Centre for Internet and Society

The Surveillance Industry in India – An Analysis of Indian Security Expos

divij — 2015-03-08T12:25:15Z

The author talks about the surveillance industry in India and analyses Indian security expos.

Introduction

The 'Spy Files', a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world - a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals.[1] These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites. Moreover, the unregulated and undiscerning nature of the industry means that it has enabled governments (and also private agencies) across the world - from repressive dictatorships to governments in western democracies with a growing track record of privacy and civil liberties infringements - to indulge in secretive, undemocratic and often illegal surveillance of their citizens. The Spy Files and related research have revealed how the mass surveillance industry utilizes the rhetoric of national security and counter-terrorism to couch technologies of surveillance.

'Security' and the Normalization Of Surveillance

New technologies undoubtedly create a potential for both malicious as well as beneficial use for society. Surveillance technologies are a prime example, having both enabled improvements in law enforcement and security, but at the same time creating unresolved implications for privacy and civil liberties. These technologies expose what Lawrence Lessig describes as 'latent ambiguities' in the law - ambiguities that require us to assess the implications and effects of new technologies and how to govern them, and most importantly, to choose between conflicting values regarding the use of technologies, for example, increased security as against decreased privacy.[2]

Unfortunately, In India, the ambiguity seems to have been resolved squarely in favour of surveillance - under the existing regulatory regime, surveillance is either expressly mandated or unregulated, and requires surveillance to be built into the architecture and design of public spaces like internet and telephone networks, or even public roads and parks. Most of these regulations or mechanisms are framed without democratic debate, through executive mechanisms and private contracts with technology providers, without and public accountability or transparency.

For example, under the telecom licensing regime in India, the ISP and UASL licenses specifically require lawful interception mechanisms through hardware or software to be installed by the licensees, for information (Call Data Records, Packet Mirroring, Call Location) to be provided to 'law enforcement agencies', as specified by the Government.[3] Section 69 of the Information Technology Act, the main legislation governing the Internet in India, read with the rules framed under the Act, makes it incumbent upon 'intermediaries' to provide surveillance facilities at the behest of government agencies.[4]

Beyond this, the State and its agencies Section 69 and 69B of the IT Act empower the government to intercept and monitor any data on the Internet. The Telegraph Act also permits wiretapping of telephony.[5] The proposed Central Monitoring System by the Central Government would give state agencies centralized access to all telecommunications in real time, on telephony or on the Internet. Other surveillance schemes include the Keyword Tracking system NETRA, as well as several state government proposed comprehensive CCTV-surveillance schemes for cities. [6] Clearly, therefore, there is a massive market for surveillance technologies in India.

Tracking the Surveillance Market

The Mass surveillance industry by its very nature is closed, secretive and without democratic oversight, Insights into the prevalence, nature and scope of the companies that form this industry, or the technologies that are utilized are far and few. No democratic debate about surveillance can take place in such a paradigm. In this context, security expos and exhibitions provide critical insight into this industry. Several of the important revelations about the industry in the past have been from examinations of large exhibitions in which the various governmental and industry actors participate, and therefore, such analysis is critical to the debate surrounding mass surveillance. Such exhibitions are a logical starting point because they are one of the few publically accessible showcases of surveillance-ware, and are also a congregation of most major players who are part of this market both as suppliers and purchasers.

Our research identified at least 13 exhibitions in India that specifically cater to the surveillance industry. A brief outline of each of these exhibitions is provided below:

1. Secutech India (Brochures: 2015 -http://www.secutechindia.co.in/pdf/secutech%20brochure.pdf)

The Secutech Expo is an exhibition held in Bombay and Delhi since 2011, to showcase Information Security, Electronic Security and Homeland Security technologies. Secutech also organizes the Global Digital Surveillance Forum, a conference amongst the stakeholders of digital surveillance industry in India.[7]

Exhibitors: Ivis; Matrix Comsec; Neoteric; Smartlink; Kanoe; Micro Technologies; Aditya Infrotech; CoreTech Solutions; Merit Lilin; Schneider Electric; Pash systems; Nettrack Technologies Pvt Ltd.; QNAP; Axxonsoft; Hk Vision (China); Alhua; Axis; Vivotech (Taiwan); Endroid (USA); Vantge (UK); Pelco (France); Advik; Hi Focus (UK); ESMS; Keeper (China); Neoteric; Vizor, etc

Visitors: The visitor profile and target audience consists of government and defense agencies, besides private agencies.

Technologies on display: Digital surveillance, biometrics, CCTV and RFID are some categories of the technologies which are showcased here.

2. IFSEC India (Brochures: 2013 - http://www.ifsecindia.com/uploads/IFSEC%20INDIA%20brochure%202013.pdf; 2014 - http://www.ubmindia.in/ifsec_india/uploads/IFSEC_INDIA_Brochure_CS5_new_low.pdf.)

IFSEC India, an extension of IFSEC UK, the 'worlds largest security exhibition', proclaims to be South Asia's largest security exhibition with 15,000 participants in its latest edition, including a special segment on surveillance. It has been held in either Bombay or Delhi since 2007.

Exhibitors: Honeywell; Infinova; Radar Vision; QNAP; Ensign; Winposee; Bosch; Comguard; Verint; ACSG; Ensign etc.

Visitors: Visitors include government agencies such as the Central Industrial Security Force, Border Security Force, Department of Internal Security, Railway Protection Force and the Department of Border Management.

Technologies on display: RFID, Video Surveillance, Surveillance Drones, IP Surveillance, Digital Surveillance and Monitoring were some of the categories of technologies on display.

3. India International Security Expo (Brochures: 2014 - http://www.indiasecurityexpo.com/images/e_brochure.pdf)

Held in New Delhi since 1996, and organized by the Ministry of Home Affairs, the expo is described as "India's largest show case of goods and services related to Homeland Security, Fire Safety, Traffic Management, Industrial Safety and Public Safety, Hospitality and Reality Security." With specific reference to the changing 'modus operandi of crime by using technology', the Expo focuses on using surveillance technologies for law enforcement purposes.

Exhibitors: Intellivision (USA); Intex (India); ESC Baz (Israel); Sparsh Securitech; Source Security (USA); Intellivision (USA); Interchain Solutions; ESSI; Kritikal; Matrix; Pace Solutions etc.

Visitors: According to the show's brochure, visitors include Central & State Police Organisations, Paramilitary Forces, Policy-makers from the Government, Industrial Establishments, Security Departments of Educational, Retail, Hospitality, Realty & other sectors, Colonisers, Builders, RWAs, System Integrators Large business houses and PSU's.

Technologies on display: Access control systems, surveillance devices, RFID, traffic surveillance and GPS Tracking.

4. Secure Cities Expo (Brochures: 2013 - http://securecitiesindia.com/Secure_Cities_2013_Brochure.pdf; 2014 - http://securecitiesindia.com/images/2014/SC_2014_Brochure.pdf.)

Secure Cities Expo has been organized since 2008, on the platform of providing homeland security solutions and technologies to government and private sector participants.

Exhibitors: Dell; Palo Alto Networks; Motorola; Konnet; Vian Technologies; Quick Heal; Intergraph, GMR, Tac Technologies, Steria, Teleste, Elcom, Indian Eye Security; Mirasys; CBC Group; Verint (USA); IBM (USA); Digitals; EyeWatch; Kanoe; NEC (Japan); ACSG Corporate; ESRI (USA), etc.

Visitors: Visitors include government and law enforcement agencies including the Ministry of Home Affairs as well as systems integrators and private firms including telecom firms.

Technologies on display: CCTV, Biometrics, Covert Tracking and Surveillance Software, Communication Interception, Location and Tracking systems, and IT Security.

5. Defexpo India (Brochures: No publically available brochures)

By far India's largest security exposition, the Ministry of Defense has organized Defexpo India since 1999, showcasing defense, border, and homeland security systems from technology providers internationally.

Exhibitors: Aurora Integrated; Airbus Defence (France); Boeing (USA); Hacking Team (Italy); Kommlabs (Germany); Smoothwall; Atlas Electronik; Cyint; Audiotel International; Cobham; Tas-Agt; Verint; Elsira (Elbit) (Israel); IdeaForge; Comint; Controp; Northrop Gruman; Raytheon; C-DoT; HGH Infrared (Israel); Okham Solutions (France); Septier (Israel); Speech Technology Centre (Russia); Aerovironment (USA); Textron; Sagem (France); Amesys (France); Exelis; ITP Novex (Israel), etc.

Visitors: The latest edition of the Expo saw participation from governmental delegations from 58 countries, besides Indian governmental and law enforcement authorities.

Technologies on display: The entire spectrum of surveillance and homeland security devices is on display at Defexpo, from Infrared Video to Mass Data Interception.

6. Convergence India Expo (Brochures: 2012 - http://convergenceindia.org/download/CI2012-PSR.pdf; 2014 -http://www.convergenceindia.org/pdf/CI-2014-Brochure.pdf; 2015 - http://www.convergenceindia.org/pdf/brochure-2015.pdf.)

Convergence India, being held in New Delhi since 1991, is a platform for interaction between Information and Communication Technology providers and purchasers in the market. In recent years, the expo has catered to the niche market for IT surveillance.

Exhibitors: ELT (UK); Comguard; Fastech; Synway (China); Saltriver; Anritsu (Japan); Cdot; Fastech; Rahul Commerce; Deviser Electronics; RVG Diginet; Blue Coat (USA); Cyberoam (USA); ZTE (China); Net Optics (USA); Controp; Comint etc.

Visitors: Visitors include Paramilitary Forces, Cable Operators, Government Ministries and PSU's and Telecom and Internet Service Providers.

Technologies on Display: Biometrics, Content Filtering, Data Mining, Digital Forensics, IP-Surveillance, Embedded Softwares, Network Surveillance and Satellite Monitoring were some of the technologies on display.

7. International Police Expo (Brochures: 2014 - http://www.nexgengroup.in/exhibition/internationalpoliceexpo/download/International_Police_Expo_2014.pdf.)

The International Police Expo held in New Delhi focuses on providing technologies to police forces across India, with specific focus on IT security and communications security.

Exhibitors: 3G Wireless Communications Pvt Ltd; Motorola Solutions; Cyint; Matrix Comsec; Cellebrite; Hayagriva; MKU; CP Plus etc.

Visitors: Visitors include State Police, Procurement Department, CISF, CRPF, RAF, BSF, Customs, GRPF, NDRF, Special Frontier Force, Para Commandos, Special Action Group, COBRA and PSU's and educational institutes, stadiums and municipal corporations, among others.

Technologies on display: Technologies include RFID and surveillance for Internal Security and Policing, CCTV and Monitoring, Vehicle Identification Systems, GPS, Surveillance for communications and IT, Biometrics and Network surveillance.

8. Electronics For You Expo (EFY Expo) ( 2014 - http://2013.efyexpo.com/wp-content/uploads/2014/03/efy_PDFisation.pdf; 2015 - http://india.efyexpo.com//wp-content/uploads/2014/03/5th%20EFY%20Expo%20India_Brochure.pdf.)

EFY Expo is a electronics expo which showcases technologies across the spectrum of electronics industry. It has been held since 2010, in New Delhi, and is partnered by the Ministry of Communications and IT and the Ministry of Electronics and IT.

Exhibitors: Vantage Security; A2z Securetronix; Avancar Security; Digitals security; Securizen Systems; Vision Security; Mangal Security Systems, etc.

Visitors: The visitors include Government Agencies and ministries as well as systems integrators and telecom and IT providers.

Technologies on display: Identification and Tracking Products and Digital Security Systems are a specific category of the technologies on display.

9. Indesec Expo (Brochures: 2009 - http://www.ontaero.org/Storage/14/897_INDESEC_Oct11-13_2009.pdf. )

An exhibition focused on homeland security, and sponsored by the Ministry of Home Affairs, the expo has been held since 2008 in New Delhi, which includes a specific category for cyber security and counter terrorism.

Exhibitors: Rohde and Schwarz; Salvation Data; AxxonSoft; KritiKal; Shyam Networks; Teledyne Dalsa; Honeywell; General Dynamics; Northrop Grumman; Interchain Solutions, etc.

Visitors: Visitors include officials of the central government, central police and paramilitary forces, Ministry of Defence, central government departments, institutes and colleges, state government and police and ports and shipping companies.

10. Next Generation Cyber Threats Expo

Held since 2012 in New Delhi and Mumbai, the Next Generation Cyber Threats Expo focuses on securing cyber infrastructure and networks in India.

Exhibitors: Ixia, CheckPoint, etc.

Visitors: Visitors include Strategic Planning Specialists, Policy Makers and Law Enforcement among others.

11. SmartCards/RFID/e-Security/Biometrics expo (Brochures: 2013 - http://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013 ; 2015 - http://www.smartcardsexpo.com/pdf/SmartCards_Expo_2015_Brochure_$.pdf)

These expos are organized by Electronics Today in Delhi or Mumbai since 1999 and supported by the Ministries of Commerce, Home Affairs and External Affairs. They showcase various identification solutions, attended by hundreds of domestic and international exhibitors.

Visitors: Target audiences include central and local level law enforcement and government organizations, Colleges and Universities, and defense forces.

12. Com-IT Expo (Brochure: 2014 - http://www.comitexpo.in/doc/Brochure.pdf)

This expo has been organized by the Trade Association of Information and Technology in Mumbai since 2008, and focuses on software and hardware Information Technology, with specific focus on IT security and surveillance.

Visitors: Visitors include Government Agencies, Airport Authorities, Police and Law Enforcement, Urban Planners, etc.

Technologies Displayed: CCTV's, Surveillance Devices and IP Cameras, etc.

13. GeoIntelligence India (Brochures: 2013 - http://www.geointelligenceindia.org/2013/Geointelligence%20India%20Brochure.pdf; 2014 - http://geointworld.net/Documents/GeoInt_Brochure_2014.pdf.)

It is an exposition held in New Delhi since 2014, organized by Geospatial Media and Communications Pvt Ltd, and is 'dedicated to showcasing the highest levels of information exchange and networking within the Asian defense and security sector.'

Exhibitors: ESRI (USA); BAE Systems (UK); Leica (Switzerland); Helyx (UK); Digital Globe; Intergraph; Trimble (USA); RSI Softech; Silent Falcon etc.

Visitors: Visitors included the Director General of Information Systems, CRPF, Manipur, Delhi, Haryana and Nagaland Police, CBI, ITBP, NSDI, SSB, National Investigation Agency, Signals Intelligence Directorate among others.

Surveillance Wares in India - The Surveillance Exhibits and what they tell us about the Indian Surveillance Industry

An analysis of the above companies and their wares give us some insight into what is being bought and sold in the surveillance industry, and by whom. Broadly, the surveillance technologies can be grouped in the following categories:

Video Surveillance and Analysis

IP Video Surveillance and CCTV are quickly becoming the norm in public spaces. Emerging video surveillance tools allow for greater networking of cameras, greater fields of vision, cheaper access and come with a host of tools such as facial recognition and tracking as well as vehicle tracking. For example, IBM has developed an IP Video Analytics system which couples monitoring with facial recognition.[8] USA's Intellivision also offers analytics systems which enable licence plate tracking, facial recognition and object recognition.[9] HGH Infrared's Spynel system allows infrared wide-area surveillance,[10] and CBC's GANZ allows long-range, hi-resolution surveillance. [11]

Video surveillance is gradually infiltrating public spaces in most major cities, with Governments promoting large-scale video surveillance schemes for security, with no legal sanctions or safeguards for protecting privacy.

Companies showcasing Video Surveillance: 3G Wireless Communications Pvt Ltd, Motorola Solutions (USA), Bosch, CP Plus, Ivis, Aditya Infotech, Micro technologies, Core Tech (Denmark), Merit Lilin , Schneider Electric, Shyam Systems, Dalsa, Honeywell, Teleste, Mirasys, CBC Group, Infinova, Radar Vision, QNAP, Ensign, Winposee, Bosch, Hik Vision (China), Alhua, Axis Communications, Vivotech (Taiwan), Endroid (USA), Vantge (UK), Pelco (France), Advik, Hi Focus (UK), ESMS, Keeper (China), Neoteric, Vizor, Verint (USA), IBM (USA), Digitals Security, Intellivision (USA), Intex, Esc Baz (Israel), Sparsh Securitech, A2zsecuretronix, Avancar Security, Securizen Systems, Vision Security, HGH Infrared (Israel).

RFID/Smart Cards/Biometric Identification

India has begun the implementation of the Unique Identification Programme for its 1.2 billion strong population, combining a host of identification technologies to provide a unique identification number and Aadhar Card - promoted as an all-purpose ID. However, this remains without legislative sanction, and continues in the face of severe privacy concerns. Such centralized, accessible databases of ostensibly private information present a grave threat to privacy. RFID, Smart Cards and Biometric Identification technologies (like the Aadhar) all make individual monitoring and surveillance significantly easier by enabling tracking of individual movements, consumer habits, attendance, etc.

Companies showcasing Identification Technologies:

AxxonSoft, Matrix Comsec, Ensign, Hi focus, Intellivision (USA), Interchain solutions, Inttelix, Kanoe, NEC (Japan), Pace, Realtime, Secugen, Source Security (USA), Spectra, Speech technology centre (Russia), BioEnable Technologies.

(For a more detailed list, see the Smart Cards Expo Brochures, linked above)

Mass Data Gathering, Monitoring and Analysis

The age of Big Data has led to big surveillance. Information and communication technologies now host significant amounts of individual data, and the surveillance industry makes all of this data accessible to a surveyor. Government mandated surveillance means any and all forms of communication and data monitoring are being implemented in India - there are network taps on telephony and deep packet inspection on internet lines, which makes telephone calls, SMS, VoIP, Internet searches and browsing and email all vulnerable to surveillance, constantly monitored through systems like the Central Monitoring System. Moreover, centralized information stores enable data mining - extracting and extrapolating data to enable better surveillance, which is what India's NATGRID aims to do.

Hacking Team Italy, Blue Coat USA and Amesys France, three of the five companies identified as 'enemies of the internet' for enabling dictatorships to use surveillance to quell dissent and violate human rights,[12] have all presented surveillance solutions at Defexpo India. Cyberoam USA and ZTE China also market Deep Packet Inspection technology,[13] while ESRI's Big Data suite allows analysis through mass surveillance and analysis of social media and publically available sources. [14]

Indian companies showcasing mass data monitoring technologies include Cyint, Fastech DPI tools,[15] Kommlabs VerbaProbe packet switching probes,[16] and ACSG's OSINT, which allows Big Data social media surveillance and Call Data Record analysis.[17]

Companies showcasing Data Gathering and Monitoring technologies:

Cobham, Comguard, Cyint, ELT (UK), Fastech, Hacking Team (Italy), Smoothwall (USA), Verint Systems (USA), Cyint technologies, Atlas Electronik (Germany), Audiotel International (UK), Avancar, Cobham (UK), ELT (UK), Eyewatch, Kommlabs, Mangal Security Systems, Merit Lilin (Taiwan), Ockham Solutions (France), Septier (Israel), Synway (China), ACSG Corporate, Amesys (France), Anritsu (Japan), Axis (Sweden), BAE Systems (UK), Blue Coat (USA), C-dot, Comint, Cyberoam (USA), Deviser Electronics, Elsira (Elbit) (Israel), Esri (USA), Exelis, General Dynamics (USA), Helyx (UK), ITP Novex (Israel), Leica (Switzerland), Net Optics (Ixia) (USA), Northrop Gruman (USA), Rahul Commerce, Rohde And Schwarz (Germany), RVG Diginet, Tas-Agt, Trueposition (USA), Zte Technologies (China).

Cell-Phone Location Tracking and Vehicle Monitoring

A number of technologies enable location tracking through vehicle GPS, GLONASS or other location technologies. RFID or optical character recognition further enables Automatic Number Plate Recognition, which can be exploited to enable vehicle surveillance to track individual movements. Embedded hardware and software on mobile phones also allows constant transmission of location data, which is exploited by surveillance agencies to track individual movements and location.

Companies showcasing Cell-Phone Location Tracking technologies: Verint, Eyewatch, Septier (Israel), True Position (USA),

Companies showcasing Vehicle Monitoring technologies: Hi-techpoint technologies pvt ltd, Axxonsoft, Essi, Fareye, Intellivision (USA), Interchain Solutions, ITP Novex (Israel), Kaneo, Kritikal, NEC (Japan), Saltriver Infosystems, Vision Security Systems.

Air/Ground Drones and Satellite Surveillance

The use of unmanned drones for security purposes is being adopted for law enforcement and surveillance purposes across the world, and India is no exception, using UAV's for surveillance in insurgency-hit areas,[18] amongst other uses, while still having no regulations for their use.[19] Drones, both aerial and ground level, are capable of large-scale territorial surveillance, often equipped with high-technology video surveillance that allows for efficient monitoring at the ground level.

Digital Globe offers satellite reconnaissance surveillance coupled with Big Data analysis for predictive monitoring. [20] Controp offers cameras specifically for aerial surveillance, while Sagem's Patroller Drone and Sperwer, and Silent Falcon's Solar Powered surveillance drone are Unmanned Aerial Vehicles (UAV's) for aerial video surveillance. Auruora Integrated, [21] and IdeaForge are Indian companies which have developed UAV surveillance drones in collaboration with Indian agencies.[22]

Companies showcasing Drone Surveillance: Aurora Integrated, Controp (Israel), Aerovironment (USA), Digital Globe (USA), ESRI (USA), Intergraph (USA), RSI Softech, Sagem (France), Silent Falcon (UAS), Textron (USA), Trimble (USA), Northrop Grumman (USA).

[1] Wikileaks, The Spy Files, available at https://www.wikileaks.org/the-spyfiles.html.

[2] Lawrence Lessig, Code V 2.0.

[3] For more information on the licensing regime, see 'Data Retention in India', available at http://cis-india.org/internet-governance/blog/data-retention-in-india.

[4] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[5] Section 5, Indian Telegraph Act, 1885.

[6] See, for example, the Bangalore Traffic Police CCTV Scheme, http://www.bangaloretrafficpolice.gov.in/index.php?option=com_content&view=article&id=66&btp=66 ; the surveillance scheme supported by the MPLAD Scheme, http://mplads.nic.in/circular08112012.pdf; Mumbai's proposed video surveillance scheme, http://www.business-standard.com/article/companies/wipro-tata-ibm-reliance-among-31-bids-for-cctv-scheme-in-mumbai-112112600160_1.html.

[7] Information on the Forum is available at http://gdsf-india.com/Global-Digital-Surveillance-Forum1/images/GDSF-Bengaluru-Conference-program.pdf.

[8] http://www-01.ibm.com/support/knowledgecenter/SS88XH_1.6.0/iva/int_i2frs_intro.dita

[9] http://www.intelli-vision.com/products/recognition-suite

[10] http://www.hgh-infrared.com/Products/Optronics-for-security

[11] http://www.ifsecglobal.com/cbc-high-end-surveillance-tech-on-display-at-ifsec-india/

[12] http://surveillance.rsf.org/en/category/corporate-enemies/

[13] http://www.cyberoam.com/firewall.html

[14] http://www.esri.com/products/arcgis-capabilities/big-data

[15] http://www.fastech-india.com/packetBrokers.html

[16] http://www.kommlabs.com/products-verbaprobe.asp

[17] http://www.acsgcorporate.com/osint-software.html

[18] http://timesofindia.indiatimes.com/india/UAV-proves-ineffective-in-anti-Maoist-operations/articleshow/20400544.cms

[19] http://dronecenter.bard.edu/drones-in-india/

[20] https://www.digitalglobe.com/products/analytic-services

[21] http://www.aurora-is.com/

[22] http://www.ideaforge.co.in/home/

For more details visit https://cis-india.org/internet-governance/blog/surveillance-industry-in-india-analysis-of-indian-security-expos

Winter School on Privacy, Surveillance and Data Protection

praskrishna — 2015-02-07T00:37:55Z

The Centre for Communication Governance (CCG) in collaboration with the UNESCO Chair on Freedom of Communication and Information at the University of Hamburg and the Hans Bredow conducted a week-long winter school on 'Privacy, Surveillance and Data Protection at National Law University, Delhi, from January 19 to 23, 2015.

The winter school focused on the law governing privacy in the EU and in India and covered issues ranging from surveillance to data protection. German and Indian members of faculty used interactive methods of teaching and group activities in each session, to help students from Germany, India and Israel contribute to the classroom and learn from each other.

Bhairav Acharya was a speaker at the event. He spoke on 'privacy theory'. More information here.

For more details visit https://cis-india.org/internet-governance/news/winter-school-on-privacy-surveillance-data-protection

Security and Surveillance – Optimizing Security while Safeguarding Human Rights

elonnai — 2015-02-13T02:41:46Z

The Centre for Internet and Society (CIS) on December 19, 2014 held a talk on “Security and Surveillance – Optimizing Security while Safeguarding Human Rights.

The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.

During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.

Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.

Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.

A common theme seemed to be emerging from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - “There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”

The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, “We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.

For more details visit https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights

Symposium on Human Rights and the Internet in India

praskrishna — 2015-02-07T00:50:00Z

On January 17, 2015 the Center for Communication Governance at National Law University, Delhi in collaboration with the UNESCO Chair on Freedom of Communication and Information at the University of Hamburg hosted a pubic symposium on “Human Rights and Internet in India” as a Network of Centers (NoC) regional event. Bhairav Acharya was a panelist.

See the concept note here.

The event convened a diverse group of collaborators working on issues of Privacy, Surveillance, Data Protection, Freedom of Expression and Intermediary Liability in India, the surrounding region, and internationally.

Agenda | Saturday, January 17 | Public Symposium

Opening words
Prof. (Dr.) Ranbir Singh, Vice Chancellor, National Law University, Delhi
Prof. (Dr.) Wolfgang Schulz, Director, Alexander von Humboldt Institute for Internet & Society

17:45 – 19:00 Panel I: Surveillance & Databases: Experiences & Privacy
The panel will explore how surveillance in India might become more consistent with international human rights standards and Indian constitutional values. It will also discuss the consequences of ubiquitous database programs for citizens’ human rights. This will include comparative perspectives around similar problems and a discussion of privacy-compatible practices in other countries.

Panelists:
Dr. Usha Ramanathan, Independent Law Researcher

Mr. Bhairav Acharya, Lawyer, Supreme Court of India and Adviser Centre for Internet & Society, Bangalore

Mr. Saikat Datta, Editor (National Security), Hindustan Times

Professor KS Park, Former Commissioner, Korea Communications Standards Commission and Professor, Korea University Law School

19:00 – 20:15 Panel II: Unpacking the Intermediary Liability Debate in India
The panel will focus on the legal framework governing Internet platforms in India, especially with regard to online content and its implications for rights of the citizens. It has been argued that the current legal framework creates incentives for online intermediaries to take down content even when no substantive notice or legitimate reasons have been offered. The panel will consider the debate around intermediary liability in India in light of the ongoing litigation at the Supreme Court. It will reflect on the international experience with intermediary liability legislation and discuss how to ensure that laws support an innovative and competitive environment for intermediaries, while ensuring that they prioritize the preservation of their users’ human rights.

Panelists:
Dr. Joris van Hoboken, Fellow, Information Law Institute at NYU School of Law

Professor (Dr.) Wolfgang Schulz, Director, Alexander von Humboldt Institute for Internet & Society (HIIG)

Mr. Raman Jit Singh Chima, Lawyer

Chinmayi Arun and Sarvjeet Singh, Centre for Communication Governance at National Law University, Delhi

For more details visit https://cis-india.org/internet-governance/news/symposium-on-human-rights-and-internet-in-india

A Study of the Privacy Policies of Indian Service Providers and the 43A Rules

elonnai — 2015-01-13T02:37:31Z

Written by Prachi Arya and Kartik Chawla
Edited by: Vipul Kharbanda, Elonnai Hickok, Anandini Rathore, and Mukta Batra

Click to download the PDF

Contents
Executive Summary
Introduction
Objective, Methodology, and Scope of the Study
Objective of Research
Methodology
Scope
Criteria for selection of companies being studied
Overview of Company Privacy Policy and Survey Results
Vodafone
Tata Teleservices Limited
Airtel
Aircel
Atria Convergence Technologies
Observations
International Best Practices
Australia
European Union
Recommendations
Annexure 1
Annexure 2

Executive Summary

India has one of the largest telecom subscriber base in the world, currently estimated at 898 Million users.^{^[1]} With over 164.8 Million people accessing the internet ^{^[2]} in the subcontinent as well, technology has concurrently improved to facilitate such access on mobile devices. In fact, the high penetration rate of the internet in the market can be largely attributed to mobile phones, via which over 80% of the Indian population access the medium.^{^[3]}

While this is a positive change, concerns now loom over the expansive access that service providers have to the information of their subscribers. For the subscriber, a company's commitment to protect user information is most clearly defined via a privacy policy. Data protection in India is broadly governed by Rules notified under Section 43A of the Information Technology Act 2000.^{^[4]} Amongst other things, the Rules define requirements and safeguards that every Body Corporate is legally required to incorporate into a privacy policy.

The objective of this research is to understand what standards of protection service providers in India are committing to via organizational privacy policies. Furthermore, the research seeks to understand if the standards committed to via organizational privacy policies align with the safeguards mandated in the 43A Rules. Towards this, the research reviews the publicly available privacy policies from seven different service providers - Airtel, Aircel, Vodafone, MTNL, BSNL, ACT, and Tata Teleservices.

