Centre for Internet and Society

A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT Act

divij — 2014-07-03T05:43:23Z

Tribunals and quasi-judicial bodies are a regular feature of the Indian judicial system, as they provide for easier and less onerous methods for dispute resolution, especially disputes which relate to technical areas and often require technical knowledge and familiarity with specialised factual scenarios.

Further, quasi-judicial bodies do not have the same procedural restrictions as proper courts, which makes the adjudication of disputes easier. The Information Technology Act of India, which regulates several important aspects of electronic information, including the regulation of private electronic transactions as well as detailing civil and criminal offences relating to computers and electronic information, contemplates a specialised dispute resolution mechanism for disputes relating to the offences detailed under the Act. The Act provides for the establishment of quasi-judicial bodies, namely adjudicating officers under S.46, to hear disputes arising out of Chapter IX of the Act, namely, offences of a civil nature under S.43, 43A, 44 and 45 of the Act, as well as criminal offences described under Chapter XI of the Act. The adjudicating officer has the power to both award compensation as damages in a civil remedy, as well as impose penalties for the contravention of the Act,[1] and therefore has powers of both civil and criminal courts. The first appellate body provided in the Act, i.e. the authority that any party not satisfied by the decision of the adjudicating officer can appeal to, is the Cyber Appellate Tribunal, consisting of a Chairperson and any other members so prescribed by the Central Government.[2] The second appeal, if a party is aggrieved by the decision of the Cyber Appellate Tribunal, may be filed before the High Court having jurisdiction, within 60 days from the date of communication of the order.[3]

Functioning of the Offices of the State Adjudicating Officers and the Cyber Appellate Tribunal

The office of the adjudicating officer is established under S.46 of the IT Act, which provides that the person appointed to such a post must be a government officer of a rank not below that of a Director or an equivalent rank, and must have experience both in the field of Information Technology as well as legal or judicial experience.[4] In most cases, the appointed adjudicating officer is the Principle Secretary to the Department of Information Technology in the state.[5] The decisions of these adjudicating officers determine the scope and meaning of several provisions of the IT Act, and are instrumental in the development of the law in this field and filling a lacuna regarding the interpretation of these important provisions, particularly in areas such as data protection and privacy.[6] However, despite the large number of cyber-crime cases being registered across the country,[7] there is a lack of available judgements on the adjudication of disputes under Sections 43, 43A, 44 and 45 of the Act. Of all the states, only the websites of the Departments of Information Technology in Maharashtra,[8], Tamil Nadu[9], New Delhi[10], and Haryana[11] have reported judgements or orders of the Adjudicating Officers. The adjudicating officer in Maharasthra, Rajesh Aggarwal, has done a particularly commendable job, having disposed of 51 cases under the IT Act, with 20 cases still pending.

The first Cyber Appellate Tribunal set up by the Central Government is located at New Delhi. Although a second branch of the Tribunal was to be set up in Bangalore, no efforts seem to have been made in this regard.[12] Further, the position of the Chairperson of the Appellate Tribunal, has been left vacant since 2011, after the appointed Chairperson attained the age of superannuation and retired. Although judicial and technical members have been appointed at various points, the tribunal cannot hold hearings without a chairperson. A total of 17 judgements have been passed by the Cyber Appellate Tribunal prior to the retirement of the chairperson, while the backlog of cases is continuously growing.[13] Despite a writ petition being filed before the Karnataka High Court and the secretary of the Department of IT coming on record to state that the Chairperson would be appointed within 6 months (of September 2013), no action seems to have been taken in this regard, and the lacunae in the judicial mechanism under the IT Act continues. The proper functioning of adjudicating officers and the Cyber Appellate Tribunal is particularly necessary for the functioning of a just judicial system in light of the provisions of the Act (namely, Section 61) which bar the jurisdiction of ordinary civil courts in claims below the amount of Rs. 5 Crores, where the adjudicating officer or the CAT is empowered.[14]

Analysis of Cases Filed under Section 43A

Section 43A of the Information Technology Act was inserted by the 2008 Amendment, and is the principle provision governing protection of information held by intermediaries under the Act. Section 43A provides that “body corporates” handling “sensitive personal data” must implement reasonable security practices for the protection of this information. If it is negligent in providing or maintaining such reasonable security practices, the body corporate is to be held liable and must pay compensation for the loss occurred.[15] Rule 3 of the Draft Reasonable Security Practices Rules, defines sensitive personal data as including – passwords, user details as provided at the time of registration or thereafter, information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users, physiological and mental health conditions, medical records and history, biometric information, information received by body corporate for processing, stored or processed under lawful contract or otherwise and call data records.[16]

All the decisions of appointed adjudicators are available for an analysis of Section 43A are from the adjudicating officer in Maharashtra, Mr. Rajesh Tandon, who despite having no judicial experience, has very cogent analysis and knowledge of legal issues involved in the cases, which is commendable for a quasi-judicial officer.

One class of cases, constituting a major chunk of the claims, is where the complainant is claiming against a bank for the fraudulent transfer of funds from the claimants account to another account. In most of these cases, the adjudicating officer examined the compliance of the bank with “Know Your Customer” norms and guidelines framed by the Reserve Bank of India for prevention of banking fraud and, where such compliance was found to be lacking and information which allowed the bank accounts of the complainant was allowed to be accessed by fraudsters, the presumption is that the bank was negligent in the handling of “sensitive personal information”,[17] by failing to provide for reasonable security practices and consequently was liable for compensation under S.43A, notwithstanding that the complainant also contributed to compromising certain personal information by responding to phishing mails,[18] or divulging information to other third parties.[19] These instances clearly fall within the scope of Section 43A, which protects “information related to financial information such as Bank account/ credit card /debit card /other payment instrument details of the users” as sensitive personal data from negligent handling by body corporates. The decisions of the adjudicating officer must be applauded for placing a higher duty of care on banks to protect informational privacy of its customers, given that they are in a position where they ought to be well equipped to deal with intimate financial information and holding them accountable for lack of proper mechanisms to counter bank fraud using stolen information, which reflects in the compensation which the banks have been liable to pay, not only as indemnification for losses, but also punitive damages.[20]

In Nirmalkumar Bhagerwal v IDBI Bank and Meenal Bhagerwal, the sensitive financial information of the complainant, namely, the bank statement, had been accessed by the complainants wife. In holding the bank to be liable for divulging the same, and that access to personal information by a spouse is also covered under S.43A, the officer seems to have imputed the loss of privacy on account of such negligence as ‘wrongful loss’ which deserves compensation. One anomalous decision of the officer was where the operator of an ATM was held liable for fraudulent credit card transactions in that Machine, due to “reasonable security practices” such as security personnel or CCTV footage, and therefore causing the loss of “sensitive personal data”. However, it is difficult to see how ATM operators can be held liable for failing to protect sensitive information from being divulged, when the case is simply of a person fraudulently using a credit card.

Another class of cases, generally linked with the above cases, is complaints against cell phone providers for divulging information through falsely procured Sim Cards. In such instances, the officer has held that by negligently allowing the issuance of duplicate sim cards, the phone company has led to the access of sensitive personal data and thus caused wrongful loss to the complainant. This interpretation of Section 43A is somewhat confusing. The officer seems to have interpreted the provisions of Section 43A to include carriers of the information which was originally sent through the computer resource of the banking companies. In this way, they are imputed the status of “handlers” of sensitive personal information, and their communications infrastructure through which the information is sent is the “computer resource” which it operates for the purpose of the Act. Therefore, through their negligence, they are abetting the offence under 43A.[21]

For example, in the case of Sanjay Govind Dhandhe v ICICI and Vodafone, the officer remarked that –“A SIM card is a veritable key to person’s sensitive financial and personal information. Realizing this, there are clear guidelines issued by the DOT regarding the issuance of SIM cards. The IT Act also intends to ensure that electronic personal and sensitive data is kept secured and reasonable measures are used to maintain its confidentiality and integrity. It is extremely crucial that Telecom companies actively follow strict security procedures while issuing SIM cards, especially in wake of the fact that mobiles are being increasingly used to undertake financial transactions. In many a case brought before me, financial frauds have been committed by fraudsters using the registered mobile numbers of the banks’ account holders.” Therefore, intermediaries such as telecom companies, which peripherally handle the data, are also liable under the same standards for ensuring its privacy. The adjudicating officer has also held telephone companies liable for itemized phone bills as Call Data Records negligently divulged by them, which again clearly falls under the scope of the Reasonable Security Practices Rules.[22]

Note:

"Credentek v Insolutions (http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_Credentek_Vs_Insolutions-28012014.pdf) . This case holds that banks and the National Payments Corporation of India were liable under S. 43A for divulging information relating to transactions by their customers to a software company which provides services to these banks using the data, without first making them sign non-disclosure agreements. The NCPI was fined a nominal amount of Rs. 10,000."

[1]. Section 46, Information Technology Act, 2000.

[2]. Section 48 and 49 of the Information Technology Act, 2000 (Amended as of 2008).

