherein patients can request for their data to be deleted after they have been discharged or the clinical trial has been concluded. In the Indian scenario, patient information is kept for extended periods of time. This can be subject to unauthorized access and misuse. The deletion of patient information once it has been used for the purpose for which it was collected is thus imperative towards the creation of an environment of privacy protection.

Article 81 of the regulation specifies that health data may be processed only for three major processes[73] :

a) In cases of Preventative or occupational medicine, medical diagnosis, the care, treatment or management of healthcare services, and in cases where the data is processed by the healthcare professionals, the data is subject to the obligation of professional secrecy;

b) Considerations of public interest bearing a direct nexus to public health, for example, the protection of legitimate cross border threats to health or ensuring a high standard of quality and safety for medicinal products or services;

c) Or other reasons of public interest such as social protection.

An added concern is the nature and extent of consent. The consent obtained during a clinical trial may not always be sufficient to cover additional research even in instances of data being coded adequately. Thus, it may not be possible to anticipate additional research while carrying out initial research. Article 83[74] of the regulation prohibits the use of data collected for an additional purpose, other that the purpose for which it was collected.

Lastly, the regulation covers data that may be transferred outside the EEA, unless there is an additional level of data protection. If a court located outside the EU makes a request for the disclosure of personal data, prior authorization must be obtained from the local data protection authority before such transfer is made. It is imperative that this be implemented within Indian legislation as currently there is no mechanism to regulate the cross border transfer of personal data.

B. The United States of America
The Health Maintenance Organizations Act, 1973 [75]was enacted with a view to keep up with the rapid development in the Information Technology sector. The digitization of personal information led to new forms of threats with regard to the privacy of a patient. In the face of this threat, the overarching goal of providing effective and yet unobtrusive healthcare still remains paramount.

To this effect, several important federal regulations have been implemented. These include the Privacy and Security Ruled under the Health Insurance Portability and Accountability Act (HIPAA) 1996[76] and the State Alliance for eHealth (2007) [77].The HIPAA privacy rules addressed the use and subsequent disclosure of a patient's personal information under various healthcare plans, medical providers, and clearinghouses. These insurance agencies were the primary agents involved in obtaining a patients information for purposes such as treatment, payment, managing healthcare operations, medical research and subcontracting. Under the HIPAA it is required of insurance agencies to ensure the implementation of various administrative safeguards such as policies, guidelines, regulations or rules to monitor and control inter as well as intra organizational access.

Apart from the HIPAA, approximately 60 laws related to privacy in the healthcare sector have been enacted in more than 34 states. These legislations have been instrumental in creating awareness about privacy requirements in the healthcare sector and improving the efficiency of data collection and transfer. Similar legislative initiative is required in the Indian context to aid in the creation of a regulated and secure atmosphere pertaining to the protection of privacy within the healthcare sector.

C. Australia
Australia has a comprehensive law that deals with sectoral regulations of the right to privacy.An amendment to the Privacy Act1988 [78]applies to all healthcare providers and was made applicable from 21st December 2001.The privacy Act includes the followingpractices:

a. A stringent requirement for informed consent prior to the collection of health related information

b. A provision regarding the information that needs to be provided to individuals before information is collected from them

c. The considerations that have to be taken into account before the transfer of information to third parties such as insurance agencies, including the specific instances wherein this information can be passed on

d. The details that must be included in the Privacy policy of the healthcare service providers' Privacy Policy

e. The securing and storing of information; and

f. Providing individuals with a right to access their health records.

These provisions are in keeping with the 13 National Privacy [79]Principles that represent the minimum standards of privacy regulation with respect to the handling of personal information in the healthcare sector.These guidelines are advisory in nature and have been issued by the Privacy Commissioner in exercise of his power under Section 27(1)(e) [80]of the Privacy Act.

The Act also embodiessimilar privacy principles which include a collection limitation, a definitive use and purpose for the information collected, a specific set of circumstance and an established protocol for the disclosure of information to third parties including the nature and extent of such disclosure, maintenance accuracy ofthe data collected, requisite security measures to ensure the data collected is at all times protected, a sense of transparency,accountability and openness in the administrative functioning of thehealthcare provider and accessibility of the patient to his ownrecords for the purpose of viewing, corroboration or correction.

Additionally, the Act includes the system of identifiers which includes a number assigned by the organization to an individual to identify the purpose of that person's data for the operation of the organization. Further, the Act provides for anonymity wherein individuals have the optionnot to identify themselves while entering into transactions with an organization. The Act also provides for restrictions on the transfer of personal data outside Australia and establishes conclusive and stringent barriers to the extent of collection of personal and sensitive data.These principles although vaguely similar to those highlighted in the A.P. Shah Committee report can be usedto streamline the regulations pertaining to privacy in the healthcare sector and make them more efficient.

Key Recommendations

It is Imperative that Privacy concerns relating to the transnational flow of Private data be addressed in the most efficient way possible. This would involve international cooperation and collaboration to address privacy concerns including clear provisions and the development of coherent minimum standards pertaining to international data transfer agreements. This exchange of ideas and multilateral deliberation would result in creating more efficient methods of applying the provisions of privacy legislation even within domestic jurisdictions.

There is a universal need for the development of a foundational structure for the physical collection, use and storage of human biological specimens (in contrast to the personalinformation that may be derived from those specimens) as these are extremely important aspects of biomedical research and clinical trials. The need for Privacy Impact Assessments would also arise in the context of clinical trials, research studies and the gathering of biomedical data.

Further, there also arises the need for patients to be allowed to request for the deletion of their personal information once it has served the purpose for which it was obtained. The keeping of records for extended periods of time by hospitals and laboratories is unnecessary and can often result in the unauthorized access to and subsequent misuse of such data.

There is a definitive need to ensure the incorporation of safeguards to regulate the protection of patient’s data once accessed by third parties, such as insurance companies. In the Indian Context as well as insurance agencies often have unrestricted access to a patient's medical records however there is a definitive lack of sufficient safeguards to ensure that this information is not released to or access by unauthorized persons either within these insurance agencies or outsourced consultants

The system of identifiers which allocate specific numbers to an individual’s data which can only be accessed using that specific number or series of numbers can be incorporated into the Indian system as well and can simplify the administrative process thus increasing its efficacy. This would afford individuals the privilege of anonymity while entering into transactions with specific healthcare institutions.

An important means of responding to public concerns over potential unauthorized use ofpersonal information gathered for research, could be through the issuing of Certificates of confidentiality as issued in the United States to protectsensitive information on research participants from forced disclosure. [81]

Additionally, it is imperative that frequent discussions, deliberations, conferences and roundtables take place involving multiple stakeholders form the healthcare sector, insurance companies, patient’s rights advocacy groups and the government. This would aid in evolving a comprehensive policy that would aid in the protection of privacy in the healthcare sector in an efficient and collusive manner.

Conclusions

The Right to Privacy has been embodied in a multitude of domestic legislations pertaining to the healthcare sector. The privacy principles envisioned in the A.P Shah Committee report have also been incorporated into the everyday practices of healthcare institutions to the greatest possible extent. There are however significant gaps in the policy formulation that essentially do not account for the data once it has been collected or its subsequent transfer. There is thus an imminent need for institutional collaboration in order to redress these gaps. Recommendations for the same have been made in the report. However, for an effective framework to be laid down there is still a need for the State to play an active role in enabling the engagement between different institutions both in the private and public domain across a multitude of sectors including insurance companies, online servers that are used to harbour a data base of patient records and civil action groups that demand patient privacy while at the same time seek to access records under the Right to Information Act. The collaborative efforts of these multiple stakeholders will ensure the creation of a strong foundational framework upon which the Right to Privacy can be efficiently constructed.

[1] . Report of the group of experts on Privacy chaired by Justice A.P Shah <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf> [Accessed on 14^th May 2014]

[2] . Nissenbaum, H. (2004). Privacy as Contextual Integrity. Washington Law Review, 79(1), 101-139.

[3] . Ibid.

[4] . Thomas, J. (2009). Medical Records and Issues in Negligence, Indian Journal of Urology : IJU : Journal of the Urological Society of India, 25(3), 384-388. doi:10.4103/0970-1591.56208.

[5] . Ibid

[6] . Plaza, J., &Fischbach, R. (n.d.). Current Issues in Research Ethics : Privacy and Confidentiality. Retrieved December 5, 2011, from http://ccnmtl.columbia.edu/projects/cire/pac/foundation/index.html.

[7] . Ibid.

[8] . The Mental Health Act, 1987 <https://sadm.maharashtra.gov.in/sadm/GRs/Mental%20health%20act.pdf> [Accessed on 14^th May 2014]

[9] . The Mental Health Act, 1987, s. 13(1).

[10] .The Mental Health Act, 1987, s. 38.

[11] .The Mental Health Act, 1987, s. 40.

[12] .The Mental Health Act, 1987, s. 21(2).

[13] .The Mental Health Act, 1987, s. 13(1), Proviso.

[14] . Also see the: Pre-Conception and and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Rules, 1996.

[15] . Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994, s. 4(3).

[16] . Pre-Conception and Pre-Natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994, s. 4(2). Pre-natal diagnostic techniques shall be conducted for the purposes of detection of: chromosomal abnormalities, genetic metabolic diseases, haemoglobinopathies, sex-linked genetic diseases, congenital anomalies any other abnormalities or diseases as may be specified by the Central Supervisory Board.

[17] .Medical Termination of Pregnancy Amendment Act, 2002, Notification on Medical Termination of Pregnancy (Amendment) Act, Medical Termination of Pregnancy Regulations, 2003 and Medical Termination of Pregnancy Rules, 2003.

[18] .Medical Termination of Pregnancy Act, 1971 (Amended in 2002), s. 2(4) and 4, and Medical Termination of Pregnancy Rules, 2003, Rule 8

[19] .Medical Termination of Pregnancy Regulations, 2003, Regulation 4(5).

[20] .Medical Termination of Pregnancy Regulations, 2003, Regulation 5.

[21] .Medical Termination of Pregnancy Regulations, 2003, Regulation 4(2).

[22] .Medical Termination of Pregnancy Regulations, 2003, Regulations 4(2) and 4(4).

[23] . Code of Ethics Regulations, 2002 available at

http://www.mciindia.org/RulesandRegulations/CodeofMedicalEthicsRegulations2002.aspx .

[24] . Code of Ethics Regulations, 2002 Chapter 2, Section 2.2.

[25] .Ethical Guidelines for Biomedical Research on Human Subjects. (2006) Indian Council of Medical Research New Delhi.

[26] . Informed Consent Process, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 21.

[27] . Statement of Specific Principles for Human Genetics Research, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2000) . Indian Council of Medical Research New Delhi.P. 62.

[28] . General Ethical Issues. Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 29.

[29] . Statement of Specific Principles for Epidemiological Studies, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2000) . Indian Council of Medical Research New Delhi P. 56.

[30] . Statement of General Principles, Principle IV and Essential Information on Confidentiality for Prospective Research Participants, Ethical Guidelines for Biomedical ResearchonHuman Subjects (2006). Indian Council of Medical Research New Delhi.P. 29.

[31] . The IRDA (Third Party Administrators - Health Services) Regulations 2001, (2001), Chapter 5. Section 2.

[32] . The IRDA (Sharing Of Database for Distribution of Insurance Products) Regulations 2010.

[33] . The IRDA (Sharing Of Database For Distribution Of Insurance Products) Regulations 2010.

[34] . The IRDA (Sharing Of Database For Distribution Of Insurance Products) Regulations 2010

[35] . List of TPAs Updated as on 19th December, 2011, Insurance Regulatory and Development Authority (2011), http://www.irda.gov.in/ADMINCMS/cms/NormalData_Layout.aspx?page=PageNo646 (last visited Dec 19, 2011).

[36] . The IRDA, Guideline on Outsourcing of Activities by Insurance Companies, (2011).

[37] . The IRDA, Guideline on Outsourcing of Activities by Insurance Companies, (2011), Section 9.11. P. 8.

[38] .The Epidemic Diseases Act, 1897.

[39] .The Epidemic Diseases Act, 1897. s. 2.1.

[40] .The Epidemic Diseases Act, 1897, s. 2.2(b).

[41] . The National Policy for Persons with Disabilities, 2006, Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995, Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Rules, 1996.

[42] . Research, National Policy for Persons with Disabilities, 1993.

[43] . Survey of Disabled Persons in India. (December 2003) National Sample Survey Organization. Ministry of Statistics and Programme Implementation. Government of India.

[44] .Persons With Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act. 1995, Section 35.

[45]. Research. National Policy for Persons with Disabilities, 2003.

[46]. http://www.lawyerscollective.org/files/Anti%20rights%20practices%20in%20Targetted%20Interventions.pdf

[47]. http://www.lawyerscollective.org/files/Anti%20rights%20practices%20in%20Targetted%20Interventions.pdf

[48]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.22.

[49]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.16.

[50]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.16.

[51]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.14.

[52]. http://www.hivaidsonline.in/index.php/HIV-Human-Rights/legal-issues-that-arise-in-the-hiv-context.html

[53]. Chakrapani et al, (2008) ‘HIV Testing Barriers and Facilitators among Populations at-risk in Chennai, India’, INP, p 12.

[54]. Aneka, Karnataka Sexual Minorities Forum. (2011)“Chasing Numbers, Betraying People: Relooking at HIV Services in Karnataka”, p.24.

[55] .http://www.indiankanoon.org/doc/570038/

[56] .http://www.indiankanoon.org/doc/570038/

[57] .http://www.indiankanoon.org/doc/680703/

[58] . No person accused of any offence shall be compelled to be a witness against himself’, (the 'right to silence').

[59] . http://indiankanoon.org/doc/338008/

[60] . http://www.hrdc.net/sahrdc/hrfeatures/HRF205.pdf

[61] . AIR 1992 SC 392.

[62] . 96 (2002) DLT 354.

[63] .AIR 2000 A.P 156.

[64] .http://indiankanoon.org/doc/382721/

[65] .http://indiankanoon.org/doc/859256/

[66] .See Sections 24, 37, 38 and 39 of The Prisons Act, 1894 (Central Act 9 of 1894) Rules 583 to 653 (Chapter XXXV) and Rules 1007 to 1014 (Chapter LVII) of Andhra Pradesh Prisons Rules, 1979

[67] .Section 10-A,17(4) ,19(2) Immoral Traffic (Prevention) Act 1956

[68] .http://www.indiankanoon.org/doc/1309207/

[69] . http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

[70] . Article 33, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) < http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf> [Accessed on 14^th May, 2014]

[71] .Article 4 (Definition of “Data Subject’s Consent”), Article 7, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[72] . Article 17, “Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st

Century” COM(2012) 9 final. Based on, Article 12(b), EU Directive 95/46/EC – The Data Protection Directive at <http://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm> [Accessed on 14^th May, 2014]

[73] . Article 81, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[74] .Article 83, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

[75] . Health Maintainence and Organization Act 1973, Notes and Brief Reports available at http://www.ssa.gov/policy/docs/ssb/v37n3/v37n3p35.pdf [Accessed on 14th May 2014].