The research finds that only Airtel, Vodafone, and Tata Teleservices fully incorporate the safeguards defined in the 43A Rules. Aircel, and ACT incorporate a number of such safeguards though not all. On the other hand BSNL minimally incorporates the safeguards, while MTNL does not provide a privacy policy that is publicly available.

Introduction

The Indian Telecom Services Performance Indicators report by the Telecom Regulatory Authority of India (TRAI) ^{^[5]} pegs the total number of internet subscribers in India at 164.81 million and the total number of telecom subscribers at 898.02 million, as of March 2013. As mobile phones are adopted more widely, by both rural and urban populations, there is an amalgamation of telecommunications and internet users. Thus, in India, seven out of eight internet users gain access through mobiles phones. ^{^[6]}

Though this rapid evolution of technology allows greater ease of access to digital communication, it also has led to an increase in the amount of personal information that is shared on the internet. Subsequently, a number of privacy concerns have been raised with respect to how service providers handle and protect and customer data as companies rely on this data not only to provide products and services, but also as a profitable commodity in and of itself. Individuals are thus forced to confront the possible violation of their personal information, which is collected as a quid pro quo by service providers for access to their services and products. In this context, protection of personal information, or data protection, is a core principle of the right to privacy.

In India, the right to privacy has been developed in a piecemeal manner through judicial intervention, and is recognized, to a limited extent, as falling under the larger ambit of the fundamental rights enshrined under Part III of the Constitution of India, specifically those under Article 21. ^{^[7]} In contrast, historically in India there has been limited legislative interest expressed by the Government and the citizens towards establishing a statutory and comprehensive privacy regime. Following this trend, the Information Technology Act, 2000 (IT Act), as amended in 2008, provided for a limited data protection regime.

However, this changed in 2010 when, concerned about India's robust growth in the fields of IT industry and outsourcing business, an 'adequacy assessment' was commissioned by the European Union (EU), at the behest of India, which found that India did not have adequate personal data protection regime. ^{^[8]} The main Indian legislation on the personal data security is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), enacted under Section 43A of the IT Act, which extends the civil remedy by way of compensation in case wrongful loss or gain under Section 43A to cases where such loss or gain results from inadequate security practices and procedures while dealing with sensitive personal data or information. In 2012, the Justice AP Shah group of Experts was set up to review and comment on Privacy,^{^[9]} for the purpose of making recommendations which the government may consider while formulating the proposed framework for the Privacy Act.

Objective, Methodology, and Scope of the Study

Objective of Research

This research aims to analyse the Privacy Policies of the selected Telecommunications (TSP) and Internet Service Providers (ISP) (collectively referred to as 'service providers' for the purposes of this research) in the context of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ('Rules') in order to gain perspective on the extent to which the privacy policies of different types of service providers in India, align with the Rules. Lastly, this research seeks to provide broad recommendations about changes that could be incorporated to harmonize the respective policies and to bring them in line with the aforementioned Rules.

Methodology

The Privacy Policies^{^[10]} of seven identified service providers are sought to be compared vis-a-vis - the requirements under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, (Rules) as notified by way of section 87(2) (ob) read with section 43A of the Information Technology Act, 2000.

Specifically, the Privacy Policies of each of the selected companies are compared against a template that is based on of the essential principles of the Rules respectively, and consists of a series of yes or no questions which are answered on the basis of the respective Privacy Policy. These responses are meant to fulfil the first aim of this research, i.e., provide a perspective into the extent to which these companies follow the Rules and the Principles, and thus the extent to which they respect the privacy of their customers. See Annex 1 for the survey template and the interpretation of the 43A Rules for the development of the survey.

Scope

Criteria for selection of companies being studied

For the purpose of the study the companies selected are limited to service providers - including Telecommunication Service Providers and Internet Service Providers. Four broad categories of companies have been selected, namely (i) State Owned Companies, (ii) Multinational Companies, (iii) Joint Venture companies where one party is an Indian company and the other party is a foreign based company and (iv) Domestic companies which have a localized user base. The companies have been selected on this basis of categorization to better understand if the quality of their respective privacy policies is determined by their market reach and user base.

The privacy policies of the following service providers have been analyzed:

1. State Owned Companies^{^[11]}

a. BSNL^{^[12]}: Bharat Sanchar Nigam Limited, better known as BSNL, is a state-owned telecommunications company that was incorporated by the Indian government in the year 2000, taking over the functions of Central Government departments of Telecommunications Services (DTS) and Telecom Operations (DTO). It provides, inter alia, landline, mobile, and broadband services, and is India's oldest and largest communication services provider. ^{^[13]} It had a monopoly in India except for Mumbai and New Delhi till 1992.

b. MTNL^{^[14]}: Mahanagar Telephone Nigam Limited is a state-owned telecommunications company which provides its services in Mumbai and New-Delhi in India, and Mauritius in Africa. It was set up by the Indian Government in the year 1986, and just like BSNL, it had a monopoly in the sector till 1992, when it was opened up to other competitors by the Indian government. It provides, inter alia, Telephone, Mobile, 3G, and Broadband services. ^{^[15]}

2. Multinational Companies

a. Bharti Airtel Ltd:^{^[16]} Bharti Airtel, more commonly referred to as Airtel, is the largest provider of mobile telephony and the second largest provider of fixed telephony in India. Its origins lie in the Bharti Group founded by Sunil Bharti Mittal in 1983, and the Bharti Telecom Group which was incorporated in 1986. It is a multinational company, providing services in South Asia, Africa, and the Channel Islands. Among other services, it offers fixed line, cellular, and broadband services. ^{^[17]} The company also owns a submarine cable landing station in Chennai, connecting Chennai and Singapore.[18]

b. Vodafone^{^[19]}: Vodafone is a British multinational telecom company. Its origins lie in the establishment of Racal Telecom in 1982 which then became Racal Vodafone in 1984, which was a joint venture between Racal, Vodafone and Hambros Technology Trust. Racal Telecom was demerged from Racal Electronics in 1991, and became the Vodafone group. ^{^[20]} The Vodafone group started its operations in India with its predecessor Hutchison Telecom, which was a joint venture of Hutchison Whampoa and the Max Group, acquiring the cellular license for Mumbai in 1994^{^[21]}, and it bought out Essar's share in the same in the year 2007.^{^[22]} As of today, it has the second largest subscriber base in India. After Airtel, ^{^[23]} Vodafone is the largest provider of telecommunications and mobile internet services in India.^{^[24]}

3. Joint Ventures

a. Tata Teleservices^{^[25]} - Incorporated in 1996, Tata Teleservices Limited is an Indian telecommunications and broadband company, the origins of which lie in the Tata Group. A twenty-six percent equity stake was acquired by the Japanese company NTT Docomo in Tata Docomo, a subsidiary of Tata Teleservices, in 2008. ^{^[26]} Tata Teleservices provides services under three brand names, Tata DoCoMo, Virgin Mobile, and T24 Mobile. As a whole, these brands under the head of Tata Teleservices provide cellular and mobile internet services, with the exception of the Tata Sky teleservices brand, which is a joint venture between and Tata Group and Sky. ^{^[27]}

b. Aircel^{^[28]}: Aircel is an Indian mobile headquarter, which was started in Tamil Nadu in the year 1999, and has now expanded to Tamil Nadu, Assam, North-east India and Chennai. It was acquired by Maxis Communication Berhard in the year 2006, and is currently a joint venture with Sindya Securities & Investments Pvt. Ltd. ^{^[29]} Aircel provides telecommunications and mobile internet services in the aforementioned regions.

4. India based Companies/Domestic Companies -

a. Atria Convergence Technologies (ACT)^{^[30]}: Atria Convergence Technologies Pvt. Ltd is an Indian cable television and broadband services company. Funded by the India Value Fund Advisor (IVFA), it is centered in Bangalore, but also provides services in Karnataka, Andhra Pradesh, and Madhya Pradesh.

Overview of Company Privacy Policy and Survey Results

This section lays out the ways in which each company's privacy policy aligns with the Rules found under section 43A of the Information Technology Act. The section is organized based on company and provides both a table with the survey questions and yes/no/partial ratings and summaries of each policy. The rationale and supporting documentation for each determination can be found in Annexure 2.

VODAFONE[31]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of publicly available documents of the body corporate that collect personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Vodafone

Vodafone's privacy policy partially incorporates the safeguards found in the Rules under 43A.

Vodafone's privacy policy is accessible online, however, it does not include a copy of its policy with a customer application form. The policy merely lists the type of information collected with no categorization as to SPD/I. The information collected includes contact information, location based information, browsing activity and persistent cookies.

There is no provision for consent or choice within the policy. Disclosure of personal information to third parties extends to Vodafone's group companies, companies that provide services to Vodafone, credit reference agencies and directories.

The policy mentions an email address for grievance redressal. In addition, the policy does not lay down any mechanism for correcting personal information that is held with Vodafone.

Vodafone has a non-exhaustive list of purposes of information usage, though these primarily relate to subscriber services, personnel training, and legal or regulatory requirements.

With regard to security practices, Vodafone follows the ISO 27001 Certification as per its 2012 Sustainability Report, however this goes unmentioned under its privacy policy

Tata Teleservices Limited[32]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Yes
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Yes
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	No
Whether the privacy policy provides the contact information of the grievance officer?	No
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Tata Teleservices Limited

Tata Teleservices Limited's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

The Tata Teleservices Limited privacy policy is accessible on their website, though when applying for a subscription, the terms and conditions do not include the privacy policy. The privacy policy is easy to understand although there are several elements of the 2011 Rules that are unaddressed.

The policy does not make any distinction regarding sensitive personal data or information. As per the policy, TTL collects contact and billing information, information about the equipment the subscriber is using, and information and website usage from its customers.

The purposes of information collection are broadly for managing customer services and providing customized advertising. Information is also collected for security issues, illegal acts and acts that are violative of TTL's policy. TTL's directory services use a customer's name, address and phone number, however a customer may ask for his/her information to not be published on payment of a fee.

As per the policy, the disclosure of information to third parties is limited to purposes such as identity verification, bill payments, prevention of identity theft and the performance of TTL's services. Third parties are meant to follow the guidelines of TTL's privacy policy in the protection of its user information. The consent of subscribers is only required when third parties may use personal information for marketing purposes. Consent is precluded under the previous conditions. Disclosure of information to governmental agencies and credit bureaus is for complying with legally authorised requests such as subpoenas, court orders and the enforcement of certain rights or claims. The policy provides for a grievance officer and in addition, TTL, has a separate Appellate Authority to deal with consumer complaints.

TTL does not follow any particular security standard for the protection of subscriber information, however, it establishes other measures such as limited access to employees, and encryption and other security controls. Although TTL Maharashtra follows the ISO 27001 ISMS Certification, TTL does not seem to follow a security standard for data protection for other regions of its operations.

Airtel[33]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	Yes
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Yes
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Yes
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	Yes
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	Yes
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the name and contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties?	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Airtel

Airtel's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

Airtel's privacy policy incorporates a number of the requirements stipulated in the Rules. Airtel's privacy policy is easily accessible on its website and is clear and easy to understand. The policy defines sensitive personal information, and states that information collected will be used for specified regulatory and business purposes, though it adds that it may be used for other purposes as well. The policy does allow for the withdrawal of consent for providing information, in which case, certain services may be withheld. In addition, Airtel has provided for a grievance officer and abides by the IS/ISO/IEC 27001 security standards. While Airtel allows for the disclosure of information including sensitive personal information to third parties, its policy states that such third parties will follow reasonable security practices in this regard. Concerning disclosure to the government, Airtel shares user information only when it is legally authorised by a government agency. Airtel's policy also provides for an opt-out provision. Such choice remains after subscription of Airtel's services as well. However, withdrawal of consent gives Airtel the right to withdraw its services as well. In terms of disclosure, sharing of user information with third parties is regulated by its Airtel's guidelines on the secrecy of information.

While Airtel lists the purposes for information collection, it states that such collection may not be limited to these purposes alone. In addition, the policy states that user's personal information will be deleted, although it does not state when this will happen. Thus, the policy could be more transparent and specific on matters of regarding the purpose of collection of information as well as deletion of information.

Aircel[34]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	no
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	Yes
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	Yes
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Partially
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Partially
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Partially
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Aircel

Aircel's Privacy Policy partially complies with the safeguards in the Rules under 43A.

Aircel's privacy policy is accessible online through its website, though it is not included under the terms and conditions of its customer application. The privacy policy lists the kinds of information that is collected from subscribers, including relevant contact details, call records, browsing history, cookies, web beacons, server log files and location details. The policy does not demarcate information into SPD/I or personal information. Aircel provides subscribers with the right to withdraw consent from the provision of information before and after subscribing, while reserving the right to withdraw its services in this regard. The policy provides the name and contact details of a grievance officer.

In the privacy policy, the stated purposes for use of subscriber information is limited to customer services, credit requirements, market analyses, legal and regulatory requirements, and directory services by Aircel or an authorised third party.

In the policy, the provision on disclosure to governmental agencies is vague and does not mention the circumstances under which personal information would be disclosed to law enforcement. The policy provides for correction of information of a subscriber in case of error and deletion after the purpose of the information is served but does not specify when. Although Aircel follows the ISO 27001 standard, it does not mention this under its policy. It does however, provide for accountability in cases of breach or privacy.

Atria Convergence Technologies[35]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	information not available
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	No
Whether the privacy policy provides the contact information of the grievance officer?	No
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Partially
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	No

Atria Convergence Technologies

Though Atria Convergence Technologies provides a privacy policy on its website, it does not broadly incorporate the safeguards in the Rules under 43A. ACT's privacy policy is easily accessible online and is easy to understand as well. The information collected from subscribers is limited to contact details along with information on whether a subscriber has transacted with any of ACT's business partners. Though the privacy policies refers to disclosing information for the purpose of assisting with investigating, preventing, or take action on illegal behaviour - there is no specific provision concerning disclosure to government and regulatory agencies. The policy does not provide information on any security practices and procedures followed. Provisions for withdrawal of consent or correction of personal information are absent from the policy as well.

BSNL: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	No
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	No
Whether the privacy policy explicitly states that it is collecting SPD/I?	No
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Partially
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	No

BSNL

BSNL's Privacy Policy broadly does not incorporate the safeguards in the Rules under 43A .

BSNL's privacy is accessible online, though not on the website, and is easy to understand. The policy does not however, categorize SPD/I but defines personal information vaguely as information that helps BSNL identify its customers. As per its policy, subscriber information is used for subscriber services such as identification, assistance etc., credit-worthiness and marketing communications. The policy does not contain any provision on consent and with respect to marketing communications and a customer implicitly agrees to third party usage of personal information. Third parties under the policy are those that provide services on behalf of BSNL, which extend mailing and billing services and market research services.

As per its policy, BSNL may disclose personal information on the basis of legal requirements to credit organisations, BSNL's consultants, government agencies.

With respect to access and correction, BSNL reserves the right to modify its privacy policy without notice to its customers. What is presumably a grievance officer email address has been provided for queries and corrections on personal information, however no further contact details are given.

MTNL

MTNL does not provide a publicly available Privacy Policy.

Observations

This section highlights key trends observed across the privacy policies studied in this research by contrasting the applicable Rule against the applicable provision in the policy.

1. Access and Location of Privacy Policy

Applicable Rule and Principle: According to Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, a Body Corporate must provide a privacy policy on their website. Under Rule 5, all bodies corporate have to convey the purpose(s) for which SPD/I are collected prior to the collection and they can, under certain circumstances, move forward with the collection regardless of consent. While this does not entirely violate the Notice Principle of the National Privacy Principles, it does not meet the rather higher standards of the Principle, which recommends that notice must be provided prior to any form of collection of personal information. In addition, the Rules do not contain provisions regulating bodies corporate, regarding changes to their privacy policies.^{^[36]}

Observation : In the survey, it was found that the location and accessibility of a service provider's privacy policy varied. For example:

a. Privacy Policy on main website: Airtel, Aircel, and Vodafone provide a privacy policy that is accessible through the main website of each respective company.

b. Privacy Policy not on website : MTNL does not provide a Privacy Policy on the main website of each of its respective branches across India.

c. Privacy Policy not accessible through main website : TTL and BSNL have a Privacy Policy, but it is not accessible through the main website. For example, The Privacy Policy found on TTL's website is only accessible through the "terms and services" link on the homepage. Similarly, the BSNL privacy policy can only be found through its portal website. ^{^[37]}

d. Privacy Policy not included in Customer Application form : Almost all of the Service Providers do not include/refer to their Privacy Policy in the Customer Application Form, and some do not display their privacy policy or a link to it on its website's homepage. For example, Airtel is the only Service Provider that refers to their privacy policy in the Customer Application Form for an Airtel service.

e. Collection of personal information before Privacy Policy: In some cases it appears that service providers collect private information before the privacy policy is made accessible to the user. For example, before the homepage of ACT's website is shown, a smaller window appears with a form asking for personal information such as name, mobile and email Id. Although the submission of this information is not mandatory, there is no link provided to the privacy policy at this level of collection of information.

2. Sharing of information with Government

Applicable Rule and Principle: Rule 6, specifically the proviso to Rule 6, and the Disclosure of Information Principle respectively govern the disclosure of information to third parties. Yet, while the proviso to Rule 6 directly concerns the power of the government to access information with or without consent for investigative purposes, the Disclosure of Information Principle only says that disclosure for law enforcement purposes should be in accordance with the laws currently in force.

Observation : Though all service providers did include statements addressing the potential of sharing information with law enforcement or governmental agencies, how this was communicated varied. For example:

a.) Listing circumstances for disclosure to law enforcement : The Privacy Policy of ACT states "We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person". ^{^[38]} The Privacy Policy of Airtel on the other hand states "Government Agencies: We may also share your personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences." ^{^[39]} Lastly, TTL states " To investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person" or "To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay". ^{^[40]}

b.) Listing authorities to whom information will be disclosed to : The privacy policy of Aircel states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to: …8. Persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services".^{^[41]} Similarly, Vodafone states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services and any person or organisation as authorised by laws and regulations applicable in India." ^{^[42]} While BSNL states "Apart from the above, BSNL may divulge your personal information to: Government bodies, Regulatory Authorities, and other organizations in accordance with the law or as authorised by law…".^{^[43]}

3. Readability of Privacy Policies

Applicable Rule and Principle : In subsection (i) of Rule 4 body corporate must provide a privacy policy that is "clear and accessible". Similarly, the Notice Principle requires that the data controller give a " simple-to-understand notice of its information practices to all individuals, in clear and concise language".

Observation : It was found that, particularly with respect to clauses on the collection and disclosure of information, most Privacy Policies use:

a. Vague terminology: For example, in the Privacy Policy of ACT, it states as a purpose of collection "conduct research" while for the collection and disclosure of information it states ,"The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you." ^{^[44]} Similarly, with regards to the collection of information, Vodafone's Privacy Policy states that it may collect "any other information collected in relation to your use of our products and services". ^{^[45]}

b. Undefined terminology: On disclosure of information TTL's privacy policy states disclosure is "Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI)" ^{^[46]} Confusingly, although TTL defines CPNI it does not mention what legal restriction it is referring to, and CPNI is in fact an American term and similar legal restrictions could not be found in India.

4. Information about security practices

Applicable Rule and Principle: The parameter for 'reasonable security practices and procedures' has been detailed comprehensively under Rule 8 of the Rules. The same is also covered in detail under the Openness Principle read with Security Principle. While the Security Principle recommends that the data controller protect the information they collect through reasonable security safeguards, the Openness Principle recommends that information regarding these should be made available to all individuals in clear and plain language.

Observation : With the exception of Airtel, no service provider has comprehensively followed the legal requirements for the purpose of their privacy policy. Thus, while most service providers do mention security practices, many do not provide specific or comprehensive details about their security practices and procedures for data protection, and instead assure users that 'reasonable security' procedures are in place. For example:

a. Comprehensive information about security practices in privacy policy: Airtel and Aircel have provided comprehensive information about their security practices in the companies Privacy Policy.

b. Information about security practice, but not in privacy policy: Vodafone has specified its security standards only in its latest 'Sustainability Report' available on its website. In the case of TTL, the specific security standard it follows is available only for its Maharashtra branch (TTLM) through its annual report.

c. Broad reference to security practices: Many service providers broadly reference security practices, but do not provide specifics. For example, TTL states only "we have implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL." ^{^[47]}

d. No information about security practices: Some service providers do not mention any details about their security practices and procedures, or whether they even follow any security practices and procedures or not. An example of this would be ACT, which does not mention any security practices or procedures in its Policy.

5. Grievance mechanisms

Applicable Rule and Principle: Rule 5 of the Rules mandates that applicable bodies corporate must designate a 'Grievance Officer' for redressing grievances of users regarding processing of their personal information, and the same is also recommended by the Ninth Principle, i.e., Accountability.

Observation : It was found that adherence with this requirement varied depending on service provider. For example:

a. No Grievance Officer: ACT and MTNL do not provide details of a grievance officer on their websites.

b. Grievance Officer, but no process details: Airtel, TTL, and Vodafone provide details of the Grievance Officer, but no further information about the grievance process is provided.

c. Grievance Officer and details of process: Aircel provides details of the grievance officer and grievance process.

As a note: All service providers with the exception of ACT have a general grievance redressal mechanism in place as documented on TRAI's website. ^{^[48]} It is unclear whether these mechanisms are functional, and furthermore it is also unclear if these mechanisms can be used for complaints under the IT Act or the Rules, or complaints on the basis of the Principles. It should be further noted that the multiplicity of grievance redressal officers is a cause for concern, as it may lead to confusion.

6. Consent Mechanism

Applicable Rule and Principle : Rules 5 and 6 of the Rules^{^[49]} on Collection and Disclosure of information, respectively, require applicable bodies corporate to obtain consent/permission before collecting and disclosing personal information. The Choice and Consent Principle of the National Privacy Principles, as enumerated in the A.P. Shah Report, deals exclusively with choice and consent. ^{^[50]} Withdrawal of consent is an important facet of the choice and consent principle as evidenced by the Rules^{^[51]} and the National Privacy Principles ^{^[52]}.

Observation: Methods of obtaining consent and for what consent was obtained for varied across service providers. For example:

a. Obtaining consent: Some service providers give data subjects with the choice of submitting their personal information (with some exceptions such as for legal requirements) and obtaining their consent for its collection and processing. For example, the policies of Airtel, Aircel, and TTL are the only ones which provide information on the mechanisms used to obtain consent. ACT provides for targeted advertisements based on the personal information of the user. The viewing or interaction of the user of such targeted advertisements is however, considered an affirmation to this third party source, that the user is the targeted criteria. Thus, there appears to be lack of consent in this regard.

b. No Consent or choice offered: Some service providers do not mention consent. For example, Vodafone, and BSNL do not make any mention of choice or consent in their respective privacy policies.

c. Consent for limited circumstances: Some service providers only provide consent in limited circumstances. For example, ACT mentions consent only in relation to targeted advertising. However, this information is potentially misleading, as discussed earlier in the survey.

There is also a certain degree of assumption in all the policies regarding consent, as noted in the survey. Thus, if you employ the services of the company in question, you are implicitly agreeing to their terms even if you have not actually been notified of them. And the vague terminology used by most of the policies leaves quite a lot of wiggle room for the companies in question, allowing them to thereby collect more information than the data subject has been notified of without obtaining his or her consent.

7. Transparency mechanism :

Applicable Rule and Principle: The Openness Principle specifically recommends transparency in all activities of the data controller. ^{^[53]} The Rules provide a limited transparency mechanism under Rule 8 which require bodies corporate to document their security practices and procedures and Rule 4 which requires them to provide such information via a privacy policy. As a note, these fall short of the level of 'transparency' espoused by the Openness Principle of the National Privacy Principles.

Observation: All service providers fail in implementing adequate mechanisms for transparency.

8. Scope :

Applicable Rule and Principle : Though the Openness Principle does not directly speak of the scope of the policies in question, it implies that policies regarding all data collection or processing should be made publically available. The same is also necessary under Rule 4, which mandates that any body corporate which " collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. "

Observation : Though most of the companies mention the scope of their Privacy Policy and include the information collected through the websites, WAP Services, and use of the company's products and services, some companies do not do so. For instance, the scope of the policy is given rather vaguely in the Airtel's Policy, and the scope of ACT's policy is restricted to the information collected during the usage of their products and services, and not their website. BSNL's privacy policy is worrisome as it seems to restrict its scope to the information collected through the website only, but does not at the same time state that it does not apply to other methods of data collection and processing.

International Best Practices

Canada

The privacy regulation regime in Canada is a mixture of the federal regulations and the provincial regulations. Of the former, the Privacy Act is applicable to the public sector, while the Personal Information Protection and Electronic Documents Act ('PIPEDA') applies to the private sector. There are also federal level sectoral regulations, of which the Telecommunications Act is relevant here. The PIPEDA covers the activities of all businesses and federally regulated industries regarding their collection, use, disclosure, safeguarding and provision of access to their customers' personal information. Further, in 2009, the Canadian Radio-television and Telecommunications Commission ('CRTC'), by virtue of the 'Telecom Regulatory Policy CRTC 2009-657' ^{^[54]} made ISPs subject to privacy standards higher than the standards given under the PIPEDA, while at the same time allowing them to use Internet Traffic Management Practices ('ITMPs'). ^{^[55]}

The 2009 policy is progressive as it balances the economic needs of Internet Traffic Management Providers vis-à-vis the privacy concerns of consumers. The need to identify ITMP's is integral in the protection of online privacy, as ITMP's most commonly employ methods such as deep packet inspection which can be used to burrow into personal information of consumers as well.

Recognising that this may not be the current practice, but a possibility in the future, the policy makes certain guidelines for ITMPs. It permits ITMP's that block bad traffic such as spam and malicious software. Nearly all other ITMPs however, require the prior notice of 30 days or more before initialising the ITMP.^{^[56]}

ITMP's are to be used only for the defined need of the ISP and not beyond this, and must not be used for behavioural advertising. Secondary ISPs in their contracts with Primary ISPs must agree to the same duties of the latter, that is the personal information entrusted to them is meant for its purpose alone and is not to be disclosed further.

Australia

The central privacy regulation in Australia is the Privacy Act, 1988. The Act defines two sets of privacy principles, the Information Privacy Principles which apply to the public sector, and the National Privacy Principles which apply to the private sector.^{^[57]} These principles govern the following: collection,^{^[58]} use and disclosure,^{^[59]} data quality,^{^[60]} security,^{^[61]} openness,^{^[62]} access and correction,^{^[63]} identifiers,^{^[64]} anonymity,^{^[65]} trans-border data flows,^{^[66]} and sensitive information. ^{^[67]}

The Telecommunications Act, 1997, is also relevant here, as it also governs the use or disclosure of information by telecommunication services providers, ^{^[68]} but such information is only protected by the Telecommunications Act if it comes to a person's knowledge or possession in certain circumstances. An example of this is Section 276 of the same, which providers that the information protected by that section will be protected only if the person collecting the information is a current or former carrier, carriages service provider or telecommunications contractor, in connection with the person's business as such a carrier, provider or contractor; or if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.

European Union

The most important source of law in the European Union ('EU') regarding Data Privacy in general is the Data Protection Directive ('Directive'). ^{^[69]} The Directive has a broad ambit, covering all forms of personal data collection and processing, and mandating that such collection or processing follow the Data Protection Principles it sets out.^{^[70]} The Directive differentiates between Personal Data and Sensitive Personal Data, ^{^[71]} with the collection and processing of the latter being subject to more stringent rules. The telecommunications service providers and internet service providers are included in the definition of 'Controller' as set out in the Directive, and are hence subject to the regulations enforced by the member states of the EU under the same. ^{^[72]} The Directive will soon be superseded by the General Data Protection directive, which is scheduled to come into force in late 2014, with a two-year transition period after that. ^{^[73]}

In addition to the above, ISPs are also subject to the Directive on Privacy and Electronic Communications^{^[74]} and the Data Retention Directive. ^{^[75]} The Directive on Privacy and Electronic Communications ('E-Privacy Directive') sets out rules regarding processing security, confidentiality of communications, data retention, unsolicited communications, cookies, and a system of penalties set up by the member states under the title of 'Control'. The E-Privacy Directive supplements the original Data Privacy Directive, and replaces a 1997 Telecommunications Privacy directive. The Data Retention Directive does not directly concern the collection and processing of data by a service provider, but only concerns itself with the retention of collected data. It was an amendment to the E-Privacy Directive, which required the member states to store the telecommunications data of their citizens for six to twenty-four months, and give police and security agencies access to details such as IP addresses and time of use of e-mails.

The established practices considered above have the following principles, relevant to the study at hand, in common:

1. Notice

2. Collection Limitation

3. Use Limitation

4. Access and Corrections

5. Security

6. Data Quality and Accuracy

7. Consent

8. Transparency

And the following principles are common between two of the three regimes discussed above:

1. The PIPEDA and the Privacy Act both mention rules regarding Disclosure of collecting information, but the Data Protection Directive does not directly govern disclosure of collected information.

2. The Principles of Accountability is covered by the Data Protection Directive and the PIPEDA, but is not directly dealt with by the Privacy Act

3. The PIPEDA and the Data Protection Directive directly mention the principle of Enforcement, but it is not directly covered by the Privacy Act.