[3]. Section 62, IT Act. However, The High Court may extend this period if there was sufficient cause for the delay.

[4]. S. 46(3), Information Technology Act, “No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and Legal or Judicial experience as may be prescribed by the Central Government.”

[5]. From whatever data is available, the adjudicating officers in the states of Maharashtra, New Delhi, Haryana, Tamil Nadu and Karnataka are all secretaries to the respective state departments relating to IT.

[6]. See http://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra; Also see the decision of the Karnataka adjudicating officer which held that body corporates are not persons under S.43 of the IT Act, and thus cannot be liable for compensation or even criminal action for offences under that Section, available at http://www.naavi.org/cl_editorial_13/adjudication_gpl_mnv.pdf.

[7]. Maharashtra Leads in War Against Cyber Crime, The Times of India, available at http://timesofindia.indiatimes.com/city/mumbai/Maharashtra-leads-in-war-against-cyber-crime/articleshow/30579310.cms. (18^th February, 2014).

[8]. https://it.maharashtra.gov.in/1089/IT-Act-Judgements

[9]. http://www.tn.gov.in/documents/atoz/J

[10]. http://www.delhi.gov.in/wps/wcm/connect/DoIT_IT/doit_it/it+home/orders+of+adjudicating+officer

[11]. http://haryanait.gov.in/cyber.htm

[12]. Bangalore Likely to host southern chapter of Cyber Appellate Tribunal, The Hinduk http://www.thehindu.com/news/national/karnataka/bangalore-is-likely-to-host-southern-chapter-of-cyber-appellate-tribunal/article3381091.ece (2^nd May, 2013).

[13]. http://catindia.gov.in/Judgement.aspx

[14]. Section 61 of the IT Act – ‘No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act. Provided that the court may exercise jurisdiction in cases where the claim for injury or damage suffered by any person exceeds the maximum amount which can be awarded under this Chapter.’

[15]. Section 43A, Information Technology Act, 2000 – ‘Compensation for failure to protect data (Inserted vide ITAA 2006) Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. (Change vide ITAA 2008)

Explanation: For the purposes of this section (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

[16]. Draft Reasonable Security Practices Rules under Section 43A of the IT Act, available at http://www.huntonfiles.com/files/webupload/PrivacyLaw_Reasonable_Security_Practices_Sensitive_Personal_Information.pdf.

[17]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013.PDF. Ram Techno Pack v State Bank of India, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RamTechno_Vs_SBI-22022013.pdf.

Srinivas Signs v IDBI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SreenivasSigns_Vs_IDBI-18022014.PDF.

Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf

Pravin Parkhi v SBI Cards, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PravinParkhi_Vs_SBICardsPayment-30122013.PDF.

[18]. Sourabh Jain v ICICI, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SourabhJain_Vs_ICICI&Idea-22022013.PDF.

[19]. Poona Automobiles v Punjab National Bank, https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_PoonaAuto_Vs_PNB-22022013.PDF

[20]. Amit Patwardhan v Bank of Baroda, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudicaton_AmitPatwardhan_Vs_BankOfBaroda-30122013.PDF.

[21]. Ravindra Gunale v Bank of Maharashtra, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RavindraGunale_Vs_BoM&Vodafone_20022013; Raju Dada Raut v ICICI Bank, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RajuDadaRaut_Vs_ICICIBank-13022013.pdf.

[22]. Rohit Maheshwari v Vodafone, http://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RohitMaheshwari_Vs_Vodafone&ors-04022014.PDF.

For more details visit https://cis-india.org/internet-governance/blog/review-of-functioning-of-cyber-appellate-tribunal-and-adjudicatory-officers-under-it-act

Content Removal on Facebook — A Case of Privatised Censorship?

jessie — 2014-06-16T05:23:09Z

Any activity on Facebook, be it creating an account, posting a picture or status update or creating a group or page, is bound by Facebook’s Terms of Service and Community Guidelines. These contain a list of content that is prohibited from being published on Facebook which ranges from hate speech to pornography to violation of privacy.

Facebook removes content largely on the basis of requests either by the government or by other users. The Help section of Facebook deals with warnings and blocking of content. It says that Facebook only removes content that violates Community Guidelines and not everything that has been reported.

I conducted an experiment to primarily look at Facebook’s process of content removal and also to analyse what kind of content they actually remove.

I put up a status which contained personal information of a person on my Friend List (the information was false). I then asked several people (including the person about whom the status was made) to report the status — that of being harassed or for violation of privacy rights. Seven people reported the status. Within half an hour of the reports being made, I received the following notification:
"Someone reported your post for containing harassment and 1 other reason."

The notification also contained the option to delete my post and said that Facebook would look into whether it violated their Community Guidelines.

A day later, all those who had reported the status received notifications stating the following:

"We reviewed the post you reported for harassment and found it doesn't violate our Community Standards."

I received a similar notification as well.
I, along with around thirteen others, reported a Facebook page which contained pictures of my friend and a few other women with lewd captions in various regional languages. We reported the group for harassment and bullying and also for humiliating someone we knew. The report was made on 24 March, 2014. On 30 April, 2014, I received a notification stating the following:

"We reviewed the page you reported for harassment and found it doesn't violate our Community Standards.

Note: If you have an issue with something on the Page, make sure you report the content (e.g. a photo), not the entire Page. That way, your report will be more accurately reviewed."

I then reported each picture on the page for harassment and received a series of notifications on 5 May, 2014 which stated the following:

"We reviewed the photo you reported for harassment and found it doesn't violate our Community Standards."

These incidents are in stark contrast with repeated attempts by Facebook to remove content which it finds objectionable. In 2013, a homosexual man’s picture protesting against the Supreme Court judgment in December was taken down. In 2012, Facebook removed artwork by a French artist which featured a nude woman. In the same year, Facebook removed photographs of a child who was born with defect and banned the mother from accessing Facebook completely. Facebook also removed a picture of a breast cancer survivor who posted a picture of a tattoo that she had following her mastectomy. Following this, however, Facebook issued an apology and stated that mastectomy photographs are not in violation of their Content Guidelines. Even in the sphere of political discourse and dissent, Facebook has cowered under government pressure and removed pages and content, as evidenced by the ban on the progressive Pakistani band Laal’s Facebook page and other anti-Taliban pages. Following much social media outrage, Facebook soon revoked this ban. These are just a few examples of how harmless content has been taken down by Facebook, in a biased exercise of its powers.

After incidents of content removal have been made public through news reports and complaints, Facebook often apologises for removing content and issues statements that the removal was an “error.” In some cases, they edit their policies to address specific kinds of content after a takedown (like the reversal of the breastfeeding ban).

On the other hand, however, Facebook is notorious for refusing to take down content that is actually objectionable, partially evidenced by my own experiences listed above. There have been complaints about Facebook’s refusal to remove misogynistic content which glorifies rape and domestic violence through a series of violent images and jokes. One such page was removed finally, not because of the content but because the administrators had used fake profiles. When asked, a spokesperson said that censorship “was not the solution to bad online behaviour or offensive beliefs.” While this may be true, the question that needs answering is why Facebook decides to draw these lines only when it comes to certain kinds of ‘objectionable’ content and not others.

All of these examples represent a certain kind of arbitrariness on the part of Facebook’s censorship policies. It seems that Facebook is far more concerned with removing content that will cause supposed public or governmental outrage or defy some internal morality code, rather than protecting the rights of those who may be harmed due to such content, as their Statement of Policies so clearly spells out.

There are many aspects of the review and takedown process that are hazy, like who exactly reviews the content that is reported and what standards they are made to employ. In 2012, it was revealed that Facebook outsourced its content reviews to oDesk and provided the reviewers with a 17-page manual which listed what kind of content was appropriate and what was not. A bare reading of the leaked document gives one a sense of Facebook’s aversion to sex and nudity and its neglect of other harm-inducing content like harassment through misuse of content that is posted and what is categorised as hate speech.

In the process of monitoring the acceptability of content, Facebook takes upon itself the role of a private censor with absolutely no accountability or transparency in its working. A Reporting Guide was published to increase transparency in its content review procedures. The Guide reveals that Facebook provides for an option where the reportee can appeal the decision to remove content in “some cases.” However, the lack of clarity on what these cases are or what the appeal process is frustrates the existence of this provision as it can be misused. Additionally, Facebook reserves the right to remove content with or without notice depending upon the severity of the violation. There is no mention of how severe is severe enough to warrant uninformed content removal. In most of the above cases, the user was not notified that their content was found offensive and would be liable for takedown. Although Facebook publishes a transparency report, it only contains a record of takedowns following government requests and not those by private users of Facebook. The unbridled nature of the power that Facebook has over our personal content, despite clearly stating that all content posted is the user’s alone, threatens the freedom of expression on the site. A proper implementation of the policies that Facebook claims to employ is required along with a systematic record of the procedure that is used to remove content that is in consonance with natural justice.