[76] . Health Insurance Portability and Accountability Act, 1996 available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/hipaastatutepdf.pdf [Accessed on 14th May 2014]

[77] . Illinois Alliance for Health Innovation plan available at http://www2.illinois.gov/gov/healthcarereform/Documents/Alliance/Alliance%20011614.pdf [Accessed on 14^th May 2014]

[78] . The Privacy Act 1988 available at http://www.comlaw.gov.au/Series/C2004A03712 [Accessed on 14th May 2014]

[79] . Schedule 1, Privacy Act 1988 [Accessed on 14^th May 2014]

[80] .Section 27(e), Privacy Act 1988 [Accessed on 14^th May 2014]

[81] . Guidance on Certificates of Confidentiality, Office of Human Research Protections, U.S Department of Health and Human Services available at http://www.hhs.gov/ohrp/policy/certconf.pdf [Accessed on 14^th May, 2014].

For more details visit https://cis-india.org/internet-governance/blog/privacy-in-healthcare-policy-guide

Privacy Gaps in India's Digital India Project

Anisha Gupta and Edited by Amber Sinha — 2017-02-21T01:55:59Z

This paper seeks to assess the privacy protections under 15 e-governance schemes: Soil Health Card, Crime and Criminal Tracking Network & Systems (CCTNS), Project Panchdeep, U-Dise, Electronic Health Records, NHRM Smart Card, MyGov, eDistricts, Mobile Seva, Digi Locker, eSign framework for Aadhaar, Passport Seva, PayGov, National Land Records Modernization Programme (NLRMP), and Aadhaar.

Introduction

The Central and State governments in India have been increasingly taking steps to fulfill the goal of a ‘Digital India’ by undertaking e-governance schemes. Numerous schemes have been introduced to digitize sectors such as agriculture, health, insurance, education, banking, police enforcement, etc. With the introduction of the e-Kranti program under the National e-Governance Plan, we have witnessed the introduction of forty four Mission Mode Projects.[1]

The digitization process is aimed at reducing the human handling of personal data and enhancing the decision making functions of the government. These schemes are postulated to make digital infrastructure available to every citizen, provide on demand governance and services and digital empowerment.[2]

In every scheme, personal information of citizens are collected in order to avail their welfare benefits. While the efforts of the government are commendable, the efficacy of these programs in the absence of sufficient infrastructure for security raises various concerns. Increased awareness among citizens and stronger security measures by the governments are necessary to combat the cogent threats to data privacy arising out of the increasing rate of cyberattacks.[3]

The schemes identified for the purpose of this paper have been introduced by the following government agencies:

S.No.	Scheme	Government Agency Involved
1	SOIL HEALTH CARD A scheme designed to provide complete soil information to farmers.	Department of Agriculture Corporation (DACNET)
2	CRIME AND CRIMINAL NETWORK TRACKING & SYSTEMS (CCTNS) A scheme that seeks to facilitate the functioning of the criminal system through online records, and has proposed data analysis for the purpose of trend setting, crime analysis, disaster and traffic management, etc.	National Crime Records Bureau (NCRB)
3	U-Dise Serves as the official data repository for educational information.	Ministry of Human Resource Development (MHRD)
4	PROJECT PANCHDEEP The use of Unified Information System for implementation of health insurance facilities under ESIC (Employee State Insurance Corporation).	Ministry of Labour & Employment
5	ELECTRONIC HEALTH RECORDS A scheme to digitally record all health data of a citizen from birth to death.	Ministry of Health and Family Welfare (MoHFW)
6	NHRM SMART CARD Under the Rashtriya Swasthya Bima Yojana (RSBY) Scheme, every beneficiary family is issued a biometric enabled smart card for providing health insurance to persons covered under the scheme.	Ministry of Health and Family Welfare (MoHFW)
7	MYGOV An online platform for government and citizen interaction.	The Department of Electronics and Information Technology (DeITY)
8	EDISTRICTS Common Service Centres are being established under the scheme to provide multiple services to the citizens at a district level.	DeITY
9	MOBILE SEVA A centralized mobile app, used to host various mobile applications.	DeITY
10	DIGILOCKER A scheme that provides a secure dedicated personal electronic space for storing the documents.	DeITY
11	eSIGN FRAMEWORK FOR AADHAAR eSign is an online electronic signature service to facilitate an Aadhaar holder to digitally sign a document.	Ministry of Electronic and Information Technology
12	PAYGOV A centralized platform for all citizen to government payments.	DeITY and NSDL Database Management Limited (NDML)
13	PASSPORT SEVA An online scheme for passport application and documentation.	Ministry of External Affairs
14	NATIONAL LAND RECORDS MODERNIZATION PROGRAM (NLRMP) The scheme seeks to modernize land records system through digitization and computerization of land records.	DeITY and NDML
15	AADHAAR A scheme for unique identification of citizens for the purpose of targeted delivery of welfare benefits.	Unique Identification Authority of India (UIDAI)

Read the full paper

[1]. Introduction to Digital India, available at http://www.governancenow.com/ news/regular-story/securing-digital-india

[2]. Id.

[3]. GN Bureau, Securing Digital India, Governance Now (June 11, 2016) available at http://www.governancenow.com/news/regular-story/securing-digitalindia

For more details visit https://cis-india.org/internet-governance/blog/privacy-gaps-in-indias-digital-india-project

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme

Pranesh Prakash and Amber Sinha — 2016-03-17T16:12:26Z

Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.

The article was published in the Hindustan Times on March 12, 2016.

There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.

Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.

In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But a second reading reveals the loopholes.

The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.

Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.

The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.

None of the above arguments even get to the question of implementation.

Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme

Privacy concerns multiply for Aadhaar, India’s national biometric identity registry

praskrishna — 2017-03-22T14:38:52Z

The largest and most sophisticated biometric identity system of any country in the world, India’s Aadhaar, is sparking new fears that the personal data it stores on more than 1.1 billion people could be vulnerable to exploitation.

The article by Kaelyn Lowmaster was published by One World Identity on March 17, 2017, Sunil Abraham was quoted.

Aadhaar, which translates to “foundation” in Hindi, is a unique 12-digit code tied to citizens’ biometric data and personal information. The system was launched in 2009 in an effort to extend social services to India’s millions of unregistered citizens, and to cut down on welfare benefit “leakage” resulting from an opaque and often corrupt bureaucracy.

Constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates.

The government has also looked to Aadhaar data to underpin mobile payment transfer platforms, which have become crucial for cashless transactions during the country’s demonetization push over past year.

But constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates, who cite several vulnerabilities both with the Aadhaar system and the Modi administration’s planned expansion.

Despite this, recent metrics indicate that Aadhaar has been enormously successful in achieving those goals. Though the program is theoretically voluntary, more than 99% of Indian adults are now enrolled. Over three billion individual identity verifications have been conducted, and some reports indicate that the Indian government is saving a billion dollars per year now that welfare subsidies can be paid to citizens directly through Aadhaar-verified fund transfers.

Prime Minister Narendra Modi has ambitions to broaden the system even further, seeking to use Aadhaar as the gateway for accessing government programs ranging from public education to subsidized cooking gas, as well as partnering with private companies to offer services facilitated by the Aadhaar database.

Concerns, however, remain. One primary worry is that India’s legal framework for information security is still weak and fragmented, despite government assurances that Aadhaar biometrics have never been misused or stolen.

“There are no regulations in India on safeguards over and procedures for the collection, processing, storage, retention, access, disclosure, destruction, and anonymization of sensitive personal information by any service provider,” according to a 2016 World Bank report.

A patchwork of rules outlining “reasonable security practices and procedures” for personal data has accumulated since Aadhaar was launched, but there is no codified law outlining how data in the system must be secured, or what penalties exist for potential leaks, fraud or misuse.

“Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records” – Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore

This regulatory gap poses a particularly acute risk now that the government has begun offering companies and app developers support for starting new businesses that use Aadhaar data. Through a new initiative called IndiaStack, the administration is providing open program interfaces for companies in fintech, healthcare, and other areas to integrate Aadhaar-based transactions into their business platforms. While IndiaStack’s terms of use explicitly state that user consent is required for any information sharing between service providers and the Aadhaar database, doubts remain about the integrity of the network infrastructure and the lack of clarity surrounding acceptable information sharing and storing protocols.

Another source of concern is the risk that Aadhaar information could be leveraged by the government itself for political purposes.

“Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station,” Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore, told Reuters. “It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records.”

Further stoking fears of federal overreach, the Modi administration has attempted to make Aadhaar registration mandatory in certain sectors, violating a Supreme Court ruling from October 2015 that enrollment must remain voluntary.

Still, the benefits of building on the Aadhaar identity system appear to be outweighing the risks for now, and the system is gathering momentum worldwide. The World Bank is helping market the Aadhaar model abroad, and Russia, Morocco, Tunisia, and Algeria have all expressed interest in instituting national biometric identity programs of their own. Microsoft is already on board, and Google is negotiating ways to get involved.

Aadhaar may indeed live up to is potential and become the global standard for universal legal identity, but until India can manage to create more robust mechanisms to protect citizens’ personal data, their security could remain uncertain.

For more details visit https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry

Privacy Concerns in Whole Body Imaging: A Few Questions

elonnai — 2012-03-21T10:09:02Z

Security versus Privacy...it is a question that the world is facing today when it comes to using the Whole Body Imaging technology to screen a traveller visually in airports and other places. By giving real life examples from different parts of the world Elonnai Hickok points out that even if the Government of India eventually decides to advocate the tight security measures with some restrictions then such measures need to balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.

What is Whole Body Imaging?

Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons.

How are These Technologies Being Used - Two News Items to Ponder:

News Item One

In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.

Also, in response to the attempted attack on the U.S, the Mumbai Terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India issued a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one), but instead the authority will randomly select persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zoomed over parts of the image for a better look, if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased. The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.

Despite this, the machines are controversial because they generate images of a passengers' entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security did a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough details for personal identification, the image is not retained, and the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.

News Item Two

In October this year, Fox News came out with a story that told how the use of x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see into the inside of the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. In vans the technology used is the backscatter x-ray machine. The cars are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out for a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the car. Reactions to the vans have been mixed. Some worry about the invasion to privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right is given by an individual‘s having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car.

Questions at the Heart of the WBI Debate:

Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body — its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by the virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this particularly true given that airport scanning is of only a randomly-selected portion of travelers? Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead into a declared national emergency. Furthermore, how can legislation and policy, which has traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?

How Have Other Countries Responded to Whole Body Imaging and How Should India Respond?

Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.

In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use. It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further. A Nigerian leader also pledged to use full-body scanners.

Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate the tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners, was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.

The variation in responses and the uneven uptake of the technology around the world shows how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers. Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies.

For more details visit https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions

Privacy By Design — Conference Report

praskrishna — 2011-08-22T12:03:30Z

How do we imagine privacy? How is privacy being built into technological systems? On April 16th,The Center for Internet and Society hosted Privacy by Design, an Open Space meant to answer these questions and more around the topic of privacy. Below is a summary of the conversations and dialogs from the event.

Introduction

On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to foster discussions around questions related to how privacy is being designed into technological systems. The day opened with two basic questions: How do we imagine privacy? And how are individuals building technology systems incorporating privacy into the system? Throughout the day the conversations took many twist and turns, but at the end of the day three basic points about privacy had come out of the many discussions: 1. Privacy cannot be limited to one definition; it is constantly changing based on person and on context 2. To a person - privacy is a function of abuse and violation 3. The increased generation of data that was made possible by web 2.0 has lead to a rise in privacy issues and is significantly changing many traditional concepts, spaces, and relationships – such as what constitutes a public space, and the relationship between a state and its citizens.

Database architecture and privacy

The morning discussion focused on databases and privacy, and began with questions like: How can a database be built to protect privacy? When a database is built, what role does privacy play in the migration of data? Is privacy protected in databases simply by limiting access to certain parts of data sets? Though many of these were left unanswered, the conversation highlighted the fact that th databases are coded to segregate /regulate users and information in order to protect the system. Thus, databases are architected to incorporate privacy in such a way that protects the viability of only the system and not the individual. In our research we have seen many cases of this. Individual’s privacy has been violated because of malfunctioning or poorly constructed databases. For example, currently Indian governmental databases often have incorrect information, individuals do not have the ability to access and change their information, and if an individual’s information is compromised the government is not held accountable, and there is no course of action that an individual can take towards redress.

Security vs. Privacy

Embedded in this understanding of how privacy is built into technological systems is the question of what security is, and when systems are built, whether privacy and security are considered to be essentially the same. Thus far in our research we have distinguished between privacy and security, saying that, security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

The right to be forgotten and regulation of data

The possibility of creating systems with "off switches" also came out of this thread of conversation. For instance, can a database be structured to show only necessary information to third parties based on the context. In this scenario a card would be created that has all of an individual’s information on it, but only the pertinent information will be shown based on the different situations - if, for example, a teenager goes to a bar, the card will only show a third party that he is over 18. This idea is already taking shape in many Western countries, and is similar to the idea of a federated identity system. A question to ask though is if such a system could work for India, or be even more appropriate for India than a system like the UID. The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

Data types and privacy

Emerging from the conversation on database structure, a conversation on types of data in databases was started. The question was raised as to whether or not databases can actually handle certain types of data. The example given was caste-related data. Information about a person’s caste is constantly changing as people lie about their caste, change their caste, and become married and take on another caste. Furthermore, some people do not want to live with their caste and want to shed off their caste. Therefore, can a database accurately represent such a dynamic data set? Is it dangerous to put such a politically volatile concept as caste into a database where it will confine a person to one definition once entered? Another side to this question though is that perhaps it is in fact necessary to try and place a person in one caste, as there benefits enshrined by law based on a person’s caste, and an individual who has the ability to change his/her caste at their whim therefore defeats and takes advantage of governmental benefits. The point was also raised that by placing information like caste and identity into a database, governments have the ability to divide the country into subsets of identities that they decide to generate. Caste is not the only data that faces these complications and issues. For instance religion and race raise similar question. How can you define and represent a person’s relationship with God in a database? How to you represent a child of multiracial parents on a database?

