Centre for Internet and Society

Court’s approval needed to tap phones: Panel

praskrishna — 2012-10-22T07:02:34Z

Investigators can monitor a person for 15-20 days on executive orders in case of emergencies, suggests panel.

Surabhi Agarwal's article was published in LiveMint on October 18, 2012. Sunil Abraham is quoted.

Government agencies need judicial permission before intercepting any communication or starting surveillance of any individual, a panel on the proposed privacy law suggested on Thursday.

If there is any urgency, investigators can tap phones or monitor a person’s movements for 15-20 days on executive orders but will then have to approach the courts to continue, the committee led by retired Delhi high court judge Ajit P. Shah recommended.

“Phone tapping under the present regime is done under executive permission whereas in other countries it is done only with the permission of the courts,” Shah said.

Security agencies currently require permission from home secretaries, either at the Centre or the states, to set up wiretaps or monitor emails. An oversight group of the cabinet, law and telecom secretaries at the Centre reviews all such authorizations.

	The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies. Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles. The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies.

Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles.

The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The Shah panel has recommended appointing privacy commissioners and a system under which organizations will have to develop privacy standards that will be approved by a commissioner as a means of self-regulation.

Sectoral industry associations would form a code of conduct for companies that will comply with law as they will be approved by the privacy commissioner, according to Kamlesh Bajaj, chief executive officer of Data Security Council of India, one of the members of the committee. “These associations could also act as alternative dispute-resolution mechanisms,” Bajaj said.

The committee’s other recommendations include giving individuals a choice to provide personal information, collection of only critical personal information, use of data only for the purpose for which it has been collected, and a penalty for violations.

“Without a comprehensive horizontal regulatory framework and the office of the regulator both private and public entities in India have been trampling on the rights of citizens without complying to any of the international best practices when it comes to protecting the right to privacy,” said Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore-based advocacy group. After the privacy law is enacted and the office of a privacy commissioner is created, people will be able to seek redressal against these erring pubic and private entities if their rights are violated, he added.

The government has been looking to enact a privacy law to ensure data collected by various programmes such as the National Population Register, Unique Identification Authority of India and National Intelligence Grid was not misused. It was expected to scotch criticism of these programmes by privacy and Internet activists. It later expanded the scope of the proposed legislation after catching flak for a leak of tapped conversations between corporate lobbyist Niira Radia, industrialists and journalists.

The government now aims to uphold the right of all Indians against any misuse of personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication. That means it effectively covers everything from the misuse of data collected by the government to spam.

However, there could be opposition from law enforcement agencies if the privacy law mandates that prior permission of the courts will be required before intercepting communication.

If judges begin taking a call on interception requests, there could be chances of leakage, “since there are so many judges at so many levels”, said Rumel Dahiya, deputy director general at Institute of Defence Studies and Analyses, a New delhi-based think tank. “The government carries out surveillance to gain fool-proof intelligence. That purpose will be defeated.”

Last week, Prime Minister Manmohan Singh said a fine balance needs to be maintained between the right to information and the right to privacy.

The Shah committee included representatives from the private sector, the department of information technology, ministry of home affairs, department of telecommunication, the law ministry and the department of personnel and training.

Kirthi V. Rao contributed to this story.

For more details visit https://cis-india.org/news/livemint-october-18-2012-surabhi-agarwal-courts-approval-needed-to-tap-phones

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit https://cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon

Counter Comments on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

amber — 2017-11-23T14:29:06Z

The Centre for Internet & Society (CIS) has commented on the Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in three main parts. The first part 'Preliminary' introduces the document. The second part 'About CIS' is an overview of the organization. The third part contains the 'Counter Comments' on the Consultation Paper taking into account the submission made by other stakeholders.

Download the full submission here

For more details visit https://cis-india.org/internet-governance/blog/counter-comments-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector

Could better DNA testing facilities in India have saved the Talwars?

praskrishna — 2012-10-11T09:44:30Z

Over the last decade, the use of DNA tests to solve crimes has seen a significant rise in crime investigation in India. But forensic experts warn that the absence of standard practices, quality checks and regulation has resulted in irresponsible and inaccurate application of the technology.

This article by Pallavi Polanki was originally published in FirstPost on October 11, 2012. CIS press statement is mentioned.

The use of outdated technology and lack of expertise to competently collect and analyse DNA samples from the crime scene has compromised investigation and led to instances where courts have rejected DNA evidence as being unreliable or inconclusive.