For more details visit https://cis-india.org/internet-governance/blog/content-removal-on-facebook

Right to be forgotten poses a legal dilemma in India

praskrishna — 2014-06-09T10:02:25Z

The “right to be forgotten” judgment has raised a controversy, while some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

The article by Leslie D' Monte was published in Livemint on June 5, 2014. Sunil Abraham gave his inputs.

Medianama.com has become perhaps the first Indian website to be asked by an individual to remove a link, failing which the user would approach Google Inc. to delete the link under the “right to be forgotten” provision granted by a European court. There’s one hitch: India doesn’t have any legal provision to entertain or process such request.

In his request to the media website, the individual cited a landmark 13 May judgment by the Court of Justice of the European Union (EU), which said users could ask search engines like Google or Bing to remove links to web pages that contain information about them.

According to the judgement, the user is also free to approach “the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results” if the search engines do not comply.

“...this individual told us of a plan to appeal to Google on the basis of the judgment of the European Court of Justice, and asked us to either convert the public post into a non-indexable post, such that it may not be surfaced by search engines, or to modify the individual’s name, place and any references to his/her employer in the post that we’ve written, so that it cannot be linked directly to the individual,” said Nikhil Pahwa, founder of medianama.com.

Pahwa did not reveal the identity of the individual, who made the request on 31 May. Medianama, according to Pahwa, had written about the individual “a few years ago, protesting against attacks on his/her freedom of speech.” It did not give details. The media website reported about the request on 2 June.

Under legal pressure, the individual eventually relented and retracted the request.

The individual, Pahwa said, requested medianama.com to retain only his last name on the web page, cautioning that if the website does not do so, he would submit the URL (uniform resource locator or address of that link) of that web page to Google in a “right to be forgotten” request.

This, Pahwa said, “might hurt our search ranking, or lead to a blanket removal of our website from Google’s search index.”

“This is a tricky one, and we’ve declined this request,” said Pahwa. He added that “the implications for media are immense, since digital data, which is a recording of online history, will be affected.”

The EU ruling came after a Spanish national complained in 2010 that searching his name in Google threw up links to two newspaper webpages which reported a property auction to recover social security debt he once owed, even though the information had become irrelevant since the proceedings had since been resolved.

Following the ruling, Google put up an online form (mintne.ws/1oYVP5Y), inviting users in Europe to submit their requests.

“...we will assess each individual request and attempt to balance the privacy rights of the individual with the public’s right to know and distribute information,” the form reads.

“When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials...”

A Google spokesman said on Tuesday that the company had received over 41,000 requests to be forgotten so far.

On the first day itself, Google had received 12,000 requests.

“Almost a third of the requests were in relation to accusations of fraud, 20% were in relation to violent/serious crimes, and around 12% regarded child pornography arrests. More than 1,500 of these requests are believed to have come from people in the UK. An ex-politician seeking re-election, a paedophile and a GP (general practitioner) were among the British applicants”, according to a 2 June report inThe Telegraph of London.

The “right to be forgotten” judgment has raised a controversy. While some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

In an interview to Mint on 26 May, Anupam Chander, director of the California International Law Center, reasoned that if a person could simply scrub all the bad information about him from being searchable on the Internet, she/he could do so by claiming that such information was “no longer relevant”.

“Do we want search engines to then judge whether information remains “relevant” or is somehow “inadequate” under the threat of liability for leaving information accessible? An Internet sanitized of accessible negative information will only tell half the truth,” he argued.

The ruling is not binding on India and applies only to EU countries.

According to legal experts, the country has no provision for a right to be forgotten, either in the Information Technology (IT) Act 2000 (amended in 2008) or the IT Rules, 2011. India, for that matter, does not even have a privacy act as yet.

“In India, we do not have a concept of the right to be Forgotten. It’s a very Western concept,” said Pavan Duggal, a cyberlaw expert and Supreme Court advocate.

Still, intermediaries like search engines and Internet services providers, under the country’s IT Act and IT Rules, have the obligation to exercise due diligence if an aggrieved party sends them a written notice, he said.

According to Sunil Abraham, executive director of the Centre for Internet and Society, an Internet rights lobby group, “right to be forgotten” cases should pass the “public interest” test.

“Privacy protection should not have a chilling effect on transparency. The question is: Does the content (which a user wants to be removed) serve a public interest that outweighs the harm that it is doing to the individual concerned? If no public interest is being served, there is no point in knowing what the content is all about. The complication with the EU ruling is that it wants intermediaries and over-the-top providers to play the role of judges,” said Abraham.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-june-5-2014-right-to-be-forgotten-poses-legal-dilemma-in-india

FOEX Live: June 1-7, 2014

geetha — 2014-06-07T13:33:45Z

A weekly selection of news on online freedom of expression and digital technology from across India (and some parts of the world).

Delhi NCR:

Following a legal notice from Dina Nath Batra, publisher Orient BlackSwan “set aside… for the present” Communalism and Sexual Violence: Ahmedabad Since 1969 by Dr. Megha Kumar, citing the need for a “comprehensive assessment”. Dr. Kumar’s book is part of the ‘Critical Thinking on South Asia’ series, and studies communal and sexual violence in the 1969, 1985 and 2002 riots of Ahmedabad. Orient BlackSwan insists this is a pre-release assessment, while Dr. Kumar contests that her book went to print in March 2014 after extensive editing and peer review. Dina Nath Batra’s civil suit led Penguin India to withdraw Wendy Doniger’s The Hindus: An Alternative History earlier this year.

The Delhi Police’s Facebook page aimed at reaching out to Delhi residents hailing from the North East proved to be popular.

Goa:

Shipbuilding engineer Devu Chodankar’s ordeal continued. Chodankar, in a statement to the cyber crime cell of the Goa police, clarified that his allegedly inflammatory statements were directed against the induction of the Sri Ram Sene’s Pramod Muthalik into the BJP. Chodankar’s laptop, hard-disk and mobile Internet dongle were seized.

Jammu & Kashmir:

Chief Minister Omar Abdullah announced the withdrawal of a four-year-old SMS ban in the state. The ban was instituted in 2010 following widespread protests, and while it was lifted for post-paid subscribers six months later, pre-paid connections were banned from SMSes until now.

Maharashtra:

In a move to contain public protests over ‘objectionable posts’ about Chhatrapati Shivaji, Dr. B.R. Ambedkar and the late Bal Thackeray (comments upon whose death led to the arrests of Shaheen Dhada and Renu Srinivasan under Section 66A), Maharashtra police will take action against even those who “like” such posts. ‘Likers’ may be charged under the Information Technology Act and the Criminal Procedure Code, say Nanded police.

A young Muslim man was murdered in Pune, apparently connected to the online publication of ‘derogatory’ pictures of Chhatrapati Shivaji and Bal Thackarey. Members of Hindu extremists groups celebrated his murder, it seems. Pune’s BJP MP, Anil Shirole, said, “some repercussions are natural”. Members of the Hindu Rashtra Sena were held for the murder, but it seems that the photographs were uploaded from foreign IP addresses. Across Maharashtra, 187 riotingcases have been registered against a total of 710 persons, allegedly in connection with the offensive Facebook posts.

On a lighter note, Bollywood hopes for a positive relationship with the new government on matters such as film censorship, tax breaks and piracy.

News & Opinion:

Shocking the world, Vodafone reported the existence of secret, direct-access wires that enable government surveillance on citizens. India is among 29 governments that sought access to its networks, says Vodafone.

I&B Minister Prakash Javadekar expressed his satisfaction with media industry self-regulation, and stated that while cross-media ownership is a matter for debate, it is the legality of transactions such as the Reliance-Network18 acquisition that is important.

Nikhil Pahwa of Medianama wrote of a ‘right to be forgotten’ request they received from a user in light of the recent European Court of Justice ruling. The right raises a legal dilemma in India, LiveMint reports. Medianama also comments on Maharashtra police’s decision to take action against Facebook ‘likes’, noting that at the very least, a like and a comment do not amount to the same thing.

The Hindu was scorching in its editorial on the Pune murder, warning that the new BJP government stands to lose public confidence if it does not clearly demonstrate its opposition to religious violence. The Times of India agrees.

Sanjay Hegde wrote of Section 66A of the Information Technology Act, 2000 (as amended in 2008) as a medium-focused criminalization of speech. dnaEdit also published its criticism of Section 66A.

Ajit Ranade of the Mumbai Mirror comments on India as a ‘republic of hurt sentiments’, criminalizing exercises of free speech from defamation, hate speech, sedition and Section 66A. But in this hurt and screaming republic, dissent is crucial and must stay alive.

A cyber security expert is of the opinion that the police find it difficult to block webpages with derogatory content, as servers are located outside India. But data localization will not help India, writes Jayshree Bajoria.

Dharma Adhikari tries to analyze the combined impact of converging media ownership, corporate patronage of politicians and elections, and recent practices of forced and self-censorship and criminalization of speech.