Changes in the relationship between the state and the citizen

It was also brought out that the representation of citizens’ identities on a database changes the relationship between a state and its citizenry. States no longer see citizens as individuals, but instead as data samples. The UID is an example of an e-governance program that if enacted, could further such a change in the relationship between the state and the citizen, as the whole of India will suddenly and ubiquitously be recognized by the Government (and other entities/organizations) according to their aadhaar number. The relationship between the state and the citizen is not the only social change that databases bring about. Databases also change the concept of public space. As web 2.0 has facilitated the generation of large amounts of data, public space has become a space where one enters and interacts as a dataset. For example face book and twitter allow individuals to create datasets of them and interact with other people through their datasets. Beyond social networking online banking and online shopping also push people to form datasets about themselves and interact with services that were traditionally done in person as individuals, as datasets.

Questions of ownership

The above thread of conversation led to the next question of whether or not individuals control technology or whether technology controls individuals. The example of Facebook was used to illustrate this question. Even though Facebook has a privacy policy, once a person engages with Facebook he or she accepts Facebook’s definition of privacy – which is two tiered. On one level Facebook defines user privacy in terms of restriction - allowing the user to limit who can see their profiles. On another level Facebook’s privacy policy allows the company to share and sell personal information. In these ways companies are constructing databases so that instead of the company being the custodian of information – an entity that provides a structure to protect and hold information - the companies are now the owners of information- selling and using individuals information for profit. In India, this is a problem. Companies, once they collect data, treat it as their own - selling and sharing data with third parties, or using it in ways that were not agreed to by the customer. The question of ownership was a critical question for the group. In the discussions it was important to individuals that they had control and ownership over their information. Individuals felt that information that could be traced back to them or their identity belonged to them, and that in order to protect privacy consent should be secured before any information is used. For instance, data mining by websites without notice was seen as a violation of privacy. The collection of data in public places for marketing purposes without a person’s consent or awareness was similarly seen as a privacy violation. It was also brought out from this conversation that the digitization of information has caused a commercialization of information, and that has led to a sense of ownership and need for privacy over information. For example, before, if someone were to take one’s name and mis-use it, that person was charged with defamation – not for violation of privacy – but if someone misuses information that is in a database or online, that person is now charged for a violation of privacy. This shift in thinking is another example of how web 2.0 has increased privacy violations.

Perceptions and expectations of privacy

The day ended with a conversation about the perceptions and expectations of privacy. Privacy as it relates to an individual is almost wholly dependent on expectation, which changes from person to person, from community to community, and from culture to culture. Just as the expectation of privacy varies between individuals, so does the degree of violation. Thus, it is important to recognize the changing nature of privacy, because it explains why it is difficult for the legal system to address all the nuances of privacy with one broad legislation. This point has been crucial in our research thus far as we are consulting with the public, analyzing legislation, and following news items to see if privacy legislation is wanted and needed in India, and if it is - how it should be shaped.

From the conversation on perceptions of privacy and privacy violations it was also brought out that the concept of privacy is on one hand related to the notion of ownership, and on the other hand it is related to the violation. From the experiences shared by individuals, their privacy never became a concern until it was violated, or they learned about someone else’s privacy being violated. This led to the observation that not only is it difficult for the law to address privacy violations because the violation is based on perception, but also because the effect when one’s privacy is violated is often an emotional one.

Conclusion

The conversations held throughout the day showed the dynamic and personal nature of privacy, and how when databases are constructed, and how our lives made digital this personal aspect is easily lost. When we think about the conversations held throughout the day in relation to our initial questions: what are the different ways of imagining privacy, and how is privacy being built into technological systems, besides the three basic themes of privacy highlighted in the beginning of this blog - there emerged to more themes. One theme portrayed an imagination of privacy that is more personal, and that address the emotional component and the perception component to privacy. Another theme portrayed an imagination of privacy that is technologically more controlled, that allows for more personal regulation, more precise segregation of information in a database, and restricted access by third parties. This imagination of privacy can be and is being met by new and developing technologies. Increasingly in many countries technology is being structured with privacy built into the system. The larger question that this open space has raised, and not completely answered is if privacy legislation can adequately protect an individual’s privacy, and if it cannot, can technology can fill the gaps that privacy legislation leaves open.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign

Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?

Prashant Iyengar — 2012-12-14T10:29:12Z

How do the provisions of the Information Technology Act measure up to the challenges of privacy infringement? Does it provide an adequate and useful safeguard for our electronic privacy? Prashant Iyengar gives a comprehensive analysis on whether and how the Act fulfils the challenges and needs through a series of FAQs while drawing upon real life examples.

What kinds of computer related activities impinge on privacy?

Although Information and Communications Technologies (ICTs) have greatly enhanced our capacities to collect, store, process and communicate information, it is ironically these very capacities of technology which make us vulnerable to intrusions of our privacy on a previously impossible scale. Firstly, data on our own personal computers can compromise us in unpleasant ways — with consequences ranging from personal embarrassment to financial loss. Secondly, transmission of data over the Internet and mobile networks is equally fraught with the risk of interception — both lawful and unlawful — which could compromise our privacy. Thirdly, in this age of cloud computing when much of "our" data — our emails, chat logs, personal profiles, bank statements, etc., reside on distant servers of the companies whose services we use, our privacy becomes only as strong as these companies’ internal electronic security systems. Fourthly, the privacy of children, women and minorities tend to be especially fragile in this digital age and they have become frequent targets of exploitation. Fifthly, Internet has spawned new kinds of annoyances from electronic voyeurism to spam or offensive email to ‘phishing’ — impersonating someone else’s identity for financial gain — each of which have the effect of impinging on one’s privacy.

Although there are a number of technological measures through which these risks can be reduced, it is equally important to have a robust legal regime in place which lays emphasis on the maintenance of privacy. This note looks at whether and how the Information Technology Act that we currently have in India measures up to these challenges of electronic privacy [1].

What provisions in the IT Act protect against violations of privacy?

At the outset, it would be pertinent to note that the IT Act defines a ‘computer resource’; expansively as including a “computer, computer system, computer network, data, computer database or software” [2]. As is evident, this definition is wide enough to cover most intrusions which involve any electronic communication devices or networks — including mobile networks. Briefly, then IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities involving use of a computer — many of which impinge on privacy directly or indirectly. These will be examined in detail in the following sub-sections.

Intrusions into computers and mobile devices

accessing

downloading/copying/extraction of data or extracts any data

introduction of computer contaminant[3];or computer virus[4]

causing damage either to the computer resource or data residing on it

disruption

denial of access

facilitating access by an unauthorized person

charging the services availed of by a person to the account of another person,

destruction or diminishing of value of information

stealing, concealing, destroying or altering source code with an intention

The Act provides for the civil remedy of “damages by way of compensation” for damages caused by any of these actions. In addition anyone who “dishonestly” and “fraudulently” does any of these specified acts is liable to be punished with imprisonment for a term of upto three years or with a fine which may extend to five lakh rupees, or with both[5].

Bangalore techie convicted for hacking govt site (2009, Deccan Herald)[6]

In November 2009, The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie from Bangalore to undergo a rigorous imprisonment for one year with a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (hacking).

Investigations had revealed that Kumar was logging on to the BSNL broadband Internet connection as if he was the authorised genuine user and ‘made alteration in the computer database pertaining to broadband Internet user accounts’ of the subscribers.

The CBI had registered a cyber crime case against Kumar and carried out investigations on the basis of a complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of broadband Internet.

The complaint also stated that the subscribers had incurred a loss of Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore as also from Chennai and other cities, they said.

Children's privacy online

As computers and the Internet become ubiquitous children have increasingly become exposed to crimes such as pornography and stalking that make use of their private information. The newly inserted section 67B of the IT Act (2008) attempts to safeguard the privacy of children below 18 years by creating a new enhanced penalty for criminals who target children.

The section firstly penalizes anyone engaged in child pornography. Thus, any person who “publishes or transmits” any material which depicts children engaged in sexually explicit conduct, or anyone who creates, seeks, collects, stores, downloads, advertises or exchanges this material may be punished with imprisonment upto five years (seven years for repeat offenders) and with a fine of upto Rs. 10 lakh.

Secondly, this section punishes the online enticement of children into sexually explicitly acts, and the facilitation of child abuse, which are also punishable as above.

Viewed together, these provisions seek to carve out a limited domain of privacy for children from would-be sexual predators.

The section exempts from its ambit, material which is justified on the grounds of public good, including the interests of "science, literature, art, learning or other objects of general concern". Material which is kept or used for bona fide "heritage or religious purpose" is also exempt.

In addition, the newly released Draft Intermediary Due-Diligence Guidelines, 2011 [7]require ‘intermediaries’[8]to notify users not to store, update, transmit and store any information that is inter alia, “pedophilic” or “harms minors in any way”. An intermediary who obtains knowledge of such information is required to “act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity”. Further, the intermediary is required to inform the police about such information and preserve the records for 90 days.

Electronic Voyeurism

Although once regarded as only the stuff of spy cinema, the explosion in consumer electronics has lowered the costs and the size of cameras to such an extent that the threat of hidden cameras recording people’s intimate moments has become quite real. Responding to the growing trend of such electronic voyeurism, a new section 66E has been inserted into the IT Act which penalizes the capturing, publishing and transmission of images of the "private area" [9]of any person without their consent, "under circumstances violating the privacy" [10] of that person.

This offence is punishable with imprisonment of upto three years or with a fine of upto Rs. two lakh or both.

Phishing – or Identity Theft

The word 'phishing' is commonly used to describe the offence of electronically impersonating someone else for financial gain. This is frequently done either by using someone else’s login credentials to gain access to protected systems, or by the unauthorized application of someone else’s digital signature in the course of electronic contracts. Increasingly a new type of crime has emerged wherein sim cards of mobile phones have been ‘cloned’ enabling miscreants to make calls on others' accounts. This is also a form of identity theft.

Two sections of the amended IT Act penalize these crimes:

Section 66C makes it an offence to “fraudulently or dishonestly” make use of the electronic signature, password or other unique identification feature of any person. Similarly, section 66D makes it an offence to “cheat by personation” [11] by means of any ‘communication device’[12] or 'computer resource'.

Both offences are punishable with imprisonment of upto three years or with a fine of upto Rs. one lakh.

Mumbai Police Solves Phishing scam [13]

In 2005, a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s email ID.

An investigation was carried out with the emails received by the customers of that financial institute and the accused were arrested. The place of offence, Vijaywada was searched for the evidence. One laptop and mobile phone used for committing the crime was seized.

The arrested accused had used open source code email application software for sending spam e-mails. He had downloaded the same software from the Internet and then used it as it is.

He used only VSNL to spam the e-mail to customers of the financial institute because VSNL email service provider does not have spam box to block the unsolicited emails.

After spamming e-mails to the institute customers he got the response from around 120 customers of which 80 are genuine and others are not correct because they do not have debit card details as required for e-banking."

The customers who received his e-mail felt that it originated from the bank. When they filled the confidential information and submitted it the said information was directed to the accused. This was possible because the dynamic link was given in the first page (home page) of the fake website. The dynamic link means when people click on the link provided in spam that time only the link will be activated. The dynamic link was coded by handling the Internet Explorer onclick () event and the information of the form will be submitted to the web server (where the fake website is hosted). Then server will send the data to the configured e-mail address and in this case the e-mail configured was to the e-mail of the accused. All the information after phishing (user name, password, transaction password, debit card number and PIN, mother’s maiden name) which he had received through the Wi-Fi Internet connectivity of Reliance.com was now available on his Acer laptop.

This crime was registered under section 66 of the IT Act, sections 419, 420, 465, 468 and 471 of the Indian Penal Code and sections 51, 63 and 65 of the Indian Copyright Act, 1957 which attract the punishment of three years imprisonment and fine upto Rs 2 lac which the accused never thought of.

Spam and Offensive Messages

Although the advent of e-mail has greatly enhanced our communications capacities, most e-mail networks today remain susceptible to attacks from spammers who bulk-email unsolicited promotional or even offensive messages to the nuisance of users. Among the more notorious of these scams is/was the so-called "section 409 scam" in which victims receive e-mails from alleged millionaires who induce them to disclose their credit information in return for a share in millions.

Section 66A of the IT Act attempts to address this situation by penalizing the sending of:

any message which is grossly offensive or has a menacing character
false information for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation, enmity, hatred or ill-will
any electronic e-mail for the purpose of causing annoyance or inconvenience, or to deceive the addressee about the origin of such messages;

This offence is punishable with imprisonment upto three years and with a fine[14]

Hoax E-mails [15]

In 2009, a 15-year-old Bangalore teenager was arrested by the cyber crime investigation cell (CCIC) of the city crime branch for allegedly sending a hoax e-mail to a private news channel. In the e-mail, he claimed to have planted five bombs in Mumbai, challenging the police to find them before it was too late.

According to police officials, at around 1p.m. on May 25, the news channel received an e-mail that read: “I have planted five bombs in Mumbai; you have two hours to find it.” The police, who were alerted immediately, traced the Internet Protocol (IP) address to Vijay Nagar in Bangalore. The Internet service provider for the account was BSNL, said officials.

Minor Hoax Spells Major Trouble

Sixteen-year-old Rakesh Patel (name changed), a student from Ahmedabad, sent an e-mail to a private news channel on March 18, 2008, warning officials of a bomb on an Andheri-bound train. In the e-mail, he claimed to be a member of the Dawood Ibrahim gang. Three days later, the crime investigation cell (CCIC) of the city police arrested the boy under section 506 (ii) for criminal intimidation. He was charge-sheeted on November 28, 2008.
Status: Patel was given a warning by a juvenile court
A 14-year-old Colaba boy sent a hoax e-mail to a TV channel in Madhya Pradesh, three days after the July 26, 2008, Ahmedabad bomb blasts. He claimed that 29 bombs would go off in Jabalpur. He was picked up by officers of the anti-terrorism squad (ATS) who, with the help of the MP police, were able to trace the e-mail to a cyber café in Colaba.
Status: No FIR was registered. The Cuffe Parade police registered a non-cognizable (NC) complaint against him, and the boy was allowed to go home after the police gave him a “strict warning”.
Shariq Khan, 18, was arrested in Bhopal on July 26, 2006, for sending out three e-mails claiming to be a member of the terrorist organisation, which the police believed was behind the 7/11 train bombings. He was arrested by the Bhopal police. Later, the ATS brought the boy to Mumbai and also booked him for a five-year-old unsolved case where an unknown accused had sent e-mail warnings to the department of Atomic Energy (DAE) in 2001.
Status: The police filed a charge-sheet against Shariq who claimed that he had sent the e-mails for fun. Trial is pending in a juvenile court. Shariq is presently out on bail in Bhopal.
On February 26, 2006, a 17-yearold student from Jamnabai Narsee School called an Alitalia flight bound to Milan at 2 a.m. telling them there was a bomb on board. He wanted to stop his girlfriend from going abroad. She was one of the 12 students on their way to attend a mock United Nations session in Geneva.
Status: After being grilled by the police, he was arrested, but let out on bail.