Says GV Rao, DNA analyst and formerly chief staff scientist at the Hyderabad-based Centre For DNA Fingerprinting and Diagnostics (CDFD), “Today we are very much behind the rest of the World in upgradation of technology as required…Further, the backlog of cases is quite large in each of the DNA labs in India and not much is being done about it. Still we have not obtained or adopted the DNA techniques to identify difficult samples. The recent example of Bhanwari Devi case, where the CBI had to send the victim’s bones to FBI, USA for identification to get it identified. This is a sad reflection of the present status of DNA technology in India.”

Most recently, the demand for more advanced DNA tests to be conducted was unsuccessfully made by dentist couple Rajesh and Nupur Talwar, who have been charged with the murder of their teenage daughter Aarushi and domestic help Hemraj.

Perhaps, no other case has so fully exposed the pathetic state of the crime-scene investigation in India. With most of the crucial evidence either destroyed or contaminated due to shoddy police work, the prosecution’s case has come to depend entirely on circumstantial evidence, without a shred of material evidence to support it.

The police force’s lack of expertise to collect DNA evidence was flagged recently by senior scientist at the All India Institute of Medical Sciences (AIIMS) Anupama Raina at a public meeting by the Bangalore-based Centre for Internet and Society on the DNA profiling Bill, in the Capital.

Raina, speaking at the meeting, emphasized the usefulness of the technology but cautioned that the police were still perfecting the use of DNA samples for forensic purposes.

Elaborating on the inadequate training to cops on collecting DNA evidence, Rao said, “In India, there are no special crime case investigators. We have a law and order police station for each area and from bandobast duty to control crowds. It is a tall order expecting them to collect samples. In some states there are special teams which collect samples for DNA testing and then hand it over to the police….Till date none of the DNA labs have made any sample collection kits made available to police stations or other agencies.”

And what after the samples reach the DNA labs?

Painting a rather bleak picture of existing conditions under which many of the DNA labs are operating, Rao says “There is lack of standards, guidelines, accreditation, proficiency testing of the DNA labs and its experts. Each DNA lab is issuing DNA reports in its own style. Each DNA lab is again following different procedures for conducting the test. ”

“No proper records of the tests conducted are being maintained for production in a court of law for its inspection. DNA experts are not being tested for their proficiency in their expertise by a third party and presently they are getting away with such minimal expertise,” he said.

Will the new draft DNA Profiling Bill fix the problems that beset the use of DNA evidence for forensic purposes in India? And what is the context to the draft DNA profiling bill?

“India currently does not have a legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was been leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.” (Read the full press statement by CIS here)

Raina endorsed the passing of the bill but with necessary safe-guards. The Bill has raised a degree of alarm for its sweeping proposals to collect DNA profiles and create DNA databases – a move experts believe violates the privacy of citizens.

Helen Wallace, director of GeneWatch UK (a not-for-profit group that monitors developments in genetic technologies from a public interest perspective), who participated in the public meeting on the DNA profiling bill, underlined the absence of a clear purpose for the DNA profiling system as proposed by the bill and its lack of clarity on the collection policy that wishes to profile not just those involved in criminal cases but also civil cases.

Jeremy Gruber, president and executive director of the US-based Council for Responsible Genetics, also warned against the bill’s blind faith in DNA results as the gospel truth and ignoring very real possibilities of false matches, cross-contamination and laboratory errors.

Expressing his disappointment with the draft bill, Rao said, “Unfortunately this bill does not provide for standardization, quality control and regulation except for collection of DNA samples of everybody involved in all civil and criminal cases, including suspects… We need standards, protocols, guidelines, amendments to IPC and CrPC for effective implementation of DNA testing.”

For more details visit https://cis-india.org/news/first-post-pallavi-polanki-oct-11-2012-could-better-dna-testing-facilities-in-india-have-saved-the-talwars

Cos spying on competitors, staff: Study

praskrishna — 2012-06-20T08:46:38Z

Most companies are spying on their competitors and their own employees, according to a recent survey conducted by the Associated Chambers of Commerce and Industry of India (Assocham).

The Statesman published this article on June 19, 2012. Sunil Abraham is quoted in it.

The survey's results raise questions about whether employees have enough privacy in the workplace. Rubbishing the survey's findings, head of the Indian Council of Corporate Investigators, Mr Kunwar Vikram Singh, said businesses are not spying but verifying facts.

The Assocham survey said almost 1,200 of 1,500 executives surveyed admitted to hiring people to spy on their employees and monitor their lifestyles. They said they watch former employees, too, especially those who had been laid off or kicked out for fraud.