Recommendations

Broadly, service providers across India could take cognizance of the following recommendations to ensure alignment with the Rules found under section 43A and to maximize the amount of protection afforded to customer data.

1. Access and location of privacy policy: Service providers should ensure that the privacy policy is easily accessible through the main page of the company's website. Furthermore, the Privacy Policy should be accessible to users prior to the collection of personal information. All 'User Agreement' forms should include a written Privacy Policy or a reference to the Privacy Policy on the service provider's website.

2. Scope of privacy policy: The privacy policy should address all practices and services offered by the service provider. If a service requires a different or additional privacy policy, a link to the same should be included in the privacy policy on the main website of the service provider.

3. Defining consent: The Privacy Policy should clearly define what constitutes 'consent'. If the form of consent changes for different types of service, this should be clearly indicated.

4. Clear language: The language in the Privacy Policy should be clear and specific, leaving no doubt or ambiguity with regards to the provisions.

5. Transparent security practices: The Privacy Policy should include comprehensive information about a company's security practices should be included in the Privacy Policy. Information pertaining to audits of these procedures should be made public.

6. Defined and specified third parties: The Privacy Policy should define 'third party' as it pertains to the company's practices and specify which third parties information will be shared with.

7. Comprehensive grievance mechanism: The Privacy Policy should include relevant details for users to easily use established grievance mechanisms. This includes contact details of the grievance officers, procedure of submitting a grievance, expected response of the grievance officer (recognition of the grievance, time period for resolution etc.), and method of appealing decision of the grievance officer.

8. Specify laws governing disclosure to governmental agencies and law enforcement: The Privacy Policy should specify under what laws and service providers are required disclose personal information to.

9. Inclusion of data retention practices: The Privacy Policy should include provisions defining the retention practices of the company.

Annexure 1

Explanation and Interpretation of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Section 43A under the Information Technology Act 2000 addresses the protection of sensitive personal data or information and the implementation of an information security management system, and the Rules framed under section 43A attempt establish a holistic data security regime for the private sector.

The following section is a description of the requirements found under section 43A and subsequent Rules with respect to information that must be included in the privacy policy of a 'body corporate' and procedures that must be followed by 'body corporate' with respect to the publishing and notice of a privacy policy. This section also includes an explanation of how each relevant provision has been interpreted for the purpose of this research.

Relevant provisions that pertain to the privacy policy of body corporate

Rule 3: This section defines the term 'Sensitive Personal Data or Information', setting out the six types of information that are considered 'sensitive personal data' including:

i. Password - Defined under the Rules as "a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information"^{^[76]}.

ii. Financial information - "such as Bank account or credit card or debit card or other payment instrument details" ^{^[77]}

iii. Physical, physiological and mental health condition

iv. Sexual orientation

v. Medical records and history

vi. Biometric information

The two other broad categories of Sensitive Personal Data or Information that are included in the Rule are - any related details provided to the body corporate, and any information received by the body corporate in relation to the categories listed above. ^{^[78]}

The proviso to this section excludes any information available in the public domain or which may be provided under the Right to Information Act, 2005 from the ambit of SPD/I.

Under the Rules, Sensitive Personal Data is considered to be a subset of Personal Information - which has been defined by Section 2 (1) (i) as " any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person "^{^[79]}

Interpretation: While the Rules are clearly limited to personal and sensitive personal data or information, the use of these terms throughout the Rules is not consistent. For example, some provisions under the Rules ambiguously use the term 'information' in place of the terms 'personal information' and/or 'sensitive personal information'.^{^[80]} While 'information' has been defined non-exhaustively as any 'data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated microfiche' in the Act, this definition appears to be overbroad and cannot be applied in that form for the purpose of provisions on privacy policy. ^{^[81]} Hence, 'information', when used in the Rules, is construed to mean 'personal information' including 'sensitive personal information' for the purpose of this survey.

As per Rule 3, information in the public domain isn't classified as sensitive personal data. This exception may require a relook considering that 'providers' of information' may not want their data to be disclosed beyond its initial disclosure, or in certain cases, they may not even know of its existence in the public domain. Since the notice of collection, purpose and use of information is limited to SPD alone under Rule 5, information in the public domain should be seen together with whether the provider of information has provided the latter directly or to service provider that requires the information. If the source is the information provider directly, it need not be classified as SPD.

On a positive note, the addition of the term "in combination with other information available or likely to be available", gives recognition to the phenomenon of convergence of data. Parts of information that seem of negligible importance, when combined, provide a fuller personal profile of an individual, the recognition of this, in effect, gives a far wider scope to personal information under the Rules.

In the specific context of Privacy Policies, the Rules do not stipulate whether the mandated privacy policy has to explicitly mention SPD/I that is collected or used.{This is mentioned under Rule 4(ii) and (iii)} Since Rules do require that a privacy policy must be clear, it is construed that the privacy policy should explicitly recognize the type of PI and SPD/I being collected by the company.

Rule 4: This rule mandates that a "body corporate that collects, receives possess, stores, deals or handles information of the provider of information". For the purposes of this research, this entity will be referred to as a 'data controller'. According to Rule 4, every data controller must provide a privacy policy on its website for handling of or dealing in personal information including sensitive personal information.

The following details have to be included in the privacy policy -

"(i) Clear and easily accessible statements of its practices and policies;

(ii) Type of personal or sensitive personal data or information collected under rule 3;

(iii) Purpose of collection and usage of such information;

(iv) Disclosure of information including sensitive personal data or information as provided in rule 6;

(v) Reasonable security practices and procedures as provided under rule 8."^{^[82]}

Interpretation : The Rules do not provide an adequate understanding of the terms 'clear' and 'accessible', and the terms 'practices' and 'policies' are not defined. For the purpose of this research, 'practices' will be construed to mean the privacy policy of the company. It is deemed to be clear and accessible if it is available either directly or through a link on the main website of the body corporate. To meet the standards set by this Rule, the policy or policies should disclose information about the company's services, products and websites, whenever personal information is collected.

Rule 5: This Rule establishes limits for collection of information. It states that prior informed consent has to be obtained by means of letter, fax or email from the user regarding the purpose of usage for the sensitive personal information sought to be collected. It limits the purpose for collection of SPD/I to collection for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and only if it is considered necessary for that purpose. Thus, the information collected can only be used for the stated purpose for which it has been collected. ^{^[83]}

Further, Rule 5 (3) provides that consent has to be obtained and knowledge provided to a person from whom personal information is being directly collected - which for service providers - is understood to be through the customer application form. This rule will be deemed to have been complied with when the following information is provided -

a. The fact that the information is being collected.

b. The purpose of such collection.

c. Intended recipients of the collected information.

d. Names and addresses of the agency or agencies collecting and retaining information.

Moreover, it provides that the user has to be given the option of not providing information prior to its collection. In case the user chooses this option or subsequently withdraws consent the body corporate has the option to withhold its services.

This section also provides under Section 5 (2) (a) that the type of information that this Rule concerns itself with can only be collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and if it is considered necessary for that purpose.

It also requires that a Grievance Officer be instated to redress the grievance " expeditiously but within one month from the date of receipt of grievance." The Grievance Redressal process has been discussed in more detail later.

Interpretation: Even though Rule 5 incorporates various major data protection principles and mandates the establishment of a Grievance Redressal Mechanism, neither Rule 5 nor Rule 4 (3) makes a reference to the other. [Rule 4(3) uses the term "such information", and the fact that it follows Rule 4(2) which clearly refers to personal information as well as SPD/I, means that Rule 4(3) also refers to the same]

Prima facie , the scope of Rule 5 is limited to collection of SPD/I. However, Rule 4 (3) ostensibly covers the broad ambit of 'information' which includes SPD/I. Construing these two provisions together using the 'Harmonious Construction' principle ^{^[84]}, Rule 5 could be interpreted to cover personal information for privacy policies under Rule 4.

In addition, Rule 5(3) doesn't expand on the reasonable steps to be taken for intimating the information provider on the extent of disclosure and purpose of collection. This appears as a rather large loophole considering the wide interpretation that can be given to 'reasonable' practices of service providers.

Rule 6: This rule lays down the conditions and procedure for disclosure of information.^{^[85]} Under it, the following conditions apply before any disclosure of information by the 'body corporate' to any third party -

a. The body corporate is required to obtain prior permission from the provider of the information, or

b. Permission to disclose has to be agreed on in the contract between the company and the data subject, or

c. Disclosure is necessary for the compliance of a legal obligation.

An exception is made in case the disclosure is made to an authorized and legally mandated Government agency upon request for the purposes of verification of identity, for prevention, detection, and investigation of incidents, specifically including cyber incidents, prosecution, and punishment of offences, in which case no consent from the data subject will be required. Thus, the company does not need user consent to disclose information to authorized law enforcement or intelligence agencies when presented with an authorized request.

Interpretation :

The guidelines for disclosure limit themselves to SPD under Rule 6 leaving a vacuum with respect to information that doesn't fall within the definition of SPD/I. However, Rule 4 (iv)'s applies to 'information including SPD'. Reading the two together, in accordance with the 'Harmonious Construction' principle, the scope of SPD/I in Rule 6 is construed to extend to the same personal information and SPD/I as is covered by Rule 4 (iv), for the limited purpose of the privacy policies under Rule 4.

Rule 7 : This Rule requires that when the data controller transfers SPD/I to another body corporate or person, such a third party must adhere to the same standards of data protection that the body corporate collecting the information in the first instance follows.

Interpretation : Although the privacy policy is not required to provide details of the transfer of information, the fourth sub-section of Rule 4, which concerns itself with the obligation of the body corporate to provide a policy for privacy including information about the disclosure of information to its consumers, incorporates this Rule as it deals with disclosure of information to third parties. Thus, the Policy of the body corporate must include details of the way the data is handled or dealt by the third party, which is shared by the body corporate in question.

Rule 8: This Rule details the criteria for reasonable security practices and procedures.^{^[86]} It provides that not only must the body corporate have implemented standard security practices and procedures, but it should also have documented the information security program and policies containing appropriate "managerial, technical, operational and physical security control measures". The Rule specifically uses the example of IS/ISO/IEC 27001 as an international standard that would fulfill the requirements under this provision. The security standards or codes of best practices adopted by the company are required to be certified/audited by a Government approved independent auditor annually and after modification or alteration of the existing practice and procedure. Sub-section (1) of the Rule also gives the body corporate the option of creating its own security procedures and practices for dealing with managerial, technical, operational, and physical security control, and have comprehensive documentation of their information security programme and information security policies. These norms should be as strict as the type of information collected and processed requires. In the event of a breach, the body corporate can be called to demonstrate that these norms were suitably implemented by it.

Interpretation : It is unclear whether the empanelled IT security auditing organizations recognized by CERT-In discussed later are qualified for the purpose of this Rule, but from publicly available information the Data Security Council of India and CERT-In's empanelled Security Auditors seem to be the agencies given this task^{^[87]}. With regards to the Privacy Policy or Policies of a company, it is only necessary that the company include as many details as possible regarding the steps taken to ensure the security and confidentiality of the collected information in the Privacy Policy and Policies, and notify them to the consumer.

Other Relevant Policies:

Empanelled Information Technology Security Auditors - CERT-In has created a panel of 'IT Security Auditors' for auditing networks & applications of various organizations of the Government, critical infrastructure organizations and private organizations including bodies corporate.^{^[88]} The empanelled IT security auditing organization is required to, inter alia, conduct a " Review of Auditee's existing IT Security Policy and controls for their adequacy as per the best practices vis-à-vis the IT Security frameworks outlined in standards such as COBIT, COSO, ITIL, BS7799 / ISO17799, ISO27001, ISO15150, etc." ^{^[89]} and conduct and document various assessments and tests. Some typical reviews and tests that include privacy reviews are - Information Security Testing, Internet Technology Security Testing and Wireless Security Testing.^{^[90]} For this purpose CERT-In maintains a list of IT Security Auditing Organizations^{^[91]}.

Criteria for analysis of company policies based on the 43A Rules

1. Clear and Accessible statements of its practices and policies^{^[92]} -

i. Whether the privacy policy is accessible through the main website of the body corporate?

ii. Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

iii. Whether the privacy policy can be comprehended by persons without legal knowledge?

2. Type and acknowledgment of personal or sensitive personal data/information collected ^{^[93]}-

i. Whether the privacy policy explicitly states that personal and sensitive personal information will be collected.

ii. Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

3. Option to not provide information and withdrawal of consent^{^[94]} -

i. Whether the Privacy Policy specifies that the user has the option to not provide information?

ii. Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

4. Existence of Grievance Officer -

i. Whether the privacy policy mentions the existence of a grievance officer?

ii. Whether the privacy policy provides details of the grievance redressal mechanism?

iii. Whether the privacy policy provides the names and contact information of the grievance officer?

5. Purpose of Collection and usage of information -

i. Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

6. Disclosure of Information -

i. Whether personal information is shared with third parties (except authorized government agencies/LEA/IA) only with user consent?

ii. Whether the policy specifies that personal information is disclosed to Government agencies/LEA/IA only when legally mandated as per the circumstances laid out in 43A?

7. Reasonable Security practices and procedures -

i. Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure information?

Annexure 2

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) 2011 and Company SURVEY

1. Bharti Airtel Ltd.

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: Airtel's Privacy Policy^{^[95]} is available through the main page of the website and it is mentioned in the Airtel Terms and Conditions and is applicable for Airtel's websites as well as its services and products, such as its telecommunications services. It was determined that the policy can be comprehended by individuals without legal knowledge.

2. Type and acknowledgement of personal or sensitive personal data/information collected: Yes

b. Rationale: Airtel's Privacy Policy indicates that sensitive personal and personal information will be collected, defines sensitive personal information^{^[96]}, and specifies specific types of personal^{^[97]} and sensitive personal information ^{^[98]} that will be collected.

3. Option to not provide data or information and subsequent withdrawal of consent: Yes

c. Rationale: The Airtel Privacy Policy states that individuals have the right to choose not to provide consent or information and have the right to withdraw consent. The policy notes that if consent/information is not provided, Airtel reserves the right to not provide or to withdraw the services.^{^[99]}

4. Existence of Grievance Officer: Yes

a. Rationale: Airtel provides for the contact details of nodal officers^{^[100]} and appellate authorities ^{^[101]} on its website. Additionally the website provides for the 'Office of the Ombudsperson'^{^[102]}, which is an independent forum for employees and external stakeholders^{^[103]} of the company to raise concerns and complaints about improper practices which are in breach of the Bharti Code of Conduct. Additionally, details of the Airtel Grievance Redressal Officers can also be found in the TRAI website.^{^[104]}

5. Comprehensive disclosure of purpose of collection and usage of information: Partial

Rationale: Airtel's Privacy Policy indicates eight purposes^{^[105]} that information will be collected and used for, but notes that the use and collection is not limited to the defined purposes.

6. Disclosure of Information^{^[106]}: Yes

a. Rationale: Airtel has a dedicated section explaining the company's practices around the disclosure and sharing of collected information, including ways in which consent will be collected for the sharing of personal information^{^[107]}, how collected personal information may be collected internally ^{^[108]}, the disclosure of information to third parties and that the third party will be held accountable for protecting the information through contract^{^[109]}, the possible transfer of personal information and its purposes^{^[110]}, and the circumstances under which information will be disclosed to governmental agencies (which reflect the circumstances defined by the Rules.) ^{^[111]}

7. Existence of reasonable security practices and procedures ^{^[112]} : Yes

a. Rationale: Airtel's privacy policy has a dedicated section that explains the company's security practices and procedures in place. The policy notes that Airtel's practices and procedures are IS/ISO/IEC 27001 compliant ^{^[113]}, that access is restricted to a need to know basis and that employees are bound by codes of confidentiality^{^[114]}, and that Airtel works to ensure that third parties also have strong security procedures in place.^{^[115]} The policy also provides details on the retention^{^[116]} and destruction ^{^[117]} procedures for personal information, and notes that reasonable steps are taken to protect against hacking and virus attacks.^{^[118]}

1. Tata Telecommunication Services (DoCoMo and Virgin Mobile)

1. Clear and Accessible statements of its practices and policies : Partial

a. Rationale: Though Tata DoCoMo has a comprehensive Data Privacy Policy ^{^[119]} that is applicable to Tata Teleservices Limited's ("TTL") products and services and the TTL website, it is not accessible to the user through the main website. In the Frequently Asked Questions Section of TTL, it is clarified under what circumstances information that you provide is not covered by the TTL privacy policy. ^{^[120]}

2. Type of personal or sensitive personal data/information collected: Partial

a. Rational: TTL defines personal information^{^[121]} but only provides general examples of types of personal information^{^[122]} (and not sensitive personal) collected, rather than a comprehensive list. The definitions and examples of information collected are clarified in the FAQs and the Privacy Policy, rather than in the Privacy Policy alone. As a strength, the Privacy Policy clarifies the ways in which TTL will collect information from the user - including the fact that they receive information from third parties like credit agencies. ^{^[123]}

3. Option to not provide information and withdrawal of consent: N/A

a. Rationale: The TTL Privacy Policy does not address the right of the individual to provide consent/information and to withdraw information/consent.

4. Existence of Grievance Officer: Yes

a. Rationale: TTL has various methods to lodge complaints and provides for an appellate authority. ^{^[124]} Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.^{^[125]}

5. Purpose of Collection and usage of information: Yes

a. Rationale: In its' Privacy Policy, TTL describes the way in which collected information is used. ^{^[126]} The TTL FAQs further clarify the use of cookies by the company, the use of provided information for advertising purposes, ^{^[127]} and the use of aggregate and anonymized data.^{^[128]}

6. Disclosure of Information: Yes

a. Rationale: In the Privacy Policy and the FAQs page, TTL is transparent about the circumstances on which they will share/disclose personal information with third parties^{^[129]}, with law enforcement/governmental agencies^{^[130]}, and with other TTL companies. ^{^[131]} Interestingly, the TTL FAQ's clarify to the customer that their personal information might be processed in different jurisdictions, and thus would be accessible by law enforcement in that jurisdiction. ^{^[132]}

7. Reasonable Security practices and procedures: Partial

a. Rationale: TTL's Privacy Policy broadly references that security practices are in place to protect user information, but the policy does not make reference to a specific security standard, or provide detail as to what these practices and procedures are. ^{^[133]} Although TTL's Privacy Policy does not make mention of any specific security standard, Tata Teleservices (Maharashtra) Limited claims to have been awarded with ISO 27001 ISMS (Information Security Management Systems) Certification in May 2011, and completed its first Surveillance Audit in June 2012^{^[134]}. Information on IT security standards adopted by other circles could not be found on the internet.

2. Vodafone

1. Clear and Accessible statements of its practices and policies: Yes

Rationale: Vodafone's Privacy Policy^{^[135]} is easily accessible from its website from a link at the bottom, directly from the home page and from all other pages of the website. ^{^[136]}

2. Collection of personal or sensitive personal data/information: No

Rationale: Type -

a. Personal Information - The amount of details given by the Privacy Policy with regards to the personal information being collected is insufficient, as it does not include a number of relevant facts, and uses is vague language - such as 'amongst other things', implying that information other than that which is notified is being collected.^{^[137]}

b. Sensitive Personal Data or Information - The Privacy Policy does not mention the categories or types of SPD/I, as defined under Rule 3, being collected by the service provider explicitly, only gives a general overview of the information that is collected.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The privacy policy does not mention the consent of data subject anywhere, nor does it mention his or her right to withdraw it at any point of time. It also does not mention whether or not the provision of services by Vodafone is contingent on the provision of such information.

4. Existence of Grievance Officer: Yes

a. Rationale: The Privacy Policy explicitly mentions and gives the email address of a grievance redressal officer, though further details about the other offices are given in a separate section of the website.^{^[138]}

5. Purpose of Collection and usage of information: Partial

a. Rationale:

The Privacy Policy gives an exhaustive list of purposes for which the collected information can be used by Vodafone, ^{^[139]} but at the same time the framing of the opening sentence and the usage of the term 'may include' could imply that it can be used for other purposes as well.

6. Disclosure of Information: Yes

a. Rationale:

The Privacy Policy mentions that Vodafone might share the collected information with certain third parties and the terms and conditions which would apply to such a third party.^{^[140]} The phrasing does not imply that there are other conditions that have not been mentioned in the policy, under which the information would be shared with a third party. At the same time, the Privacy Policy does not explicitly say that the third party will necessarily follow the privacy and data security procedures and rules laid down in the Privacy Policy.

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Privacy Policy mentions in reasonably clear detail the security practices and procedures followed by Vodafone, and also mentions the circumstances in which the data subject should take care to protect his or her own information, wherein Vodafone will not be liable. ^{^[141]} Although Vodafone India's Privacy Policy does not specify what their IT Security standard is, its 2012/2013 Sustainability Report available through its international website ^{^[142]} states that it follows industry practices in line with the ISO 27001 standard and its core data centre in India follows this standard^{^[143]}.

3. Aircel

1. Clear and Accessible statements of its practices and policies: Yes

Rationale:

The Privacy Policy is accessible from every page of the Aircel website, with a link at the bottom of each page after the specific circle has been chosen. It is reasonably free of legalese and is intelligible.^{^[144]}

2. Type of personal or sensitive personal data/information collected: Partial

Rationale: Type -

a. Personal Information

In the Privacy Policy, the repeated usage of the term 'may' creates some doubt about the actual extent of the data collected, and leaves the Privacy Policy quite unclear in this regard. At the same time, the Privacy Policy does include a fairly comprehensive list of personal information that could be collected. ^{^[145]} The wording in the Privacy Policy thus requires further clarification and specification in order to make a determination on whether or not it provides complete details on the personal information that will be collected.

a. Sensitive Personal Data or Information

The Privacy Policy does not mention SPDI explicitly, which adds to the lack of concrete details as noted earlier.

3. Option to not provide information and withdrawal of consent - Yes

Rationale : The Privacy Policy mentions that users do have the right to refuse to provide or the withdrawal of consent to collect personal information. In such cases, Aircel can respectively refuse or discontinue the provision of its services. ^{^[146]}

4. Existence of Grievance Officer: Yes

a. Rationale:

Though not directly mentioned in the Privacy Policy, a separate, easily noticeable link at the bottom of each webpage links to the Customer Grievance section. There are different officers in charge of each node, called the Nodal Officers. ^{^[147]}

5. Purpose of Collection and usage of information: Partial

a. Rationale: The usage of the term 'may' in the section of the Privacy Policy regarding the purpose of collection and usage of information again leaves it ambiguous in this regard, implying that it can just as easily be used for purposes that have not been notified to the data subject.^{^[148]}

6. Disclosure of Information: Yes

a. Rationale: Though the Privacy Policy does not specify all the circumstances under which Aircel would share the collected information with a third party, it specifies the terms and conditions that would apply in the cases that it does. ^{^[149]}

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Policy gives a reasonable amount of detail about the steps taken by Aircel to ensure the security of the information collected by it, but leaves certain holes uncovered.^{^[150]}

4. Atria Convergence Technologies Private Limited (ACT)

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: The Policy is intelligible, and is easily accessible from all the webpages of the company's website from a link at the bottom of all pages.^{^[151]}

2. Type of personal or sensitive personal data/information collected: Partial

a. Rationale:

Type -

a. Personal Information - Yes -

The Policy mentions the different types of Personal Information which will be collected by ACT if the customer registers with the Company. ^{^[152]}

a. Sensitive Personal Data or Information -

The categories of SPD/I collected by ACT are not specifically mentioned in the policy, though they are mentioned as part of the general declarations.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The option of the data subject not providing or withdrawing consent has not been mentioned in the Policy.

4. Existence of Grievance Officer: No

a. Rationale: No Grievance Officer has been mentioned in the Privacy Policy or on the ACT website, nor has any other grievance redressal process been specified.^{^[153]}

5. Purpose of Collection and usage of information: Yes

a. Rationale: The Policy mentions the various ways ACT might use the information it collects, though the use of the term 'general' is a cause for concern.^{^[154]} The list of purposes for collection given in the Privacy Policy is a very general list.

6. Disclosure of Information: Yes

a. Rationale: The Policy mentions the circumstances in which ACT might share the collected information with a third party, and also mentions that such parties will either be subject to confidentiality agreements, or that the data subject will be notified before his or her information becomes subject to a different privacy policy. It also mentions the exception to above, that being when the information is shared for investigative purposes.^{^[155]} At the same time, the intended recipients of the information are not mentioned, and the name and address of agency/agencies collecting and retaining information is not mentioned.

7. Reasonable Security practices and procedures: No

a. Rationale: - The security practices and procedures followed by ACT to protect the information of its customers are not mentioned in the Policy, which is a critical weak point, keeping in mind the requirements of the Rules. ^{^[156]}

[1] . Telecom Regulatory Authority of India, Press Release 143/2012,(< http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf >)

[2] . The Indian Telecom Service Performance Indicators, January-March 2013, Telecom Regulatory Authority of India,. (< http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf >)

[3] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece >

[4] . In addition, the Unified Access License Framework which allows for a single license for multiple services such as telecom, the internet and television, provides certain security guidelines. As per the model UIL Agreements, privacy of communications is to be maintained and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. For internet services, the Agreement stipulates the keeping an Internet Protocol Detail Record (IPDR) and copies of packets from customer premises equipment (CPE). Accessed at < http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf>

[5] . See >> http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf >>

[6] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece > Accessed..

[7] . Starting with Kharak Singh v. State of UP 1963 AIR SC 1295, the right to privacy has been further confirmed and commented on in other cases, like Govind v.State of M.P (1975) 2 SCC 148: 1975 SCC (Cri) 468. A full history of the development of the Right to Privacy can be found in B.D. Agarwala, Right to Privacy: A Case-By-Case Development, (1996) 3 SCC (Jour) 9, available at http://www.ebc-india.com/lawyer/articles/96v3a2.htm.

[8] . White Paper on EU Adequacy Assessment of India, 3, ("Based on an overall

analysis against the identifiable principles under Article 25, the 2010 Report concludes that India does not at present provide adequate protection to personal data in relation to any sector or to the whole of its private sector or to the whole of its public sector. ") available at < https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf >

[9] . Planning Commission, Report of the Group of Experts on Privacy, 2012, (< http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>)

[10] . Though a company's Privacy Policy was the main document analysed for this research, when applicable a company's Terms of Service wavas also reviewed.

[11] . BSNL and MTNL are government companies as defined under section 617, Indian Companies Act, 1956, incorporated under the Indian Companies Act, 1956. Under section 43 A (i) of the Act, a 'body corporate' has been broadly defined as "any company…sole proprietorship or other association of individuals engaged in commercial or professional activities". Therefore, for the purpose of this survey, BSNL and MTNL are recognized as bodies corporate.

[12] . Documents Reviewed: http://portal.bsnl.in/portal/privacypolicy.html

[13] . A full list of its services are available here: < http://bsnl.co.in/opencms/bsnl/BSNL/services/>

[14] . The MTNL website does not provide access to a privacy policy

[15] . A full list of its services are available here <<http://mtnldelhi.in>>

[16] . Documents Reviewed: http://www.airtel.in/forme/privacy-policy , http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp, http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp , http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office

[17] . A full list of services provided by Bharti Airtel is available here: <www.airtel.in>

[18] . http://submarinenetworks.com/stations/asia/india/chennai-bharti

[19] . Documents Reviewed: http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker , http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html

[20] . See < http://historyofbusiness.blogspot.in/2013/11/history-of-vodafone.html. >

[21] . Vodafone International Holdings v Union of India, WP 1325/2010, Bombay High Court

[22] . 'Vodafone to Buy Additional Essar India Stake for $5 Billion',(Bloomberg, March 31, 2011) < http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html >Accessed 26 May 2014

[23] . See <https://www.vodafone.in/pages/aboutus.aspx?cid=ker.>

[24] . Vodafone, supra note 13.

[25] . Documents Reviewed:http://www.tatadocomo.com/downloads/data-privacy-policy.pdf, http://www.tatateleservices.com/t-customercare.aspx, http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf

[26] . 'Japan's Docomo acquires 26% stake in Tata Tele'(The Hindu Business Line, November 13 2008) < http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm .>

[27] . Further details are available at: < http://www.tatateleservices.com/t-aboutus-ttsl-organization.aspx>

[28] . Documents Reviewed

http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 , http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_consumergrievance_page , http://www.aircel.com/AircelWar/ShowProperty/UCMRepository/Contribution%20Folders/Global/PDF/Manual_Customer_Grievan.pdf

[29] . See < http://www.aircel.com/AircelWar/appmanager/aircel/ap?_nfpb=true&_pageLabel=aboutus_book. >

[30] . Documents Reviewed: http://www.acttv.in/index.php/privacy-policy

[31] . https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker

[32] . http://www.tatadocomo.com/downloads/data-privacy-policy.pdf

[33] . http://www.airtel.in/forme/privacy-policy

[34] .http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061

[35] . http://www.acttv.in/index.php/privacy-policy

[36] . In 2012, the Minister of State for Communications & Information Technology informed the Rajya Sabha that " (a)ny change in the privacy policy is not within the purview of amended Information Technology Act, 2000",, while discussing changes to Google's privacy policy. Even though the Minister noted that the EU has reported its dissatisfaction with the changed policy, finding that the policy " makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service ", he argued that the Act and Rules therein merely stipulate the publication of a privacy policy which provide " information to the end users as to how their personal information is collected, for which it is collected, processed and secure". Further, when asked how changes to privacy policy affect end users the Minister shifted the responsibility on end users, stating that " (t)he end users… need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services ".( < http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22 >).