Lawful Interception and monitoring of electronic communications under the IT Act

In addition to violations of privacy by criminal and the mischievous minded, electronic communications and storage are also a goldmine for governmental supervision and surveillance. This section provides a brief overview of the provisions in the IT Act which circumscribe the powers of the state to intercept electronic communications.

The newly amended IT Act completely rewrote its provisions in relation to lawful interception. The new section 69 dealing with “power to issue directions for interception or monitoring or decryption of any information through any computer resource” is much more elaborate than the one it replaced, In October 2009, the Central Government notified rules under section 69 which lay down procedures and safeguards for interception, monitoring and decryption of information (the “Interception Rules 2009”). This further thickens the legal regime in this context.

Unlawful Intercept

In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and detained for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages [16].

The incident highlights how minor privacy violations by ISPs and intermediaries could have impacts that gravely undermine other basic human rights [17].

In addition to section 69, the Government has been empowered under the newly inserted section 69B to "monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource".

"Traffic data" has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.” Rules have been issued by the Central Government under this section (the “Monitoring and Collecting Traffic Data Rules, 2009”) which are similar, although with important distinctions, to the rules issued under section 69.

Thus, there are two parallel interception and monitoring regimes in place under the Information Technology Act. In the paragraphs that follow, we provide an overview of the regime of surveillance under section 69 — since they are more targeted towards the individual, and consequently the threats to privacy are more severe — while highlighting important differences in the rules drafted under section 69.

Who may lawfully intercept?

Section 69 empowers the “Central Government or a state government or any of its officers specially authorised by the Central Government or the state government, as the case may be” to exercise powers of interception under this section.

Under the Interception Rules 2009, the secretary in the Ministry of Home Affairs has been designated as the "competent authority", with respect to the Central Government, to issue directions pertaining to interception, monitoring and decryption. Similarly, the respective state secretaries in charge of Home Departments of the various states and union territories are designated as "competent authorities" to issue directions with respect to the state government [18].

	Central Government	State/Union Territory
Ordinary Circumstances	Secretary in the Ministry of Home Affairs	Secretary in charge of Home Departments of State
Emergency	Head or second senior most officer of security and law enforcement	Authorized officer not below the rank of Inspectors General of Police

However, an exception is made in cases of emergency, either

in remote areas where obtaining prior directions from the competent authority is not feasible or

for ‘operational reasons’ where obtaining prior directions is not feasible.

In such cases it would be permissible to carry out interception after obtaining the orders of the Head or second senior most officer of security and law enforcement at the central level, and an authorized officer not below the rank of Inspector General of Police at the state or union territory level. The order must be communicated to the competent authority within three days of its issue, and approval must be obtained from the authority within seven working days, failing which the order would lapse.

Where a state/union territory wishes to intercept/monitor or decrypt information beyond its territory, the competent authority for that state must make a request to the competent authority of the Central Government to issue appropriate directions.

Under what circumstances a direction to intercept may be issued?

Purposes for which interception may be directed

Under section 69, the powers of interception may be exercised by the authorized officers “when they are satisfied that it is necessary or expedient” to do so in the interest of:

sovereignty or integrity of India,

defense of India,

security of the state,

friendly relations with foreign states or

public order or

preventing incitement to the commission of any cognizable offence relating to above or

for investigation of any offence.

Under section 69B, the competent authority may issue directions for monitoring for a range of “cyber security”[20] purposes including, inter alia, “identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security”.

Contents of direction

The reasons for ordering interception must be recorded in writing [21].

In the case of a direction under section 69, in arriving at its decision, the competent authority must consider alternate means of acquiring the information other than issuing a direction for interception [22]. The direction must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources [23]. The direction must specify the name and designation of the officer to whom information obtained is to be disclosed, and also specify the uses for which the information is to be employed [24].

Duration of interception and periodic review

Once issued, an interception direction issued under section 69 remains in force for a period of 60 days (unless withdrawn earlier), and may be renewed for a total period not exceeding 180 days [25]. A direction issued under section 69B does not expire automatically through the lapse of time and theoretically would continue until withdrawn.

Within seven days of its issue, a copy of a direction issued under either section 69 or section 69B must be forwarded to the review committee constituted to oversee wiretapping under the Indian Telegraph Act [26]. Every two months, the review committee is required to meet and record its findings as to whether the direction was validly issued in light of section 69(3) [27]. If the review committee is of the opinion that it was not, it can set aside the direction and order destruction of all information collected [28].

What powers of interception do they have?

The competent authority may, in his written direction “direct any agency of the appropriate government to intercept monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource”[29].

Accordingly, the subscriber or intermediary or any person in charge of the computer resource is must, if required by the designated government agency, extend all facilities, equipment and technical assistance to:

provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

intercept, monitor, or decrypt[30] the information, as the case may be; or

provide information stored in computer resource.

The intermediary must maintain records mentioning the intercepted information, the particulars of the person, e-mail account, computer resource, etc., that was intercepted, the particulars of the authority to whom the information was disclosed, number of copies of the information that were made, the date of their destruction, etc. [31]. This list of requisitions received must be forwarded to the government agency once every 15 days to ensure their authenticity [32].

In addition, a responsibility is cast on the intermediary to put in place adequate internal checks to ensure that unauthorized interception does not take place, and extreme secrecy of intercepted information is maintained [33].

How long can information collected during interception be retained?

Interception rules require all records, including electronic records pertaining to interception to be destroyed by the government agency “in every six months except in cases where such information is required or likely to be required for functional purposes”. In the case of the Monitoring and Collecting of Traffic Data Rules 2009, this period is nine months from the date of creation of record.

In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the intermediary within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings. In the case of Monitoring Rules, this period is six months from the date of discontinuance.

What penalties accrue to intermediaries and subscribers for resisting interception?

Section 69 stipulates a penalty of imprisonment upto a term of seven years and fine for any “subscriber or intermediary or any person who fails to assist the agency” empowered to intercept.

Data Protection under the IT Act

Data Retention Requirements of 'Intermediaries'

Section 67C of the amended IT Act mandates ‘intermediaries’[34] to maintain and preserve certain information under their control for durations which are to be specified by law.

Any intermediary who fails to retain such electronic records may be punished with imprisonment up to three years and a fine.

Liability for body-corporates under section 43A

The newly inserted section 43A makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure.

It is only the narrowly-defined ‘body corporates’ [35] engaged in ‘commercial or professional activities’ who are the targets of this section. Thus government agencies and non-profit organisations are entirely excluded from the ambit of this section [36].

“Sensitive personal data or information” is any information that the Central Government may designate as such, when it sees fit to.

The “reasonable security practices” which the section obliges body corporates to observe are restricted to such measures as may be specified either “in an agreement between the parties” or in any law in force or as prescribed by the Central Government.

By defining both “sensitive personal data” and “reasonable security practice” in terms that require executive elaboration, the section in effect pre-empts the courts from evolving an iterative, contextual definition of these terms.

Mphasis BPO Fraud: 2005 [37]

In December 2004, four call centre employees, working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the PINs.

In association with others, the call centre employees opened new accounts at Indian banks using false identities. Within two months, they used the PINs and account information gleaned during their employment at MphasiS to transfer money from the bank accounts of CitiGroup customers to the new accounts at Indian banks.

By April 2005, the Indian police had tipped off to the scam by a U.S. bank, and quickly identified the individuals involved in the scam. Arrests were made when those individuals attempted to withdraw cash from the falsified accounts, $426,000 was stolen; the amount recovered was $230,000.

Draft Reasonable Security Practices Rules 2011 [38]

In February 2011, the Ministry of Information and Technology, published draft rules under section 43A in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold.

Sensitive Personal Information
Rule 3 of these Draft Rules designates the following types of information as ‘sensitive personal information’:

password;

user details as provided at the time of registration or thereafter;

information related to financial information such as Bank account / credit card / debit card / other payment instrument details of the users;

physiological and mental health condition;

medical records and history;(vi) Biometric information;

information received by body corporate for processing, stored or processed under lawful contract or otherwise;

call data records;

This however, does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”.

They and “any person” holding sensitive personal information are forbidden from “keeping that information for longer than is required for the purposes for which the information may lawfully be used”[40]

Mandatory Privacy Policies for body corporates

Rule 4 of the draft rules enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” [41]. The policy must provide details of:

Type of personal or sensitive information collected under sub-rule (ii) of rule 3;
Purpose, means and modes of usage of such information;
Disclosure of information as provided in rule 6 [42].

Prior Consent and Use Limitation during Data Collection

In addition to the restrictions on collecting sensitive personal information, body corporate must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”. The body corporate is required to “take such steps as are, in the circumstances, reasonable”[43] to ensure that the individual from whom data is collected is aware of :

the fact that the information is being collected; and
the purpose for which the information is being collected; and
the intended recipients of the information; and
the name and address of :
the agency that is collecting the information; and
the agency that will hold the information.

During data collection, body corporates are required to give individuals the option to opt-in or opt-out from data collection [44]. They must also permit individuals to review and modify the information they provide "wherever necessary" [45]. Information collected is to be kept securely [46], used only for the stated purpose [47] and any grievances must be addressed by the body corporate “in a time bound manner” [48].

Unlike "sensitive personal information" there is no obligation to retain information only for as long as is it is required for the purpose collected.

Limitations on Disclosure of Information

The draft rules require a body corporate to obtain prior permission from the provider of such information obtained either “under lawful contract or otherwise” before information is disclosed [49]. The body corporate or any person on its behalf shall not publish the sensitive personal information [50]. Any third party receiving this information is prohibited from disclosing it further [51]. However, a proviso to this sub-rule mandates information to be provided to ‘government agencies’ for the purposes of “verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences”. In such cases, the government agency is required to send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency is also required to “state that the information thus obtained will not be published or shared with any other person” [52].

Sub-rule (2) of rule 6 requires “any information” to be “disclosed to any third party by an order under the law for the time being in force.” This is to be done “without prejudice” to the obligations of the body corporate to obtain prior permission from the providers of information [53].

Reasonable Security Practices

Rule 7 of the draft rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require:

a comprehensive documented information security program; and

information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.

In case of an information security breach, such body corporate will be “required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security program and information security policies”.

The rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, a body corporate will be deemed to have complied with reasonable security practices and procedures.

The rule also permits “industry associations or industry clusters” who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of sub-rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of section 43A.

Penalties and Remedies for breach of Data Protection

Civil Liability for Corporates

As mentioned above, any body corporates who fail to observe data protection norms may be liable to pay compensation if:

it is negligent in implementing and maintaining reasonable security practices, and thereby

causes wrongful loss or wrongful gain to any person;[54]

Claims for compensation are to be made to the adjudicating officer appointed under section 46 of the IT Act. Further, details of the powers and functions of this officer are given in succeeding sections of this note.

Criminal liability for disclosure of information obtained in the course of exercising powers under the IT Act

Section 72 of the Information Technology Act imposes a penalty on “any person” who, having secured access to any electronic record, correspondence, information, document or other material using powers conferred by the Act or rules, discloses such information without the consent of the person concerned. Such unauthorized disclosure is punishable “with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

Criminal Liability for unauthorized disclosure of information by any person of information obtained under contract

Section 72A of the IT Act imposes a penalty on any person [55] (including an intermediary) who

has obtained personal information while providing services under a lawful contract and

discloses the personal information without consent of the person,

with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss [56]

Such unauthorised disclosure to a third person is punishable with imprisonment upto three years or with fine upto Rs five lakh, or both.

Whom to call? Adjudicatory Mechanism and Remedies under the IT Act

This section provides a brief outline of the mechanism installed by the IT Act to activate the various remedies and penalties prescribed in various sections of the Act. As a victim of online intrusion, how does one use the IT Act to seek redressal?

As mentioned above, the IT Act provides for both the civil remedy of damages in compensation (Chapter IX) as well as criminal penalties for offences such as imprisonment and fine (Chapter XI). In general, claiming a civil remedy does not bar one from seeking criminal prosecution and ideally both should be pursued together. For clarity, in the sections that follow, we will be discussing the two procedures separately.

Civil Damages and Compensation

Whom to approach?

Section 46 of the IT Act empowers the Central Government to appoint “adjudication officers” to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act (See section 2.1 and 4.2 above) and to determine the quantum of compensation payable. Accordingly, the Central Government has designated the secretaries of the Department of Information Technology of each of the states or union territories as the “adjudicating officer” with respect to each of their territories [57].

However, a pecuniary limit has been placed on the powers of adjudicating officers, and they may only adjudicate cases where the quantum of compensation claimed does not exceed Rs. five crores. In cases where the compensation claimed exceeds this amount, jurisdiction would vest in the “competent court”, under the Code of Civil Procedure [58].

Section 61 of the Act bars ordinary civil courts from jurisdiction over matters which the adjudicating officers have been empowered to decide under this Act.

When must a complaint be filed?

The Limitation Act provides that a suit must be filed within three years from when the right to sue accrues [59].

What is the procedure?

Section 46 and the rules framed under that section provide elaborate guidelines on the procedure that is to be followed by the adjudicating officer. Thus, the adjudicating officer is required to give the accused person “a reasonable opportunity for making representation in the matter”. Thereafter, if , on an inquiry, “he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.”

In order to carry out their duties adjudicating officer have been invested with the powers of a civil court which are conferred on the cyber appellate tribunal [60]. Additionally, they have the power to punish for their contempt undert the Code of Criminal Procedure.

Rules framed under the section provide further details on the procedure that must be followed and provide for the issuance of a “show cause notice”, manner of holding enquiry, compounding of offences, etc. [61].

Section 47 provides that in adjudging the quantum of compensation, the adjudicating officer shall have due regard to the following factors, namely:—

the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;

the amount of loss caused to any person as a result of the default;

the repetitive nature of the default.