In the survey, which was done between January and May this year in Ahmedabad, Bangalore, Chennai, the Delhi-National Capital Region and Mumbai, about 900 top industry officials said they carry out corporate espionage, bug the offices of their rivals and plant moles in other companies. About a quarter of respondents said they have hired computer experts to hack networks and track e-mails of their rivals.

Many more respondents — 1,110 of those questioned — said they use social media sites to track their rival companies and employees. “Most of the companies have mentioned their sensitive details including their data, plans, clients’ details, products and other confidential and trade-related secrets on their page and unknowingly share the same in the social media circuit,” said Mr DS Rawat, national secretary-general of Assocham, “which is why it is the most favoured spying activity being carried out by the companies.”

The practice of companies pilfering trade secrets and ideas may be bad for the country's business environment, said Mr Rawat. It “might dampen the spirit of innovation in the long-run,” he said.

The Indian Council of Corporate Investigators’ Mr Singh, however, disputed Assocham's picture of rampant corporate espionage. “I totally deny that corporates are spying on their employees,” he said. “It is not spying. It is verification of facts.”

Mr Singh said that when companies look into their employees or other companies, for example, before they enter into joint ventures, they are just carrying out “due diligence”. He said they legally gather information needed for companies to survive. He also denied there were any privacy issues.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, though, said there are growing concerns about privacy in the workplace, including about intense video surveillance. “Managers started to object to this,” he said. “What they started saying was it really undermines the morale of these locations ... friends and relatives would ask, 'In spite of you being so educated, it's funny your companies don't trust you at all.'”

Companies need to develop more nuanced ways to deal with these problems — perhaps something more similar to the military's multiple levels of clearance — and different ways for people to acquire and lose trust, Mr Abraham said.

Whether or not surveillance is legal, depends on the type, Mr Abraham said. There is some private information a person will expect to remain private, and some information that is expected to be public — like Twitter feeds.

There is no law against monitoring this second type, known as “clear view surveillance”, he said, and blanket legislation could clash with freedom of expression. He said an ideal law for this should include a “proportional relation to power” clause, which would limit the legal ability of the powerful to monitor, but allow individual citizens more leeway.

For more details visit https://cis-india.org/news/co-spying-on-competitors-staff

Copyright Enforcement and Privacy in India

Prashant Iyengar — 2012-12-14T10:27:12Z

Copyright can function contradictorily, as both the vehicle for the preservation of privacy as well as its abuse, writes Prashant Iyengar. The research examines the various ways in which privacy has been implicated in the shifting terrain of copyright enforcement in India and concludes by examining the notion of the private that emerges from a tapestry view of the relevant sections of Copyright Act.

Introduction

Copyright can function contradictorily, as both the vehicle for the preservation of privacy as well as its abuse. This paper examines the various ways in which privacy has been implicated in the shifting terrain of copyright enforcement in India. Chiefly, there are three kinds of situations that we will be discussing here: The first is straightforward and deals with the physical privacy intrusion caused by the execution of search and seizure orders during the investigation of infringement. The second situation involves the violation of privacy through the misappropriation of confidential information. The last situation involves the wrongful appropriation of a person’s persona or their ‘publicity’ – the photographs of celebrities, for instance – for private gain. Instances of each of these situations, and the manner in which the courts have negotiated the privacy claims that have arisen are described in the sections that follow. In addition, Copyright law, dealing as it does mainly with offences of the nature of unauthorised publicity/publication putatively inscribes certain spaces and activities as either public or private. The concluding section of this paper examines the notion of the private that emerges from a tapestry view of various sections of the Copyright Act.

Copyright Enforcement

Context setting

Over the past several decades there has been an increasing awareness globally – and within India – of the importance of 'knowledge societies' which, in contrast to earlier industrial or agrarian societies, leverage 'information' as the key raw material and output of a range of productive activity. As one UNESCO Report puts it "Knowledge is today recognized as the object of huge economic, political and cultural stakes"[1].

In this new paradigm, investment in Information and Communications Technology (ICT), the enactment of strong Intellectual Property laws, and their strict enforcement are prescribed as imperative in facilitating the transition away from the older economic modes. The promise of the knowledge society is particularly alluring for developing countries, like India, where it is viewed as a vehicle for achieving what Ravi Sundaram has termed 'temporally-accelerative' development[2], through which we would be able to transcend our "historical disabilities", and achieve parity with the incumbent masters of the world. [3]

In their eagerness to provide the best supportive conditions to usher in this coveted knowledge society, nations have been tightening their Intellectual Property regimes – including copyright law. This has entailed a two fold expansion, firstly, in the scope of copyright to include, for instance, ‘technological protection measures’ within their ambit and secondly, in the powers of investigation, search and seizure put at the disposal enforcement agencies. In addition, as we shall see, courts in India have enthusiastically bought into this vision of a knowledge economy, and this has fuelled their eagerness to craft innovative – if legally unsound – orders which put tremendously intrusive powers in the hands of copyright owners. Taken together, these developments have taken their toll on the privacy of individuals which this section will explore in further detail. We begin with a brief description of the statutory mechanism for copyright enforcement – both civil and criminal - under the Copyright Act. We then move on to the way courts have crafted new orders that magnify the powers of copyright owners to the detriment of the privacy of individuals.