[37] . Available at http://portal.bsnl.in/portal/privacypolicy.htm, the privacy policy was found through a search engine and not through a link from the website. An RTI request was submitted to BSNL for a copy of its privacy policy as applicable to all its products, services and websites. BSNL responded by submitting a copy of this privacy policy even though the text of the policy does not clarify the scope.

[38] . See, <http://www.acttv.in/index.php/privacy-policy>

[39] . See <http://www.airtel.in/forme/privacy-policy>

[40] . See <www.tataindicom.com/Download/data-privacy-policy.pdf>

[41] . See <<www.aircel.com/AircelWar/appmanager/aircel/delhi?_nfpb=true&_pageLabel=P26400194591312373872061>>

[42] . See <https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar>

[43] . See<< http://portal.bsnl.in/portal/privacypolicy.htm>>

[44] . See <http://www.acttv.in/index.php/privacy-policy>

[45] . See <https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar>

[46] . See <http://www.tataindicom.com/Download/data-privacy-policy.pdf>

[47] . Ibid

[48] . The complaint center details are available here: < http://www.tccms.gov.in/Queries.aspx?cid=1>

[49] . Rules 5 and 6

[50] . Principle 2, Principle 3, Personal Information Protection and Electronic Documents Act 2000. Available at: << http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html>>

[51] . Rule 5(7),

[52] . Principle 2

[53] . P. 21

[54] . Telecom Regulatory Policy CRTC 2009-657, Review of the Internet traffic management practices of Internet service providers << www.crtc.gc.ca/eng/archive/2009/2009-657.htm>>

[55] . Alex Cameron,CRTC Imposes Super-PIPEDA Privacy Protections for Personal Information Collected by ISPs, Privacy and Information Protection Bulletin, Fasken Martineau, << http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf . >> Accessed 21 May 2014

[56] . Bram D. Abramson, Grant Buchanan, Hank Intven, CRTC Shapes Canadian "Net Neutrality" Rules, McCarthy Tetrault. < http://www.mccarthy.ca/article_detail.aspx?id=4720 > Accessed 21 May 2014

[57] . The Privacy Act, 1988, Part III, available at << http://www.comlaw.gov.au/Series/C2004A03712.>>

[58] . Id, note 28, Schedule 3, 1.

[59] . Id, schedule 3, 2.

[60] . Id, schedule 3, 3.

[61] . Id, schedule 3, 4.

[62] . Id, schedule 3, 5.

[63] . Id, schedule 3, 6.

[64] . Id, schedule 3, 7.

[65] . Id, schedule 3, 8.

[66] . Id, schedule 3, 9.

[67] . Id, schedule 3, 10.

[68] . Telecommunications Act, Part 13 (Information or a document protected under Part 13 could relate to many forms of communications, including fixed and mobile telephone services, internet browsing, email and voice over internet telephone services. For telephone-based communications, this would include subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet-based applications, the information protected under Part 13 would include the Internet Protocol (IP) address used for the session, and the start and finish time of each session.)

[69] . Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

[70] . Id, article 3.

[71] . Id, article 8.

[72] . Id, article 2, (d). (" (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; ")

[73] . European Commission-IP-12/46, 25 January 2012, < http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.>

[74] . Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[75] . Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

[76] . Rule 2 (h)

[77] . Rule 3 (ii)

[78] . Rule 3 (vii) and (viii)

[79] . Rule 2 (i)

[80] . Rule 4(iii), (iv)

[81] . Section 2(v) of the Act defines 'information'

[82] . Rule 4 (1).

[83] . Rule 5 (5)

[84] . Defined by Venkatarama Aiyar, J as: "The rule of construction is well settled that when there are in an enactment two provisions which cannot be reconciled with each other, they should be so interpreted that, if possible, effect could be given to both" in Venkataramana Devaru v. State of Mysore, AIR 1958 SC 255, p. 268: G. P. Singh, Principles of Statutory Interpretation, 1th ed. 2010, Lexisnexis Butterworths Wadhwa Nagpur. The principle was applied to interpret statutory Rules in A. N. Sehgal v. Raje Ram Sheoram, AIR 1991 SC 1406.

[85] . Rule 6

[86] . Rule 8

[87] . 52^nd Report, Standing Committee on Information Technology, 24, available at < http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf. >

[88] . Panel Of Information Security Auditing Organisations, CERT-IN < http://www.cert-in.org.in/PDF/background.pdf>

[89] . Section 1, Guidelines for applying to CERT-In for Empanelment of IT Security Audition Organisation, < http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf>

[90] . Section 2.0, Guidelines for auditee organizations, Version 2.0, IT Security

Auditing Assignment, http://www.cert-in.org.in/PDF/guideline_auditee.pdf

[91] . See <http://www.cert-in.org.in/PDF/Empanel_org.pdf>

[92] . Rule 4

[93] . Rule 4

[94] . Rule 5 (7)

[95] . See << http://www.airtel.in/forme/privacy-policy>>

[96] . 'Information that can be used by itself to uniquely identify, contact or locate a person, or can be used with information available from other sources to uniquely identify an individual. For the purpose of this policy, sensitive personal data or information has been considered as a part of personal information.' Accessed at << http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >>

[97] . Subscriber's name, father's name, mother's name, spouse's name, date of birth, current and previous addresses, telephone number, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Information related to your utilization of our services which may include your call details, your browsing history on our website, location details and additional information provided by you while using our services. We may keep a log of the activities performed by you on our network and websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

[98] . Password, Financial information -details of Bank account, credit card, debit card, or other payment instrument detail s, Physical, physiological and mental health condition.

[99] . Airtel states that if a customer does not provide information or consent for usage of personal information or subsequently withdraws consent, Airtel reserves the right to not provide the services or to withdraw the services for which the said information was sought, Avaliable at: < http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >

[100] . See <www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp>

[101] . See << http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp >

[102] . See << http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office>>

[103] . Stakeholders are defined as: employee, associate, strategic partner, vendor

[104] . See << http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072331247805566Bharti_Airtel_CC_AA-23072013.pdf >>

[105] . Verification of customer's identity; Complete transactions effectively and bill for products and service; Respond to customer requests for service or assistance; Perform market analysis, market research, business and operational analysis; Provide, maintain and improve Airtel products and services; Anticipate and resolve issues and concerns with Airtel products and services; Promote and market Airtel products and services which it may consider of interest and benefit to customers; and, Ensure adherence to legal and regulatory requirements for prevention and detection of frauds and crimes.

[106] . See << http://www.airtel.in/forme/privacy-policy/disclosure+and+transfer?contentIDR=745792ad-d6af-4684-85d4-d85773e77356&useDefaultText=0&useDefaultDesc=0 >>

[107] . "Airtel may obtain a customer's consent for sharing personal information in several ways, such as in writing, online, through "click-through" agreements; orally, including through interactive voice response; or when a customer's consent is part of the terms and conditions pursuant to which Airtel provides a service."

[108] . Airtel and its employees may utilize some or all available personal information for internal assessments, measures, operations and related activities…"

[109] . Airtel may at its discretion employ, contract or include third parties external to itself for strategic, tactical and operational purposes. Such agencies though external to Airtel, will always be entities which are covered by contractual agreements. These agreements in turn include Airtel's guidelines to the management, treatment and secrecy of personal information

[110] . Airtel may transfer subscriber's personal information or other information collected, stored, processed by it to any other entity or organization located in India or outside India only in case it is necessary for providing services to a subscriber or if the subscriber has consented (at the time of collection of information) to the same. This may also include sharing of aggregated information with them in order for them to understand Airtel's environment and consequently, provide the subscriber with better services. While sharing personal information with third parties, adequate measures shall be taken to ensure that reasonable security practices are followed at the third party."

[111] . Airtel may share subscribers' personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences.

[112] . See<< http://www.airtel.in/forme/privacy-policy/security+practices+and+procedures?contentIDR=9346516c-c1a1-4bd7-bce0-6945236dceaa&useDefaultText=0&useDefaultDesc=0 >>

[113] . Airtel adopts reasonable security practices and procedures, in line with international standard IS/ISO/IEC 27001, to include, technical, operational, managerial and physical security controls in order to protect a customer's personal information from unauthorized access, or disclosure while it is under our control.

[114] . Airtel's security practices and procedures limit access to personal information on need-only basis. Further, its employees are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal information.

[115] . Airtel takes adequate steps to ensure that its third parties adopt reasonable level of security practices and procedures to ensure security of personal information.

[116] . Airtel may retain a subscriber's personal information for as long as required to provide him/her with services or if otherwise required under any law.

[117] . When Airtel disposes of its customers' personal information, it uses reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media)."

[118] . Airtel maintains the security of its internet connections, however for reasons outside of its control, security risks may still arise. Any personal information transmitted to Airtel or from its online products or services will therefore be at a customer's own risk. It observes reasonable security measures to protect a customer's personal information against hacking and virus dissemination.

[119] . See <<http://www.tatadocomo.com/downloads/data-privacy-policy.pdf

[120] . Information that customers provide to non-TTL companies is not covered by TTL's Policy. For example: When customers download applications or make an online purchase from a non-TTL company while using TTL's Internet or wireless services, the information collected by the non-TTL company is not subject to this Policy. When you navigate to a non-TTL company from TTL websites or applications (by clicking on a link or an advertisement, for example), information collected by the non-TTL company is governed by its privacy policy and not TTL's Privacy Policy. If one uses public forums - such as social networking services, Internet bulletin boards, chat rooms, or blogs on TTL or non-TTL websites, any Personal Information disclosed publicly can be read, collected, or used by others. Once one chooses to reveal Personal Information on such a site, the information is publicly available, and TTL cannot prevent distribution and use of that information by other parties. Information on a wireless Customer 's location, usage and numbers dialed, which is roaming on the network of a non-TTL company will be subject to the privacy policy of the non-TTL company, and not TTL's Policy.

[121] . "Personal Information" is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

[122] . Personal Information - Some general examples -TTL may collect Confidential Data in different forms such as Personal and other Information based on a customer's use of its products and services. Some examples include, Contact Information that allows us to communicate with you -- including your name, address, telephone number, and e-mail address; Billing information-- including payment data, credit history, credit card number, security codes, and service history.Equipment, Performance, TTL Website Usage, Viewing and other Technical Information about use of TTL's network, services, products or websites.

Technical & Usage Information is clarified in the FAQ's as information related to the services provided, use of TTL's network, services, products or websites. Examples of the Technical & Usage Information collected include: Equipment Information that identifies the equipment used on TTL's network, such as equipment type, IDs, serial numbers, settings, configuration, and software. Performance Information about the operation of the equipment, services and applications used on TTL's network, such as IP addresses, URLs, data transmission rates and latencies, location information, security characteristics, and information about the amount of bandwidth and other network resources used in connection with uploading, downloading or streaming data to and from the Internet. TTL Website Usage Information about the use of TTL websites, including the pages visited, the length of time spent, the links or advertisements followed and the search terms entered on TTL sites, and the websites visited immediately before and immediately after visiting one of TTL's sites.TTL also may collect similar information about a customer's use of its applications on wireless devices. Viewing Information about the programs watched and recorded and similar choices under Value added TTL services and products.

[123] . Ways in which TTL collects information: On the purchase or interaction about a TTL product or service provided; Automatically collected when one visits TTL's websites or use its products and services; Other sources, such as credit agencies.

[124] . See <http://www.tatateleservices.com/t-customercare.aspx>

[125] .See< http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341218463621Tata_CC_AA_1-23072013.pdf >

[126] . To provide the best customer experience possible; Provide the services a customer purchases, respond to customer questions; Communicate with customers regarding service updates, offers, and promotions; Deliver customized content and advertising that may be of interest to customers; Address network integrity and security issues; Investigate, prevent or take action regarding illegal activities, violations of TTL's Terms of Service or Acceptable Use Policies

[127] . Site functionality -Cookies and other tracking tools are used to help TTL analyze, manage and improve websites and storing customer preferences. Advertising TTL and its advertising partners, including Yahoo! and other advertising networks, use anonymous information gathered through cookies and other similar technologies, as well as other information TTL or its advertising networks may have, to help tailor the ads a customer sees on its sites.

[128] . TTL collects some Information on an anonymous basis. TTL also may anonymize the Personal Information it collects about customers. It may obtain aggregate data by combining anonymous data that meet certain criteria into groups.

[129] . In Other Circumstances: TTL may provide Personal Information to non-TTL companies or other third parties for purposes such as: To assist with identity verification, and to prevent fraud and identity theft; Enforcing its agreements and property rights; Obtaining payment for products and services that appear on customers' TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; and to comply to legal and regulatory requirements. TTL shares customer Personal Information only with non-TTL companies that perform services on its behalf, and only as necessary for them to perform those services. TTL requires those non-TTL companies to protect any Personal Information they may receive in a manner consistent with this policy. TTL does not provide Personal Information to non-TTL companies for the marketing of their own products and services without a customer's consent. TTL may share aggregate or anonymous Information in various formats with trusted non-TTL entities, and may work with those entities to do research and provide products and services.

[130] . TTL provides Personal Information to non-TTL companies or other third parties (for example, to government agencies, credit bureaus and collection agencies) without consent for certain purposes, such as: To comply with court orders, subpoenas, lawful discovery requests and other legal or regulatory requirements, and to enforce our legal rights or defend against legal claims, To obtain payment for products and services that appear on customer TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; To enforce its agreements, and protect our rights or property; To assist with identity verification, and to prevent fraud and identity theft; To prevent unlawful use of TTL's services and to assist in repairing network outages; To provide information regarding the caller's location to a public safety entity when a call is made to police/investigation agencies, and to notify the public of wide-spread emergencies; To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay; To display name and telephone number on a Caller ID device;

[131] . Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI), the TTL companies may share your Personal Information with each other to make sure your experience is as seamless as possible, and you have the benefit of what TTL has to offer.

[132] . Customers and Users should be aware that TTL affiliates and non-TTL companies that perform services on behalf of TTL may be located outside the country where customers access TTL's services. As a result, when customer Personal Information is shared with or processed by such entities, it may be accessible to government authorities according to the laws of those jurisdictions.

[133] . TTL has implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL. It has established electronic and administrative safeguards designed to secure the information it collects, to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately. Some examples of those safeguards include: All TTL employees are subject to the internal Code of Business Conduct. The TTL Code requires all employees to follow the laws, rules, regulations, court and/or commission orders that apply to TTL's business such as legal requirements and company policies on the privacy of communications and the security and privacy of Customer records. Employees who fail to meet the standards embodied in the Code of Business Conduct are subject to disciplinary action, up to and including dismissal. TTL has implemented technology and security features and strict policy guidelines to safeguard the privacy of customer Personal Information. TTL has implemented encryption or other appropriate security controls to protect Personal Information when stored or transmitted by it; TTL limits access to Personal Information to those employees, contractors, and agents who need access to such information to operate, develop, or improve its services and products; TTL requires caller/online authentication before providing Account Information so that only the customer or someone who knows the customer's account Information will be able to access or change the information.

[134] . See << http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf >>

[135] . See << https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker >>

[136] . "We have created this Privacy Policy to help you understand how we collect, use and protect your information when you visit our web and WAP sites and use our products and services."

[137] . Vodafone may hold information relating to customers that have been provided (such as on an application or registration form) or that it may has obtained from another source (such as its suppliers or from marketing organisations and credit agencies).

This information may include, amongst other things, a customer's name, address, telephone numbers, information on how a customer uses Vodafone's products and services (such as the type, date, time, location and duration of calls or messages, the numbers called and how much a customer spends, and information on his/her browsing activity when visiting one of Vodafone's group companies' websites), the location of a customer's mobile phone from time to time, lifestyle information and any other information collected in relation to his/her use of Vodafone's products and services ("information").

It may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts with its website, and web-related products and services.

It may use a persistent cookie to record details such as a unique user identity and general registration details on your PC. Vodafone states that most browser technology (such as Internet Explorer, Netscape etc) allows one to choose whether to accept cookies or not - a customer can either refuse all cookies or set their browser to alert them each time that a website tries to set a cookie.

[138] . In case of any concerns the privacy officer can be contacted at privacyofficer@vodafone.com. Additionally details of the Grievance Redressal Officers is provided via the TRAI website. (TRAI website: http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf _

[139] . The information that Vodafone collects from customers is held in accordance with applicable laws and regulations in India. It may be used by us for a number of purposes connected with its business operations and functions, which include:

2.1 Processing customer orders or applications;

2.2 Carrying out credit checking and scoring (unless Vodafone have agreed otherwise);

2.3 Providing the customer with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering his/her account;

2.4 Billing

2.5 Settling accounts with those who provide related services to Vodafone;

2.6 Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes;

2.7 Carrying out market and product analysis and marketing Vodafone and its group companies' products and services generally;

2.8 Contacting a customer (including by post, email, fax, short text message (SMS), pager or telephone) about Vodafone and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to customers (unless a customer asks us in writing not to). Electronic marketing messages may not include a marketing facility.

2.9 Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that a customer may have in respect of our and our group companies' schemes.

2.10 inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party (subject to any objection or preference a customer may have indicated to us in writing);

2.11 carrying out any activity in connection with a legal, governmental or regulatory requirement on Vodafone or in connection with legal proceedings, crime or fraud prevention, detection or prosecution;

2.12 carrying out activities connected with the running of Vodafone's business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Vodafone's business with respect to a customer or a potential customer.

[140] . In the need for disclosure to third parties, the personal information will only be disclosed to the third parties below:

3.1 Vodafone's group companies who may in India use and disclose your information for the same purposes as us;

3.2 those who provide to Vodafone or its group companies products or services that support the services that we provide, such as our dealers and suppliers;

3.3 credit reference agencies (unless Vodafone has agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Vodafone makes against a customer's name;

3.4 if someone else pays a customer's bill, such as a customer's employer, that person;

3.5 those providing telephone and similar directories or directory enquiry services

3.6 anyone Vodafone transfers business to in respect of which a person is a customer or a potential customer;

3.7 anyone who assists Vodafone in protecting the operation of the Vodafone India networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;

3.8 persons to whom Vodafone may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services;

3.9 any person or organisation as authorised by laws and regulations applicable in India.

If a customer has opted in to receiving marketing material from Vodafone, it may also provide customer's personal information to carefully selected third parties who we reasonably believe provide products or services that may be of interest to customers and who have contracted with Vodafone India to keep the information confidential, or who are subject to obligations to protect your personal information.

To opt-out of receiving Vodafone marketing materials,customers can send a 'Do Not Disturb' message to Vodafone. If a customer wishes to use Vodafone products or services abroad, his/her information may be transferred outside India to that country. Vodafone's websites and those of its group companies may also be based on servers located outside of India.

[141] . Vodafone takes reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorized access, modification or disclosure.

Vodafone makes every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to it or from its online products or services will be at a customer's own risk, however, it will use its best efforts to ensure that any such information remains secure. Vodafone cannot protect any information that a customer makes available to the general public - for example, on message boards or in chat rooms.

Vodafone may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts.

[142] . See <http://www.vodafone.com>

[143] . See < http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html >

[144] . http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 (Scope - This Privacy Policy has been created to help customer's understand how Aircel collects, uses and protects customer information when one visits its web and WAP sites and use its products and services.)

[145] . This information may include, amongst other things, customer's name, father's name, mother's name, spouse's name, date of birth, address, telephone numbers, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Aircel may also hold information related to utilization of its services. This may include customer call records, browsing history while surfing Aircel's website, location details and additional information provided by customer while using our services.

Aircel may keep a log of the activities performed by a customer on its websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with Aircel's website, and web-related products and services

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on customer's Personal Computers.

[146] . In case a customer does not provide information or consent for usage of personal information or later on withdraw consent for usage of the personal information so collected, Aircel reserves the right to discontinue the services for which the said information was sought.

[147] . In case of any feedback or concern regarding protection of personal information, customers can contact Aircel's Circle Care ID. Alternatively, one may also direct your privacy-related feedback or concerns to the Circle Nodal Officer. (e.g. - Delhi Circle Nodal details are as mentioned below):

1. Name: Moushumi De

Contact Number: 9716199209

E-mail: nodalofficer.delhi@aircel.co.in

Further it provides for a general customer grievance redressal mechanism

Additionally details of the Grievance Redressal Officers is provided via the TRAI website.

To resolve all concerns, Aircel has established a 2-tier complaint handling mechanism. Level I: Our Customer Touch Points As an Aircel customer you have the convenience to contact at Customer Interface Points via email, post or telephone. Level II - Appellate AuthorityDespite the best efforts put by Aircel's executive, if a customer is still not satisfied with the resolution provided then he/she may submit his/her concern to the Appellate Authority of the circle. Comments - However this information contradicts the mechanism provided under Aircel's Manual of Practice for handling Consumer Complaints which provides for a 3-tier complaint handling mechanism.

[According to the DoT - The earlier three-tier complaint redressal mechanism - Call center, Nodal Center and Appellate Authority, has been replaced by a two-tier one by doing away with the level of Nodal Officer. This is because the Complaint Centres are essentially registration and response centres and do not deal with the resolution of complaints. They only facilitate registration of consumer complaint and the level at which a problem is resolved within a company depends upon the complexity of the issue involved.]

[148] . It may be used by us for a number of purposes connected with our business operations and functions, which include:

1. Processing customer orders or applications.

2. Carrying out credit checking and scoring (unless agreed otherwise).

3. Providing customers with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering a customer's account.

4. Billing (unless there exists another agreed method).

5. Settling accounts with those who provide related services to Aircel.

6. Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes.

7. Carrying out market and product analysis and marketing our and our group companies' products and services generally.

8. Contacting customers (including by post, email, fax, short text message (SMS), pager or telephone) about Aircel and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to a customer (unless a customer says 'no' in writing). Electronic messages need not have an unsubscribe facility.

9. Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that customers may have in respect of Aircel and its group companies' loyalty or reward programmes and other similar schemes.

10. Inclusion in any telephone or similar directory or directory enquiry service provided or operated by Aircel or by a third party (subject to any objection or preference a customer may have indicated in writing).

11. Carrying out any activity in connection with a legal, governmental or regulatory requirement on Aircel or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.

12. Carrying out activities connected with the running of business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Aircel's business with respect to a customer or potential customer. Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with our website, and web-related products and services, to:

● Understand what a customer likes and uses about Aircel's website.

● Provide a more enjoyable, customised service and experience

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on your Personal Computer.

[149] . Where Aircel needs to disclose your information to third parties, such third parties will be:

1. Group companies who may use and disclose your information for the same purposes as us.

2. Those who provide to Aircel or its group companies products or services that support the services that we provide, such as our dealers and suppliers.

3. Credit reference agencies (unless we have agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Aircel make against your name.

4. If someone else pays a customer's bill, such as an employer.

5. Those providing telephone and similar directories or directory enquiry services.

6. Anyone Aircel transfers its business to in respect of which you are a customer or a potential customer.

7. Anyone who assists Aircel in protecting the operation of the Aircel networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities.

8. Persons to whom Aircel may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services. If a customer has opted in to receiving marketing material from Aircel, it may also provide personal information to carefully selected third parties who it reasonably believes to provide products or services that may be of interest to customers and who have contracted with Aircel to keep the information confidential, or who are subject to obligations to protect customer personal information.

[150] . We adopt reasonable security practices and procedures to include, technical, operational, managerial and physical security control measures in order to protect your personal information from unauthorized access, or disclosure while it is under our control.Our security practices and procedures limit access to personal information on need to know basis. Further, our employees, to the extent they may have limited access to your personal information on need to know basis, are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal informationWe take adequate steps to ensure that our third parties adopt reasonable level of security practices and procedures to ensure security of personal information

We may retain your personal information for as long as required to provide you with services or if otherwise required under any law. We, however assure you that Aircel does not disclose your personal information to unaffiliated third parties (parties outside Aircel corporate network and its Strategic and Business Partners) which could lead to invasion of your privacy

When we dispose off your personal information, we use reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media).

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification or disclosure. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information you provide on computer systems with limited access, which are located in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Secure Socket Layer (SSL) protocol. If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving a site or service to protect access to your information from subsequent users.

We make every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk, however we will use our best efforts to ensure that any such information remains secure.

[151] . http://www.acttv.in/index.php/privacy-policy

[152] . "When you register, we ask for information such as your name, email address, birth date, gender, zip code, occupation, industry, and personal interests.

The Company collects information about your transactions with us and with some of our business partners, including information about your use of products and services that we offer."

[153] . Not provided for on the TRAI website as ACT is not a telecom.

[154] . The Company can use information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.

The Company collects personal information when you register with the Company, when you use the Company products or services, when you visit the Company pages or the pages of certain partners of the Company. The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you.

[155] . Aircel provide the information to trusted partners who work on behalf of or with the Company under confidentiality agreements. These companies may use customer personal information to help the Company communicate about offers from the Company and marketing partners.

Aircel believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Company's terms of use, or as otherwise required by law.

Aircel transfer information about a customer if the Company is acquired by or merged with another company under a different management. In this event, the Company will notify a customer before information about a customer is transferred and becomes subject to a different privacy policy.

The Company plans to display targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click on targeted ads meet the targeting criteria - for example, women ages 18-24 from a particular geographic area.

The Company will not provide any personal information to the advertiser when customers interact with or view a targeted ad. However, by interacting with or viewing an ad a customer consents to the possibility that the advertiser will make the assumption that he/she meets the targeting criteria used to display the ad.

[156] . Rule 8.

For more details visit https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules

Relationship Between Privacy and Confidentiality

vipul — 2014-12-30T14:27:02Z

The laws of breach of confidentiality and breach of privacy at first glance seem very similar to each other. If a doctor releases health information relating to a patient that s/he is treating then such an act would give rise to a claim both under the law of privacy as well as under the law of confidentiality.

Similar is the case with financial information released by a bank, etc. This makes one wonder exactly where and how it is that the law of breach of privacy intersects with that of the law of confidentiality. An enquiry into such a complex question of law requires a deeper appreciation of the relationship between these two different principles of law which require a better understanding of the origins and evolutions of these principles.

In this paper we shall try to explore the origins of both the law of privacy as well as confidentiality as they have evolved in the field of tort law in India. Although our primary focus is Indian law, however in order to understand the evolution of these principles it is necessary to discuss their evolution in three common law jurisdictions, viz. the United States of America, the United Kingdom and India. The reason for an analysis of these three jurisdictions will become clear as the reader goes further into this paper, however for ease of reference it would be better if the reason is clarified here itself. The concept of a right against breach of confidentiality has existed in English common law for a very long time, however the concept of a claim for breach of privacy originated only in American law, other than some statutory protection granted in the last couple of decades, has still not been granted recognition in English common law.

After a discussion of the evolution of these principles in both American and English law, we will then discuss these principles as they exist in Indian law. This discussion will (or should) at once become easier to understand and digest because of the deeper understanding of the interplay between these two principles gained from a reading of the first two chapters.

Privacy Torts: American Origins

Looking at the origins of privacy law it has been argued by many academics that the law of privacy in common law has its origins in an article published by Samuel Warren and Louis Brandies in the Harvard Law Review in 1890.[1] Warren and Brandeis suggested that one could generalise certain cases on defamation, breach of copyright in unpublished letters, trade secrets and breach of confidence as all based upon the protection of a common value which they called privacy.[2] The authors relied upon the existing body of cases relating to the law of confidentiality and interpreted it in a way so as to create a "right to privacy" which has evolved into a right quite different from the common understanding of confidentiality.

Although there are certain criticisms of the article by Warren and Brandeis, the background in which the article was written and the lacuna that these two scholars were trying to fill in the law of confidentiality as it existed at that time gives some context to the reasons why they felt the need to move away from the existing principles and propose a new principle of law. Samuel Warren and Louis Brandies were both worried about the invasion of personal space by the advent of the news and print media which was experiencing a boom during the late 19^th century. [3] Warren and Brandeis were worried that although the existing body of law on confidentiality would protect a person from having their picture put on a postcard by their photographer without their consent,[4] however if there was no relationship between the two persons there would be no remedy available to the aggrieved party. [5]

One of the criticisms of Warren and Brandeis' article is that to propose the existence of a right to privacy they relied heavily on the English case of Prince Albert v. Strange[6]. It has been proposed by some academics that this was a case which dealt with confidentiality and literary property which was characterized by Warren and Brandeis as a privacy case. [7] In this case Prince Albert sought to restrain publication of otherwise unpublished private etchings and lists of works which were made by Queen Victoria. The etchings appeared to have been removed surreptitiously from the private printer to whom these etchings were given and came into the possession of one Mr. Strange who wanted to print and sell the etchings. The case specifically rejected the existence of a right to privacy in the following words:

"The case is not put by the Plaintiff on any principle of trust or contract, but on property; there is nothing to show contract or confidence. It cannot be maintained that privacy constitutes property, or that the Court will interfere to protect the owner in the enjoyment of it; Chadler v. Thompson (3 Camp. 80). In William Aldred's case (9 Rep. 58 b.), Wray C. J. said, "The law does not give an action for such things of delight"."