Where must a complaint be filed and in what format?

The complaint must be made to the adjudicating officer of the state or union territory on the basis of location of computer system, computer network. The complaint must be made on a plain paper in the format provided in the Performa attached to the rules [62].

In case the offender or computer resource is located abroad, it would be deemed, for the purpose of prosecution to be located in India [63].

How long does the process take?

The Rules direct that the whole matter should be heard and decided “as far as possible” within a period of six months [64].

How much does it cost?

The Rules stipulates a variable fee payable by a bank draft calculated on the basis of damages claimed by way of compensation

a) Upto Rs. 10,000	10% ad valorem rounded off to nearest next hundred
b) From 10001 to Rs.50000	Rs. 1000 plus 5% of the amount exceeding Rs.10,000 rounded off to nearest next hundred
c) From Rs.50001 to Rs.100000	Rs. 3000/- plus 4% of the amount exceeding Rs. 50,000 rounded off to nearest next hundred
d) More than Rs. 100000	Rs.5000/- plus 2% of the amount exceeding Rs. 100,000 rounded off to nearest next hundred

Appeals to the Cyber Appellate Tribunal and the High Court

The Act provides for the constitution of a cyber appellate tribunal to hear appeals from cases decided by the adjudicating officer.

Within 25 days of the copy of the decision being made available by the adjudicating officer, the aggrieved party may file an appeal before the cyber appellate tribunal.

Section 57 provides that the appeal filed before the cyber appellate tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal. Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the cyber appellate tribunal on any question of fact or law arising out of such order. Such an appeal must be filed within 60 days from the date of communication of the decision or order of the cyber appellate tribunal.

Can contraventions be compounded (compromised) with the offender?

Except in the case of repeat offenders, contraventions may be compromised by the adjudicating officer or between the parties either before or after institution of the suit. Where any contravention has been compounded the IT Act provides that “no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded”[65].

Criminal Penalties

The process described above applies to “contraventions” under Chapter IX of the Act. In addition to being liable to pay compensation, in the cases falling under section 43, such offenders may also be liable for criminal penalties such as imprisonment and fines [66]. This sub-section of this paper deals with the procedure to be followed with respect to the criminal offences set out under Chapter XI of the Act (for example, see sections 2.2 to 2.5 above).

Whom to approach? Who can take cognizance of offences and investigate them?

Section 78 of the IT Act empowers police officers of the rank of Inspectors and above to investigate offences under the IT Act.

Many states have set up dedicated cyber crime police stations to investigate offences under this Act [67]. Thus, for example, the State of Karnataka has set up a special cyber crime police station responsible for investigating all offences under the IT Act with respect to the entire territory of Karnataka [68].

When must a complaint be lodged?

Although there is no time limit prescribed by the IT Act or the Code of Criminal Procedure with respect to when an FIR must be filed, in general, courts tend to take an adverse view when a significant delay has occurred between the time of occurrence of an offence and it’s reporting to the nearest police station.

The Code of Criminal Procedure forbids courts from taking cognizance of cases after three years “if the offence is punishable with imprisonment for a term exceeding one year but not exceeding three years”. Where either the commission of the offence was not known to the person aggrieved, or where it is not known by whom the offence committed, this period is computed from the date on which respectively the offence or the identity of the offender comes to the knowledge of the person aggrieved [69].

What is the procedure?

No special procedure is prescribed for the trial of cyber offences and hence the general provisions of criminal procedure would apply with respect to investigation, charge sheet, trial, decision, sentencing and appeal.

Can offences be compounded?

Offences punishable with imprisonment of upto three years are compoundable by a competent court. However, repeat offenders cannot have their subsequent offences compounded. Additionally, offences which “affect the socio-economic conditions of the country” or those committed against a child under 18 years of age or against women cannot be compounded [70].

Bibliography

[1].The IT Act is only one of the various laws which safeguard citizens from violations of online privacy. In addition, in the domain of finance, for instance, various RBI regulations mandate strong security protocols with respect to data held by financial institutions. Since this is the subject of a different dispatch on banking and privacy which we have brought out, these regulations are omitted from this discussion.

[2].Section 2(k) of the IT Act defines ‘computer’ as any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.

[3].Section 43 defines "computer contaminant" as any set of computer instructions that are designed— (a) to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network;

[6].Section 66 of the IT Act. Anon, 2009. Bangalore techie convicted for hacking govt site. Deccan Herald. Available at: http://goo.gl/jCvAh. [Accessed March 29, 2011];

[7].The Information Technology (Due Diligence observed by Intermediaries Guidelines) Rules, 2011;

[8].‘Intermediary’ has been defined very expansively under section 2(w) of the Act to mean, with respect to any electronic record, “any person who on behalf of another person receives, stores or transmits that record, or provides any service with respect to that record and includes telecom service providers, network service providers, Internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes

[9].‘Private area’ has been defined in section 66E as “the naked or undergarment clad genitals, pubic area, buttocks or female breast”.

[10].Defined as “circumstances in which a person can have a reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of his or her private area was being captured or (ii) any part of his or her private area would not be visible to the public regardless of whether that person is in a public or private place”. See explanation to Section 66E

[11]."Cheating by personation" is a crime defined under section 416 the Indian Penal Code. According to that section, “a person is said to "cheat by personation" if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is." The explanation to the section adds that "the offence is committed whether the individual personated is a real or imaginary person". Two illustrations to the section further elaborate its meaning: (a) A cheats by pretending to be a certain rich banker of the same name. A cheats by personation (b) A cheats by pretending to be B, a person who is deceased. A cheats by personation.

[12].Communication device" has been defined to mean "cell phones, personal digital assistance (sic) or combination of both or any other device used to communicate send or transmit any text, video, audio or image".

[13].2005. Cyber Crime Cell, Mumbai: Case of Phishing. Mumbai Police. Available at: http://www.cybercellmumbai.com/case-studies/case-of-fishing [Accessed March 23, 2011].

[14]. Although no maximum limit is prescribed for the fine under this section, Section 63 of the Indian Penal Code declares that “Where no sum is expressed to which a fine may extend, the amount of fine to which the offender is liable is unlimited, but shall not be excessive”.

[15].Hafeez, M., 2009. Crime Line: Curiosity was his main motive, say city police. Crime Line. Available at: http://mateenhafeez.blogspot.com/2009/05/curiosity-was-his-main-motive-say-city.html [Accessed March 23, 2011].

[16]. Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&sectid=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[18]. By contrast, rules framed under Section 69B designates only the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and IT as the “competent authority” to issue orders of interception.

[19].It is unclear what these “operational reasons” could mean. The text of the rules provide no useful guidance.

[20].“Cyber security breach” is defined as meaning “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly acceptable security policy resulting in unauthorized access, denial of service, disruption, unauthorized use of a computer resource for processing or storage of information or changes to date, information without authorization”. Rule 2(f) of the Monitoring and Collecting of Traffic Data Rules 2009.

[21].Rule 7 of the Interception Rules 2009; Rule 3(3) of the Monitoring and Collecting of Traffic Data Rules 2009

[22].Rule 8 of the Interception Rules 2009

[23]. Rule 9 of the Interception Rules 2009

[24].Rule 10 of the Interception Rules 2009;

[25].Rule 11 of the Interception Rules 2009

[26].Rule 7 of the Interception Rules 2009

[27].Rule 22 of the Interception Rules 2009

[28]. Ibid

[29].Section 69 of the IT Act.

[30].The intermediary is required to assist in the decryption only to the extent that the intermediary has control over the decryption key. See Sub-Rule 13(3) of the Interception Rules 2009. Rule 17 enjoins the holder of a decryption key to provide decryption assistance when directed to by the competent authority.

[31].Rule 16 of the Interception Rules 2009

[32].Rule 18 of the Interception Rules 2009

[33]. Rule 20 of the Interception Rules 2009; Rules 10 & 11 of the Monitoring and Collecting of Traffic Data Rules 2009. Failure to maintain secrecy of data may attract punishment under Section 72 of the Information Technology Act.

[34].Supra n. 6 for definition

[35].Section 43A defines "'body corporate" as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

[36].This does not necessarily mean that these entitles are exempt from taking reasonable care to safeguard information that they collect, maintain or control – only that remedies against the government must be sought under general common law, rather than under the IT Act.

[37].Anon, 2005. The MphasiS Scandal – And How it Concerns U.S. Companies Considering Offshore BPO. Carretek. Available at: http://www.carretek.com/main/news/articles/MphasiS_scandal.htm [Accessed March 29, 2011]. See also Anon, 2005. MphasiS case: BPOs feel need to tighten security. Indian Express. Available at: http://www.expressindia.com/news/fullstory.php?newsid=44856 [Accessed March 29, 2011].

[38]. The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011. Available at http://www.mit.gov.in/sites/upload_files/dit/files/senstivepersonainfo07_02_11.pdf, last accessed February 15th, 2011.

[39].Rule 5 of the Draft Rules.

[40]. This is perhaps a bit vague, since the potential ‘lawful uses’ are numerous and could be inexhaustible. It is unclear whether “lawful usage” is coterminous with “the uses which are disclosed to the individual at the time of collection”. In addition, this rule is framed rather weakly since it does not impose a positive obligation (although this is implied) to destroy information that is no longer required or in use.

[41].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[42]. This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6.

[43].One wonders about the convoluted language used here when a simpler phrase like “take reasonable steps” alone might have sufficed - reasonableness has generally been interpreted by courts contextually. As the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.

[44].Sub-Rule 5(7).

[45].Sub-Rule 5(6). It is unclear what would count as a ‘necessary’ circumstance and who would be the authority to determine such necessity.

[46].Sub-Rule 5(8).

[47].Sub-Rule 5(5).

[48].Sub-Rule 5(9).

[49]. Sub-Rule 6(1) There are two problems with this rule. First, it requires prior permission only from the provider of information, and not the individual to whom the data pertains. In effect this whittles down the agency of the individual in being able to control the manner in which information pertaining to her is used. Second, it is not clear whether this information includes “sensitive personal information”. The proviso to this rule includes the phrase “sensitive information”, which would suggest that such information would be included. This makes it even more important that the rule require that prior permission be obtained from the individual to whom the data pertains and not merely from the provider of information.

[50].Sub-Rule 6(3).

[51].Sub-Rule 6(4).

[52].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?

[53].This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

[54]. “Wrongful loss” and “wrongful gain” have been defined by Section 23 of the Indian Penal Code. Accordingly, "Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled. "Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled.” The section also includes this interesting explanation “Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property”. Following this, it could be possible to argue that the retention of data beyond the period of its use would amount to a “wrongful gain”.

[55]. Section 3(39) of the General Clauses Act defines a person to include “any company or association or body of individuals whether incorporated or not”. An interesting question here would be whether the State can be considered “a person” so that it can be held liable for unauthorized disclosure of personal information. In an early case of Shiv Prasad v. Punjab State AIR 1957 Punj 150, the Punjab High Court had excluded this possibility. However, the case law on this point has not been consistent. In Ramanlal Maheshwari v.Municipal Committee, the MP High Court held that the Municipal Council could be treated as a ‘person’ for the purpose of levying a fine attached to a criminal offence. Statutory corporate bodies (such as the proposed UID Authority of India) have been held to be ‘persons’ for purposes of law . See Commissioners, Port of Calcutta v. General Trading Corporation, AIR 1964 Cal 290. Here under the Calcutta Port Act, Port Commissioners were declared to be a “body corporate”, and hence were held to be a ‘person’.

[56].See supra n. 44.

[57]. See G.S.R.240(E) New Delhi, the 25th March, 2003 available at < http://www.mit.gov.in/content/it-act-notification-no-240> .

[58].See Section 46(1A).

[59].Schedule I, Part X of the Limitation Act “Suits for which there is no prescribed period.”

[60].The powers of the Cyber Appellate Tribunal under Section 58 include the powers of (a) summoning and enforcing the attendance of any person and examining him on oath; (b) requiring the discovery and production of documents or other electronic records; (c) receiving evidence on affidavits; (d) issuing commissions for the examination of witnesses or documents; (e) reviewing its decisions; (f) dismissing an application for default or deciding it ex parte.

[61].Information Technology (Qualification and Experience of Adjudicating Officers and Manner of holding Enquiry) Rules, 2003 [GSR 220(E)] Available at <http://cca.gov.in/rw/resource/notification-gsr220e.pdf?download=true>.

[62]. Ibid Rule 4(b).

[63]. Section 75.

[64]. Ibid, Rule 4(k).

[65]. Section 63 of the Act.

[66].Prior to amendment in 2008, contraventions listed in Section 43 were only liable to be compensated by damages through civil proceedings. Thus in 2007, the Madras High Court annulled an FIR lodged in a police station which listed an activity mentioned in 43(g). See S. Sekar vs The Principal General Manager < http://indiankanoon.org/doc/182565/> This position has however been changed with the new Section 66 which makes all actions listed in Section 43 an offence when committed with dishonest or fraudulent intent. Thus an FIR can be lodged with respect to these activities as well.

[67].An incomplete list of cyber crime cells of police in different states can be viewed at <http://infosecawareness.in/cyber-crime-cells-in-india>.

[68]. Home and Transport3 Secretariat, Notification no. HD 173 POP 99 Bangalore, Dated 13th September 2001 Available at < http://cyberpolicebangalore.nic.in/pdf/notification_1.pdf>.

[69]. Sections 468 and 469 of the Code of Criminal Procedure, 1973.

[70]. Section 77A of the Information Technology Act.

Click below to download files of your choice:

PDF [347 kb]
Open Office [51 kb]
Word File [55 kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy

Privacy and Surveillance Roundtable

praskrishna — 2014-06-29T14:50:20Z

The Centre for Internet and Society and the Cellular Operators Association of India invite you to a roundtable at the India International Centre, New Delhi on July 4, 2014.

Background and Context to the Roundtables

In India, lawful interception of communications may be conducted by the state in three ways: firstly, intercepting telephone calls and other telecommunications may take place under powers listed in the Telegraph Act, 1885 and procedure set out in the Telegraph Rules, 1951; secondly, intercepting written communications transmitted through the postal service or by private couriers may occur under the Post Office Act, 1898; and, thirdly, intercepting, de-crypting, and monitoring email messages and other electronic communications may take place under the Information Technology Act, 1950 and two sets of Rules issued in 2008.