Elsewhere in the world:

In Pakistan, Facebook has been criticized for blocking pages of a Pakistani rock band and several political groups, primarily left-wing. Across the continent in Europe, Google is suffering from a popularity dip.

The National Council for Peace and Order, the military government in Thailand, has taken over not only the government,but also controls the media. The military cancelled its meetings with Google and Facebook. Thai protesters staged a quiet dissent. The Asian Human Rights Commission condemned the coup. For an excellent take on the coup and its dangers, please redirect here. For a round-up of editorials and op-eds on the coup, redirect here.

China has cracked down on Google, affecting Gmail, Translate and Calendar. It is speculated that the move is connected to the 25^th anniversary of the Tiananmen Square protests and government reprisal. At the same time, a Tibetan filmmaker who was jailed for six years for his film, Leaving Fear Behind, has been released by Chinese authorities. Leaving Fear Behind features a series of interviews with Tibetans of the Qinghai province in the run-up to the controversial Beijing Olympics in 2008.

Japan looks set to criminalize possession of child pornography. According to reports, the proposed law does not extend to comics or animations or digital simulations.

Egypt’s police is looking to build a social media monitoring system to track expressions of dissent, including “profanity, immorality, insults and calls for strikes and protests”.

Human rights activists asked Facebook to deny its services to the election campaign of Syrian President Bashar al-Assad, ahead of elections on June 3.

Call for inputs:

The Law Commission of India seeks comments from stakeholders and citizens on media law. The consultation paper may be found here. The final date for submission is June 19, 2014.

____________________________________________________________________________________________________________

For feedback and comments, Geetha Hariharan is available by email at geetha@cis-india.org or on Twitter, where her handle is @covertlight.

For more details visit https://cis-india.org/internet-governance/blog/foex-live-june-1-7-2014

WSIS+10 High-Level Event: Open Consultation Process

praskrishna — 2014-06-04T10:14:01Z

Jyoti Panday represented the Centre for Internet and Society (CIS) at the WSIS+10 High-Level Event:Open Consultation Process held in Geneva from May 28 to 31, 2014.

The Fifth Physical Meeting marked Phase Six of the Open Consultation Process for the WSIS+10 High-Level Event (HLE) to be held in Geneva from June 10 to 13, 2014.

The meeting saw the culmination of the multistakeholder review process on the WSIS+10 Statement on the Implementation of the WSIS Outcomes and the WSIS+10 Vision for WSIS Beyond 2015.

CIS made interventions on text related to increasing women's participation, freedom of expression, media rights, data privacy, network security and human rights.

CIS also endorsed text on action line 'Media' which reaffirmed committment to freedom of expression, data privacy and media rights offline and online including protection of sources, publishers and journalists.

Download the final agreed draft of the WSIS+10 Statement on the Implementation of WSIS Outcomes that will be deliberated upon and agreed at the HLE, for your reference.

For more details visit https://cis-india.org/news/wsis-high-level-event-open-consultation-process

Search and Seizure and the Right to Privacy in the Digital Age: A Comparison of US and India

divij — 2014-06-02T06:45:14Z

The development of information technology has transformed the way in which individuals make everyday transactions and communicate with the world around us. These interactions and transactions are recorded and stored – constantly available for access by the individual and the company through which the service was used.

For example, the ubiquitous smartphone, above and beyond a communication device, is a device which can maintain a complete record of the communications data, photos, videos and documents, and a multitude of other deeply personal information, like application data which includes location tracking, or financial data of the user. As computers and phones increasingly allow us to keep massive amounts of personal information accessible at the touch of a button or screen (a standard smartphone can hold anything between 500 MB to 64 GB of data), the increasing reliance on computers as information-silos also exponentially increases the harms associated with the loss of control over such devices and the information they contain. This vulnerability is especially visceral in the backdrop of law enforcement and the use of coercive state power to maintain security, juxtaposed with the individual’s right to secure their privacy.

American Law - The Fourth Amendment Protection against Unreasonable Search and Seizure

The right to conduct a search and seizure of persons or places is an essential part of investigation and the criminal justice system. The societal interest in maintaining security is an overwhelming consideration which gives the state a restricted mandate to do all things necessary to keep law and order, which includes acquiring all possible information for investigation of criminal activities, a restriction which is based on recognizing the perils of state-endorsed coercion and its implication on individual liberty. Digitally stored information, which is increasingly becoming a major site of investigative information, is thus essential in modern day investigation techniques. Further, specific crimes which have emerged out of the changing scenario, namely, crimes related to the internet, require investigation almost exclusively at the level of digital evidence. The role of courts and policy makers, then, is to balance the state’s mandate to procure information with the citizens’ right to protect it.

The scope of this mandate is what is currently being considered before the Supreme Court of the United States, which begun hearing arguments in the cases Riley v. California,[1] and United States v Wurie,[2]on the 29^th of April, 2014. At issue is the question of whether the police should be allowed to search the cell phones of individuals upon arrest, without obtaining a specific warrant for such search. The cases concern instances where the accused was arrested on account of a minor infraction and a warrantless search was conducted, which included the search of cell phones in their possession. The information revealed in the phones ultimately led to the evidence of further crimes and the conviction of the accused of graver crimes. The appeal is for a suppression of the evidence so obtained, on grounds that the search violates the Fourth Amendment of the American Constitution. Although there have been a plethora of conflicting decisions by various lower courts (including the judgements in Wurie and Riley),[3] the Federal Supreme Court will be for the first time deciding upon the issue of whether cell phone searches should require a higher burden under the Fourth Amendment.

At the core of the issue are considerations of individual privacy and the right to limit the state’s interference in private matters. The fourth amendment in the Constitution of the United States expressly grants protection against unreasonable searches and seizure,[4]however, without a clear definition of what is unreasonable, it has been left to the courts to interpret situations in which the right to non-interference would trump the interests of obtaining information in every case, leading to vast and varied jurisprudence on the issue. The jurisprudence stems from the wide fourth amendment protection against unreasonable government interference, where the rule is generally that any warrantless search is unreasonable, unless covered by certain exceptions. The standard for the protection under the Fourth Amendment is a subjective standard, which is determined as per the state of the bind of the individual, rather than any objective qualifiers such as physical location; and extends to all situations where individuals have a reasonable expectation of privacy, i.e., situations where individuals can legitimately expect privacy, which is a subjective test, not purely dependent upon the physical space being searched.[5]

Therefore, the requirement of reasonableness is generally only fulfilled when a search is conducted subsequent to obtaining a warrant from a neutral magistrate, by demonstrating probable cause to believe that evidence of any unlawful activity would be found upon such search. A warrant is, therefore, an important limitation on the search powers of the police. Further, the protection excludes roving or general searches and requires particularity of the items to be searched. The restriction derives its power from the exclusionary rule, which bars evidence obtained through unreasonable search or seizure, obtained directly or through additional warrants based upon such evidence, from being used in subsequent prosecutions. However, there have evolved several exceptions to the general rule, which includes cases where the search takes place upon the lawful arrest of an accused, a practice which is justified by the possibility of hidden weapons upon the accused or of destruction of important evidence.[6]

The appeal, if successful, would provide an exception to the rule that any search upon lawful arrest is always reasonable, by creating a caveat for the search of computer devices like smartphones. If the court does so, it would be an important recognition of the fact that evolving technologies have transmuted the concept of privacy to beyond physical space, and legal rules and standards that applied to privacy even twenty years ago, are now anachronistic in an age where individuals can record their entire lives on an iPhone. Searching a person nowadays would not only lead to the recovery of calling cards or cigarettes, but phones and computers which can be the digital record of a person’s life, something which could not have been contemplated when the laws were drafted. Cell phone and computer searches are the equivalent of searches of thousands of documents, photos and personal records, and the expectation of privacy in such cases is much higher than in regular searches. Courts have already recognized that cell phones and laptop computers are objects in which the user may have a reasonable expectation of privacy by making them analogous to a “closed container” which the police cannot search and hence coming under the protection of the Fourth Amendment.[7]

On the other hand, cell phones and computers also hold data which could be instrumental in investigating criminal activity, and with technologies like remote wipes of computer data available, such data is always at the risk of destruction if delay is occurred upon the investigation. As per the oral arguments, being heard now, the Court seems to be carving out a specific principle applicable to new technologies. The Court is likely to introduce subtleties specific to the technology involved – for example, it may seek to develop different principles for smartphones (at issue in Riley) and the more basic kind of cell-phones (at issue in Wurie), or it may recognize that only certain kinds of information may be accessed,[8]or may even evolve a rule that would allow seizure, but not a search, of the cell phone before a search warrant can be obtained.[9] Recognizing that transformational technology needs to be reflected in technology-specific legal principles is an important step in maintaining a synchronisation between law and technology and the additional recognition of a higher threshold adopted for digital evidence and privacy would go a long way in securing digital privacy in the future.