Infact the case mentioned the term "privacy" only once, but that statement was made in the context of whether a delay in granting an injunction in such cases would defeat the entire purpose of the suit and was not preceeded or followed by any discussion on a distinct right to privacy:

"In the present case, where privacy is the right invaded, postponing the injunction would be equivalent to denying it altogether. The interposition of this Court in these cases does not depend upon any legal right, and to be effectual, it must be immediate."

However, Warren and Brandeis interpreted this case in a different manner and came to the conclusion that the "principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality".[8]

The article further incorporated the language of Judge Cooley's treatise (Cooley on Torts)[9] which used the phrase "the right to be let alone". They said that identifying this common element should enable the courts to declare the existence of a general principle which protected a person's appearance, sayings, acts and personal relations from being exposed in public. [10] However it has been argued by some scholars that this phrase was not used by Judge Cooley with as much import as has been given by Warren and Brandeis in their article. The phrase was used by Judge Cooley in mere passing while discussing why tort law protected against not only batteries but also assaults with no physical contact, and had no connection with privacy rights. [11]

Warren and Brandeis' article started getting almost immediate attention and some amount of recognition from various quarters,[12] though it cannot be said that it was universally well received. [13] However over time this tort of privacy slowly started getting recognized by various Courts throughout the United States and got a huge boost when it was recognized in a brief section in the First Restatement of Torts published in 1939. The right to privacy in American jurisprudence got another boost and became fully entrenched later on specially with the endorsement of Dr. William Prosser who discussed privacy in his treatise on the law of torts, the subsequent editions of which had a more and more elaborate discussion of the tort of privacy. This development of the law was further enhanced by Dr. Prosser's position as a reporter of the Second Restatement of Torts, which imported a four part taxonomy of the privacy tort which had been suggested by Dr. Prosser in his previous works.[14]

Thus we see how, beginning with the article by Warren and Brandeis in 1890, the privacy tort in American jurisprudence developed over the years and became further entrenched due to the influence of William Prosser and his works on the tort of privacy.

Privacy Torts in England: An Elaborate Principle of Confidentiality

The law of confidentiality in English law, as applied in certain specific contexts such as attorney client privileges, [15] doctor patient confidentiality,[16] etc. has been applied since hundreds and even though cases relating to the breach of confidentiality had already existed, however the case of Prince Albert v. Strange,[17] be it due to the interesting facts or the fame of the parties involved, is still considered as the clearest and most well established precedent for the tort of breach of confidence.[18] Similar cases relying upon this tort kept being decided by the English Courts but the tort of confidentiality was further cemented in English common law by the case of Saltman Engineering Co. v. Campbell Engineering Co.,[19] which expanded the application of the principle by holding that the obligation to respect confidence is not limited to only instances where parties have a contractual relationship.

The seminal case on the tort of breach of confidentiality in English law was that of Coco v. A.N Clark (Engineers) Ltd., [20] where an inventor enjoined a moped manufacturer from using design ideas communicated by the inventor during failed contractual negotiations with the manufacturer.[21] In this case Megarry J., held that a case of breach of confidence normally requires three elements to succeed, apart from contract, (i) the information itself must have the necessary quality of confidence about it, (ii) that information must have been imparted in circumstances importing an obligation of confidence, and (iii) there must be an unauthorised use of that information to the detriment of the party communicating it.

Relying on the principles enunciated in the above cases and developed by subsequent decisions, English law relating to the tort of breach of confidentiality developed into a robust and flexible body of law protecting personal and commercial information from disclosure. Infact by the late 1990s, English law was very broad and gradually expanding in its scope of the tort of breach of confidentiality and Courts had stretched the idea of an obligation of confidence so as to include cases where there was not even any communication between the parties, such as secret photography and wiretapping. Further since third parties had already been reposed with an obligation of confidence when they knowingly received confidential material even if they did not have any relationship with the plaintiff, therefore the law of confidence could be extended to parties outside the relationship in which the confidence was initially made. This, although was not as broad and overarching as the American privacy tort, still had the ability to cover a wide range of cases. [22]

While English Courts on the one hand kept trying to expand the scope of the confidentiality tort, they also categorically rejected the existence of a privacy tort on the lines developed under American jurisprudence. The suggestion of the existence of such a privacy tort in English law was most recently rejected by the House of Lords in the case of Wainwright v. Home Office,[23] by Lord Bingham in the following words:

"What the courts have so far refused to do is to formulate a general principle of "invasion of privacy" (I use the quotation marks to signify doubt about what in such a context the expression would mean) from which the conditions of liability in the particular case can be deduced."

In this case the plaintiffs made a claim against the prison authorities for strip searching them before they went to meet an inmate and since the incident occurred before the coming into force of the Human Rights Act, 1998 of the UK had not yet come into force, so the plaintiffs also argued that there was an existing tortuous remedy based on a breach of privacy in common law. While discussing whether English Courts were amenable to or had ever recognized such a common law tort of privacy, the House of Lords cited decisions such as Malone v Metropolitan Police Comr, [24] and R v Khan (Sultan),[25] in both of which the courts refused to recognize a general right to privacy in the context of tapping of telephones.

The absence of any general cause of action for invasion of privacy was also acknowledged by the Court of Appeal in the context of a newspaper reporter and photographer invading into a patient's hospital bedroom in an effort to purportedly interview him and taking photographs, in the case of Kaye v Robertson.[26]

Thus relying on the above line of cases the House of Lords concluded that a general right to privacy does not exist in English common law:

"All three judgments are flat against a judicial power to declare the existence of a high-level right to privacy and I do not think that they suggest that the courts should do so. The members of the Court of Appeal certainly thought that it would be desirable if there was legislation to confer a right to protect the privacy of a person in the position of Mr Kaye against the kind of intrusion which he suffered, but they did not advocate any wider principle."

Thus it is clear that English Courts have time and again denied the existence of an American style right to privacy as emanating from common law. The Courts have instead tried to expand and widen the scope of the tort of confidentiality so as to cover various situations which may arise due to the pervasiveness of technology and which the traditional interpretation of the law of confidentiality was not equipped to deal with.

Therefore it is now a little clearer that the reason for the existence of the confusion between the torts of privacy and confidentiality is that the right to privacy had its origins in the common law precedents but the right to privacy developed as a distinct and separate right in America, primarily due to the influence of Warren and Brandeis's article as well as the works of William Prosser, whereas the Courts in England did not adopt this principle of privacy and instead favored a much more elaborate right to confidentiality. In the Indian context, this has led to some amount of confusion because, Indian case laws, as will be seen in the following chapter, borrowed heavily from American jurisprudence when discussing the right to privacy and not all cases have been able to clearly bring out the difference between the principles of privacy and confidentiality.

Indian Law

Tort of Breach of Privacy

Any analysis of the right to privacy in India, be it in the realm of constitutional law or tort law almost always includes within its ambit a discussion of the two celebrated cases of Kharak Singh v. Union of India[27] and Govind v. State of M.P.,[28] which elevated the right to privacy to the pedestal of a fundamental right under Indian law. However, an unintended consequence of this has been that pretty much every commentator on Indian law includes a discussion of these two cases when discussing the right to privacy, be it under constitutional law or under tort law. However, there is one problem with such an analysis of the right to privacy, viz. these two cases were dealing with a pure constitutional law question and relied upon American case laws to read into Article 21 an inbuilt right to privacy. However from a strictly tort law perspective, these cases are not relevant at all, and the seminal case for the tort of breach of privacy would have to be the Apex Court decision in R. Rajagopal v. State of Tamil Nadu, [29] which specifically recognized this distinction and stated that the right to privacy has two different aspects, (i) the constitutional right to privacy, and (ii) the common law right to privacy.

The facts of the R. Rajagopal case revolve around the publishing of the autobiography written by the prisoner Auto Shankar, who had been placed in jail for committing multiple murders. The autobiography contained proof of involvement of many IAS, IPS officers in his crimes. Although Shankar had initially requested that the magazine print his autobiography, he later requested that his story not be published. The publishers held that it was their right to publish the autobiography while the IPS and IAS officers on the other hand claimed that Auto Shankar was trying to defame them and wanted to ban its publication. The Supreme Court in this case, implicitly accepts the existence of a right to privacy under Indian tort law when

"21.The question is how far the principles emerging from the United States and English decisions are relevant under our constitutional system. So far as the freedom of press is concerned, it flows from the freedom of speech and expression guaranteed by Article 19(1)(a). But the said right is subject to reasonable restrictions placed thereon by an existing law or a law made after the commencement of the Constitution in the interests of or in relation to the several matters set out therein. Decency and defamation are two of the grounds mentioned in clause (2). Law of torts providing for damages for invasion of the right to privacy and defamation and Sections 499/500 IPC are the existing laws saved under clause (2). "

Discussing the distinction between the two aspects of the right to privacy, the Court held:

"The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognized. This right has two aspects which are but two faces of the same coin (1) the general law of privacy which affords a tort action for damages resulting from an unlawful invasion of privacy and (2) the constitutional recognition given to the right to privacy which protects personal privacy against unlawful governmental invasion. The first aspect of this right must be said to have been violated where, for example, a person's name or likeness is used, without his consent, for advertising or non-advertising purposes or for that matter, his life story is written whether laudatory or otherwise and published without his consent as explained hereinafter. In recent times, however, this right has acquired a constitutional status."

After a discussion of the various arguments presented by the parties (a number of which are not relevant for the purposes of this paper), the Supreme Court laid down the following principles regarding freedom of the press and the right to privacy:

(1) The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.

(2) The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media.

(3) There is yet another exception to the rule in (1) above - indeed, this is not an exception but an independent rule. In the case of public officials, it is obvious, right to privacy, or for that matter, the remedy of action for damages is simply not available with respect to their acts and conduct relevant to the discharge of their official duties. This is so even where the publication is based upon facts and statements which are not true, unless the official establishes that the publication was made (by the defendant) with reckless disregard for truth. In such a case, it would be enough for the defendant (member of the press or media) to prove that he acted after a reasonable verification of the facts; it is not necessary for him to prove that what he has written is true. Of course, where the publication is proved to be false and actuated by malice or personal animosity, the defendant would have no defence and would be liable for damages. It is equally obvious that in matters not relevant to the discharge of his duties, the public official enjoys the same protection as any other citizen, as explained in (1) and (2) above. It needs no reiteration that judiciary, which is protected by the power to punish for contempt of court and Parliament and legislatures protected as their privileges are by Articles 105 and 104 respectively of the Constitution of India, represent exceptions to this rule."

The above principles have ruled the roost on the issue of privacy and freedom of the press under Indian law, with certain minimal additions. It has been held by the Delhi High Court that even though a claim for damages may be made under tort law for breach of privacy, the Court may even grant a pre-publication injunction to prevent a breach of privacy.[30] The principles laid down inR. Rajagopal were further clarified in the case of Indu Jain v. Forbes Incorporated, [31] where a case was filed by Indu Jain in the Delhi High Court to stop Forbes magazine from featuring her family in the Forbes List of Indian Billionaires. After a discussion of the various authorities and cases on the issue the Court summarized the principles relating to privacy and freedom of the press and applying those principles rejected the claim of the plaintiff. However for the purposes of our discussion these principles are extremely useful, and have been listed below:

"(V) Public or general interest in the matter published has to be more than mere idle curiosity.

(VI) Public figures like public officials play an influential role in ordering society. They have access to mass media communication both to influence the policy and to counter-criticism of their views and activities. The citizen has a legitimate and substantial interest in the conduct of such persons and the freedom of press extends to engaging in uninhibited debate about the involvement of public figures in public issues and events. (Ref. (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others Para 18).

(VII) Right to privacy that rests in an individual may be waived by him by express or implied consent or lost by a course of conduct which estops its assertions. Such implication may be deduced from the conduct of the parties and the surrounding circumstances.

(VIII) A public person or personage is one who by his standing, accomplishment, fame, mode of life or by adopting a profession or calling which gives the public a legitimate interest in his doings, affairs and character has so become a public figure and thereby relinquishes at least a part of his privacy.

(IX) The standard to be adopted for assessing as to whether the published material infracts the right to privacy of any individual is that of an ordinary man of common sense and prudence and not an out of ordinary or hyper-sensitive man. (Ref. (2007) 1 SCC 143 Ajay Goswami v. UOI & Ors.).

(X) Even though in this country, the freedom of press does not have presumptive priority as in some other jurisdictions including the United States of America, however the importance of a free media of communication to a healthy democracy has to receive sufficient importance and emphasis.

(XI) In evaluating a relief to be granted in respect of a complaint against infraction of the right to privacy, the court has to balance the rights of the persons complaining of infraction of right to privacy against freedom of press and the right of public to disclosure of newsworthy information. Such consideration may entail the interest of the community and the court has to balance the proportionality of interfering with one right against the proportionality of impact by infraction of the other.

(XII) The publication has to be judged as a whole and news items, advertisements and published matter cannot be read without the accompanying message that is purported to be conveyed to public. Pre-publication censorship may not be countenanced in the scheme of the constitutional framework unless it is established that the publication has been made with reckless disregard for truth, publication shall not be normally prohibited. (Ref.: (2007) 1 SCC 143 Ajay Goswami Vs. UOI & Ors.; (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others and AIR 2002 Delhi 58 Khushwant Singh & Anr. Vs. Maneka Gandhi)."

Thus we see that the right to privacy in Indian law, even in the realm of tort law has had an inextricable connection with constitutional principles and constitutional cases have had a very huge impact on the development of this right in India. However a perusal of these cases shows that the right to privacy is available only insofar as information which is personal in nature, however in situations where the information is non-personal in nature the right to privacy may not be as useful and this is where, as we shall see below, the tort of breach of confidentiality comes in to fill the void.

Tort of Breach of Confidentiality

While there have been a number of landmark cases in India on the issue of breach of confidence in a contractual or a statutory setting, these cases are not very relevant for a discussion on the tort of breach of confidentiality. This is not to say that the tort of breach of confidentiality is non-existent in Indian law, the Courts here have time and again accepted that there does exist such a tortuous remedy in certain situations. We shall now try to examine the contours of this principle of torts by discussing some of the landmark cases on the topic.

In the case of Petronet LNG Ltd. v. Indian Petro Group and Another, ^{^[32]} the Delhi High Court considered a claim by a corporation seeking to prevent a news and media group from reporting its confidential negotiations and contracts with counterparties. The claim was based upon both the right to privacy as well as the right to confidentiality but in this case the court, looking at the fact that the plaintiff was a corporation and also the type of information involved denied the claim on the right to privacy. However, it did allow the injunction claimed by the corporation based on the right to confidentiality. Summarizing its discussion of the right to confidentiality, the Court stated thus:

"49. It may be seen from the above discussion, that originally, the law recognized relationships- either through status (marriage) or arising from contract (such as employment, contract for services etc) as imposing duties of confidentiality. The decision in Coco (1969) marked a shift, though imperceptibly, to a possibly wider area or zone. Douglas noted the paradigm shift in the perception, with the enactment of the Human Rights Act; even before that, in Attorney General (2) (also called the Spycatcher case, or the Guardian case) the Court acknowledged that there could be situations -where a third party (likened to a passerby, coming across sensitive information, wafting from the top of a building, below) being obliged to maintain confidentiality, having regard to the nature and sensitivity of the information….."

While discussing the factors that the Court would have to consider while deciding a claim based on the breach of confidentiality, the Delhi High Court relied upon and quoted from English judgments as follows:

"50. Even while recognizing the wider nature of duty - in the light of the Human Rights Act, 1998, and Articles 8 and 10 of the European Convention, it was cautioned that the court, in each case, where breach of confidentiality, is complained, and even found- has to engage in a balancing process; the factors to be weighed while doing so, were reflected in A v. B Plc [2003] QB 195; the latest judgment in H.R.H. Prince of Wales indicates that the court would look at the kind of information, the nature of relationship, etc, and also consider proportionality, while weighing whether relief could be given:

"The court will need to consider whether, having regard to the nature of the information and all the relevant circumstances, it is legitimate for the owner of the information to seek to keep it confidential or whether it is in the public interest that the information should be made public….

..In applying the test of proportionality, the nature of the relationship that gives rise to the duty of confidentiality may be important."

Holding that the principles discussed in the English cases given in the context of individual rights of confidentiality would also hold good in the case of corporations, the Court held that:

"51. Though the reported cases, discussed above, all dealt with individual right, to confidentiality of private information (Duchess of Argyll;Frazer; Douglas; Campbell and H.R.H. Prince of Wales) yet, the formulations consciously approved in the Guardian, and Campbell, embrace a wider zone of confidentiality, that can possibly be asserted. For instance, professional records of doctors regarding treatment of patients, ailments of individuals, particulars, statements of witnesses deposing in investigations into certain types of crimes, particulars of even accused who are facing investigative processes, details victims of heinous assaults and crimes, etc, may, be construed as confidential information, which, if revealed, may have untoward consequences, casting a corresponding duty on the person who gets such information - either through effort, or unwittingly, not to reveal it. Similarly, in the cases of corporations and businesses, there could be legitimate concerns about its internal processes and trade secrets, marketing strategies which are in their nascent stages, pricing policies and so on, which, if prematurely made public, could result in irreversible, and unknown commercial consequences. However, what should be the approach of the court when the aggrieved party approaches it for relief, would depend on the facts of each case, the nature of the information, the corresponding content of the duty, and the balancing exercise to be carried out. It is held, therefore, that even though the plaintiff cannot rely on privacy, its suit is maintainable, as it can assert confidentiality in its information."

Apart from privacy, the law of confidentiality has been used in cases where there has been a definite harm to one side but none of the other laws provide for any relief. This was the situation in the case of Zee Telefilms Limited v. Sundial Communications Pvt Ltd, [33] where a company which developed television and media programming had discussed their concept of a new show with a network during negotiations which could not be finalized. The network however subsequently tried to start a new show which was based on the same concept and idea as the one presented by the plaintiff company. The plaintiff sued the network, inter alia on a claim for breach of confidential information and asked that the network be prevented from airing its show. In this case the plaintiff's claim based on copyright was rejected because copyright only subsists on the expression of an idea and not the idea itself, therefore the tort of breach of confidentiality had to be resorted to in order to give relief to the plaintiffs. Discussing the difference between confidentiality and copyright, the Division Bench of the Bombay High Court held:

"10. The law of the confidence is different from law of copyright. In paragraph 21.2 (page 721), [of Copinger and Skone-James on Copyright (13th Edn.)] the learned author has pointed out that right to restrain publication of work upon the grounds, that to do so would be breach of trust of confidence, is a broader right than proprietary right of copyright. There can be no copyright of ideas or information and it is not infringement of copyright to adopt or appropriate ideas of another or to publish information received from another, provided there is no substantial copying of the form in which those ideas have, or that information has, been previously embodied. But if the ideas or information have been acquired by a person under such circumstances that it would be a breach of good faith to publish them and he has no just case or excuses for doing so, the court may grant injunction against him. The distinction between the copyright and confidence may be of considerable importance with regard to unpublished manuscripts / works submitted, and not accepted, for publication or use. Whereas copyright protects material that has been reduced to permanent form, the general law of confidence may protect either written or oral confidential communication. Copyright is good against the world generally while confidence operates against those who receive information or ideas in confidence. Copyright has a fixed statutory time limit which does not apply to confidential information, though in practice application of confidence usually ceases when the information or ideas becomes public knowledge. Further the obligation of confidence rests not only on the original recipient, but also on any person who received the information with knowledge acquired at the time or subsequently that it was originally given in confidence."

A similar view, in a similar fact situation Single Judge Bench of the Delhi High Court had also came to a similar conclusion in the case of Anil Gupta v. Kunal Das Gupta.[34]

The law of confidentiality has also come to the rescue of employers in attempting to prevent important business and client information from being taken or copied by the employees for their personal gain. In the case of Mr. Diljeet Titus, Advocate v. Mr. Alfred A. Adebare, [35] the Delhi High Court had to decide a claim based on breach of confidentiality when some ex-employees of a law firm tried to take away client lists and drafts of legal agreements and opinions from their earlier employer-law firm. Discussing the importance of preventing employees or former employees from away which such actions, the Court held as follows:

"81. I am in full agreement with the views expressed in Margaret, Duchess of Argyll (Feme Sole) v. Duke of Argyll and Ors. (1965) 1 All ER 611, that a Court must step in to restrain a breach of confidence independent of any right under law. Such an obligation need not be expressed but be implied and the breach of such confidence is independent of any other right as stated above. The obligation of confidence between an advocate and the client can hardly be re-emphasised. Section 16 of the Copyright Act itself emphasizes the aspect of confidentiality de hors even the rights under the Copyright Act. If the defendants are permitted to do what they have done it would shake the very confidence of relationship between the advocates and the trust imposed by clients in their advocates. The actions of the defendants cause injury to the plaintiff and as observed by Aristotle: 'It makes no difference whether a good man defrauds a bad one, nor whether a man who commits an adultery be a good or a bad man; the law looks only to the difference created by the injury."

The Court allowed the claim of the law firm holding that the relationship between a law firm and its attorneys is of a nature where information passed between them would be covered by the law of confidence and would not be allowed to be copied or used by the attorneys for their individual gain.

Recently, in 2009, the principles relating to breach of confidentiality under Indian law were very succinctly summarized by the Bombay High Court in the case of Urmi Juvekar Chiang v. Global Broadcasting News Limited,[36] where in a fact situation similar to the ones in Zee Telefilms case and the Anil Gupta case, the Court discussed a number of previous cases on breach of confidentiality and laid down the following principles:

"8. The principles on which the action of breach of confidence can succeed, have been culled out as

(i) he (Plaintiff) had to identify clearly what was the information he was relying on;

(ii) he (Plaintiff) had to show that it was handed over in the circumstances of confidence;

(iii) he (Plaintiff) had to show that it was information of the type which could be treated as

confidential; and

(iv) he (Plaintiff) had to show that it was used without licence or there was threat to use it…… It is further noted that at interlocutory stage, the Plaintiff does not have to prove (iii) and (iv) referred to above, as he will at the trial. But the Plaintiff must address them and show that he has atleast seriously arguable case in relation to each of them."

From the above discussion on Indian law it is clear that the Courts in India have tried to incorporate the best of both worlds, in the sense that it has taken and adopted the principle of a right to privacy, a breach of which would give rise to an action in torts, from American jurisprudence while rejecting the stand taken by English Courts in rejecting such a right to privacy. However, Indian Courts have often referred to the decisions given by English Courts as well as American Courts in interpreting the principle of the right to confidentiality. Therefore on an overall examination it would appear that insofar as the rights to privacy and confidentiality are concerned, Indian jurisprudence has more in common with American law rather than English law.

Conclusion

The law of privacy does not seem to have existed as a recognizable principle of law before it was propounded in the article by Warren and Brandeis in the Harvard Law Review in 1890. It slowly gained traction in American jurisprudence over the twentieth century but was rejected outright by the Courts in England, which preferred to follow the principle of confidentiality rather than privacy and tried to expand that old principle to fit newer and newer situations. Since Indian law borrows heavily from English law and to a smaller extent also from American law, the Courts in India have accepted both, the principle of a right to privacy as well as a right to confidentiality. This is not to say that the Courts in America do not recognize a right to confidentiality and only accept a right to privacy. Infact American Courts, just like their Indian counterparts, recognize both a right to confidentiality as well as a right to privacy.

Since Indian courts accept both the concept of breach of privacy as well as breach of confidentiality, one should not try to figure out if a particular circumstance is more appropriate for the one over the other, but actually use both principles to supplement one another for achieving the same objective. For example in situations where the conditions required for the application of the law of confidentiality do not exist such as disclosure of personal information by a person who did not receive it in a confidential capacity, one could apply the principle of privacy to prevent such information being disclosed or claim a remedy after disclosure. On the other hand if the information to be disclosed is not of a personal nature then one could try to utilize the law of confidentiality to prevent disclosure or claim damages.

[1] Harry Kalven, Jr., Privacy in Tort Law-Were Warren and Brandeis Wrong?, "31 Law & Contemp. Problems". 326, 327 (1966). Elbridge L. Adams, The Right of Privacy, and Its Relation to the Law of Libel, 39 AM. L. REV. 37 (1905).

[2] Wainwright v. Home Office, 2003 UKHL 53.

[3] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 at 128 and 132 (2007).

[4] Pollard v. Photographic Co., (1888) 40 Ch. D. 345.

[5] It is also said that this concern arose out of the personal experience of Samuel Warren, whose wedding announcement as well as the report on his sister-in-law's death in the newspapers did not go down well with him. http://www.english.illinois.edu/-people-/faculty/debaron/380/380powerpoint/privacy.pdf

[6] (1848) 41 Eng. Rep. 1171 (Ch.).

[7] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[8] Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, "4 Harvard Law Review", 193 at 207 (1890).

[9] Thomas M. Cooley, The Law Of Torts, 2^nd Ed., 1888, p. 29.

[10] Wainwright v. Home Office, 2003 UKHL 53.

[11] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[12] As early as in 1891, the case of Schuyler v. Curtis, 45 NYS 787 (Sup. Ct., 1891) involving the erection of a statue of a dead person, recognized the principle proposed in Warren and Brandeis' article.

[13] Most famously the case of Robertson v. Rochester folding Box Co., 64 NE 442 (NY 1902) where the New York Court of appeals specifically rejected a the existence of a right to privacy as proposed by Warren and Brandeis.

[14] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[15] Bredd v. Lovelace, (1577) 21 Eng. Rep. 33 (Ch.)

[16] For doctor patient confidentiality we need look no further than the Hippocratic Oath itself which states "Whatever, in connection with my professional service, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret".

[17] (1848) 41 Eng. Rep. 1171 (Ch.).

[18] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[19] [1948] 65 RPC 203.

[20] [1969] RPC 41 (UK).

[21] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[22] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[23] 2003 UKHL 53.

[24] [1979] Ch 344.

[25] [1997] AC 558.

[26] [1991] FSR 62

[27] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=3641 .

[28] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=6014 .

[29] http://www.judis.nic.in/supremecourt/imgs1.aspx?filename=11212 .

[30] Phoolan Devi v. Shekhar Kapoor and others, http://indiankanoon.org/doc/793946/.

[31] http://lobis.nic.in/dhc/GM/judgement/25-01-2010/GM12102007S21722006.pdf

[32] http://lobis.nic.in/dhc/SRB/judgement/25-04-2009/SRB13042009S11022006.pdf

[33] http://indiankanoon.org/doc/603848/ .

[34] http://indiankanoon.org/doc/1709727/ .

[35] http://delhicourts.nic.in/may06/DILJEET%20TITUS%20VS.%20ALFED%20A.%20ADEBARE.htm .

[36] http://indiankanoon.org/doc/582634/ .

For more details visit https://cis-india.org/internet-governance/blog/relationship-between-privacy-and-confidentiality

Targeting surveillance

praskrishna — 2014-12-30T14:10:58Z

In the fall of 2005, Scotland Yard raided a flat in west London and arrested a suspected al-Qaeda militant known by a teasing Arabic nickname, Irhabi (“Terrorist”) 007.

The article by Ajai Sreevatsan was published in the Hindu on December 28, 2014. Sunil Abraham gave his inputs.

The similarities between Irhabi 007, later identified as Younis Tsouli, and India’s Mehdi Masoor Biswas are uncanny.

Neither participated in any terror attack. Their reputation stems from an alleged involvement as cyber propagandists for proto-terror groups — Irhabi was distributing manuals and teaching online seminars on behalf of the emerging al-Qaeda faction in Iraq, while Mehdi is alleged to be an IS sympathiser. Both in their early 20s with cover identities during the day, and separated by a decade in technological evolution.

Such expertise within terror groups is hardly surprising, says Sunil Abraham of the Centre for Internet and Society. “Any organisation engaged in a war for hearts and minds and oil fields will exploit contemporary technology to its fullest potential,” he says.

Irhabi currently serves a 16-year jail term, while Mehdi awaits his trial. What their cases highlight is that the phenomenon of young, tech-savvy armchair radicals is nothing new.

Research done at Israel’s Haifa University, which tracks the proliferation of terrorist websites, shows that the number of such sites went up from fewer than 100 in the late-1990s to more than 4,800 in just a decade. There is also credible evidence that an al-Qaeda website posted a sketched-out proposal for the 2004 Madrid bombings three months before the attack. Another macabre example is the crowd-sourcing effort launched in 2005 by the Victorious Army Group to build its website. By the competition’s rules, the winner would get to fire a rocket at an American base.

As Indian agencies gear up to respond to similar online threats in this part of the world, Mr. Abraham says India should not repeat the mistakes made by the West over the previous decade. “We should not get caught up in big data surveillance,” he says.

“Surveillance is like salt. It could be counter-productive even if slightly in excess. Ideally, surveillance must be targeted. Indiscriminate surveillance just increases the size of the haystack, making it difficult to find the needles,” Mr. Abraham says.

“Even in the case of Mehdi, his identity was uncovered not by online spying but by Channel 4 which did some old-fashioned detective work,” he says.

In any case, recent events show that the threat of online terror propaganda might be overblown. Much like online activism, it is subject to the law of diminishing returns.

A set of letters sent by newly recruited volunteers of IS was leaked to the French newspaper Le Figaro earlier this month and it shows youngsters complaining about being made to do the dishes or the Iraqi winter. One of them wrote: “I’m fed up to the back teeth. My iPod no longer works out here. I have got to come home.” Of the estimated 1,100 young French who are believed to have joined the IS, more than 100 have already returned.

The IS may have Twitter on its side. But the harsh realities of Iraq and the gruesome ideology behind the slick doctrinal videos are a lot harder to sell.