The government’s intention to create a Central Monitoring System to automate the existing process of telephone tapping is significant for a number of reasons. It will bypass private telephone service providers; currently the active cooperation of TSPs is required and compelled in order to intercept and monitor a telephone conversation. This creates an extra layer of compliance activity for TSPs which is cumbersome and expensive. Interception orders from the state often do not comply with the procedure required by law. This uncertainty is compounded by the lack of an indemnity for TSPs.

However, while the CMS will release TSPs from legal liability, it will leave the government free to conduct telephone interceptions in absolute secrecy and without a credible system of oversight and checks and balances. Amongst the world’s major democratic countries, India is alone in refusing to overhaul its telephone tapping regime. The legal requirements of probable cause, judicial sanction, and warrant-based interception – which are followed with exceptions in democracies around the world – are not adequately protected in India. The same principles also apply to the interception of postal and electronic communications.

There are several intelligence and police agencies in India that conduct interceptions of communications without central coordination. Previous cases in the Supreme Court of India and a few Indian High Courts reveal many cases of improper and even illegal surveillance. The sheer number of interested state agencies, the concerns of inadequate oversight, the lack of a credible legal regime, the constant leaks of private communications, and the poor legal protection given to TSPs and ISPs must be legally addressed.

Information about the Roundtables

The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI). From June 2014 – November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The Report of the Group of Experts on Privacy

In January 2012 Justice A.P. Shah formed a committee to create a report of recommendations for privacy legislation in India. The committee met seven times from January 2012 to September 2012. The Report is made up of six chapters and begins by reviewing the international best practices around privacy and the relevant Indian jurisprudence. The Report then recommends nine National Privacy Principles to be adopted by each sector in India. The Nine National Privacy Principles reflect international standards, as well as taking into consideration the Indian context. Along with the National Privacy Principles, the Report lays out a regulatory framework for privacy including privacy commissioners at the regional and national level, self regulating organizations at the industry level, and a system of complaints. Finally the report demonstrates how the National Privacy Principles could be used to harmonize existing legislation and practices.

The Draft CIS Citizens Privacy (Protection) Bill 2013

The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness, completing in depth research, and driving a privacy legislation in India. As part of this work, the Centre for Internet and Society has drafted the Privacy (Protection) Bill 2013. The Citizens Privacy Protection Bill contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the privacy commissioner, and lays out offenses and penalties for contravention of the Act. The Bill represents a citizens’ version of a privacy legislation, and will be shared with civil society, industry, and government. It is hoped that the review and revision of the Bill will be a participatory process, and thus comments and feedback to it’s’ provisions will be included as annex’s to the Bill.

The International Principles on the Application of Human Rights to Communication Surveillance

These principles were defined in 2013 in response to rapidly changing technologies and surveillance practices. The principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology, spearheaded by the Electronic Frontier Foundation US and Privacy International UK. As technologies that facilitate State surveillance of communications advance, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights and adequately protect the rights to privacy and freedom of expression. These principles attempt to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to communications surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.

Tentative Agenda

Time	Detail
10.00 11.00	Introduction
11.00 11.30	Tea
11.30 13.00	Discussion
13.00 14.00	Lunch
14.00 16.00	Discussion
16.00 16.15	Tea

Resources

For more details visit https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi

Privacy and Surveillance Roundtable

praskrishna — 2014-06-20T05:26:10Z

The Centre for Internet and Society and the Cellular Operators Association of India in collaboration with the Council for Fair Business Practices invite you to a "Privacy Roundtable" at IMC Building, IMC Marg, Churchgate, Mumbai on June 28, 2014, 10.00 a.m. to 4.00 p.m.

Time	Details
10:00 – 11:00	Introduction
11:00 - 11:30	Tea
11:30 - 13:00	Discussion
13:00 - 14:00	Lunch
14.00 - 16.00	Discussion
16.00 - 16.15	Tea

Background and Context to the Roundtables

Information about the Roundtables

The Report of the Group of Experts on Privacy

The Draft CIS Citizens Privacy (Protection) Bill 2013

The International Principles on the Application of Human Rights to Communication Surveillance

Tentative schedule for the Roundtables:

Mumbai – June 28th
New Delhi – July 4th
Ahmedabad/Hyderabad – August 1st
Bangalore – September 5th
New Delhi – October 3rd
Chennai – October 24th
New Delhi – November 7th

Resources

For more details visit https://cis-india.org/events/privacy-surveillance-roundtable

Privacy and Surveillance in India

praskrishna — 2013-09-13T09:49:25Z

Sunil Abraham, Executive Director from the Centre for Internet and Society will give a talk on privacy and surveillance in India at this event organised by the Centre for Culture, Media and Governance, Jamia Millia Islamia on September 18, 2013. The talk will be held at Network Governance Lab, CCMG, Jamia Millia Islamia in New Delhi at 11.30 a.m.

Click to read the brochure

Abstract

The talk will cover the development of privacy policy in India over the last 3 years, particularly in relation to projects such as NATGRID, CMS and UID. Special attention will be paid to the Justice A.P. Shah committee report, the last leak of the privacy bill from the DoPT and also the citizen draft of the privacy bill developed by the Centre for Internet and Society. International experiences such as Snowden's disclosures and the development of communication surveillance principles developed by EFF and others will be compared and contrasted with the Indian context.

About the Speaker

Sunil is the executive director of the Centre for Internet and Society (CIS), Bangalore. CIS is a 4 year old policy and academic research organisation that focuses on accessibility by the disabled, intellectual property rights policy reform, openness [Free/Open Source Software, Open Standards, Open Content, Open Access and Open Educational Resources], internet governance, telecom, digital natives and digital humanities.

He is also the founder of Mahiti, a social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. Sunil continues to serve on the board of Mahiti. He is an Ashoka fellow and was elected for a Sarai FLOSS Fellowship. For three years, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

Sunil currently serves on the advisory boards of Open Society Foundations - Information Programme, Mahiti, Samvada and International Centre for Free/Open Source Software.

For more details visit https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india

Privacy and Security Implications of Public Wi-Fi - A Case Study

vanya — 2016-12-12T12:29:49Z

Today internet is an essential necessity in everyday work and recognizing its vital role, governments across the world including the Indian government, are giving access to public Wi-Fi. However, use of public Wi-Fi brings along with it certain privacy and security risks. This research paper analyses some of these concerns, along with the privacy policies of key ISPs in India providing public Wi-Fi service in Bangalore-namely D-VoIS and Tata Docomo, as a case study to provide suitable recommendations.

Download (PDF)

1. Introduction

2. Global Scenario

3. Overview of Public Wi-Fi in India

4. Indian Policy and Legal Conundrum

5. Public Wi-Fi and Privacy Concerns

5.1. Data Theft

5.2. Tracking an Individual

5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks

5.4. Illegal Use of Data

6. Ranking Digital Rights Project

6.1. D-VoIS, Bangalore

6.2. Tata Docomo, Bangalore

7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

8. Conclusion and Recommendations

8.1. Commitment

8.2. Freedom of Expression

8.3. Privacy

1. Introduction

Recognizing internet as a critical tool for day-to-day work and facilitating increased access to it in the past few years,^[1] the Indian Government as well as Governments across the world have rolled out plans for offering public Wi-Fi. However, privacy risks of using public Wi-Fi have also been flagged across jurisdictions, which will be discussed in this paper. Apart from highlighting key privacy concerns associated with the use of free public Wi-Fi, this case study aims to analyse the privacy policies of two of the Internet Service Providers in India-namely Tata Docomo^[2] and D-VoiS^[3], which offer public Wi-Fi services in Bangalore city against the indicators listed under the Ranking Digital Rights project^[4], as well as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011^[5]. Based on this analysis, this paper shall list key recommendations to these ISPs to ensure sound privacy policies and practices with a view to have a balanced framework and ecosystem in light of key privacy considerations, especially in light of public Wi-Fi.

2. Global Scenario

Security and privacy concerns around the use of free and public Wi-Fi have been raised in India^[6] as well as across the globe. In various cities like Bangalore, Delhi, Hyderabad, New York, London, Paris, etc., privacy experts have raised concerns over the public Wi-Fi systems at metro stations, malls, payphones and other such public places.^[7]

For many years, New York City has been in the process of developing a “free” public Wi-Fi project called LinkNYC^[8] to bring wireless Internet access to the residents of the city. However, privacy concerns have been raised by the users and privacy advocates like the New York Civil Liberties Union, where the latter also issued a letter to the Mayor's office regarding this^[9] as the collection of potentially sensitive personal, locational and behavioral data, without adequate safeguards could result in sharing of such data without the data subject’s consent or knowledge. For example, one of the concerns raised has been regarding retention of user's data by CityBridge, the company behind the LinkNYC kiosks, often indefinitely, for building a massive database which carries a risk of security breaches and unwarranted surveillance by the police. ^[10] Also, users are concerned that their internet browsing history may reveal sensitive information about their political views, religious affiliations or medical issues^[11], since registration is required to use LinkNYC by submitting their email addresses and by agreeing to allow CityBridge to collect information about the websites they visit, the duration for which they linger on certain information on a webpage and the links they click on. On the contrary, the privacy policy of CityBridge states that this massive amount of personally identifiable user information would be cleared only if there have been 12 months of user inactivity, raising an alarm in light of privacy concerns.^[12]

In the year 2015, the Information Commissioner’s Office (ICO) conducted a review of public Wi-Fi services on a UK high street, where it was found that the Wi-Fi networks requested for varying levels of personal data, which was also processed for marketing purposes. The results highlighted that while some networks did not request any personal data, others asked for varying amounts, including information regarding name, postal and email address, mobile number, gender, as well as asking for a date of birth as a mandatory requirement (except for gender). During the sign-up process, though some Wi-Fi networks provided users with the choice to opt-in or opt-out for receiving electronic newsletters and updates, others offered no choice at all.^[13] As a result of the review process, the ICO notified Wi-Fi network providers that it had reviewed and advised them of improvements that they could make to their service and issued guidance^[14] regarding the dangers of using public Wi-Fi^[15]. ICO also recommended users to take time to read all the information given by providers of Wi-Fi services before connecting.

In 2006, the European Data Retention Directive 2006/24/EC^[16] was introduced for the retention of communications data by providers of public electronic communications services for national security. The Directive provides an obligation for providers of publicly available electronic communications services and public communications networks to retain traffic and location data for the purpose of the investigation, detection, and prosecution of serious crime.^[17] Also, the Data Retention (EC Directive) Regulations 2009^[18] were introduced to implement the Directive in the UK. However, this was challenged on grounds of insufficient safeguards for the privacy rights of individuals, given the substantial interference which it facilitated with those rights.^[19]

To ensure protection of user’s data and information, the Data Protection Act 1998^[20] in UK obliges businesses retaining people’s data to comply with the law, which involves informing people about what data is being collected and ensure that the data is stored securely.^[21] . Therefore, in case of ISP’s providing public Wi-Fi service, this would relate to the information people provide when they log on, such as their email address. Under the Act, the data protection principles must be complied with by the data controllers and it needs to be ensured that the information is used fairly and lawfully, for limited and stated purposes, used in a way that is adequate, relevant and not excessive, kept for no longer than is absolutely necessary, handled according to people’s data protection rights, kept safe and secure and not transferred outside the European Economic Area without adequate protection.^[22] This would soon be updated and synced with the European Union’s General Data Protection Directive (GDPR).

3. Overview of Public Wi-Fi in India

In India, the public Wi-Fi in some cases has been offered free for a limited duration, in several cities across the country. For example, in 2014, Bangalore became the first city in the country to establish free public Wi-Fi- Namma Wi-Fi (802.11N) to make Bangalore a smart and connected city. The service is offered at MG Road, Brigade Road and four other locations in Bangalore including Traffic and Transit Management Centres (TTMCs) at Shanthinagar, Yeshwanthpur, Koramangala and CMH Road in Indiranagar.^[23] The internet and Wi-Fi service provider for Namma Wi-Fi is D-VoiS Broadband Ltd,a city-based firm.^[24] However, it seems the State Government plans to pull the plug on the project, funds, lack of awareness and difficulty in access as key constraints.^[25] Tata Docomo has inked an agreement with GMR Airports to offer Wi-Fi services at several International Airports in the country, including the Bangalore International Airport. It offers access to access free Wi-Fi service for 45 minutes, following which they users are required to pay for the service online, to continue using the Wi-Fi service.^[26]

Delhi has also introduced free Wi-Fi at its premier shopping hubs of Connaught Place and Khan Market in the year 2014, and BSNL launched a free WiFi service at Karnataka’s Malpe beach in the year 2016 making it the first WiFi beach in the three coastal districts of the state.^[27] The State Governments of Mumbai, Kolkata, Patna and Ahmedabad also offer free Wi-Fi services in limited areas.^[28] As part of the flagship programme by Indian Government, Digital India, the Government announced the rollout of Wi-Fi services by June 2015 at select public places in 25 Indian cities with population of over 10 lakh and tourist destinations by December 2015.^[29] Also, the Government has plans to digitise India by rolling out free Wi-Fi in 2500 towns and cities over a span of 3 years.^[30] Google plans to deploy WiFi at 100 railway stations in partnership with Railtel. Under this scheme, Mumbai Central was the first station to get free Wi-Fi in the year 2016.^[31] Also, Google's Project Loon aims to provide internet connectivity in remote and rural areas in India, which is currently being tested in other countries.^[32].

4. Indian Policy and Legal Conundrum

In light of national security concerns around the misuse of public Wi-Fi, the Department of Telecommunication, GoI, published a regulation^[33] dated February 2009, defining procedures for the establishment and use of public Wi-Fi to prevent misuse of public Wi-Fi and to be able to track the perpetrator in case of abuse. Indeed, the DOT has stated that “Insecure Wi-Fi networks are capable of being misused without any trail of user at later date”.^[34]

As per the 2009 Regulations, DoT has instructed ISPs to enforce centralized authentication using Login ID and Password for each user to ensure that the identity of the user can be traced.^[35] Regarding Wi-Fi services provided at public places, the Regulations state that bulk login IDs shall be created for controlled distribution, with authentication done at a centralized server. The subscribers are required to use public Wi-Fi by registering with temporary user ID and password, in the following methods:

Obtaining copy of photo identity of the subscriber, to be maintained by Licensee for one year; or
Providing details of user ID and password via SMS on subscriber's mobile phone , to be used as his/her identity by keeping the mobile number for one year.