Search and Seizure in India

Indian jurisprudence on privacy is a wide departure from that in the USA. Though it is difficult to strictly compartmentalize the many facets of the right to privacy, there is no express or implicit mention of such a right in the Indian Constitution. Although courts have also recognized the importance of procedural safeguards in protecting against unreasonable governmental interference, the recognition of the intrinsic right to privacy as non-interference, which may be different from the instrumental rights that criminal procedure seeks to protect (such as misuse of police power), is sorely lacking. The general law providing for the state’s power of search and seizure of evidence is found in the Code of Criminal Procedure, 1973.

Section 93 provides for the general procedure of search. Section 93 allows for a magistrate to issue a warrant for the search of any “document or thing”, including a warrant for general search of an area, where it believes it is required for the purpose of investigation. The particularity of the search warrant is not a requirement under S. 93(2), and hence a warrant may be for general or roving search of a place. Section 100, which further provides for the search of a closed place, includes certain safeguards such as the presence of witnesses and the requirement of a warrant before a police officer may be allowed ingress into the closed place. However, under S. 165 and S. 51 of the code, the requirements of a search warrant are exempted. S. 165 dispenses with the warrant requirement and provides for an officer in charge of a police station, or any other officer duly authorized by him, to conduct the search of any place as long as he has reasonable grounds to believe that such search would be for the purpose of an investigation and a belief that a search warrant cannot be obtained without undue delay. Further, the officer conducting such search must as far as possible note down the reasons for such belief in writing prior to conducting the search. Section 51 provides another express exception to the requirement of search warrants, by allowing the search of a person arrested lawfully provided that the arrested person may not or cannot be admitted to bail, and requires any such seized items to be written in a search memo. As long as these conditions are fulfilled, the police has an unqualified authority to search a person upon arrest. Therefore, where the arrestee can be admitted to bail as per the warrant, or, in cases of warrantless arrest, as per the law, the search and seizure of such person may not be regular, and the evidence so collected would be subject to greater scrutiny by the court. However, besides these minimal protections, there is no additional procedural protection of individual privacy, and the search powers of the police are extremely wide and discretionary. In fact, there is a specific absence of the exclusionary rule as a protection as well, which means that, unlike under the Fourth Amendment, the non-compliance with the procedural requirements of search would not by itself vitiate the proceedings or suppress the evidence so found, but would only amount to an irregularity which must be simply another factor considered in evaluating the evidence.[10]

The extent of the imputation of the Fourth Amendment protection against unreasonable governmental interference in the Indian constitution is also uncertain. A direct imputation of the Fourth Amendment into the Indian Constitution has been disregarded by the Supreme Court.[11]Though the allusions to the Fourth Amendment have mostly been invoked on facts where unreasonable intrusions into the homes of persons were challenged, the indirect imputation of the right to privacy into the right under Article 21 of the Constitution, invoking the right to privacy as a right to non-interference and a right to live with dignity, would suggest that the considerations for privacy under the Constitution are not merely objective, or physical, but depend on the subjective facts of the situation, i.e. its effect on the right to live with dignity (analogous to the reasonable expectation of privacy test laid down in Katz).[12] Further, the court has specifically struck down provisions for search and seizure which confer particularly wide and discretionary powers on the executive without judicial scrutiny, holding that searches must be subject to the doctrine of proportionality, and that a provision probable cause to effect any search.[13] The Fourth Amendment protection against unreasonable interference in private matters by the state is a useful standard to assess privacy, since it imputes a concept of privacy as an intrinsic right as well as an instrumental one, i.e. privacy as non-interference is a good in itself, notwithstanding the rights it helps achieve, like the freedom of movement or speech.

Regarding digital privacy in particular, Indian law and policy has failed to stand up to the challenges that new technologies pose to privacy and has in fact been regressive, by engaging in surveillance of communications and by allowing governmental access to digital records of online communications (including emails, website logs, etc.) without judicial scrutiny and accountability.[14] In an age of transformative technology and of privacy being placed at a much greater risk, laws which were once deemed reasonable are now completely inadequate in guaranteeing freedom and liberty as encapsulated by the right to privacy. The disparity is even more pronounced in cases of investigation of cyber-crimes which rely almost exclusively on digital evidence, such as those substantively enumerated under the Information Technology Act, but investigated under the general procedure laid down in the Code of Criminal Procedure, which is already mentioned. The procedures for investigation of cyber-crimes and the search and seizure of digital evidence require special consideration and must be brought in line with changing norms. Although S.69 and 69B lay down provisions for investigation of certain crimes,[15] which requires search upon an order by competent authority, i.e. the Secretary to the Department of IT in the Government of India, the powers of search and seizure are also present in several other rules, such as rule 3(9) of the Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011 which allows access to information from intermediaries by a simple written order by any agency or person who are lawfully authorised for investigative, protective, cyber security or intelligence activity; or under rule 6 of the draft Reasonable Security Practices Rules, 2011 framed under Section 43A of the Information Technology Act, where any government agency may, for the prevention, detection, investigation, prosecution, and punishment of offences, obtain any personal data from an intermediate “body corporate” which stores such data. The rules framed for investigation of digital evidence, therefore, do not inspire much confidence where safeguarding privacy is concerned. In the absence of specific guidelines or amendments to the procedures of search and seizure of digital evidence, the inadequacies of applying archaic standards leads to unreasonable intrusions of individual privacy and liberties – an incongruity which requires remedy by the courts and legislature of the country.

[1]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-132_h315.pdf

[2]. http://www.supremecourt.gov/oral_arguments/argument_transcripts/13-212_86qd.pdf

[3]. In Wurie, the motion to supress was allowed, while in Riley it was denied. Also see US v Jacob Finley, US v Abel Flores-Lopez where the motion to suppress was denied.

[4]. The Fourth Amendment to the Constitution of the United States of America: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

[5]. Katz v United States, 389 U.S. 347, 352 (1967).

[6]. Stephen Saltzer, American Criminal Procedure

[7]. United States v Chan, 830 F. Supp. 531,534 (N.D. Cal. 1993).

[8]. A factor considered in US v Abel Flores-Lopez, where the court held that the search of call history in a cell phone did not constitute a sufficient infringement of privacy to require the burden of a warrant.

[9]. The decision in Smallwood v. Florida, No. SC11-1130, before the Florida Supreme Court, made such a distinction.

[10]. State Of Maharashtra v. Natwarlal Damodardas Soni, AIR 1980 SC 593; Radhakrishnan v State of UP, 1963 Supp. 1 S.C.R. 408

[11]. M.P. Sharma v Satish Chandra, AIR 1954 SC 300

[12]. Kharak Singh v State of UP, (1964) 1 SCR 332; Gobind v State of Madhya Pradesh, 1975 AIR 1378

[13]. District Registrar and Collector v. Canara Bank, AIR 2005 SC 186, which related to S.73 of the Andhra Pradesh Stamps Act which allowed ‘any person’ to enter into ‘any premises’ for the purpose of conducting a search.

[14]. S. 69 and 69B of the Information Technology (Amendment) Act, 2008.

[15]. Procedures and Safeguards for Monitoring and collecting traffic data or information rules 2009, available at http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009

For more details visit https://cis-india.org/internet-governance/blog/search-and-seizure-and-right-to-privacy-in-digital-age

Legislating for Privacy - Part II

bhairav — 2014-05-28T09:59:56Z

Apart from the conflation of commercial data protection and privacy, the right to privacy bill has ill-informed and poorly drafted provisions to regulate surveillance.

The article was published in the Hoot on May 20, 2014.

In October 2010, the Department of Personnel and Training ("DOPT") of the Ministry of Personnel, Public Grievances and Pensions released an ‘Approach Paper’ towards drafting a privacy law for India. The Approach Paper claims to be prepared by a leading Indian corporate law firm that, to the best of my knowledge, has almost no experience of criminal procedure or constitutional law. The Approach Paper resulted in the drafting of a Right to Privacy Bill, 2011 ("DOPT Bill") which, although it has suffered several leaks, has neither been published for public feedback nor sent to the Cabinet for political clearance prior to introduction in Parliament.

Approach Paper and DOPT Bill

The first article in this two-part series broadly examined the many legal facets of privacy. Notions of privacy have long informed law in common law countries and have been statutorily codified to protect bodily privacy, territorial or spatial privacy, locational privacy, and so on. These fields continue to evolve and advance; for instance, the legal imperative to protect intimate body privacy from violation has now expanded to include biometric information, and the protection given to the content of personal communications that developed over the course of the twentieth century is now expanding to encompass metadata and other ‘information about information’.

The Approach Paper suffers from several serious flaws, the largest of which is its conflation of commercial data protection and privacy. It ignores the diversity of privacy law and jurisprudence in the common law, instead concerning itself wholly with commercial data protection. This creates a false equivalency, albeit not one that cannot be rectified by re-naming the endeavour to describe commercial data protection only.