Mr. Abraham says there is no such thing as a Twitter revolution or a social media terror group. “Such statements underestimate the role of ideology and human beings,” he says.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-december-28-2014-ajai-sreevatsan-targeting-surveillance

Locating Constructs of Privacy within Classical Hindu Law

Ashna Ashesh and Bhairav Acharya — 2015-01-01T13:56:04Z

This white paper seeks to locate privacy in Classical Hindu Law, and by doing so, displace the notion that privacy is an inherently ‘Western’ concept that is the product of a modernist legal system.

Introduction: Conceptions of Privacy

Because of the variance exhibited by the various legal, social, and cultural aspects of privacy, it cannot be easily defined. As a legal concept, privacy may form a constitutional claim, a statutory entitlement, a tortious action or an equitable remedy. As a constitutional claim, privacy is either an explicitly recognised right that is capable of independent enforcement, read into a pre-existing right , or located within the penumbra of a larger right. Statutory recognition of privacy may be afforded by both criminal and civil statutes. The offence of criminal defamation for instance, is perceived as an act of violating an individual's privacy by tarnishing his or her reputation. Similarly the provision of in camera trials for divorce proceedings is an illustration of a civil statute implicitly recognising privacy. As a tortious claim the notion of privacy is commonly understood in terms of the right against trespass of property. Equity, co-terminus with a statutory mandate or in isolation, may also be a source of privacy.

Most legal conceptions of privacy in everyday use in India originated from the English common law. Other constitutional and statutory constructions of privacy, even when not found in the common law, arise within a broader modernist system of law and justice that originated in Europe. During the European colonisation of India, the British (and, in a different manner, the French ) attempted to recreate the common law in India through the establishment of a new legal and courts system, and the wholesale importation of the European idea of law. The very notion of privacy, as well as its legal conception, is a product of this legal modernity. In post-colonial societies, the argument against the right to privacy is usually premised on its perceived alien-ness - as a foreign idea brought by colonisers and imposed on a traditionalist society that favoured communitarian living over individual rights - in an effort to discredit it.

The fallacy of this argument lies in its ignorance of the cultural plurality of privacy. To begin with, the idea that is connoted by the modernist notion of privacy pre-dated the introduction of common law in India. By the time of the Enlightenment, Hindu law and Islamic law were established legal systems with rich histories of jurisprudence and diverse schools of law within them, each with their own juristic techniques and rules of interpretation. While neither Hindu law nor Islamic law use a term that readily translates to "privacy", thereby precluding a neat transposition of meanings between them, the notion of privacy existed and can be located in both the legal traditions. In this paper, the term 'privacy' is used to describe both the modernist notion that arises from the principle of personal autonomy as well as the diverse pre-modern concepts in Hindu and Islamic jurisprudence that resemble or relate to this notion. These pre-modern concepts are diverse, and do not permit an easy analysis. For instance, the Manusmriti, which is a source of classical Hindu law, prohibits bathing in tanks that belong to other men. Additionally it prohibits the use of wells, gardens, carriages, beds, seats and houses without the owner's permission. These prohibitions are not driven by the imperatives of privacy alone. The rationale is that in using others' belongings one appropriates a portion of their sins. Hence, these privacy protections are linked to an ideal of purity. Islamic law also restricts the use or misappropriation of another's property. However, this prohibition is designed to protect private property; it has no ideological link to purity.

This paper attempts to locate constructs of privacy in classical Hindu law. The purpose of this exercise is not to privilege one legal system over another. Therefore, we do not intend to normatively assess the existing modernist discourse on privacy. We simply seek to establish the existence of alternate notions of privacy that pre-date modernity and the common law.

The scope of the paper is confined to locating privacy in classical Hindu law. The materials within the realm of classical Hindu law, relevant to this exercise are- the sruti, smriti, and acara. Sruti comprises of the Vedas, Brahmanas, Aranyakas and the Upanishads. It is considered to symbolise the spirit of Hindu law and is not the source of any positivist command as such. Smriti involves various interpretations of the sruti, We have however restricted ourselves to the Dharmashastras in this realm. Acara refers to the body of customary practices.

The review of the material at hand however, is not exhaustive. The reasons for this are twofold- first, given the vast expanse of Hindu jurisprudence, the literature review has been limited; second, there is a limited availability of reliable English translations of ancient legal treatises.

This paper is divided into two parts. The first part of this paper deals with the interface of colonisation with Hindu law and elucidates the nature of Hindu law. With the advent of colonialism, classical Hindu law was gradually substituted by a modernist legal system. Exploring the characteristics of modernity, the factors that contributed to the displacement of classical Hindu law will be identified.

One of the factors that contributed to the displacement was the uncertainty that characterised classical Hindu law. Classical Hindu law was an amalgamation of three sources, as. In an attempt to rule out the uncertainty, and the lack of positive command, the modernisation of Hindu law was brought about. Accordingly this part shall also examine the nature of Hindu law. Furthermore it shall determine whether the application of codified modern Hindu law, is informed by the precepts of classical Hindu law.

Having explicated the nature of Hindu law, the next part will focus on identifying instances of privacy in classical Hindu law.

Before ascertaining specific instances, however, this part will lay down a general understanding of privacy as it existed then. It will be demonstrated that regardless of the absence of an equivalent term, an expectation of privacy existed.

The specific illustrations of privacy will then be mapped out.

Given the different aspects wherein an expectation of privacy exists, there is also a possibility of competing claims. In the event that such conflicts arise, this part will attempt to resolve the same.

Part 1: The Transmogrification of the Nature of Hindu Law

The evolution of Hindu jurisprudence can be charted through three phases- classical, colonial, and modern.

In the classical phase, it was embodied by the Dharmashastra which elaborated on customary practices, legal procedure, as well as punitive measures. The Dharamshastra was accompanied by the Vedas, and acara. Whether this body of jurisprudence could be called 'law' in the strict modernist sense of the term is debatable.

Modernity has multifarious aspects. However, we are concerned with modernity in the context of legal systems, for the purpose of this paper. The defining attribute of a modernist legal system is the need for positivist precepts that are codified by a legislature. The underlying rationale for formalised legislation is the need for certainty in law. Law is to be uniformly applied within the territory. The formalised legislation is to be enforced by hierarchized courts. Furthermore this codified law can be modified through provisions for amendment, if need be.

This modernist understanding is what informs the English common law. With the advent of colonialism, common law was imported to India. The modernist legal system was confronted by plural indigenous legal systems here that were starkly different in nature. In the given context, the relevant indigenous system is classical Hindu law. The classical precepts were interpreted by the British. These interpretations coupled with the sources of Classical Hindu law, constituted colonial Hindu law.

It is pertinent to note that these interpretations were undertaken through a modernist lens. The implication was the attempted modernisation of a traditional legal system.

The traditional system of Classical Hindu law did not exhibit any of the introduced features. To begin with not all of classical Hindu law was text based. The problem with the textual treatises was threefold. First, they were not codes enacted by a legislature, but written by various scholars. Second, they were not phrased as positivist precepts. Third, their multiplicity was accompanied with the lack of an established hierarchy between these texts.

Additionally classical Hindu law was the embodiment of dharma, which in itself was an amorphous concept. The constitutive elements ofdharma were law, religious rites, duties and obligations of members of a community, as well as morality. These elements do not however, exhaustively define dharma. There exist varying definitions of dharma, and in some cases even ancient texts dealing with dharma fail to articulate its definition. This is on account of the fact that the meaning of dharma, varied depending on the in which it is used Owing to the fact that classical Hindu jurisprudence was informed by dharma, the former was an amalgamation of law, religion and morality. Therefore it was categorised as jurisprudence that lacked the secularity exhibited by modern positivist law.

The co-existence of law and morality in classical Hindu law has led to various debates regarding its nature. Before explicating the nature of classical Hindu law, its sources must be elaborated on. As referred to, the sources are sruti, smriti, and acara.

Sruti is constituted by the Vedas, Brahmanas, Aranyakas, and Upanishads. Vedas are divine revelations that contain no positive precept per se. They are considered as the spirit of law, and believed to be the source of the rules of dharma. The Vedas are constituted by the Rigveda, Samveda, Yajurveda and Athravaveda. Based on the Vedic texts, treatises have been written elucidating religious practices. These texts are known as the Brahmanas. The Aranyakas and the Upanishads engage in philosophical enquiries of the revelation in the Vedas.

Interpretations of the Sruti by various scholars are embodied in the Smriti. The connotations of smriti are twofold. First, it implies knowledge transmitted through memory, as opposed to knowledge directly revealed by divinity. Additionally, it is the term used to collectively reference the Dharmasutras and Dharmashastra.

Dharmasutras were essentially interpretations of revelation in only prose form, or a mixture of prose and verse. They detailed the duties and rituals to be carried out by a person, through the four stages, of his or her life. The duties laid down also varied depending on the caste of a person. They also laid down guidelines for determining punishments.

Dharmasastras on the other hand were in the verse form. Though their subject matter coincided with the Dharmasutra in terms of domestic duties and rituals, they had a wider ambit. The Dharmasastras also dealt with subjects such as statecraft, legal procedure for adjudicating disputes. In a limited way, they marked the diversification from strictly religious precepts, from those that were legal in nature. For instance the Manusmriti was an amalgamation of law and ritual. The Yajnawalkya Samhita however, has separate parts that deal with customary practices, legal procedure, and punitive measures. The Narada Smriti, in turn deals only with legal procedure and rules of adjudication.

It is opined that in due course of time, the Aryan civilisation diversified. Their life and literature were no longer limited to sacrificial practices, but took on a more 'secular' form. The Arthashastra is evidence of such diversification. Unlike the Dharmashastra, it deals with strategies to be employed in governance, regulations with regard to urban planning, commercialisation of surrogacy, espionage, among other things.

The third source of classical Hindu law, acara refers to customary practices and their authoritativeness was determined by the people. Their prevalence over textual tradition is contentious. Some opine that acara prevails over textual traditions. However, the opposing school of thought believes that customary practices prevail only if the text is unclear or disputed.

Other sources of classical Hindu law include the itihas (epics such as the Mahabharata and Ramayana), and digests written by scholars.

Given the diversity of sources and its non-conformity to positivism, the nature of classical Hindu law is a heavily contested issue. For instance, with regard to the legal procedure in the Dharmashastra, Maynes opines that these rules qualified as law in the modernist sense. Ludo Rocher however, opines that textual treatises would not qualify as law. Classical Hindu law can admittedly not be identified as strictly legal or strictly moral. However, it does in a limited way recognise the distinction between legal procedure and morality. This is to say, it is not merely a source of rituals, but also lays down precepts that are jurisprudentially relevant.

On account of its non-conformity with characteristics of a modernist legal system, classical Hindu law was displaced by its colonial version. The British attempted to accomplish this though the process of codification. The colonial attempts to codify Hindu law were carried forward by the Indian government post-independence. The result was the Hindu Code Bill. The context in which this codification took place must be examined in order to better comprehend this transmogrification. Post-independence, the idea of a Uniform Civil Code had been debated. However it was at odds with the Nehruvian notion of secularity. The codification of Hindu personal law was an attempt at modernising it, without infringing on the religious freedom of Hindus. The idea was to confine the influence of religion to the private sphere. What emerged was the Hindu Code Bill, which served as the blueprint for the Hindu Marriage Act, the Hindu Succession Act, the Hindu Minority and Guardianship Act and, the Hindu Adoption and Maintenance Act. Colonial Hindu law was thus displaced by modern Hindu law.

As Galanter observes however, modernisation through legislations may formalise or even modify classical precepts, but cannot erase them completely. For instance, Section 7 of the Hindu Marriage Act, which prescribes the ceremonial requirements for a Hindu marriage, replicates those prescribed in Classical Hindu law. Additionally a plethora of judicial decisions have relied on or taken into consideration, precepts of ancient Hindu jurisprudence.

It is evident thus that ancient precepts still inform modern Hindu law. Given their relevance, it would be erroneous to write off classical Hindu law as completely irrelevant in a modernist context.

Part II: Precepts of Privacy in Classical Hindu Law

As referred to, we have not come across a terminological equivalent of the term 'privacy' in the course of our research. The linguistic lacuna is admittedly a hurdle in articulating the pre-modern understanding of privacy as found in Hindu jurisprudence. It is not however, an argument against the very existence of privacy. The lack of pre-modern terminology necessitates the usage of modern terms in classifying the aspects of privacy detailed in Hindu jurisprudence.

Thus, broadly speaking, the aspects of privacy we have culled out from the material at hand are those of physical space/ property, thought, bodily integrity, information, communication, and identity. As will be demonstrated these aspects overlap on occasion and are by no means an exhaustive indication. In order to contextualise these aspects within the realm of Hindu jurisprudence, they are detailed below through specific illustrations.

A. Privacy of physical Space/ property

Akin to the modern legal system that first understood privacy in proprietary terms, Hindu jurisprudence too accorded importance to privacy in terms of physical space. This is further illustrated by the similarity between the common law notion of a man's house being his castle, and the institutional primacy accorded by the Naradsmriti to the household . The common denominator here is the recognition of a claim to privacy against the sovereign. This claim operated against society at large as well. For instance, an individual caught trespassing on someone else's property was liable to be fined.

These religious precepts were supplemented by those reflected in texts such as the Arthashastra. By way of illustration the house building regulations prescribed by it are largely informed by the recognition of a need for privacy. To begin with, a person's house should be built at a suitable distance from a neighbour's house, to prevent any inconvenience. In addition the house's doors and windows should ideally not face a neighbours doors and windows directly. The occupants of the house should ensure the doors and windows are suitably covered. Furthermore in the absence of a compelling justification, interference in a neighbour's affairs is penalised.Juxtaposed to religious texts that often perceived privacy as a concept driven by the imperative of purity, the Arthashastra is reflective of a secular connotation of privacy.

Though the household was privileged as the foundational institution in Hindu jurisprudence, claims of privacy extend beyond one's house to other physical objects as well, regardless of whether they were extensions of the household or not. For instance, both the Yajnawalkya Samhita and the Manusmriti condemn the usage of another person's property without his or her permission.

What is noteworthy in the context of personal property is that in an era infamous for the denigration of women, Hindu jurisprudence recognised a woman's claim over property. This property, also known as Stridhana, had varied definitions. In the Yajnawalkya Samhita for instance, it is conceptualised as, "What has been given to a woman by the father, the mother, the husband or a brother, or received by her at the nuptial fire, or given to her on her husband's marriage with another wife, is denominated Stridhana or a woman's property". In the Manusmriti, it is defined as "What was given before the nuptial fire, what was given on the bridal procession, what was given in token of love, and what was received from her brother, mother, or father, that is called the sixfold property of a woman".

Beyond mere cognizance of proprietary rights however, these precepts were also informed by the notion of exclusivity. Consequently, a woman's husband or his family were precluded from using her Stridhana, unless they were in dire straits. Additionally it was a sin for a woman's relatives to use her wealth even if the same was done unknowingly.

B. Privacy of Thought

In addition to the aspect of physical space, a claim to privacy vis-a-vis the intangible realm of thought was afforded by Hindu jurisprudence. In the modern context the link between solitude and privacy has been recognised as early as 1850 by Warren and Brandeis. The key distinction is that in the modern era this need for solitude was seen as a function of the increasing invasion of privacy. In the pre-modern era however, solitude was considered essential for self-actualisation, and not as a response to the increasing invasion of the private realm. Meditation in solitude was perceived as enabling existence in the highest state of being. In fact a life in solitude was identified as a pre-requisite for being liberated.

Though solitude itself is intangible, engaging in meditation would require a tangible solitary space. This is where the privacy of thought overlapped with the aspect of privacy of space. Accordingly, the Arthashastra prescribed that forest areas be set aside for meditation and introspection. It also recognised the need for ascetics to live within these spaces harmoniously, without disturbing each other.

It is evident, that as far as the aspects of privacy were concerned, there were no watertight compartments.

C. Privacy with respect to bodily integrity

A claim to privacy of thought can only be substantively realised when complemented by the notion of privacy with respect to bodily integrity, as corporeal existence serves as a precursor to mental well-being. The inference drawn from the relevant precepts concerning this aspect is that they were largely women-centric. Arguably they were governed by a misplaced patriarchal notion that women's modesty needed to be protected. At best they could be considered as implicit references to an expectation of privacy.

The Manusmriti states, "But she who…goes to public spectacles or assemblies, shall be fined six krishnalas". Restrictions operating during a woman's menstruation were twofold. Her family was prohibited from seeing her. Additionally cohabitation with such a woman was also forbidden. It should be pointed out that that these constructs had little to do with a woman's expectation of privacy. They were forbidden due to the attached implications of impurity that would vest in the defaulter. A woman's autonomy with regard to her body was not regarded as a factor meriting consideration.

However, there were constructs, albeit limited, which were more egalitarian in their approach and did recognise her autonomy. They established that women do have an expectation of privacy in terms of bodily integrity. Sexual assault was considered as an offence. Evidence of this is found in the Yajnawalkya Samhita which states, "If many persons know a woman against her will, each of them should be made to pay a fine of twenty four panas". In addition, the Arthashastra vested in commercial sex workers the right to not be held against their will. Further it expressly states that even a commercial sex worker cannot be forced to engage in sexual intercourse.

Women could make a claim to privacy not only against society at large, but also against their husbands. Ironically, while our contemporary legal system (i.e., the Indian legal system) fails to criminalise marital rape, the Manusmriti considered it an offence. Additionally, husbands were also prohibited from looking at their wives when the latter were in a state of relaxation.

D. Privacy of Information and Communication

While the three aspects explicated above were by and large restricted to the individual, the privacy of information and communication has been largely confined by Hindu jurisprudence to the realm of the sovereign. Both the Manusmriti and the Arthashastra acknowledge the importance of a secret council that aids the king in deliberations. These deliberations are to be carried on in a solitary place that was well-guarded. The decisions made in these deliberations are to be revealed on a need to know basis. That is to say, only persons concerned with the implementation of these decisions are to be informed. The Manusmriti also provides for private deliberation by the king on matters not involving governance. It provides, "At midday or midnight , when his mental and bodily fatigues are over, let him deliberate, either with himself alone or with his ministers on virtue, pleasure, and wealth".

Apart from governance, privacy of information also pertained to certain types of documents that were considered private in nature. These are documents that involve transactions such as partition, giving of a gift, purchase, pledge and debt. What is interesting about this precept is the resemblance it bears to the common law notion of privity. The common characteristic of the documents referred to, is that they concerned transactions undertaken between two or more persons. The rights or obligations arising from these transactions were confined to the signatories of these documents. It could be possible that the privatisation of these documents was aimed at guarding against disruption of transactions via third party intrusions.

The limited reference to private communications is found within the realm of governance, within the context of privacy of information. The only illustration of this that we have come across is the precept in the Arthashastra that requires intelligence to be communicated in code.

E. Privacy of Identity

The final aspect that warrants detailing is the privacy of identity. The notion of privacy of identity can be understood in two ways. The first deals with protection of personal information that could be traced back to someone, thus revealing his or her identity. The second recognises the component of reputation. It seeks to prevent the misappropriation or maligning of a person's identity and thus reputation. In ancient Hindu jurisprudence there is evidence of recognition of the latter. An illustration of the same is offered by the precept which states "For making known the real defects of a maiden, one should pay a fine of a hundred panas". Another precept prescribes that false accusations against anyone in general are punishable by a fine. Additionally, there is also a restriction operating against destroying or robbing a person of his or her virtue. In the modern context, the above would be understood under the rubric of defamation. These precepts are indicative of the fact that defamation was recognised as an offence way before the modern legal system afforded cognizance to the same.

Conclusion

The dominant narrative surrounding the privacy debate in India is that of the alien-ness of privacy. This paper has attempted to displace the notion that privacy is an inherently 'Western' concept that is the product of a modernist legal system. No doubt the common understanding of the legal conception of privacy is informed by modernity. In fact, the research conducted in support of this paper has been synthesised from privacy information through a modernist lens. The fact still remains however, that privacy is an amorphous context, and its conceptions vary across cultures.

To better appreciate the relevance of Classical Hindu law in a modernist context, the nature of Hindu law must be examined first. While Hindu jurisprudence might not qualify as law in the positivist sense of the term, its precepts continue to inform India's statues and judicial pronouncements.

Privacy is subjective and eludes a straitjacketed definition. On occasion this elusiveness is a function of its overlapping and varying aspects. At other times it stems from a terminological lacuna that complicates the explication of privacy. These impediments notwithstanding, it is abundantly clear that the essence of privacy is reflected in Hindu culture and jurisprudence. This may give pause to thought to those who seek to argue that 'collectivist' cultures do not value privacy or exhibit the need for it.

Daniel J. Solove, A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol. 154(3), January 2006.

Id.

Upendra Baxi, Who Bothers About the Supreme Court: The Problem of Impact of Judicial Decisions, available at http://clpr.org.in/wp-content/uploads/2013/08/whobothersabouttheSupremeCourt.pdf (Last visited on December 23, 2014) (The enforceability of rights often sets their individual enjoyment apart from their jurisprudential value); In India, the reading of privacy into Article 21 has not resulted in a mechanism to enforce a standalone right to privacy, See R.H. Clark, Constitutional Sources of the Penumbral Right to Privacy, available at http://digitalcommons.law.villanova.edu/cgi/viewcontent.cgi?article=2046&context=vlr (Last visited on December 23, 2014) (In the United States, the right to privacy was located in the penumbra of the right to personal autonomy).

See PUCL v. Union of India, AIR 1997 SC 568.

See Griswold v. Connecticut, 381 U.S. 479 (1965); Lawrence v. Texas, 539 U.S. 558 (2003).

See The Indian Penal Code, 1850, Section 499.

See The Hindu Marriage Act, 1955 Section 22; The Special Marriage Act, 1954, Section 33.

Bhairav Acharya & Vidushi Marda, Identifying Aspects of Privacy in Islamic Law, available at http://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law (Last visited on December 23, 2014).

See Robert Lingat, The Classical Law of India (1973).

Donald R. Davis, Jr., The Spirit of Hindu Law (2010) (This importation must be viewed against the backdrop of the characteristics of the era of Enlightenment wherein primacy was accorded to secular reason and the positivist conception of law. Davis observes "One cannot deny the increasing global acceptance of a once parochial notion of law as rules backed by sanctions enforced by the state. This very modern, very European notion of law is not natural, not a given; it was produced at a specific moment in history and promulgated systematically and often forcibly through the institutions of what we now call the nation-state, especially those nations that were also colonial powers.)"; But see Alan Gledhill, The Influence of Common Law and Equity on Hindu Law Since 1800, available at http://www.jstor.org/stable/755588 (Last visited on December 23, 2014); Werner Menski, Sanskrit Law: Excavating Vedic Legal Pluralism, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1621384 (Last visited on December 23, 2014) (However, this replacement of traditional legal systems did not extend to personal laws. Personal laws in India continue to be community-based, sometimes un-codified, draw from a diverse set of simultaneously applicable sources and traditional schools of jurisprudence.).

Supra note 8, Acharya & Marda.

Privacy International, A New Dawn: Privacy in Asia, available at https://www.privacyinternational.org/reports/a-new-dawn-privacy-in-asia/background (Last visited on December 28, 2013) ("It is only recently that the debate around privacy was stuck in this "collectivist" vs. "individualistic" cultural discourse…we discovered that privacy concerns and the need for safeguards were often embedded deeply in a nation, and not just as a response to a modern phenomenon.").

Privacy International, A New Dawn: Privacy in Asia, available at https://www.privacyinternational.org/reports/a-new-dawn-privacy-in-asia/background (Last visited on December 28, 2013)

J. Duncan M. Derrett, The Administration of Hindu Law by the British, available at http://www.jstor.org/stable/177940 (Last visited on December 23, 2014).

Manusmriti, Chapter IV, 201.

Manusmriti, Chapter IV, 202.

Id.

Wael B. Hallaq, An Introduction to Islamic Law 31 (2009).

Donald R. Davis, Jr., The Spirit of Hindu Law (2010).

Marc Galanter, The Displacement of Traditional Law in Modern India, Journal of Social Issues, Vol. XXIV, No. 4, 1968.

Id.

Supra note 20, Galanter.

Supra note 10, Menski.

Werner Menski, Hindu Law: Beyond Tradition and Modernity (2003).

Id.

Ashcroft as cited in Werner Menski, Hindu Law: Beyond Tradition and Modernity (2003).

Supra note 20, Galanter.

Id.

Id .

Supra note 19, Davis.

Id.

Id .

J. Duncan M. Derrett, Introduction to Modern Hindu Law (1963); Supra note 19, Davis.

Supra note 9, Lingat.

Id.

John D. Mayne, Hindu Law (1875).

Id.

Supra note 49, Mayne.

Id.

Supra note 19, Davis.

Id.

Supra note 49, Mayne.

Ludo Rocher, Studies in Hindu Law and Dharamasastra (2012).

For instance the Yajnawalkya Samhita has clear delineations in its chapters, segregating customary practices, legal procedure and punitive measures.

Madhu Kishwar, Codified Hindu Law: Myth and Reality, available at http://www.jstor.org/stable/4401625 (Last visited on December 23, 2014).

Id .

Supra note 59.

Id.

Supra note 20, Galanter.

See The Hindu Marriage Act, 1955, Section 7.

Saroj Rani v. Sudarshan Kumar Chadda, AIR 1984 SC 1562 (reflected the importance accorded by classical Hindu law to marital stability); M Govindaraju v. K Munisami Goundu 1996 SCALE (6) 13(The Supreme Court looked to ancient Shudra custom to adjudicate on a matter of adoption); Rajkumar Patni v. Manorama Patni, II (2000) DMC 702 (The Madhya Pradesh High Court, relied on the definition of Stridhan by Manu.).

Supra note 8, Acharya & Marda.

Semayne v. Gresham, 77 Eng. Rep. 194, 195; 5 Co. Rep. 91, 195 (K.B. 1604).

As cited in Julius Jolly, The Minor Law Books 164 (1889), ("A householder's house and field are considered as the two fundamentals of his existence. Therefore let not the king upset either of them; for that is the root of the householders").

Manmath Nath Dutt, The Dharamshastra - Hindu Religious Codes, Volume 1, 103 (1978) (Yajnawalkya Samhita, Chapter II 235-236: "He…who opens the doors of a closed house [without the permission of the master]…should be punished with fifty panas. Such is the law.").

L.N. Rangarajan, Kautalya: The Arthashastra 371 (1992) ("O be built at a suitable distance from the neighbours property so as not to cause inconvenience to the neighbour").

Id ., ("…doors and windows shall be made so as not to cause annoyance by facing a neighbour's door or window directly").

Supra note 72, Rangarajan, ("when the house is occupied the doors and windows shall be suitably covered").

Id., 376.

See Manusmriti, Chapter IV, 201-202.

Supra note 71, Dutt, 27 (Yajnawalkya Samhita, Chapter I , 160: "One should avoid the bed, seat, garden-house and the conveyance belonging to another person.").

Supra note 71, Dutt, 89 (Yajnawalkya Samhita, Chapter II, 146).

Manusmriti, Chapter IX, 194.

Supra note 71, Dutt Volume 2, 276 (Angiras Samhita, Chapter I, 71).

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, Harvard Law Review, Vol. IV, December 15, 1890, No.5.

Id.

Manusmriti, Chapter IV, 258; Supra note 71, Dutt, 134 (Yajnawalkya Samhita Chapter III, 111: "Having withdrawn the mind, understanding, retentive faculty and the senses from all their objects, the soul, the lord…should be meditated upon.").

Manu Chapter VI, 44.

Supra note 71, Dutt, 186 (Harita Chapter VII, 6: "Situated in a solitary place with a concentrated mind, he should, till death mediate on the atman, that is situated both in the mind and the external world… ").

Supra note 72, Rangarajan, (Arthashastra, 2.2.2).

Supra note72, Rangarajan, (Arthashastra 3.16.33-36).

Manusmriti IX, 84

Supra note 71, Dutt, Volume 2, 350 (Samvarta Samhita,163).

Supra note 71, Dutt, Volume 1, 112 (Yajnawalkya Samhita, Chapter II, 291).

Supra note 71, Dutt, Volume 1, 113 (Yajnawalkya Samhita, Chapter II, 294).

Supra note 72, Ranjarajan (Arthashastra 2.27.14).

Supra note 72, Rangarajan (Arthashastra 4.13.38).

Manusmriti, X, 62

Manusmriti Part VII, Supra note 101, Rangarajan (Arthashastra 1.15.2-5, 1.15.13-17).

Supra note 72, Rangarajan (Arthashastra 1.15.2-5 : The scrutiny of governance related affairs was take place in a secluded and well-guarded spot, where it could not be overheard. No unauthorised person was allowed to approach these meetings.).

Supra note 72, Rangarajan (Arthashastra 1.15.13-17: "…Only those who have to implement it should know when the work is begun or when it has been completed.").

Supra note 72, Rangarajan.

Supra note 71, Dutt, Volume 1, 112 (Yajnawalkya Samhita, Chapter II, 292).

Supra note 71, Dutt, Volume 4, 919 (Vishnu Samhita, Chapter LII, 16).