Additionally, the data protection regime in India is governed by section 43A of the Information Technology Act, 2000 and the Rules^[36] notified under it. It obliges corporate bodies which possess, deal or handle any sensitive personal data to implement and maintain reasonable security practices, failing which they would be held liable to compensate those affected by any negligence attributable to this failure. The said Rules also define requirements and safeguards that every Body Corporate is legally required to incorporate into the company's privacy policy. The Rules put restrictions on body corporates on collecting sensitive personal information, and also states that it must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information, along with limiting disclosure of such information.^[37] Most of the ISPs in India being a private company, like D-VoiS and Tata Docomo, are obliged to comply with these provisions. Also, under the model License Agreement for Unified License^[38] by Ministry of Communication & IT, Department of Telecommunications, Government of India, where the Unified Access License Framework allows for a single license for multiple services such as telecom, the internet and television and provides certain security guidelines, privacy of communications is to be maintained by the Licensee (the ISPs in this case) and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. It also provides for ensuring unauthorized interception of messages does not take place. Therefore, the ISPs providing public Wi-Fi services in various cities across India would be governed by the data protection regime and could be held liable under these provisions in case of non-compliance with the security measures so stated.

In July 2016, the Telecom Regulatory Authority of India (hereinafter referred as “TRAI”) floated a Consultation paper on Proliferation of Broadband through Public Wi-Fi Networks^[39] with an objective to examine the need of encouraging public Wi-Fi networks in the country from a public policy point of view and discuss the issues as well as solutions in its proliferation. The paper recognises the fact that India is still in a green field deployment phase in terms of adoption of public Wi-Fi services and requires solutions for resolving the challenges and risks being faced in the process and lay a strong foundation to evolve towards a meaningful position in the advancement of initiatives related to Internet of Things, Smart Cities, etc.^[40] This is an important step towards fulfilment of the Digital India scheme of the Indian Government to ensure better connectivity. In the paper, TRAI has advocated development of a payment platform which allows easy access to Wi-Fi services across internet service providers (ISPs) and through any payment instrument.^[41] Besides that, the paper raises issues of various regulatory, licensing or policy measures required to encourage ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas, along with the issue of encouraging interoperability between the Wi-Fi networks of different service providers, both within the country and internationally, as well as between cellular and Wi-Fi networks.^[42]

5. Public Wi-Fi and Privacy Concerns

Since proliferation of public Wi-Fi in India is happening at a moderate pace, the paper discusses key issues towards this, one of them being the logistics of deploying this service. This section briefly states and acknowledges privacy and security concerns as an important factor that may be posing issues in the adoption of public Wi-Fi services in the country. Since there have been numerous cases of security vulnerabilities in public Wi-Fi networks worldwide, security of networks and cyber crimes is a key issue for consideration.^[43]

Deployment of public wireless access points has made it more convenient for people to access the Internet outside of their offices or homes. Despite advantages like ease of accessibility, connectivity and convenience, public Wi-Fi connection pose serious concerns as well. “The proliferation of public Wi-Fi is one of the biggest threats to consumer data”, says David Kennedy, founder of TrustedSec, a specialised information security consulting company based in the United States of America.^[44] Also, the networks become an easier target with little public awareness about the existence of such threats wherein users expose valuable personal data over Wi-Fi hotspots. The recently released Norton Cyber Security Report 2016^[45] shows how the benefit of constant connectivity is often outweighed by consumer complacency, leaving consumers and their Wi-Fi networks at risk. For the purpose of this report, Norton surveyed 20,000 people (over a 1,000 from India ) which reflects that though users in India may be increasingly becoming aware of the cyber threats they face due to use of public Wi-Fi, they don’t fully understand the accompanying risks and their online behaviour is often contradictory.^[46] Also, it is important to consider that the services which claim to be free, actually generate revenue by advertisements, where the model works by providing free access to internet in exchange for user's’ personal and behavioral data, which is subsequently used to target ads to them.^[47]

Some of the privacy harms stemming from use of public Wi-Fi are listed below.

5.1. Data Theft

With hackers finding it easy to access personal information of the data subjects, data can be hijacked by unauthorized internet access by spoofing the MAC and IP addresses of the authenticated user’s device or by use of default settings (saved passwords or IPs).^[48] The following kinds of data is at a risk of being stolen and further misused:

demographic and locational data^[49]
forms of personal information acting as identifiers like financial information, social and personal information^[50]
private information like passwords to social networking sites, email accounts and banking websites^[51]
historical data from the devices^[52]

5.2. Tracking an Individual

Like cell phones, Wi-Fi devices have unique identifiers that can be used for tracking purposes which can cause potential security issues. Tracking by using a Wi-Fi hotspot can also lead to third party harms like stalking.^[53] To receive or use a service, often websites require the user to share their personal information such as name, age, ZIP code, or personal preferences, which is many times shared with advertisers and other third parties, without the knowledge or consent of the users.^[54]

5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks

A recent experiment conducted by the chief scientist at mobile security firm Appknox at the Bengaluru International Airport, India, found that the wireless devices could be easily hacked over the airport’s free Wi-Fi network due to the easily exploitable security holes in the software made by Apple, Google, and Microsoft.^[55] A similar experiment was backed by the European law enforcement agency, Europol, where a mobile hotspot was created in central London^[56] and the hacker was able to gain access to passwords, apps, and even credit card and banking information with ease.^[57] Lack of secure softwares and prevalence of open, unprotected Wi-Fi has made it fairly easy for hackers to set up fake twin access points that give them access to data histories and personal information.^[58] This makes is easy to track data histories of users. Even if certain softwares use encryption codes, a simple decryption software can be used to obtain the information.^[59]

5.4. Illegal Use of Data

By authorities: the authorities have easier access to people’s browsing details and habits, and with justification in the name of national security, could be used to monitor the people without their consent.^[60]

Wi-Fi provider: can sell the user’s demographic and location information. ^[61] Also, it was revealed in a study that the personal information of users is often transmitted by service providers without encryption. Anyone along the path between the user and the service’s data center can then intercept this information, opening users to grave privacy and security risks.^[62]

By hackers: steal information and hack into unsuspecting victim’s bank accounts and misuse corporate financial information and secrets^[63]

6. Ranking Digital Rights Project

The "Ranking Digital Rights" project, an ongoing international non-profit research initiative, aims to promote greater respect for freedom of expression and privacy by focusing on the policies and practices of companies in the information communications technology (ICT) sector^[64], rank such companies in this light, and undertake research to develop the ranking methodology.^[65]

In November 2015, the Ranking Digital Rights project launched the Corporate Accountability Index. Since several actors like the Internet and telecommunications companies, software producers, and device and networking equipment manufacturers exert growing influence over the political and civil lives of people all over the world, it is important to state that these organisations share a responsibility to respect human rights. For this purpose, 16 Internet and telecommunications companies were evaluated according to 31 indicators, which focused on corporate disclosure of policies and practices that affect users’ freedom of expression and privacy.^[66]

The data produced by the index can help companies improve their policies, practices and help them identify challenges faced by companies in meeting their corporate obligations to respect human rights like Freedom of Expression and Privacy in the digital space.^[67] Some of the key corporate practices which affect these rights are :

How companies handle government requests to hand over user data or restrict content;
How companies enforce their own terms of service;
What information companies collect about users and how long they retain it; and
To whom they share or sell user information.^[68]

The 2015 Corporate Accountability Index assesses transparency levels of the World’s most powerful Internet and telecommunications companies regarding their commitments, policies and practices that affect users’ freedom of expression and privacy and evaluates what companies share about these practices and offers recommendations for improvement. The methodology adopted relies on publicly available information so that advocates, researchers, journalists, policy makers, investors, and users can understand the extent to which different companies respect freedom of expression and privacy, and make appropriate policy, investment, and advocacy decisions. Also, public disclosures would enable researchers and journalists to investigate and verify the accuracy of company statements.^[69]

For the purpose of this research, we would apply this index and the indicators to the internet service provider of public Wi-Fi in Bangalore-D-VoiS Ltd. and Tata Docomo to understand how comprehensive their privacy policies are when compared to global standards and make informed recommendations. Analysing policies against the index can help these companies identify best practices, as well as the obstacles they face in meeting their corporate obligations to respect human rights in the very digital spheres they helped to create.^[70] The information has been gathered and analysed on the basis of publicly available information, and this can help companies empower users to make informed decisions about how they use technology, which would help build trust between users and companies in the long run.^[71]

6.1. D-VoIS^[72], Bangalore

For the purpose of this case study, the Privacy Policies of D-VoIS have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in Annex 1.

Summary

On the basis of the indicators and the information available, it can be ascertained that:

The Company has a freely available and understandable Privacy Policy and Terms of Use, though only in the English language.

The company does not commit to notify users in case of changes in the privacy policy of the company.

The company states circumstances in which it would restrict use of its services, along with reasons for content restriction.

The Company commits to the principle of data minimization, discloses circumstances when it shares information with third parties, and provides users with options to control the company’s collection and sharing of their information

Deploys industry standards for security of products and services.

Analysis

Commitment: D-VoIS fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. The Company lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lacks stakeholder engagement and a grievance mechanism.

Freedom of Expression: The Company also fares low on Freedom of Expression as the terms of services, though easily available, are only in English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits , it provides no information about how the company notifies these restrictions to the users.

Regarding transparency about content restriction requests, since the Indian law prevents the company from disclosing government requests for content removal^[73], but it does not prevent the company from publishing more information about private requests for content restriction. D-VoIS does not provide any information with respect to this.

Privacy: D-VoIS is required by law to have a privacy policy available on its website, this policy is available in English, but not in other languages spoken in India. Also, D-VoIS does not disclose what user information is collected, how and why, nor does it offer users meaningful access to their information. D-VoIS does not disclose any information regarding retention of user information, and the company could improve its disclosures about what user information it collects and how long it is retained.

Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.

6.2. Tata Docomo^[74], Bangalore

The Privacy Policy and Terms & Conditions of Tata Docomo have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in Annex 2.

Summary

On the basis of the indicators and the information available, it can be ascertained that:

The Company has a freely available and understandable Data Privacy Policy and Terms of Use, though only in English language.

The Company has established electronic and administrative safeguards designed to secure the information collected to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately.

The company states circumstances in which it would restrict use of its services, along with reasons for content restriction. The company’s disclosed policies and practices demonstrate how it works to avoid contributing to actions that may interfere with the right to freedom of expression, except where such actions are lawful, proportionate and for a justifiable purpose.

The Company clearly states the kind of information collected, ways of collection and the reasons for collection as well as sharing.

Deploys industry standards for security of products and services

Analysis

Commitment: Tata Docomo fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. Though the Company has established electronic and administrative safeguards designed to secure the information collected, it lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lack of stakeholder engagement.

Freedom of Expression: The Company fares low on Freedom of Expression as the terms of services, though easily available, are only in English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits , it provides no information about how the company notifies these restrictions to the users.

Regarding transparency about content restriction requests, since the Indian law prevents the company from disclosing government requests for content removal, it does not prevent the company from publishing more information about private requests for content restriction. Tata Docomo does not provide any information with respect to that.

Privacy: Tata Docomo is required by law to have a privacy policy available on its website, this policy is available in English, but not in other languages spoken in India. No information is publically available regarding users option to control company's collection of information. Tata Docomo discloses that user information shall be retained as long as required and does not mention a specific duration for the same. Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.

7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The Privacy Policy and Terms & Conditions of D-VoIS and Tata Docomo have been analysed on the basis of the security measures and procedures stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 to ascertain how sound and compliant the framework is with the existing data protection regime in India. The comparison can be accessed in Annex 3.

Comparing the requirements listed under the Rules with the policies of both the companies, it can be said that though the websites of both companies provide privacy policies and are easily accessible, they lack crucial information regarding consent of the user before collection as well as sharing of information. Also, though the policies state the purpose of sharing such data with third parties, it does not state the purpose of collection of the information. The policies are also silent regarding the requirements to be complied with before transferring personal data into another jurisdiction . There is also no information about the companies having a grievance officer. Additionally, though the terms of services of D-VoIS state that the customer may choose to restrict the collection or use of their personal information, both companies do not specifically provide for an opt out mechanism to its users.

8. Conclusion and Recommendations

To allay the numerous concerns regarding privacy and security with respect to public Wi-Fi’s, the ISPs must have a sound Privacy Policy in place. For this purpose, adherence to the indicators as listed under the Corporate Accountability Index, along with requirements for security of personal information stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 and improving the policies accordingly shall greatly contribute to protection of Freedom of Expression and ensure Privacy of user information. Ensuring compliance with the existing data protection regime in the country becomes more important in light of the growing privacy and security concerns due to proliferation of free and public Wi-Fi service in India. Adequate measures like acquiring consent for collection and sharing of user data, commitment by company executives to ensure protection of rights of individuals, adoption of security standards, creating awareness about security concerns, etc. by such corporate must be considered to ensure protection of personal information and reduce the likelihood of a data breach. Both D-VoIS and Tata Docomo must consider the following recommendations in order to meet the criteria set by the Ranking Digital Rights project, ensuring commitment towards protection of right to freedom of expression and privacy of the users.

8.1. Commitment

Set in place an oversight mechanism to monitor how the company’s policies and practices affect freedom of expression and privacy. In case the Company already has that in place, information regarding the same must be made publically available for greater transparency.
Also, they must conduct regular, comprehensive, and credible due diligence, such as human rights impact assessments, to identify how all aspects of their business impact freedom of expression and privacy.
In addition to that, they must Provide for a remedy or grievance mechanism. The Telecom Regulatory Authority of India also requires that all service providers have redress mechanisms. In case the Company already has that in place, information regarding the same must be made publically available for greater transparency.

8.2. Freedom of Expression

The Companies must make an effort to make the Terms of Service available in the most commonly spoken languages by its users, besides English.
Also, it is recommended that the Companies must ensure to provide meaningful notice to users regarding change in terms of service.
Besides disclosing what content and activities the companies prohibit, they must disclose information regarding how it enforces these prohibitions and should provide examples regarding the circumstances under which it may suspend service to individuals or areas to help users understand such policies.
The Companies must also disclose information regarding the process for evaluating and responding to requests from third parties to restrict content or service. Additionally, it must disclose how long it retains user information, publish process for evaluating and responding to requests from government and other third parties for stored user data and/or real-time communications.

8.3. Privacy

Though both the Companies disclose that the user information shall be shared with third parties, and Tata Docomo discloses what information is collected and how, yet there should be no legal impediment for the companies to improve its disclosures about what user information it collects, with whom it is shared, and how long it is retained to protect the privacy of the users.
Though Tata Docomo allows the users to review and correct their Personal Information collected by the Company, D-VoIS must release information regarding whether the users are able to view, download or otherwise obtain all of the information about them that the company holds. In case it does not allow, the Company must duly change its policy regarding the same.
The Companies must also publish information to help users defend against cyber threats.