However, there are other errors. The paper claims that no right of action exists for privacy breaches between citizens inter se. This is false, the civil wrongs of nuisance, interference with enjoyment, invasion of privacy, and other similar torts and actionable claims operate to redress privacy violations. In fact, in the case of Ratan Tata v. Union of India that is currently being heard by the Supreme Court of India, at least two parties are arguing that privacy is already adequately protected by civil law. Further, the criminal offences of nuisance and defamation, amongst others, and the recently introduced crimes of stalking and voyeurism, all create rights of action for privacy violations. These measures are incomplete, – this is not contested, the premise of these articles is the need for better privacy protection law – but denying their existence is not useful.

The shortcomings of the Approach Paper are reflected in the draft legislation it resulted in. A major concern with the DOPT Bill is its amateur treatment of surveillance and interception of communications. This is inevitable for the Approach Paper does not consider this area at all although there is sustained and critical global and national attention to the issues that attend surveillance and communications privacy. For an effort to propose privacy law, this lapse is quite astonishing. The Approach Paper does not even examine if Parliament is competent to regulate surveillance, although the DOPT Bill wades into this contested turf.

Constitutionality of Interceptions

In a federal country, laws are weighed by the competence of their legislatures and struck down for overstepping their bounds. In India, the powers to legislate arise from entries that are contained in three lists in Schedule VII of the Constitution. The power to legislate in respect of intercepting communications traditionally emanates from Entry 31 of the Union List, which vests the Union – that is, Parliament and the Central Government – with the power to regulate “Posts and telegraphs; telephones, wireless, broadcasting and other like forms of communication” to the exclusion of the States. Hence, the Indian Telegraph Act, 1885, and the Indian Post Office Act, 1898, both Union laws, contain interception provisions. However, after holding the field for more than a century, the Supreme Court overturned this scheme in Bharat Shah’s case in 2008.

The case challenged the telephone interception provisions of the Maharashtra Control of Organised Crime Act, 1999 ("MCOCA"), a State law that appeared to transgress into legislative territory reserved for the Union. The Supreme Court held that Maharashtra’s interception provisions were valid and arose from powers granted to the States – that is, State Assemblies and State Governments – by Entries 1 and 2 of the State List, which deal with “public order” and “police” respectively. This cleared the way for several States to frame their own communications interception regimes in addition to Parliament’s existing laws. The question of what happens when the two regimes clash has not been answered yet. India’s federal scheme anticipates competing inconsistencies between Union and State laws, but only when these laws derive from the Concurrent List which shares legislative power. In such an event, the ‘doctrine of repugnancy’ privileges the Union law and strikes down the State law to the extent of the inconsistency.

In competitions between Union and State laws that do not arise from the Concurrent List but instead from the mutually exclusive Union and State Lists, the ‘doctrine of pith and substance’ tests the core substance of the law and traces it to one the two Lists. Hence, in a conflict, a Union law the substance of which was traceable to an entry in the State List would be struck down, and vice versa.

However, the doctrine permits incidental interferences that are not substantive. For example, as in a landmark 1946 case, a State law validly regulating moneylenders may incidentally deal with promissory notes, a Union field, since the interference is not substantive. Since surveillance is a police activity, and since “police” is a State subject, care must be taken by a Union surveillance law to remain on the pale of constitutionality by only incidentally affecting police procedure. Conversely, State surveillance laws were required to stay clear of the Union’s exclusive interception power until Bharat Shah’s case dissolved this distinction without answering the many questions it threw up.

Since the creation of the Republic, India’s federal scheme was premised on the notion that the Union and State Lists were exclusive of each other. Conceptually, the Union and the States could not have competing laws on the same subject. But Bharat Shah did just that; it located the interception power in both the Lists and did not enunciate a new doctrine to resolve their (inevitable) future conflict. This both disturbs Indian constitutional law and goes to the heart of surveillance and privacy law.

Three Principles of Interception

Apart from the important questions regarding legislative competence and constitutionality, the DOPT Bill proposed weak, ill-informed, and poorly drafted provisions to regulate surveillance and interceptions. It serves no purpose to further scrutinise the 2011 DOPT Bill. Instead, at this point, it may be constructive to set out the broad contours of a good interceptions regulation regime. Some clarity on the concepts: intercepting communications means capturing the content and metadata of oral and written communications, including letters, couriers, telephone calls, facsimiles, SMSs, internet telephony, wireless broadcasts, emails, and so on. It does not include activities such visual capturing of images, location tracking or physical surveillance; these are separate aspects of surveillance, of which interception of communications is a part.

Firstly, all interceptions of communications must be properly sanctioned. In India, under Rule 419A of the Indian Telegraph Rules, 1951, the Home Secretary – an unelected career bureaucrat, or a junior officer deputised by the Home Secretary – with even lesser accountability, authorises interceptions. In certain circumstances, even senior police officers can authorise interceptions. Copies of the interception orders are supposed to be sent to a Review Committee, consisting of three more unelected bureaucrats, for bi-monthly review. No public information exists, despite exhaustive searching, regarding the authorisers and numbers of interception orders and the appropriateness of the interceptions.

The Indian system derives from outdated United Kingdom law that also enables executive authorities to order interceptions. But, the UK has constantly revisited and revised its interception regime; its present avatar is governed by the Regulation of Investigatory Powers Act, 2000 ("RIPA") which creates a significant oversight mechanism headed by an independent commissioner, who monitors interceptions and whose reports are tabled in Parliament, and quasi-judicially scrutinised by a tribunal comprised of judges and senior independent lawyers, which hears public complaints, cancels interceptions, and awards monetary compensation. Put together, even though the current UK interceptions system is executively sanctioned, it is balanced by independent and transparent quasi-judicial authorities.

In the United States, all interceptions are judicially sanctioned because American constitutional philosophy – the separation of powers doctrine – requires state action to be checked and balanced. Hence, ordinary interceptions of criminals’ communications as also extraordinary interceptions of perceived national security threats are authorised only by judges, who are ex hypothesi independent, although, as the PRISM affairs teaches us, independence can be subverted. In comparison, India’s interception regime is incompatible with its democracy and must be overhauled to establish independent and transparent authorities to properly sanction interceptions.

Secondly, no interceptions should be sanctioned but upon ‘probable cause’. Simply described, probable cause is the standard that convinces a reasonable person of the existence of criminality necessary to warrant interception. Probable case is an American doctrine that flows from the US Constitution’s Fourth Amendment that protects the rights of people to be secure in places in which they have a reasonable expectation of privacy. There is no equivalent standard in UK law, except perhaps the common law test of reasonability that attaches to all government action that abridges individual freedoms. If a coherent ‘reasonable suspicion’ test could be coalesced from the common law, I think it would fall short of the strictness that the probable cause doctrine imposes on the executive. Therefore, the probable cause requirement is stronger than ordinary constraint of reasonability but weaker than the standard of reasonable doubt beyond which courts may convict. In this spectrum of acceptable standards, India’s current law in section 5(2) of the Indian Telegraph Act, 1885 is the weakest for it permits interceptions merely “on the occurrence of any public emergency or in the interest of public safety”, which determination is left to the “satisfaction” of a bureaucrat. And, under Rule 419A(2) of the Telegraph Rules, the only imposition on the bureaucrat when exercising this satisfaction is that the order “contain reasons” for the interception.

Thirdly, all interceptions should be warranted. This point refers not to the necessity or otherwise of the interception, but to the framework within which it should be conducted. Warrants should clearly specify the name and clear identity of the person whose communications are sought to be intercepted. The target person’s identity should be linked to the specific means of communication upon which the suspected criminal conversations take place. Therefore, if the warrant lists one person’s name but another person’s telephone number – which, because of the general ineptness of many police forces, is not uncommon – the warrant should be rejected and the interception cancelled. And, by extension, the specific telephone number, or email account, should be specified. A warrant against a person called Rahul Kumar, for instance, cannot be executed against all Rahul Kumars in the vicinity, nor also against all the telephones that the one specific Rahul Kumar uses, but only against the one specific telephone number that is used by the one specific Rahul Kumar. Warrants should also specify the duration of the interception, the officer responsible for its conduct and thereby liable for its abuse, and other safeguards. Some of these concerns were addressed in 2007 when the Telegraph Rules were amended, but not all.

A law that fails to substantially meet the standards of these principles is liable, perhaps in the not too distant future, to be read down or struck down by India’s higher judiciary. But, besides the threat of judicial review, a democratic polity must protect the freedoms and diversity of its citizens by holding itself to the highest standards of the rule of law, where the law is just.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-may-20-2014-bhairav-acharya-legislating-for-privacy

Does Size Matter? A Tale of Performing Welfare, Producing Bodies and Faking Identity

praskrishna — 2014-06-04T09:45:49Z

Malavika Jayaram gave a talk.