For more details visit https://cis-india.org/internet-governance/blog/loading-constructs-of-privacy-within-classical-hindu-law

Security and Surveillance: A public discussion on Optimizing Security while Safeguarding Human Rights

praskrishna — 2014-12-19T08:46:34Z

The Centre for Internet and Society (CIS) invites you to a public discussion on optimizing security and safeguarding human rights at its Bangalore office on Friday, December 19th, 2014, 16:00 to 18:00.

The Centre for Internet and Society, in collaboration with Privacy International UK, has undertaken exploratory research into surveillance, security, and the security market in India.

Through this research, we hope to understand and document policy and law associated with security, surveillance, and the security market in India and learn about the regulation of security and related technologies such as encryption, filtering, monitoring software, and interception equipment. We also hope to understand the import and export policy regime for dual use technologies.

Such findings will be critical in creating evidence based research to inform security policy and regulation in India and work towards enabling regulatory frameworks that optimize the nation’s security while protecting the rights of citizens.

For more details visit https://cis-india.org/internet-governance/events/security-and-surveillance-optimizing-security-human-rights

Identifying Aspects of Privacy in Islamic Law

Vidushi Marda and Bhairav Acharya — 2015-01-01T14:04:44Z

This white paper seeks to identify aspects of privacy in Islamic Law and demonstrate that the notion of privacy was recognized and protected in traditional Islamic law.

I. Introduction

The nuances of privacy have been deliberated by numerous scholars till date, without arriving at a definite answer. It has been perceived as a right to be left alone, as mere secrecy, as the right to a legitimate area of seclusion and solitude. Privacy is a particularly nebulous concept, with a tendency of resting on intuitionist arguments. However, finding refuge in intuitionist arguments has not lent to a clear understanding of the term itself. This presents a peculiar predicament; while privacy is demanded, nobody seems to have a clear understanding of what it truly means. Daniel Solove opines that privacy is a concept in disarray, it is about everything and hence it seems to be about nothing. Solove finds agreement in a variety of literature, where privacy has been described as a "chameleon-like word", a term suffering from an "embarrassment of meanings", a "powerful rhetorical battle cry".

Traditional notions such as bodily privacy, privacy within one's home, or privacy resulting out of private property are received with far less scepticism than more recent aspects of privacy. With the burgeoning increase in information exchange, the ambit of privacy concerns is widened but not always understood. While earlier notions of privacy confined themselves to physical intrusions, it is now possible to invade a person's privacy without physically intruding on their space. As capabilities to intrude on privacy increase, the demand for respecting privacy grows stronger. In their historic article, Warren and Brandeis referred to privacy as an incorporeal notion, referring to cases of defamation, proprietary harms, contractual harms, breach of confidence to conclude that all such cases belonged to an umbrella principle of the right to privacy.

I.II Aspects of Privacy

William Prosser, a torts scholar, in 1860 attempted to classify privacy comprehensively. He contemplated four kinds of activities as impinging on a person's privacy. They were
1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.
While this classification lent some structure to the understanding of privacy, it restricted itself to only tort law.

A wider taxonomy was offered by Daniel Solove, imbibing concerns of digital privacy and information technology. Focussing on activities that invade privacy, Solove argued that information collection, aggregation of information, dissemination of such aggregated information and invasion into people's private affairs are the aspects integral to understanding the privacy concerns of a data subject.

In its policy paper on privacy in India, the Data Security Council of India (DSCI) recognised privacy issues in the context of e-commerce, transactional privacy, cyber crime, national security, and cross border data flows. Similarly the Department of Personnel and Training (DoPT) in 2011 focussed on understanding privacy in the context of data protection and surveillance. Subsequently, in 2012, the Planning Commission of India set up the A.P. Shah Committee to look into issues of data protection. This Committee classified the dimensions of privacy into four main categories; interception and access, audio and video recording, access and use of personal identifiers, and bodily and genetic material.

The classification of privacy for the purpose of this paper is under the heads of bodily privacy, informational and communications privacy, and territorial and locational privacy. Bodily privacy stems from the notion of personal autonomy and inviolate personality. Battery, rape, voyeurism are all examples of the recognition of the need to protect the privacy of one's body. Communications and informational privacy refers to the protection of sensitive personal information, specific communications and private conversations. Interception of messages, spying, hacking or tapping phone lines are all activities that impinge on privacy under this head. India's ambitious biometric project, Aadhar, has brought to the fore concerns surrounding personal information. Territorial privacy is developed from the notion of private property, the tort of trespass being ample recognition of the same.

I.III Is India a Private Nation?

In October, 2010, the government published an approach paper for legislation on privacy. In explaining the need for privacy legislation in India, the paper states,

"India is not a particularly private nation. Personal information is often shared freely and without thinking twice. Public life is organized without much thought to safeguarding personal data. In fact, the public dissemination of personal information has over time, become a way of demonstrating the transparent functioning of the government."

The notion of privacy being a foreign construct carves the argument that legislation on privacy would mean subjecting India to an alien cultural value. However, this ignores the possibility of privacy being culturally subjective. Cultures have exhibited different measurements by which they measure public and private realms. This paper aims to demonstrate that while the word "privacy" does not find explicit reference in traditional Indian law, the essence of privacy as we understand it today has existed in traditional Indian culture, specifically Indian Islamic culture, pre-dating colonialism in India and modernity in India's legal system.

I.IV Displacement of traditional Indian Law

Contemporary Indian law functions within a rubric that was constructed after the "expropriation" of traditional law. India's colonial legacy rendered the displacement of traditional Indian law with a unified modern legal system abounding in European ideas of modernity and legal systems, leaving it is a state of "fractured modernity". Before the British rule, Indians were governed by their personal laws and these laws did not aim to unify the nation in ways that Western legal systems did.. The decision to establish a modern legal system stemmed from the desire to administer the law as a function of the state, which would have been impractical at best in the absence of a unified legal system.

Edward Said eloquently states that the colonial experience does not end when the last European flag comes down or when the last white policeman leaves. One cannot help but agree with Said, as the understanding of law in contemporary India is constructed on the principles of the English common law and on ideas of a modern legal system. While the word "privacy" does not arise in traditional law, this paper argues that the notions of privacy as we perceive it today did exist hitherto the modernization of India's legal system.

I.V Structure of the paper

While Part I has laid down the foundation of this paper and the arguments it endeavours to make, Part II explains the sources of Islamic law and attempts at locating privacy in them. It also explains certain pervasive concepts that will enhance an understanding of privacy in Islamic law. This paper restricts itself to Sunni Islamic law. Part III gives an indication of privacy rights in India's neighbouring Islamic countries (both predominantly Sunni), Pakistan and Bangladesh; and highlights the legal framework for privacy in these countries.

II. Privacy in Islamic Law

II.I Sources of Islamic Law

Before locating aspects of privacy in Islamic Law, an understanding of its structure and sources will be helpful. Islamic Law is composed of Shariah, and fiqh. Shariah indicates the path a faithful Muslim must undertake to attain guidance in the present world and deliverance to the next. Fiqh, the jurisprudence of Islam, refers to the rational understanding of Shariah and human reasoning to appreciate the practical implications of Islam. While Shariah is divine revelation, fiqh is the human inference of Shariah.

The principle tenet of Islam is unwavering obedience to the teachings of God. According to Muslim belief, the Quran is the divine communication from Allah to the Prophet of Islam. It is the foremost record of the word of God, and for this reason is considered the apex source of Islamic law. It is in the Quran that basic norms of Shariah are found, and it embodies the exact words of God as was revealed to the Prophet over a period of 23 years. Fiqh, or the understanding of Shariah, also finds its origins in the holy Quran.

The Sunnah or Prophetic traditions are the ingredients for the model behaviour of a Muslim as demonstrated by the Prophet. It is a "way, course, rule, mode, or manner, of acting or conduct of life." The Sunnah were compiled through the communications of Prophet Muhammad in the form of Hadiths which are communications, stories or conversations; and may be religious or secular; historical or recent. The narrators of the Hadith are known as "isnad" who convey the "matn" or the substance of the Prophet's actions or words as narrated through oral communications through the years. Due to its very nature, the accuracy of the Sunnah came under considerable scrutiny, with concerns as to its possible fabrication and dilution. However, with a well devised system of recording and verifying sources, the Sunnah accompanies the imperative source of Islamic law, the Quran.

The other sources of Islam are found in human reasoning, or ijtihad. Ijtihad assumes a variety of secondary sources such as analogical reasoning (Qiyas), unanimous consensus (Ijma), decisions in favour of public interest (isthihsan), and presumption of continuity (istishab).
Ijtihad entails a resilient effort; an exertion in interpreting the primary sources in order to understand Shariah, to infer the law which is not explicit or evident. The legitimacy of Ijma is found in the Prophetic tradition, which states that the followers of Islam would never agree on an error, and will never unite on misguidance.

The Quran and Sunnah lie at the pinnacle of Islamic jurisprudence and their authoritativeness lends a ready inference of legal principles derived from them. In exploring the concept of Privacy in Islamic Law, this paper will focus mainly on the material available in the Quran and Sunnah.

II.II The Public and Private in Islam

According to the doctrine of Shariah, every aspect of life is deemed to be private unless shown otherwise. The public sphere is that in which governmental authority operates, making it both transparent and open to scrutiny and observation. Since its inception, Islam has considered the idea of governance with reasonable scepticism, ascribing to the view that there is no concept of a human ruler beyond reproach. This perhaps gave impetus to the idea of a private sphere as one that is inhabited exclusively by an individual and the divine, excluding any interference of the State; except with permission from religious law. In Islamic belief, a pious individual had submitted himself to God, and not the worldly State. Hence, all aspects of his life will align with the tenets of Islamic law and in pursuance with the will of God. Any failure to perform religious duties on the part of a Muslim is beyond the scope of another; it is only a consideration between him and the divine. It is believed that the Prophet said, "Those, who acknowledge God in words, and not at heart, do not find fault with their fellow Muslims. The wrongdoing of those who do so become the subject of God's scrutiny, and when God looks into someone's wrongdoing then all shall be truly exposed" The individual is bestowed with complete freedom of action in the private sphere, subject only to the will of the divine. To govern another is wholly beyond the capacity of any individual, and this forms a pervasive theme in Islamic jurisprudence.

Islamic Law recognizes that it is inevitable for every society to impose certain requirements on individuals both by the law and by societal norms. In respect of a public domain, Islam prescribes an amalgam of requirements of a Muslim community and the teachings of Islam. While committing sins in private is beyond the scope of public or governmental scrutiny, committing a sin in public amounts to a crime, meriting worldly punishment.

Islamic law provides for an individual's obligations to the divine at all times, and to the state in matters within the public domain. This is the most striking difference between Islamic law and modern law, as the function of enforcement of the law and punishment are forfeited to the state in a modern legal system, by virtue of the social contract. However, in Islamic societies, the concept of social contract does not exist. Instead, an individual's obligations lie to the state only if acts meriting worldly punishment occur in the public sphere. It is this distinction in the obligations of individuals that leads to conflicts between the application of Islamic law and modern law.

The Quran is replete with rules for all believers to ordain good and forbid evil (al-amrbi al-Ma'rufwa al-nahy 'an al-munkar'). This divine injunction is a restriction of freedom in the private sphere. The notion of privacy in the public sphere was tested through the office of the muhtasib, or compliance officer. These officers were appointed to ensure that the quality of life is preserved in Islamic societies. Personal or private matters which were visible in the public realm were liable to scrutiny from the muhtasib as well. However, this does not extend to matters such as surveillance and spying even on the authority of the state. The Prophet, according to the hadith of Amir Mu'awiyah remarked, " If you try to find out the secrets of the people, then you will definitely spoil them or at least you will bring them to the verge of ruin." In fact, modern jurists admonish the idea of surveillance as "exactly what Islam has called as the root cause of mischief in politics."

II.III. Privacy in Islamic Law

Bodily Privacy

The sanctity of one's bodily privacy is well recognised in Islamic Law. The Quran (24:58) demarcates certain periods in a day which are times of privacy for an individual, and indicates the need for prior permission before one may enter the private sphere of another. These periods are before the prayer at dawn, during the afternoon where one rests, and after the night prayer. This verse also calls upon children who have not yet reached the age of puberty to get accustomed to asking for permission before entering rooms apart from their own.

As far as bodily seizure of individuals accused of crimes goes, the Traditions indicate a general disinclination towards pre-adjudication restraint of individuals. The very occurrence of it appears to be a cause of discomfort as recorded in the Traditions. One of the Prophet's closest companions, Umar, is believed to have encourages officials to speed up adjudication processes so that the accused could not be deprived of the comfort of their homes and families.

bodily privacy and modesty

Although the Quran stipulates gender equality, the norms of bodily privacy and modesty applicable to men are far less rigorous than the rules of modesty that apply to women. While staring is not contemplated as a crime in modern jurisdictions, the Quran directs "believing men to lower their gaze and be modest." At the same time, it directs women to adhere to strict rules of clothing and conduct, with directions on how to conduct oneself both in private as well as public. Interestingly, with the use of full-body scanners at airports around the world, the bodily privacy of Muslims came to the forefront with several Muslim scholars opining that such use of scanners was in direct violation of the tenets of Islam. According to the Quran, the modesty of a Muslim woman is an indication of her faith.

Communication and Informational Privacy

Privacy is, in many ways, inextricably linked to the notions of personal autonomy, and inviolate personality. Privacy in matters apart from those concerned with proprietary interests was only developed as a legal idea around the ninth century, although the Quran made ample references to it. Whilst the term "privacy" is not directly alluded to in the Quran, it contains verses emphasizing the importance of respecting personal autonomy. The Quran (49:12) rebukes those who wish to pry into matters which do not concern them, or harbour suspicions in respect of others, conceding that some suspicions can even be considered crimes. This implies an injunction against investigation; which complements the prohibition of circulation of information pertaining to an individual's private sphere (24:19). According to this verse, publication of immorality is desirous of punishment. A reasonable conclusion from the reading of these verses is that the Quran mandates respect for the private sphere, guaranteeing that a faithful believer will not violate it. The Prophet is reported to have said that non interference of individuals in matters that do not concern them is a sign of their good faith. Interestingly, the injunction against unwarranted search is for all members of a Muslim community, not just followers of Islam. An extension of the concept of informational privacy is the privacy of one's opinion, which is believed to be beyond reproach regardless of its contents. Deeds in the public sphere can be subject to worldly punishment, but thoughts and opinions everywhere, are not subject to it.

The Sunnah have also emphasized on privacy in communications. The Prophet once said, "He, who looks into a letter belonging to his brother, looks into the Hellfire" , indicating that private communications shall enjoy their privacy even in the public domain. This is evident from another saying of the Prophet,"Private encounters result in entrustment", which entails a restriction on communications arising out of private meetings.

Territorial Privacy

Domestic privacy is considered an important facet of Islamic life and this idea pervades different aspects of Shariah. Privacy in regard to proprietary interests was in fact the first legal conception of privacy recognised by Muslim jurists. The Quran (24:27-8) forbids entering another's house in lieu of permission to do the same. It seeks to ensure that a person visiting another's house is welcome in that house; reminding individuals of their rights during such visits. Further, the Quran (2:189) envisions visits made to other's houses only through the front door, indicating respect and transparency in visiting another's dwelling place. Muslim scholars are of the opinion that such rules were laid down in order to safeguard one's private sphere; to allow people to modify their behaviour to accommodate a visitor in a private domain. Clarifying the reasons for such rules, a jurist offered the following explanation, "The first greeting is for the residents to hear the visitor, the second is for the residents to be cautious( fa-ya khudhu hidhrahum),and the third is for them to either welcome the visitor or send him away."

Privacy in the domestic sphere extends to both physical privacy as well as intangible privacy. The Prophet opined that if one's gaze has entered into a private home before his body does, permission to enter the home would be redundant. This follows from the idea that if a person curiously peeps into another's home, it is equivalent to him entering it himself. The right to privacy is extended to absolve the home owner of any guilt in the event of attack on the intruder. Curiously, the right to privacy within one's home is extended to privacy in respect of sinful behaviour within his private sphere; the accountability of a Muslim to his fellow humans is only to be discerned in respect of his public actions. This is illustrated by an interesting story in the Hadith of Umar ibn al-Khattab. Khattab climbed the wall of a house on the suspicion of wine being consumed within the premises. On his suspicion being confirmed, he chided them for their conduct. They then reminded him that while he pointed out their sins, he himself was guilty of three sins; spying on them, failing to greet them and also not approaching their house through the front door. He agreed with them and walked away.

The rationale behind recognising privacy in the domestic sphere is not just illegal intrusion into one's physical space; it is also intrusion into matters of sensitivity which widens the scope for privacy in Islamic Law.

III Privacy in Shariah Based States

Locating aspects of privacy is Shariah-based states is particularly challenging due to the duality of obligations that exists in their legal framework. While Islamic law focuses on obligations of individuals to the divine in all affairs and the state only in public matters, legal obligations in modern states are understood vis-à-vis the state only. The incorporation of Islam into these modern legal systems represents the attempt at reconciling two distinct sources of law. This Part will consider the legal frameworks for privacy in Pakistan and Bangladesh.

III.I Pakistan

Islamic law has had a profound impact on the legal system of Pakistan. This Islamic Republic integrates Shariah law into its common law system, as is evident from Article 227(1) of the 1973 Constitution of Pakistan ("the 1973 Constitution"). It reads, " All existing laws shall be brought in conformity with the Injunctions of Islam as laid down in the Holy Quran and Sunnah, in this Part referred to as the Injunctions of Islam, and no law shall be enacted which is repugnant to such injunction". In addition to the Constitutional safeguards, General Zia-ul-Haq, between 1977 and 1988 provided great impetus to Pakistan's process of incorporating Islam into its common law system through the establishment of appellate religious courts and also enactment of the Hudood criminal law, which was consequently criticized for being discriminatory and arbitrary.

Constitutional Provisions

Enshrined in the 1973 Constitution is the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. While referring to the rights of individuals, Article 4(1) lays down, "To enjoy the protection of law and to be treated in accordance with law in the inalienable right of every citizen. Wherever he may be, and of every other person for the time being within Pakistan." While aspects of privacy can be read into this Article quite emphatically, the 1973 Constitution explicitly recognises the right to privacy, dignity and the inviolability of persons in Article 14(1),"The dignity of man, subject to law, the privacy of home, shall be inviolable". The sanctity of these rights is vigorously upheld as laws inconsistent with fundamental rights are declared to be void to the extent of their inconsistency.

Bodily Privacy

The 1973 Constitution recognises the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. The Pakistan Penal Code (Act XLV of 1860) refers to the protection of privacy of women in Section 509, upholding the modesty of women.

Communications and Informational Privacy

The Pakistan Telecommunication (Re-organisation) Act 1996 enables investigating authorities under the Act to take cognizance of illegalities in communications. These authorities submit their reports to the courts, ensuring the accountability of such events, as well as legitimising search and seizure in pursuance of intercepted communications. The Act also makes arrangements for authorised interception of communications in cases of national security, although the wide and sweeping powers bestowed under this Section are a cause for concern. Moreover, any person causing annoyance to another through a telephone is liable to criminal punishment under the Telegraph Act, 1885.

Medicaland Financial information is recognised as a unit of privacy in the legal system of Pakistan. The delicate balance between transparency of government action and extent of privacy of information is struck in the Freedom of Information Ordinance, which exempts divulging information regarding personal privacy of individuals, private documents and financial privacy.

As far as digital privacy is concerned, the law in Pakistan is still at a nascent stage. In 2000, Pakistan implemented the National Information Technology Policy and Action Plan, which provided for confidentiality of transactional information. In 2002, an Electronic Transactions Ordinance was passed with a view to recognise and protect electronic transactions, setting up a framework within which privacy of information can be guaranteed and authenticity can be verified. There is no devoted law on data protection yet, although a Draft Electronic Data Protection Bill was published by the Ministry of Information in 2005.

Territorial and Locational Privacy

Akin to notions of privacy of the home in Islamic law, criminal trespass is a punishable offence under the Pakistan Penal Code. Pakistan has an unfortunately intimate relationship with terrorism. The Anti Terrorism Act of 1997 incorporates some provisions which raise concerns as to the sanctity of individual privacy. The Act allows an officer of police, armed forces or civil armed forces to enter and search any premise, and to seize any property they suspect to be connected to a terrorist act, without a warrant. Perhaps what is more worrying is that the entry of an officer is not subject to review, unlike in other Islamic countries like the United Arab Emirates. The trade off between personal liberties and national security is acutely felt in Pakistan, with intelligence agencies carrying on mass surveillance, without any legal framework providing for the same.

III.II Privacy in Bangladesh

Bangladesh identifies itself as a secular nation, although Islam is the state religion. The Constitution of Bangladesh uses the word privacy in the context of both territorial and communications privacy.

Bodily Privacy

The Bangladesh Penal Code, similar to Pakistan's, contains a section guaranteeing the bodily privacy of a woman and prohibiting any form of outraging her modesty. It criminalises assault, and also provides for private defence in case of assault.

Communications Privacy

The privacy of communications is subject to interception for the purpose of public safety, as envisaged in the Telegraph Act, 1885. It also contains provisions regarding unlawful interception of messages, as well as tampering or damaging communications. The Telecommunications (Amendment) Act 2006 gives the police sweeping powers to intercept mobile communications as well. However, a notice was issued to the government after this amendment to demonstrate its legality. Bangladesh also has the Right to Information Act, 2009 to promote transparency in governance, although it has a considerable number of agencies exempt from the Act as well. Provisions for cyber crime are enshrined in the Information and Communication Technology Act, 2006.

Territorial Privacy

In the context of territorial privacy, the Bangladesh Penal Code recognises criminal trespass, house trespass, lurking house trespass and house breaking as offences under Bangladeshi law.

IV. Conclusion

Privacy is a comprehensive term that entails a plethora of claims, making an exact definition of the term difficult to come by. In the absence of an explicit reference to privacy in the Indian Constitution, the Supreme Court has brought the right to privacy within the penumbra of Article 21 through various case laws. In 2010, the Government in its approach paper on privacy claimed that India is not a particularly private nation. In order to comprehensively understand India's modern legal framework, it is imperative to analyze the concepts of traditional law as they existed hitherto the colonial era. Although the term "privacy" is a modern construct, this paper has sought to demonstrate that the notion of privacy was well recognized and protected in traditional Islamic law.

From the discussion above, it is evident that the concept of privacy in Shariah law rests convincingly within the taxonomy adopted in this paper. The Quran and Hadith accommodate concerns surrounding private property, personal autonomy, protection of private communications, domestic life, modesty and the modern idea of surveillance. In addition to this, Islamic jurisprudence ascribes to the idea of a public and private sphere. The public sphere is occupied by society and governmental action, being liable to scrutiny and observation. On the other hand, the private sphere is occupied by the individual and the divine alone, free from any interference except in accordance with Shariah law. Inspite of the term "privacy" not finding explicit mention in the Quran or Hadith, a closer analysis of Shariah reveals privacy as a pervasive theme in Islamic jurisprudence.

Daniel Solove, A Taxonomy of Privacy, Vol. 154, No.3 University of Pennsylvania Law Journal, 477 (2006).

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard Law Review 193, 193 (1890).

Richard A. Posner, Privacy, Surveillance and the Law, Vol. 75 No. 1 The University of Chicago Law Review 245, 245 (2008).

Blanca Rodríguez Ruiz, Privacy in Telecommunications: A European and an American Approach 39 (1st ed. 1997).

James Q. Whitman, The Two Western Cultures of Privacy : Dignity versus Liberty, 113 Yale Law Journal 1152, 1153 (2004).

Whitman, supra note 5, at 1153.

Solove, supra note 1, at 479.

Ibid. Referencing Lillian r. BeVier, Information About Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection, 4 WM. & MARY BILL RTS. J. 455, 458 (1995) .

Ibid. Referencing KIM LANE SCHEPPELE, LEGAL SECRETS 184-85 (1988).

Ibid. Referencing 1 J. THOMAS MCCARTHY, THE RIGHTS OF PUBLICITY AND PRIVACY § 5.59 (2d ed. 2005).

Solove, supra note 1, at 560.

Samuel D. Warren & Louis D. Brandeis, supra note 2, at 193.

William L Prosser, Privacy, 48 California Law Review 383,389 (1960).

Solove, supra note 1, at 488.

Data Security Council of India, Policy Paper: Privacy in India. Available at https://www.dsci.in/sites/default/files/Policy%20Paper%20-%20Privacy%20in%20India.pdf.

Department of Personnel and Training, (DoPT) Approach Paper for a Legislation on Privacy. Report available at http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf.

Justice Ajit.P.Shah Committee, Report of the Group of Experts on Privacy, 60. Available at - http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

Bhairav Acharya, at http://freespeechhub.thehoot.org/freetracker/storynew.php?storyid=565&sectionId=10.

DoPT, Approach Paper. supra note 16.

Whitman, supra note 5, at 1154.

Chandran Kukathas, Cultural Privacy, Vol. 91, No. 1 The Monist 68, 69 (2008).

Marc Galanter, Displacement of Traditional Law in Modern India, Vol XXIV, No. 4 Journal of Social Issues 65, 67 (1968).

Stuart Corbridge & John Harriss, Reinventing India: Liberalization, Hindu Nationalism and Popular Democracy 238 (Reprint, 2006).

Galanter, supra note 22, at 66.

Ibid. at 67.

Edward Said, Representing the Colonized: Anthropology's Interlocutors, Vol. 15 No.2 Critical Inquiry 205, 207 (1989).

Mohammad Hashim Kamali, Shari'ah Law, An Introduction 19 (2009)

M Mustafa Al Azami, Studies in Hadith Methodology and Literature 7 (2002).

Id. at 3.

NJ Coulson, A History of Islamic Law 22 (1964)

Kamali, supra note 27, at 19.

Sunan Ibn Majah , Book of Tribulations (Kitab al-Fitan) , #3950, available at http://sunnah.com/ibnmajah/36.

Mohsen Kadivar, An Introduction to the Private and Public Debate in Islam, Vol.70 , No. 3 Social Research 659, 663 (2003).

Lara Aryani, Privacy Rights in Shariah and Shariah-based States, Vol. 3, Iss.2, Journal of Islamic State Practices in International Law, 3 (2007)

Kadivar, supra note 33, at 664.

Ibid. at 665.

Ibid. at 667. Referencing Koleini, Mohammad. Al-Kaafi. Qom, Vol. 2: 353 1388.

Ibid. at 671.

Ibid. at 664.

Social Contract Theory of John Locke(1932-1704) in the Contemporary World , SelectedWorks of Daudi Mwita, Nyamaka (2011) Available at http://works.bepress.com/cgi/viewcontent.cgi?article=1009&context=dmnyamaka.

Kadivar, supra note 33, at 664.

Ibid. at 673.

Abul a'la Mawdudi, Human Rights in Islam 24 (1995). Also available online, at http://books.google.co.in/books?id=RUJWdCOmmxoC&printsec=frontcover#v=onepage&q&f=false.

Aryani, supra note 34, at 13.

This indicates Sura 24 : verse 58.

Holy Quran, 24:58 - O you who have believed, let those whom your right hands possess and those who have not [yet] reached puberty among you ask permission of you [before entering] at three times: before the dawn prayer and when you put aside your clothing [for rest] at noon and after the night prayer. [These are] three times of privacy for you. There is no blame upon you nor upon them beyond these [periods], for they continually circulate among you - some of you, among others. Thus does Allah make clear to you the verses; and Allah is Knowing and Wise. (Translation from Sahih International available at http://quran.com/24/58)

Reza Sadiq, Islam's Fourth Amendment : Search and Seizure in Islamic Doctrine and Muslim Practice, Vol. 40 Georgetown Journal of International Law 703, 730 (2008 - 2009).

Ibid. at 733. Referencing IBRAHIM ABDULLA AL-MARZOUQI, Human Rights in Islamic Law 392 (2000).

Rohen Peterson, The Emperor's New Scanner :Muslim Women at the Intersection of the First Amendment and Full Body Scanners, 22 Hastings Women's Law Journal 339, 343 (2011).

Holy Quran, 24:30 - Tell the believing men to reduce [some] of their vision and guard their private parts. That is purer for them. Indeed, Allah is Acquainted with what they do. (Translation from Sahih International available at http://quran.com/24/30-31).

Holy Quran, 24:31- And tell the believing women to reduce [some] of their vision and guard their private parts and not expose their adornment except that which [necessarily] appears thereof and to wrap [a portion of] their headcovers over their chests and not expose their adornment except to their husbands, their fathers, their husbands' fathers, their sons, their husbands' sons, their brothers, their brothers' sons, their sisters' sons, their women, that which their right hands possess, or those male attendants having no physical desire, or children who are not yet aware of the private aspects of women. And let them not stamp their feet to make known what they conceal of their adornment. And turn to Allah in repentance, all of you, O believers, that you might succeed. (Translation from Sahih Internation, available at http://quran.com/24/30-31).

David Garner, Muslims warned not to go through airport body scanners because they violate Islamic rules on nudity, The daily mail, (Feb 12, 2010). http://www.dailymail.co.uk/news/article-1250616/Muslims-warned-airport-body-scanners-violate-Islamic-rules-nudity.html#ixzz3KF8hS6q3 .

Holy Quran, 33:59 - O Prophet, tell your wives and your daughters and the women of the believers to bring down over themselves [part] of their outer garments. That is more suitable that they will be known and not be abused. And ever is Allah Forgiving and Merciful. (Translation from Sahih International, available at http://quran.com/33/59.)