^[1] The Financial Express, ‘Free wi-fi: Digital Dilemma’, February 22, 2015,

http://www.financialexpress.com/article/economy/free-Wi-Fi-digital-dilemma/45804/

^[2] Tata Docomo, http://www.tatadocomo.com/

^[3] D-VoIS Communication Pvt. Ltd. http://www.dvois.com/

^[4] Ranking Digital Rights, https://rankingdigitalrights.org/

^[5] the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Available at : http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf

^[6] See : http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/, http://www.aljazeera.com/indepth/features/2016/03/india-unlocking-public-wi-fi-hotspots-160308072320835.html , http://www.business-standard.com/article/technology/indians-most-willing-to-share-personal-data-over-public-wifi-116083000673_1.html and http://articles.economictimes.indiatimes.com/2015-05-20/news/62413108_1_corporate-espionage-hotspots-bengaluru-airport

^[7] Scroll, ‘Free wifi in Delhi is good news but here is the catch’, November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[8] LinkNYC, https://www.link.nyc/

^[9] See : http://www.nyclu.org/files/releases/city%20wifi%20letter.pdf

^[10] The Huffingtonpost, ‘Maybe You Shouldn't Use Public Wi-Fi In New York City’, March 16, 2016, http://www.huffingtonpost.in/entry/public-wifi-nyc_us_56e96b1ce4b0b25c9183f74a

^[11] NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,

http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns

^[12] NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,

http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns

^[13]Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/

^[14]Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/

^[15]Marketing Law, ‘The ICO sounds a warning on public wi-fi and privacy’, November 24, 2015,

http://marketinglaw.osborneclarke.com/data-and-privacy/the-ico-sounds-a-warning-on-public-Wi-Fi-and-privacy/

^[16]Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32006L0024

^[17] Feiler, L., "The Legality of the Data Retention Directive in Light of the Fundamental Rights to Privacy and Data Protection", European Journal of Law and Technology, Vol. 1, Issue 3, 2010, http://ejlt.org/article/view/29/75

^[18] The Data Retention (EC Directive) Regulations 2009 http://www.legislation.gov.uk/ukdsi/2009/9780111473894/pdfs/ukdsi_9780111473894_en.pdf

^[19] Purple, ‘Update on the legal implications of offering public WiFi in the UK’, September 10, 2014, http://purple.ai/update-legal-implications-offering-public-wifi-uk/

^[20] Data Protection Act 1998, http://www.legislation.gov.uk/ukpga/1998/29/contents

^[21] Wireless Social, http://www.wireless-social.com/how-it-works/legal-compliance/

^[22] Data Protection Act 1998, https://www.gov.uk/data-protection/the-data-protection-act

^[23]The Hindu, ‘Free wifi on M.G. Road and Brigade Road from Friday’, January 23, 2014, http://www.thehindu.com/news/cities/bangalore/free-wifi-on-mg-road-and-brigade-road-from-friday/article5606757.ece

^[24]The Telegraph, ‘Free Wi-fi on tech city streets- Bangalore offers five public hotspots’, January 25, 2014, http://www.telegraphindia.com/1140125/jsp/nation/story_17863705.jsp#.VwIv_Zx97IU

^[25]Economic Times, ‘Karnataka Govt pulls the plug on public Wi-Fi spots in Bengaluru’, March 15, 2016, http://tech.economictimes.indiatimes.com/news/internet/karnataka-govt-pulls-the-plug-on-public-Wi-Fi-spots-in-bengaluru/51404414

^[26] Medianama, ‘Why Don’t Indian Airports Offer Free WiFi To Passengers?’, May 22, 2013, http://www.medianama.com/2013/05/223-indian-airports-free-wifi/

^[27]Hindustan Times, ‘BSNL launches free public WiFi at Karnataka’s Malpe beach’, January 25, 2016, http://www.hindustantimes.com/tech/bsnl-launches-free-public-wifi-on-karnataka-s-malpe-beach/story-XVM06KQKIcoyqV8CLJoYzJ.html

^[28]TechTree, ‘Problems With Free City-Wide Wi-Fi Hotspots In India’, September 28, 2015,

http://www.techtree.com/content/features/9914/problems-free-city-wide-Wi-Fi-hotspots-india.html#sthash.2ZSf9kq7.dpuf

^[29]India Today, ‘25 Indian cities to get free public Wi-Fi by June 2015’, December 17, 2014, http://indiatoday.intoday.in/technology/story/25-indian-cities-to-get-free-public-Wi-Fi-by-june-2015/1/407214.html

^[30]Business Insider, ‘Modi Government To Roll Out Free Wi-Fi In 2,500 Towns And Cities To Make India Digital’, January 23, 2015, http://www.businessinsider.in/Modi-Government-To-Roll-Out-Free-Wi-Fi-In-2500-Towns-And-Cities-To-Make-India-Digital/articleshow/45989339.cms

^[31]RailTel launches free high-speed public Wi-Fi service with Google at Mumbai Central, http://www.railtelindia.com/images/Mumbai.pdf

^[32]Economic Times, ‘Google may get government nod to conduct pilot for Project Loon in India’, May 24, 2016,

http://economictimes.indiatimes.com/tech/internet/google-may-get-government-nod-to-conduct-pilot-for-project-loon-in-india/articleshow/52408455.cms

^[33]Department of Telecommunications, Ministry of Communications & IT, Government of India, February 23, 2009, http://www.dot.gov.in/sites/default/files/Wi-%20fi%20Direction%20to%20UASL-CMTS-BASIC%2023%20Feb%2009.pdf

^[34] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[35]MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’, http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf

^[36] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

^[37]The Centre for Internet & Society, ‘Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?’, April 7, 2011, http://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy

^[38]License Agreement for Unified License, http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf

^[39] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[40] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[41] The Economic Times, ‘Trai floats consultation paper to boost broadband through Wi-Fi in public places’, July 14, 2016, http://economictimes.indiatimes.com/articleshow/53195586.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

^[42] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[43]Mint, ‘Trai issues paper on public Wi-Fi networks’ July 14, 2016, http://www.livemint.com/Industry/1jVgso2R2Lz4NR5IYFaCtN/Trai-issues-paper-on-public-WiFi-networks.html

^[44]Forbes,’How To Avoid Data Theft When Using Public Wi-Fi’, March 4, 2014, http://www.forbes.com/sites/amadoudiallo/2014/03/04/hackers-love-public-wi-fi-but-you-can-make-it-safe/#373c75e32476

^[45]Symantec, ‘Norton Cyber Security Insights Report’, 2016, https://www.symantec.com/content/dam/symantec/docs/reports/2016-norton-cyber-security-insights-report.pdf

^[46]The Indian Express, ‘Indian cybercrime victims don’t learn from past experience: Norton Report’, November 18, 2016, http://indianexpress.com/article/technology/tech-news-technology/indian-users-complacent-when-it-comes-to-cyber-security-norton-report/

^[47]Mashable, ‘This is the real price you pay for 'free' public Wi-Fi’, January 26, 2016, http://mashable.com/2016/01/25/actual-cost-free-Wi-Fi/?utm_cid=mash-com-Tw-main-link#WmAJGJ_COiq5

^[48]MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’, http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf

^[49]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[50]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[51]The Indian Express, ‘Public Wifi can be used to steal private information: IT Security Expert’, May 19, 2015, http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/#sthash.xiuWtL6v.dpuf

^[52]Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[53]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[54]University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns & Practices in Everyday Wi-Fi Use’, https://djw.cs.washington.edu/papers/wifi-CHI09.pdf

^[55]Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/

^[56]The Guardian, ‘Londoners give up eldest children in public Wi-Fi security horror show’, September 29, 2014, https://www.theguardian.com/technology/2014/sep/29/londoners-Wi-Fi-security-herod-clause

^[57] Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[58]ABC13, ‘Hackers set up fake Wi-Fi hotspots to steal your information, July 10, 2015, http://abc13.com/technology/hackers-set-up-fake-Wi-Fi-hotspots-to-steal-your-information/835223/

^[59]Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[60] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[61] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[62]University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns & Practices in Everyday Wi-Fi Use’, https://djw.cs.washington.edu/papers/wifi-CHI09.pdf

^[63] Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/

^[64] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[65] Business & Human Rights Resource Centre, ‘Ranking Digital Rights Project’, http ://business-humanrights.org/en/documents/ranking-digital-rights-project

^[66] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[67] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[68] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[69] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[70] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[71] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[72] D-VoIS Communication Pvt. Ltd. http://www.dvois.com/

^[73]Section 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 states that all request and complaints must be kept confidential.

^[74] Tata Docomo, http://www.tatadocomo.com/

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security-implications-of-public-wi-fi-a-case-study

Privacy and Security Can Co-exist

sunil — 2012-03-21T09:05:57Z

The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

TODAY, the national discourse around the “ right to privacy” posits privacy as antithetical to security.

Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far. Already as per the Internet Service Provider ( ISP) licence, citizens using encryption above 40- bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking — essential in small quantities but completely counter- productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multitiered blanket surveillance of all lawabiding citizens and enterprises.

When your mother visits the local cybercafe to conduct an e- commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber- cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence ( even though none of them publish a data- retention policy). Some e- commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.

Data retention at the cyber- cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.

Surveillance capabilities are not a necessary feature of information systems.

They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.

Terrorists, cyber- warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of Xray machines how many you should purchase for an airport, would you? An airport airport with 2,000 X- ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching salestargets using tax- payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber- cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter- productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.

Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law- abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition this will only result in further insecurity and break- down of the rule of law.

The writer is executive director of the Bangalore- based Centre for Internet and Society.

Read the original published in Mail Today here

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security

Privacy and Governmental Databases

elonnai — 2012-03-22T05:41:38Z

In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy, concerning government databases.

Government Databases and recommendations for privacy practices

Citizen-State relationships and privacy standards
Government databases foster different types of relationships between the state and its citizenry. For instance: User databases, service providing databases, and information providing databases. Each one these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.
Specific privacy policy

Each government database should have a specific privacy policy that are tailored to the information that they hold. Each policy should cover the following areas:
- data collection
- digitization
- usage
- storage
- security
- disclosure
- retrieval
- access (inter departmental and public)
- anonymization, obfuscation and deletion.
Personal vs. personal sensitive and public vs. non-public data categories

Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct

categories for security levels over data and permissibility of public disclosure. Ex of personal information: Name, address, telephone number, religion. Ex of non-personal data: gender, age. This could work to avoid situations such as the census - where a person’s name, address, age, etc, were all printed for the public eye.
Standardization of Privacy Policies and Access Control

Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect the privacy in interoperable systems - restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance" This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.
Record of breach notification

If data breach occurs in government database, the breach should be recorded and the appropriate individuals notified.
Anonymization/obfuscation and deletion policies

Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.
Accountability for accuracy of data

Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.
Appropriate uses of government databases

Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government database must be guided by policies that define "appropriate usage."
Access, updation and control of personal information

Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.

Bibliography

Rezhui, Abdemounaam. Preserving Privacy in Web Services. Department of Computer Sciences, Virginia Tech.
Medjahed, Brahim. Infrastructure for E-Government Web Services. IEEE Internet Computing, Virgina Tech. January/Feburary 2003.

Mladen, Karen. A Report of Research on Privacy for Electronic Government. Privacy in Canada

joi.ito.com/privacyreport/Contents_Distilled/.../Canada_E_p252-314.pdf

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

Privacy after Big Data - Workshop Report

amber — 2017-01-27T01:09:17Z

The Centre for Internet and Society (CIS) and the Sarai programme, CSDS, organised a workshop on 'Privacy after Big Data: What Changes? What should Change?' on Saturday, November 12, 2016 at Centre for the Study of Developing Societies in New Delhi.

This workshop aimed to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy. It was an open event.

In this age of big data, discussions about privacy are intertwined with the use of technology and the data deluge. Though big data possesses enormous value for driving innovation and contributing to productivity and efficiency, privacy concerns have gained significance in the dialogue around regulated use of data and the means by which individual privacy might be compromised through means such as surveillance, or protected. The tremendous opportunities big data creates in varied sectors ranges from financial technology, governance, education, health, welfare schemes, smart cities to name a few. With the UID project re-animating the Right to Privacy debate in India, and the financial technology ecosystem growing rapidly, striking a balance between benefits of big data and privacy concerns is a critical policy question that demands public dialogue and research to inform an evidence based decision. Also, with the advent of potential big data initiatives like the ambitious Smart Cities Mission under the Digital India Scheme, which would rely on harvesting large data sets and the use of analytics in city subsystems to make public utilities and services efficient, the tasks of ensuring data security on one hand and protecting individual privacy on the other become harder.

This workshop sought to discuss some of the emerging problems due to the advent of big data and possible ways to address these problems. The workshop began with Amber Sinha of CIS and Sandeep Mertia of Sarai introducing the topic of big data and implications for privacy. Both speakers tried to define big data and brief history of the evolution of the term and raised questions about how we understand it. Dr. Usha Ramanathan spoke on the right to privacy in the context of the ongoing Aadhaar case and Vipul Kharbanda introduced the concept of Habeas Data as a possible solution to the privacy problems posed by big data. Amelia Andersotter discussed national centralised digital ID systems and their evolution in Europe, often operating at a cross-functional scale, and highlighted its implications for discussions on data protection, welfare governance, and exclusion from public and private services. Srikanth Lakshmanan spoke of the issues with technology and privacy, and possible technological solutions. Dr. Anupam Saraph discussed the rise of digital banking and Aadhaar based payments and its potential use for corrupt practices. Astha Kapoor of Microsave spoke about her experience of implementation of digital money solution in rural India.

Post lunch, Dr. Anja Kovacs and Mathew Rice spoke on the rise of mass communication surveillance across the world, and the evolving challenges of regulating surveillance by government agencies. Mathew also spoke of privacy movements by citizens and civil society in regions. In the final speaking session, Apar Gupta and Kritika Bhardwaj traced the history of jurisprudence on the right to privacy and the existing regulations and procedures. In the final session, the participants discussed various possible solutions to privacy threats from big data and identity projects including better regulation, new approached such as harms based regulation and privacy risk assessments, and conceiving privacy as a horizontal right. The workshop ended with vote of thanks from the organizers.

The agenda for the event can be accessed here, and the transcript is available here.

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-workshop-report