This was published by the website of Berkman Center for Internet and Society

Big Data doesn’t get much bigger than India’s identity project. The world’s largest biometric database - currently consisting of almost 600 million enrolled - seduces with promises of inclusion, legitimacy and visibility. By locating this techno-utopian vision within the larger surveillance state that a unique identifier facilitates, Malavika will describe the ‘welfare industrial complex’ that imagines the poor as the next emerging market. She will highlight the risks of the body as password, of implementing e-governance in a legal vacuum, and of digitization reinforcing existing inequalities. The export of technologies of control - once they have been tested on a massive population that has little agency and limited ability to withhold consent - transforms this project from a site of local activism to one with global repercussions. By offering a perspective that is somewhat different from the traditional western focus of privacy, she hopes to generate a more inclusive discourse about what it means to be autonomous and empowered in the face of paternalistic development projects. She will highlight, in particular, the varied ways in which the project is already being subverted and re-purposed, in ways that are humorous and poignant.

About Malavika

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series. Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers - one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. She is working on a PhD about the development of a privacy jurisprudence and discourse in India, viewed partly through the lens of the Indian biometric ID project.

Podcast

Watch the podcast at this link.

For more details visit https://cis-india.org/news/harvard-university-may-13-2014-does-size-matter

Civil Society Pushes for Privacy Panel

praskrishna — 2014-05-27T11:39:20Z

The article was published in the Times of India on May 6, 2014. Sunil Abraham is quoted.

Civil society organizations are pushing for a 'privacy commission' to provide protection to individuals from illegal breach of their privacy, with guidelines imposing penal sanction against the violators. This assumes significance

This assumes significance at a time when the Centre has decided to set up a judicial panel to probe the snoopgate scandal wherein the BJP government in Gujarat was allegedly involved in illegal surveillance of a woman architect and especially when the Right to Privacy Bill is pending in Parliament.

However, industry consortia, including CII and FICCI, prefer lesser regulation, though calling for a cautious approach.

Among civil society organizations pressing for a stringent privacy bill is the International Centre for Free and Open Source Software (ICFOSS), the only representative from Kerala to attend the NETmundial conference held recently in Brazil. The meet focused on privacy issues to ensure basic human rights, including freedom of expression.

NETmundial is the first step towards pushing for a privacy law against the snooping and spying on individuals by those in power, including agencies within and outside the country Privacy guidelines should be clear as to what data can be collected without infringing on the dignity of an individual as 'data' represents the duration of a call, while 'metadata' reveals the content of the caH," said ICFOSS director SatishBabu.

Bangalore-based Centre for Internet and Society (CIS), another NETmundial participant, also stands for a strong privacy law. "The two-day conference that concluded on April 24 was a baby step towards a privacy law with a road map for global internet governance. It is the first step towards a multi-stakeholder model offering an equal footing for all civil society organizations, academia, government, private sector and the UN fora," said CIS executive director Sunil Abraham

“We are pushing for a privacy law in the country aimed at national privacy regulation and constituting a privacy commission on the lines of the information commission," he added.

Click to read the full story

For more details visit https://cis-india.org/news/the-times-of-india-may-6-2014-laxmi-ajai-prasanna-civil-society-pushes-for-privacy-panel

Filtering content on the internet

chinmayi — 2014-05-06T09:33:08Z

The op-ed was published in the Hindu on May 2, 2014.

On May 5, the Supreme Court will hear Kamlesh Vaswani’s infamous anti-pornography petition again. The petition makes some rather outrageous claims. Watching pornography ‘puts the country’s security in danger’ and it is ‘worse than Hitler, worse than AIDS, cancer or any other epidemic,’ it says. This petition has been pending before the Court since February 2013, and seeks a new law that will ensure that pornography is exhaustively curbed.

Disintegrating into binaries

The petition assumes that pornography causes violence against women and children. The trouble with such a claim is that the debate disintegrates into binaries; the two positions being that pornography causes violence or that it does not. The fact remains that the causal link between violence against women and pornography is yet to be proven convincingly and remains the subject of much debate. Additionally, since the term pornography refers to a whole range of explicit content, including homosexual adult pornography, it cannot be argued that all pornography objectifies women or glamorises violent treatment of them.

Allowing even for the petitioner’s legitimate concern about violence against women, it is interesting to note that of all the remedies available, he seeks the one which is authoritarian but may not have any impact at all. Mr. Vaswani could have, instead, encouraged the state to do more toward its international obligations under the Convention on the Elimination of Discrimination against Women (CEDAW). CEDAW’s General Recommendation No. 19 is about violence against women and recommends steps to be taken to reduce violence against women. These include encouraging research on the extent, causes and effects of violence, and adopting preventive measures, such as public information and education programmes, to change attitudes concerning the roles and status of men and women.

Child pornography

Although different countries disagree about the necessity of banning adult pornography, there is general international consensus about the need to remove child pornography from the Internet. Children may be harmed in the making of pornography, and would at the very minimum have their privacy violated to an unacceptable degree. Being minors, they are not in a position to consent to the act. Each act of circulation and viewing adds to the harmful nature of child pornography. Therefore, an argument can certainly be made for the comprehensive removal of this kind of content.

Indian policy makers have been alive to this issue. The Information Technology Act (IT Act) contains a separate provision for material depicting children explicitly or obscenely, stating that those who circulate such content will be penalised. The IT Act also criminalises watching child pornography (whereas watching regular pornography is not a crime in India).

Intermediaries are obligated to take down child pornography once they have been made aware that they are hosting it. Organisations or individuals can proactively identify and report child pornography online. Other countries have tried, with reasonable success, systems using hotlines, verification of reports and co-operation of internet service providers to take down child pornography. However, these systems have also sometimes resulted in the removal of other legitimate content.

Filtering speech on the Internet

Child pornography can be blocked or removed using the IT Act, which permits the government to send lists of URLs of illegal content to internet service providers, requiring them to remove this content. Even private parties can send notices to online intermediaries informing them of illegal content and thereby making them legally accountable for such content if they do not remove it. However, none of this will be able to ensure the disappearance of child pornography from the Internet in India.

Technological solutions like filtering software that screens or blocks access to online content, whether at the state, service provider or user level, can at best make child pornography inaccessible to most people. People who are more skilled than amateurs will be able to circumvent technological barriers since these are barriers only until better technology enables circumvention.

Additionally, attempts at technological filtering usually even affect speech that is not targeted by the filtering mechanism. Therefore, any system for filtering or blocking content from the Internet needs to build in safeguards to ensure that processes designed to remove child pornography do not end up being used to remove political speech or speeches that are constitutionally protected.

In the Vaswani case, the government has correctly explained to the Supreme Court that any greater attempt to monitor pornography is not technologically feasible. It has pointed out that human monitoring of content will delay transmission of data substantially, will slow down the Internet, and will also be ineffective, since the illegal content can easily be moved to other servers in other countries.

Making intermediaries liable for the content they host will undo the safe harbour protection granted to them by the IT Act. Without it, intermediaries like Facebook will actually have to monitor all the content they host, and the resources required for such monitoring will reduce the content that makes its way online. This would seriously impact the extensiveness and diversity of content available on the Internet in India. Additionally, when demands are made for the removal of legitimate content, profit-making internet companies will be disinclined to risk litigation much in the same way as Penguin was reluctant to defend Wendy Doniger’s book.

If the Supreme Court makes the mistake of creating a positive obligation to monitor Internet content for intermediaries, it will effectively kill the Internet in India.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore)

For more details visit https://cis-india.org/internet-governance/blog/filtering-content-on-the-internet

The Embodiment of the Right to Privacy within Domestic Legislation

tanvi — 2014-09-08T02:37:39Z

The Right to Privacy is a pivotal construct, essential to the actualization of justice, fairness and equity within any democratic society. It is an instrument used to secure the boundaries of an individual’s personal space, in his interaction with not only the rest of society but also the State.

It is within this realm of the social transaction that there exists an unending conflict between the Right to Privacy of an individual and the overbearing hand of the State as a facilitator of public interest. This right thus acts as a safety valve providing individuals with a sacred space within which their interactions in their personal capacity have no bearing on their conduct in the public sphere. The preservation of this space is incredibly important in order to ensure a willingness of individuals to engage and cooperate with the State in its fulfillment of public welfare measures that would otherwise be deemed as intrusive. It is in this regard that the Right to Privacy, one of the last sustaining rights that an individual holds against a larger State interest, ought to be protected by the law.

There are numerous dimensions to the idea of the Right to Privacy. These include but are not limited to the privacy of person, privacy of communication, personal privacy, transactional privacy, privacy of information and the privacy of personal data.

The Supreme Court of India has come to the rescue of individuals, time and again by construing "Right to Privacy" as an extension of the Fundamental Right to “Protection of Life and Personal liberty” under Article 21 of the Constitution. This has been reflected in the adjudicatory jurisprudence of the Constitutional courts in the country. However, there exists no Constitutional remedy to redress the breach of privacy by a nongovernmental actor, except under tortuous liability. The power and authority of public and private institutions to use an individual’s personal data for larger interests of national security or effectuation of socio-economic policies is still under extensive scrutiny. It is in this regard that we have compiled a number of sectoral legislations, regulating domains ranging from Finance and Telecom to Healthcare, Freedom of Expression, Consumer rights and Procedural codes. The highlighted provisions under each Act pertain to the mechanisms embodied within the legislation for the regulation of privacy within their respective sectors. Through this we aim to determine the threshold for permissible collection of confidential data and regulatory surveillance, provided a sufficient need for the same has been established. The determination of such a threshold is imperative to formulating a consistent and effective regime of privacy protection in India.