Eli Alshech, "Do Not Enter Houses Other than Your Own": The Evolution of the Notion of a Private Domestic Sphere in Early Sunnī Islamic Thought Vol. 11, No. 3, Islamic Law and Society 291, 304 (2004).

Holy Quran, 49:12 - O you who have believed, avoid much [negative] assumption. Indeed, some assumption is sin. And do not spy or backbite each other. Would one of you like to eat the flesh of his brother when dead? You would detest it. And fear Allah ; indeed, Allah is Accepting of repentance and Merciful. ( Translation from Sahih International, available at http://quran.com/49/12)

Holy Quran, 24:19 - Indeed, those who like that immorality should be spread [or publicized] among those who have believed will have a painful punishment in this world and the Hereafter. And Allah knows and you do not know. ( Translation from Sahih International, available at http://quran.com/24/19)

Kadivar, supra note 33, at 666.

Ahmad Atif Ahmad, Islam Modernity violence and everyday life 176 (1^st ed. 2009)

Kadivar, supra note 33, at 667.

Ibid , at 178.

Ibid.

Alshech, supra note 54, at 291.

Holy Quran, 24:27-8 - O you who have believed, do not enter houses other than your own houses until you ascertain welcome and greet their inhabitants. That is best for you; perhaps you will be reminded. And if you do not find anyone therein, do not enter them until permission has been given you. And if it is said to you, "Go back," then go back; it is purer for you. And Allah is Knowing of what you do. ( Translation from Sahih International, available at http://quran.com/24)

Holy Quran, 2:189 - They ask you, [O Muhammad], about the new moons. Say, "They are measurements of time for the people and for Hajj." And it is not righteousness to enter houses from the back, but righteousness is [in] one who fears Allah. And enter houses from their doors. And fear Allah that you may succeed. (Translation from Sahih International, available at http://quran.com/2)

Alshech, supra note 54, at 308.

Ibid. at 306. Referencing Ibn Abi Hatim, 8 TAF5IRAL-QUR'ANAL-'ADHIM 2566 (Makiabat Nlilr Mustaffi 1999).

Ahmad, supra note 58, at 177.

Alshech, supra note 54, at 324.

Aryani, supra note 34, at 4. Also see Ahmad, supra note 24, at 178.

Alshech, supra note 54, at 310.

Kadivar, supra note 33, at 664.

Moeen Cheema, Beyond Beliefs: Deconstructing the Dominant Narratives of the Islamization of Pakistan's Law, 60 American Journal of Comparative Law 875 (2012).

The Constitution of the Islamic Republic of Pakistan, 1973. Available at http://www.na.gov.pk/publications/constitution.pdf.

Cheema, supra note 72, at 879.

The Constitution of the Islamic Republic of Pakistan, 1973, supra note 73.

Ibid.

Ibid. Article 8 - "(1) Any law, or any custom or usage having the force of law, in so far as it is inconsistent with the rights conferred by this Chapter, shall, to the extent of such inconsistency, be void. (2) The State shall not make any law which takes away or abridges the right so conferred and any law made in contravention of this clause shall, to the extent of such contravention, be void

Ibid. Article 4(2)(a) - "no action detrimental to the life, liberty, body, reputation or property of any person shall be taken except in accordance with law."

Section 509, Pakistan Penal Code (Act XLV of 1860), Available at http://www.oecd.org/site/adboecdanti-corruptioninitiative/46816797.pdf.

Section 32, Pakistan Telecommunication (Re-Organisation) Act, 1996. Available at http://www.pta.gov.pk/media/pta_act_140508.pdf.

Ibid. Section 54.

Section 25-D, Pakistan Telegraph Act, 1885. Available at http://www.fia.gov.pk/law/Offences/26.pdf.

Section 12, Pakistan Medical and Dental Council Code of Ethics. Available at http://www.pmdc.org.pk/LinkClick.aspx?fileticket=v5WmQYMvhz4%3D&tabid=292&mid=845.

http://www.sbp.org.pk/publications/prudential/ordinance_62.pdf

Section 8, Freedom of Information Ordinance, 2002. Available at http://infopak.gov.pk/Downloads/Ordenances/Freedom_of_%20Information_Ordinance2002.pdf.

Pakistan IT Policy and Action Plan, available at http://www.unapcict.org/ecohub/resources/pakistan-information-technology-policy.

Electronic Transactions Ordinance, available at http://www.pakistanlaw.com/eto.pdf.

For a more detailed account, see http://www.supremecourt.gov.pk/ijc/articles/10/1.pdf. Second draft available at http://media.mofo.com/docs/mofoprivacy/PAKISTAN%20Draft%20Law%202nd%20Revision%20.pdf.

Sections 441 - 462, Pakistan Penal Code (XLV of 1860) Chapter XVII, "Offences against Property".

Section 5, Anti Terrorism Act, 1997. Available at http://www.fia.gov.pk/law/ata1997.pdf.

Ibid. Section 10.

Lara Aryani, supra note 34, at 21.

Julhas Alam, Bangladesh moves to retain Islam as state religion, Cns News, http://cnsnews.com/news/article/bangladesh-moves-retain-islam-state-religion.

Article 43, Constitution of Bangladesh. Available at http://www1.umn.edu/humanrts/research/bangladesh-constitution.pdf.

Section 509, Bangladesh Penal Code,1860. Available at http://bdlaws.minlaw.gov.bd/print_sections_all.php?id=11.

Ibid. Sections 351- 358.

Ibid . Section 100.

Section 5, Bangladesh Telegraph Act, 1885. Available at http://bdlaws.minlaw.gov.bd/print_sections_all.php?id=55.

Ibid . Section 24.

Ibid. Section 25.

Bangladesh Penal Code, 1860. supra note 95. Section 441.

Ibid. Section 442.

Ibid. Section 443.

Ibid. Section 445.

See, Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295 : (1964) 1 SCR 332; Govind v. State of Madhya Pradesh, AIR 1975 SC 1378; Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264; People's Union for Civil Liberties (PUCL) v. Union of India, AIR 1997 SC 568; X v. Hospital Z, AIR 1999 SC 495.

DoPT, Approach Paper. supra note 16.

For more details visit https://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law

Introduction: About the Privacy and Surveillance Roundtables

manoj — 2014-11-27T13:34:56Z

The Privacy and Surveillance Roundtables is a Centre for Internet and Society (CIS) initiative, in partnership with the Cellular Operators Association of India (COAI), as well as local partners. The Roundtable will be closed-door deliberation involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India.

The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The third Privacy and Surveillance Roundtable was held in New Delhi at the India International Centre by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and Vahura, legal Partner on the 1^st of September, 2014.

The aim of the discussion was to gain inputs on what would constitute an ideal surveillance regime in India working with theCIS Draft Privacy Protection Bill, the Report of the Group of Experts on Privacy prepared by the Justice Shah committee, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context: Privacy and Surveillance in India

The discussion began with the chair giving an overview of the legal framework that governs communications interception under Indian Law in the interest of the participants since many were there for the first time.

The legal system to govern the manner in which communications are intercepted in India are defined under three main acts

1. Interception of Telephonic Calls : The Telegraph Act 1885

2. Interception of Posts : The Indian Post Office Act,1898

3. Interception of Electronic communication like e-mails etc :The IT Act, 2000

While the interception of postal mail is governed by Section 26 of the Post Office Act, 1898, the interception of modern forms of communication that use electronic information and traffic data are governed under Sections 69 and 69B of the Information Technology Act, 2000, while interception of telephonic conversations are governed by section 5(2) of the Indian Telegraph Act 1885 and subsequent rules under section 419A.

The main discussion of the meeting revolved around the Telegraph Act since it is the main Act which covers the interception of telecommunications. In 1968 the 30th Law Commission Report studying Section 5(2) of this Act came to the conclusion that the standards in the Act may be unconstitutional given factors such as 'public emergency' & 'public safety' were too wide in nature and called for a relook at the provision.

Objective of Round Table Meetings

The objective of the round table meetings is to, be prepared with the proposals on the Privacy Bill which the new government intends to split into separate Bill for Surveillance and Data privacy. Thus these submissions once out in the public domain would further deliberate more discussion and shape the course of the Bill.

Discussion

Authorisation

The chair initiated the discussion continuing from the last meeting about the two models of authorisation for Interception 1. The Judiciary & 2. The Executive

The chair explained why the earlier proposed Judiciary based model, based on the efficient experience of separation of power, would not fit into the Indian context. The main reason for this being that the lower judiciary in India is not competent enough to take decisions of this nature. Providing examples, the chair explained how in many cases the lower Judiciary overlooks essential human rights in their decisions, and such rights are only addressed when the case is appealed in Higher courts. While participants felt that High Court judges would be favourable, it was expressed that the immense backlog at the High Court level and the lack of judges is a challenge and risks being inefficient. Thus an additional responsibility for the High Court would not be a feasible model. Furthermore, adopting a judicial based model would mean that the existing model of executive would need to be entirely replaced. Owing to these practical implementation issues consensus was built over adoption of the existing executive model, but with more safeguards.

Safeguards proposed:

1. A redressal tribunal: Establishing a tribunal for the redressal of interception complaints. The tribunal could be a non-active body. Such a model would be different from other models adopted around the world - for example e in UK a designated tribunal suo-motu reviews cases on a regular basis. The tribunal could also have judicial review authority, to which one of the participants raised an issue that the tribunals usually will not have the power of Judicial review, however the chair assured him that the delegation of Judicial review to a tribunal does exist in Indian law.

2. A review commission: Establishing a commission to review the interceptions carried out on the orders of home secretary. For such an overseeing body, the commissioner should be appointed independently. The commissioner must be a Judge or a senior Lawyer and should report to the Parliament.

Content data and Metadata

In the next session the chair explained the difference between content data and metadata while initiating discussion on provisions addressing them in the proposed Bill. Content data, also called as payload data, is the actual content of the communication which takes place between X and Y.

Example 1: In the VOIP call the voice is packetized and sent in different packets to the destination, the content of that packet is the content data whereas the information of this content i.e the header, footer and checksum of the packet is the metadata.

Example 2: In the serial communication of the normal phone call the content data will be what the communication happened between two or more people over the call and the metadata will be who were involved in the call, on what date and time the call was made from which place, and under which tower.

It was noted that generally it is easier to intercept metadata than content data. In the proposed bill, section 2 (C) refers to the definition of content data and section 2(E) to metadata.

Participants also pointed out that often it is with metadata that concerned governmental authorities are able to carry out tracking. Thus, when determining procedural safeguards for surveillance - and specifically for interception - the question of whether or not content data and meta data should be treated the same under law must be addressed. Participants suggested looking into German laws, which have procedure to deal with this question. Despite differences over the exact level of protection meta data should legally be afforded, participants agreed that a higher authority should be responsible for the interception, collection, and access to metadata and content data.

In India, because the existing legal framework in India has different standards for different modes of communication, it is proposed that a uniform legal framework be created by harmonizing the three Acts through amendments or overriding existing legislation regulating surveillance in India, and establishing a new framework under a Privacy legislation.

Big Data, Cloud & OTT

In this session a participant raised the issue of Big data and Cloud services, and asked whether the CIS Privacy Protection Bill or the draft Privacy Bill from the government addresses this issue. This question was of particular relevance because a number of the cloud data centres are located in locations outside India. Thus a question of jurisdiction arises. The participant opined that in the coming years and with the new government's vision to have space for every citizen in cloud and data localisation being priority, he stressed that the Bill should clearly address issues related to the cloud, big data, outsourcing, and questions of jurisdiction. Responding to this the chair was of the view that the crimes committed outside the territory of India come under Extra-territorial law, section 4 of IPC and Section 188 Cr. P.C. But it was noted that due to the fact that the crime is committed outside the territory of India, despite the provision, it is practically not implementable unless there is a contract between countries or a treaty signed. The solution could be data localisation, hosting the cloud servers in India, but that again has its own pros & cons. In response participants indicated that if a choice had to be made about data localization - the best option would be one that would be economical for Indian business and the government.

OTT (Over the Top) Services

Another participant brought to the notice of the meeting that most of the networks of service provider's are adopting IP (Internet Protocol). In the context of surveillance, this means that for an interception to take place, Deep Packet Inspection (DPI) must be adopted by service providers. This is currently placing a burden on service providers, as it is costly and the connection time of the calls for the number under surveillance increases - though not enough to be noticed by customers.

Telephone Tapping Process

In India the process of intercepting telephones can be broken down into the following three steps:

1. Authorization

a. The Home Secretary issues an authorization for an interception request.

b. The Authorization is handed over to Police Officer in charge of the investigation.

c. The Police Officer serves the order to the nodal officer in the relevant service provider.

2. The service provider conducts the interception.

3. The intercepted data is handed over to the Police officer.

Under Rule 419A, a committee to review the authorization exists, comprising of officials such as the Cabinet Secretary, Secretary of the Department of Telecommunications, Secretary of the Department of Law and Justice and the Secretary of Information Technology and Communication ministry at the Centre and the Chief Secretary, the Law Secretary and an officer not below the rank of a Principal secretary at the State level.

Since the current infrastructure of telecom and broadband is with private service providers, the government is dependent on service providers to carry out surveillance. As national security is a concern of the government and because in the past intercepted material has been leaked by various sources, the government has proposed to replace the existing system. In this regard the government has proposed to set up a Central Monitoring System (CMS) for the interception of voice and data communications.

It is proposed that the CMS infrastructure will be positioned at the service provider's facilities, and will allow governmental agencies to directly intercept traffic on the network of service providers - thus there would no longer be a need for the government to reply on service providers to carry out interception requests. During the meeting it was discussed how this system has pros & cons

Pros

1. For private companies it eliminates an entire level of compliance.

2. It will reduce the possibility of unlawful, extra legal, & fraudulent authorizations of interception requests.

3. The interception carried out would be maintained in a log, which would clearly recorded, making the interception process becomes accountable.

Cons

1. Even though the existing system gives room for leaks, ironically it is the only way through which a person who is tapped will come to know, hence accounting for some transparency eg: Nira Radia & Amar Singh phone Tap case.

2. CMS will be built upon an existing interception framework, which is not procedurally fair - because of issues such as Internal Authorization, Adhoc procedure, that it is not under the ambit of RTI etc. This will result in a system with no transparency and accountability.

To this last point the Chair noted that in 2011 there were 7.5 Lakh phone taps by a single agency which was reportedly illegal. In an attempt to minimize such brazen violations a Privacy Bill is mooted and the round table conference is a step towards making it possible.

Immunity to TSP's & ISP's

Participants also raised the issue of difficulties that TSPs face while engaged in the process of interception, as they are caught between the customers and government authorities and subjected to harassment sometimes. This places service providers in a position where they must often make a number of compromises as they are expected to store traffic data for a specified period of time, but sometimes a judge might ask for access to data that is dated past the specific retention period. In such a scenario, service providers must provide it by accessing backup data.

The question of who should be the custodian of intercepted data was raised by participants as well as who should be held accountable if intercepted data is leaked into the public domain. The chair responded that the officers investigating the case should be held accountable for the intercepted data. This would be analogous to the system under the Right to Information Act whereby the Information officer is named and held accountable for the data or information he provides. Similarly, for the case of intercepted material, an officer should be named and held accountable for the data and ensuring that it reaches those that it is legally intended to.

It was also expressed that a market regulator, responsible for the safeguarding the interest of communication service providers, could be appointed for handling the personal data. Such a role could be merged with the traditional role of a Data Protection Authority and could be the first step towards an information security and assurance regime.

Legal immunity given to service providers was also discussed, as there was a general concern about the position service providers find themselves in - being held legally liable for not complying with orders from the government and being taken to court by citizens.

Format of Interception Orders and Interception as a service

A question was also posed to participants about what information ideally - apart from the intended duration of the order - should be incorporated into interception orders. Participants suggested that the order should be as specific and precise as possible, which the existing format to a large extent confirms. On the topic, a participant noted that in some cases, despite DoPT guidelines, interception orders are issued in regional languages. This can pose as a problem as the nodal officer might not know the language, thus leading to possible ambiguity & misinterpretation of the order. Participants suggested that orders should be in English.

Participants also pointed out that in most European countries - like France and Italy - a fee for the compliance cost arising out of implementing an interception order is paid to service providers by the government. In India, huge costs are involved in carrying out interceptions which service providers presently have to bare. As law enforcement and security agencies ask for more and more accuracy in surveillance, the charges of carrying out surveillance. To address this, participants suggested that interception as a service should be accommodated in the proposed Bill.

Conclusion

The discussions in the Surveillance and Privacy Roundtable in New Delhi mainly revolved around the authorization model and the process of interception. Overall, participants agreed on an organised executive model with an established accountability and review system. Also discussed was how to ensure that service providers are legally protected from disproportionate and unwarranted penalties. Towards this, the interception process should be viewed as a service rather than an obligation.

For more details visit https://cis-india.org/internet-governance/blog/introduction-about-the-privacy-and-surveillance-roundtables

IOCOSE's talk at CIS

praskrishna — 2014-11-25T01:02:24Z

Please join us at the Centre for Internet and Society in Bangalore on Thursday, November 27, 2014 at 7 p.m. for a presentation of the work of the artists group IOCOSE, current artists in residence at T.A.J./SKE Residency.

What is the life of a drone 'in times of peace'? What are the creative potential of a drone? Drones do not have such a thing as a ‘life’. But what if?

The title of our project, 'In Times of Peace' refers to Paul Virilio's theory of logistics (Pure War, 1983).

Quoting an article published by the Pentagon in late '40s, the theorist highlighted the fact that the text presented logistics as the procedure for which the potential of a nation lies in its armed forces, 'in times of peace' as in times of war.

But what does it mean to live 'in times of peace'? And what does this mean for a drone?”

The talk will open with the announcement of the winner of the NoTube Contest 2014 which will be held at the Sree Venkateshwara Cyber Cafe in Bangalore on the very same day.

IOCOSE

IOCOSE is a collective of four artists who has been working in Italy and Europe since 2006. It organises actions in order to subvert ideologies, practices and processes of identification and production of meanings. It uses pranks and hoaxes as tactical means, as joyful and sound tools. IOCOSE thinks about the streets, internet and word of mouth as a battlefield. Tactics such as mimesis and trickery are used to lead and delude the audience into a semantic pitfall. IOCOSE’s work has been shown internationally, such as at Jeu de Paume (Paris, France; 2011); Tate Modern (London, UK; 2011), Festival Nrmal, (Monterrey, Mexico; 2011); Furtherfield Gallery (London, UK; 2012); Venice Biennal (Italy; 2011), Macro (Rome, Italy; 2012); CLICK Festival (Helsingor, Denmark; 2013); Science gallery (Dublin, Ireland, 2012), http://www.iocose.org

T.A.J. RESIDENCY & SKE PROJECTS

T.A.J. RESIDENCY & SKE PROJECTS is a residency program established in 2013 as a collaborative project between a visual artist and a gallerist. Intended as an interdisciplinary residency, it has already hosted visual artists, curators, academics, scientists, fiction writers and journalists. There is always one visual artist in residence. The residency program is also open to applicants from the fields of architecture, design, music, film, performing arts and education, http://t-a-j.in

Marialaura Ghidini

Marialaura is a curator, researcher and writer. She is the founder director of or-bits.com since 2009. Currently she is AHRC-doctoral researcher with CRUMB (Curatorial Upstart Media Bliss) at the University of Sunderland. Based in London, UK, from Brescia, Italy. She can be contacted at mlghidini@gmail.com

For more details visit https://cis-india.org/internet-governance/events/iocose-talk-at-cis

Privacy, security and surveillance: tackling international dilemmas and dangers in the digital realm

praskrishna — 2014-12-15T12:56:49Z

Pranesh Prakash was a panelist in the session "Beyond the familiar: how do other countries deal with security and surveillance oversight?" The event was organized by Wilton Park between November 17 and 19, 2014.

Complete details of the programme can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/wilton-park-november-17-19-privacy-security-surveillance

Privacy vs. Transparency: An Attempt at Resolving the Dichotomy

sunil — 2015-03-08T06:26:21Z

The right to privacy has been articulated in international law and in some national laws. In a few countries where the constitution does not explicitly guarantee such a right, courts have read the right to privacy into other rights (e.g., the right to life, the right to equal treatment under law and also the right to freedom of speech and expression).

With feedback and inputs from Sumandro Chattapadhyay, Elonnai Hickok, Bhairav Acharya and Geetha Hariharan. I would like to apologize for not providing proper citation to Julian Assange when the first version of this blog entry was published. I would also like to thank Micah Sifry for drawing this failure to his attention. The blog post originally published by Omidyar Network can be read here. Also see http://newint.org/features/2015/01/01/privacy-transparency/

In other countries where privacy is not yet an explicit or implicit right, harm to the individual is mitigated using older confidentiality or secrecy law. After the Snowden affair, the rise of social media and the sharing economy, some corporations and governments would like us to believe that “privacy is dead”. Privacy should not and cannot be dead, because that would mean that security is also dead. This is indeed the most dangerous consequence of total surveillance as it is technically impossible to architect a secure information system without privacy as a precondition. And conversely, it is impossible to guarantee privacy without security as a precondition.

The right to transparency [also known as the right to information or access to information] – while unavailable in international law – is increasingly available in national law. Over the last twenty years this right has become encoded in national laws – and across the world it is being used to hold government accountable and to balance the power asymmetry between states and citizens. Independent and autonomous offices of transparency regulators have been established. Apart from increasing government transparency, corporations are also increasingly required to be transparent as part of generic or industry specific regulation in the public interest. For instance, India’s Companies Act, 2013, requires greater transparency from the private sector. Other areas of human endeavor such as science and development are also becoming increasingly transparent though here it is still left up to self-regulation and there isn’t as much established law. Within science and research more generally, the rise of open data accompanied the growth of the Open Access and citizen science movement.

So the question before us is: Are these two rights – the right to transparency and the right to privacy – compatible? Is it a zero-sum game? Do we have to sacrifice one right to enforce the other? Unfortunately, many privacy and transparency activists think this is the case and this has resulted in some conflict. I suggest that these rights are completely compatible when it comes to addressing the question of power. These rights do not have to be balanced against one another. There is no need to settle for a sub-optimal solution. Rather this is an optimization problem and the solution is as follows: privacy protections must be inversely proportionate to power and as Julian Assange says transparency requirements should be directly proportionate to power.[*]

In most privacy laws, the public interest is an exception to privacy. If public interest is being undermined, then an individual privacy can be infringed upon by the state, by researchers, by the media, etc. And in transparency law, privacy is the exception. If the privacy of an individual can be infringed, transparency is not required unless it is in the public interest. In other words, the “public interest” test allows us to use privacy law and transparency law to address power asymmetries rather than exacerbate them. What constitutes “public interest” is of course left to courts, privacy regulators, and transparency regulators to decide. Like privacy, there are many other exceptions in any given transparency regime including confidentiality and secrecy. Given uneven quality of case law there will be a temptation by the corrupt to conflate exceptions. Here the old common-law principle of “there is no confidence as to the disclosure of iniquity” – which prevents confidentiality law from being used to cover malfeasance or illegality – can be adopted in appropriate jurisdictions.

Around 10 years ago, the transparency movement gave birth to yet another movement – the open government data movement. The tension between privacy and transparency is most clearly seen in the open government data movement. The open government data movement in some parts of the world is dominated by ahistorical and apolitical technologists, and some of them seem intent on reinventing the wheel. In India, ever since the enactment of the Right to Information Act, 2003, 30 transparency activists are either killed, beaten or criminally intimidated every year. This is the statistic from media coverage alone. Many more silently suffer. RTI or transparency is without a doubt one of the most dangerous sectors within civil society that you could choose to work in. In contrast, not a single open data activist has ever been killed, beaten or criminally intimidated. I suspect this is because open data activists do not sufficiently challenge power hierarchies. Let us look a little bit closely at their work cycle. When a traditional transparency activist asks a question, that is usually enough to get them into trouble. When an open data activist publishes an answer [a dataset nicely scrubbed and machine readable, or a visualization, or a tool] they are often frustrated because nobody seems interested in using it. Often even the activist is unclear what the question is. This is because open data activist works where data is available. Open data activists are obsessed with big datasets, which are easier to find at the bottom of the pyramid. They contribute to growing surveillance practices [the nexus between Internet giants, states, and the security establishment] rather that focusing on sousveillance [citizen surveillance of the state, also referred to as citizen undersight or inverse surveillance]. They seem to be obsessed only with tools and technologies, rather than power asymmetries and injustices.

Finally, a case study to make my argument easier to understand – Aadhaar or UID, India’s ambitious centralized biometric identity and authentication management system. There are many serious issues with its centralized topology, proprietary technology, and dependence on biometrics as authentication factors – all of which I have written about in the past. In this article, I will explain how my optimization solution can be applied to the project to make it more effective in addressing its primary problem statement that corruption is a necessary outcome of power asymmetries in India.

In its current avatar – the Aadhaar project hopes to assign biometric-based identities to all citizens. The hope is that, by doing authentication in the last mile, corruption within India’s massive subsidy programmes will be reduced. This, in my view, might marginally reduce retail corruption at the bottom of the pyramid. It will do nothing to address wholesale corruption that occurs as subsidies travel from the top to the bottom of the pyramid. I have advocated over the last two years that we should abandon trying to issue biometric identities to all citizens, thereby making them more transparent to the state. Let us instead issue Aadhaar numbers to all politicians and bureaucrats and instead make the state more transparent to citizens. There is no public interest in reducing privacy for ordinary citizens – the powerless – but there are definitely huge public interest benefits to be secured by increasing transparency of politicians and bureaucrats, who are the powerful.

The Indian government has recently introduced a biometric-based attendance system for all bureaucrats and has created a portal that allows Indian citizens to track if their bureaucrats are arriving late or leaving early. This unfortunately is just bean counting [for being corrupt and being punctual are not mutually exclusive] and public access to the national portal was turned off because of legitimate protests from some of the bureaucrats. What bureaucrats do in office, who they meet, and which documents they process is more important than when they arrive at or depart from work. The increased transparency or reduced privacy was not contributing to the public interest.

Instead of first going after small-ticket corruption at the bottom of the pyramid, maximization of public interest requires us to focus on the top, for there is much greater ROI for the anti-corruption rupee. For example: constructing a digital signature based on audit trails that track all funds and subsidies as they move up and down the pyramid. These audit trails must be made public so that ordinary villagers can be supported by open data activists, journalists, social entrepreneurs, and traditional civil society in verification and course correction.

I hope open data activists, data scientists, and big data experts will draw inspiration from the giants of the transparency movement in India. I hope they will turn their attention to power, examine power asymmetries and then ask how the Aadhaar project can be leveraged to make India more rather than less equal.

Videos

Open Up? 2014: Risky Business: Transparency, Technology, Security, and Human Rights

Open Up? 2014: Data Collection and Sharing: Transparency and the Private Sector

The videos can also be watched on Vimeo:

[*].http://prospect.org/article/real-significance-wikileaks “Transparency should be proportional to the power that one has.”

Read the presentation on Risky Business: Transparency, Technology, Security and Privacy made at the Pecha Kucha session here. (ODP File, 35 kb)

Disclaimer: The views, opinions, and positions expressed by the author(s) of this blog are theirs alone, and do not necessarily reflect the views, opinions, or positions of Omidyar Network. We make no representations as to accuracy, completeness, timeliness, suitability or validity of any information presented by individual authors of the blogs and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use.

For more details visit https://cis-india.org/openness/blog-old/privacy-v-transparency

Fourth Discussion Meeting of the Expert Committee to Discuss the Draft Human DNA Profiling Bill

praskrishna — 2014-12-08T16:07:24Z

The fourth expert committee meeting was held on November 10, 2014 at the Department of Biotechnology to discuss the potential privacy concerns of the draft Human DNA Profiling Bill. Sunil Abraham however was unable to participate because of technical problems.

Agenda

Welcome and opening remarks by the Secretary, DBT
Remarks by the Chairman - Dr. T.S. Rao, Senior Adviser, DBT
A brief overview on deliberations and decisions of Hon’ble Supreme Court - Dr. Alka Sharma, Director, DBT
Discussion and finalization of the Bill by the members
Recommendations of the Expert Committee
Any other item with the permission of the Chairman.

Resources

Click here (Zip file, 2698 Kb) to download the following resources from earlier meetings:

Record note of discussions of the Expert Committee Meeting held on January 31, 2013 at DBT, New Delhi, to discuss the potential privacy concerns on draft Human DNA Profiling Bill.
Annexure 1 to Record note: Draft Human DNA Profiling Bill 2012: The Privacy Issues and Concerns
Annexure 2 to Record note: Short background note on the draft Human DNA Profiling Bill
Record note of the 2nd discussion meeting of the Expert Committee held on May 13, 2013 in DBT to discuss the draft Human DNA Profiling Bill
Minutes of the 3rd meeting of the Expert Committee held on November 25, 2013 in DBT to discuss the draft Human DNA Profiling Bill
Record note of the discussions of the Experts Sub-committee Meeting on Human DNA Profiling Bill held on September 3, 2013 at CPFD, Hyderabad
Affidavit on behalf of DBT
Human Draft DNA Profiling Bill 2012 (Working Draft Version, April 29, 2012)

For more details visit https://cis-india.org/internet-governance/news/fourth-discussion-meeting-of-expert-committee-to-discuss-draft-human-dna-profiling-bill