Click to download the below resources:

Legislations
Master Circulars
Finance and Privacy
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

Case Laws
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

For more details visit https://cis-india.org/internet-governance/blog/the-embodiment-of-right-to-privacy-within-domestic-legislation

Round-table on User Safety on the Internet

praskrishna — 2014-05-06T09:55:07Z

Elonnai Hickok participated in this round-table meeting organized by Consumer Voice in collaboration with Google at Infantry Road, Bangalore on April 24, 2014.

Click to download the agenda.

For more details visit https://cis-india.org/news/round-table-on-user-safety-on-internet

Banking Policy Guide

Kartik Chawla — 2015-01-22T14:54:57Z

To gain a practical perspective on the existing banking practices and policies in India in this project, an empirical study of five separate and diverse banks has been conducted. The forms, policy documents, and other relevant and available documents of these banks have been analysed in this project.

These documents were obtained from the websites of the respective banks, and wherever they were lacking, from the branches of the banks themselves. Attempts were made to obtain any information required for the project that was not available on the website or in the forms from the officers of the respective banks.

The State Banks of India (hereinafter ‘SBI’), Central Bank of India (hereinafter ‘CBI’), ICICI Bank (hereinafter ‘ICICI’), IndusInd Bank (hereinafter ‘IndusInd’) and Standard Chartered Bank (hereinafter ‘SCB’) are the banks chosen for this project. As mentioned, these banks have been chosen to ensure a diverse sample pool. SBI is an Indian public multinational bank, CBI is an Indian public bank and it is not multinational, ICICI is an Indian private and multinational bank, IndusInd is an Indian private bank which isn’t multinational, and SCB is a British bank operating in India.

The forms and other documents of each of the banks have been compared against a template of twenty nine questions created from the nine principles given in Justice A.P. Shah Group of Experts’ Report on Privacy.

The two services provided by these banks that have been analysed are Opening an Account and Taking out a Personal Loan. This comparison has been done keeping in mind the obligations of the banks under the Master Circular and the KYC Norms detailed in it, Code of Conduct, and the Rules under Section 43A of the IT Act. Attempts have been made to clarify the basis of the response as much as possible. An analysis of the obligations of the banks is present below, along with an explanation of the relevance of various parts of the two services that are analysed.

Click to download:

For more details visit https://cis-india.org/internet-governance/blog/banking-policy-guide

6th Biannual Surveillance and Society Conference

praskrishna — 2014-05-05T04:57:59Z

Malavika Jayaram is a speaker at the conference organized by Eticas Research and Consulting at the University of Barcelona and CCCB from April 24 to 26, 2014.

Malavika will present on the UID and biometrics at the session on “Surveillance: Ambiguities and Uncertainties". Malavika's talk title is "Biometrics in beta: experimenting on a nation (while normalising surveillance for 1.2 billion people)" and is being held on April 26. See the full event details on this page.

In the developing world, privacy is often portrayed as a luxury, as something alien to local culture and of interest only to the elite. This ignores the probability of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The hype about ‘big data’, ‘open data’, ‘data for development’, ‘ICT4D’ and other buzzwords often ignores the fact that the global south is particularly vulnerable to data collection and processing. Literacy issues (lingual and technical), a massive digital divide, desperate socioeconomic conditions and the lack of a robust data protection law render ideas of consent or tradeoffs all but meaningless.

Techno-utopian welfare schemes present technology as progressive, neutral and frictionless – a seductive and compelling narrative in a region wracked by inequalities, corruption, lack of transparency and structural violence. This vision underpins the world’s largest biometric ID project, which has already registered the irises and fingerprints of 540 million people without even being completed. Yet the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, ignores embedded biases and normative baselines within such technologies. Welfare projects are further complicated when they are architected as public-private partnerships: the collusion of governmental and corporate agendas in creating massive databases and profiles, in a manner that transforms the citizen-state relationship in profound ways, has sweeping implications for choice, autonomy, anonymity and ultimately, democracy. This is true even when the systems function as intended, without mechanical failure, data breaches, or other consequences of trading privacy for convenience, welfare and security.

I would like to discuss the risks of using technologies such as biometrics to solve socioeconomic problems, and their potential for excluding the very demographics that they seek to include. I intend to locate my presentation in the context of India’s growing surveillance state, which deliberately intends to use the unique identification number to link disparate databases. I propose to describe the new Centralised Monitoring System, the relative legal vacuum in which data is mined and harvested, and the shaky constitutional foundations on which many of these new regimes stand. In so doing, I will effectively have provided a tour of India’s Rogue’s Gallery of recent incursions into the zone of privacy, free speech, informational self-determination and dignity. I hope also to redress in some small measure the largely western focus of academic and policy debates in this field, despite the risks of developing countries seeking to commoditize and export identity schemes, normalize censorship or opportunistically benefit from the west no longer having the moral ground to resist third country surveillance practices.

For more details visit https://cis-india.org/news/ssn-2014-sixth-biannual-surveillance-and-society-conference

South African Protection of Personal Information Act, 2013

divij — 2014-05-05T06:59:51Z

As the rapid spread of technology in developing countries allows exponentially increasing availability of and access to personal data through automatic data processing, governments are beginning to recognize the necessity to evolve policies addressing data security and privacy concerns.

The source of pressure for strict legal regulations addressing data protection are both the growing recognition of the importance of privacy rights, as well as the risk of falling behind on international standards on data protection, which would hamper the potential of developing countries as destinations for outsourcing industries which depend largely on processing of information.[1] The Protection of Personal Information Act enacted by South Africa is an example of a policy which enables a comprehensive framework for data security and privacy and is a model for other developing nations which are weighing the costs and benefits of establishing a secure data protection regime.

The South African law traces the right to protection of personal information back to Section 14 of the South African Constitution, which provides for a right against the unlawful collection, retention, dissemination and use of personal information. The law establishes strict restrictions and regulations on the processing of personal information, which includes information including relating to race, gender, sexual orientation, medical information, biometric information and personal opinion. The processing of personal information under the Act must comply with 8 principles, namely - accountability, lawful purpose for processing and processing limitation, purpose specification, information quality, openness and notice of collection, openness, reasonable security safeguards and subject participation, in line with the international standards for fair information practices.[2] The Act also recognizes ‘special personal information’, including religious or political beliefs, race, sexual orientation and trade union membership, as well as any personal information of children below the age of 18, which require stricter safeguards for processing,. Similar to the draft Indian legislation on privacy, the Act contemplates an independent regulatory mechanism, the information regulator, which would have all the necessary powers to effectively monitor compliance under the Act, including the power for punishing offences under the Act.

The Protection of Personal Information Act contains 115 Sections and is meant to be an exhaustive and heavily detailed policy to bring South Africa’s laws in line with EU and international regulations on data protection.[3] Though such progressive policies should be a model for policy changes in other developing nations, one aspect in which the law fails is to address increasing privacy concerns arising from widespread government-enabled surveillance and data retention. The POPI excludes from its application the processing of information related to national security, terrorist related activities and public safety, combating of money laundering, investigation of proof of offences, the prosecution of offenders, execution of sentences or other security measures, subject to adequate safeguards being established by the legislature for protection of personal information. Unfortunately, the ambiguous wording of the exclusions, especially in determining “adequate safeguards”, leaves its interpretation and application open for governments to engage in mass surveillance in the name of public security. Over the past few years, governments have taken to using technology and information, particularly through mass surveillance, to collect comprehensive information on their citizens and violate their liberties and privacy. In India, particularly with programs like the Central Monitoring System being implemented, any policy which purportedly aims at the protection of privacy must not only seek bare minimal compliances with the current international standards for data protection, but should also address the mass, unrestricted surveillance and data retention which is taking place in the name of public security.

Developing nations like South Africa and India face significant challenges in ensuring individual privacy, particularly the lack of sufficient legal safeguards for the protection of privacy. The right to privacy is often dismissed as an elitist or western concept, which does not have value in the context of developing nations, without engaging with the realities and the nuances of the right. Further, the costs of expensive technical safeguards means private and public bodies are required to spend significant resources in maintaining data security and these factors often outweigh privacy considerations in policy debates. The South African Act, hence, serves both as an important model for legislation and as an indication that the right to privacy is valuable to recognize in developing countries as well.

[1]. Article 25 of the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC) prohibits the transfer of data to non-member states which do not comply with adequate data protection norms.

[2]. http://oecdprivacy.org/

[3]. Link to Act: www.gov.za/documents/download.php?f=204368

For more details visit https://cis-india.org/internet-governance/blog/south-african-protection-personal-information-act-2013