Civil and Criminal Enforcement under the Copyright Act

The Copyright Act provides for both civil and criminal remedies for infringement. Section 55 provides for civil remedies and declares that, upon infringement, "the owner of the copyright shall be entitled to all such remedies by way of injunction, damages, accounts and otherwise as are or may be conferred by law for the infringement of a right." Civil suits are instituted at the appropriate district court having jurisdiction – including where the plaintiff resides.

Similarly, Chapter XIII (Sections 63-70) provides a range of criminal penalties for infringing copyrights which are typically punishable with terms of imprisonment that “may extend up to three years” along with a fine. These offences would be taken cognizance of and tried at the court of the Metropolitan Magistrate or Judicial Magistrate of the First class [Sec 70], in the same manner as all cognizable offences[4] in India i.e., by following the procedures under the Code of Criminal Procedure, 1973. Section 64 of the Copyright Act dealing with police powers was amended in 1984 to give plenary powers to police officers, of the rank of a sub-inspector and above, to seize without warrant all infringing copies of works “if he is satisfied” that an offence of infringement under section 63, “has been, is being, or is likely to be, committed”. Prior to amendment, this power could only be exercised by a police officer when the matter had already been taken cognizance of by a Magistrate. Prima facie, this is a very sweeping power since its exercise is unsupervised by the judiciary and only depends on the “satisfaction” of a police officer. To put matters in perspective, under the Income Tax Act, dealing with the far more sensitive issue of tax evasion, a search and seizure can only be conducted based on information already in the possession of the investigating authority.[5]

In Girish Gandhi & Ors. v Union of India[6], a case before the Rajasthan High Court, the petitioner, who ran a video cassette rental business, challenged the constitutional validity of the wide powers granted to police officers under this section. Citing various instances of violations of privacy that the abuse of the section could occasion, the petitioner contended:

"The provisions of section 64 itself gives arbitrary and naked powers without any guidelines to the police officer to seize any material from the shop and thus, drag the video owners to the litigation. He has given instances in the petition that police officer usually demands for video cassettes to be given to them free of charge for viewing it at their homes and in case, on any reason either the video cassette is not available or it is not given free of charge, there is likelihood that police officer shall misuse his powers and try to seize the material for prosecution under the various provisions of the Act."

Although the High Court dismissed the petition on the grounds that it did not disclose any actual injury to the petitioner, it upheld the constitutionality of the section by reading the word "satisfaction" to mean that the "police officer will not act until and unless he has got some type of information on which information he is satisfied and his satisfaction shall be objective."

[Section 64] is also not arbitrary for the reason that guidelines and safeguards are provided under Sections 51, 52 and 52A and Section 64(2) of the Copyright Act, coupled with the fact that it is expected of the police officer that he would not act arbitrarily and his satisfaction shall always based on some material or knowledge and he shall only proceed for action under Section 64 in a bona fide manner and not for making a roving inquiry. (emphasis added)

Despite the pious hopes expressed in this decision, they do not appear to have influenced the actual behaviour of police officers. In May 2011, the Delhi High Court struck down a notification issued by the Commissioner of Police which had instructed all subordinate functionaries of the police to "attend to and provide assistance" whenever any complaint "in respect of violation of the provisions of Copyright Act, 1957" was received from three companies: Super Cassettes Industries Limited, Phonographic Performance Ltd and Indian Performance Right Society Ltd. This virtually amounted to the commandeering of the criminal enforcement system by a few private owners for their own private interests. In their suit, the petitioner — Event and Entertainment Management Association — had contended that the police machinery "cannot be made to act at the behest of certain privileged copyright owners". Striking the notification down, as unconstitutional, Justice Muralidhar of the Delhi High Court held:

"To the extent the impugned circular privileges the complaints from SCIL over other complaints from owners of copyright it is unsustainable in law for the simple reason that there has to be equal protection of the law in terms of Article 14 of the Constitution. The police are not expected to act differently depending on who the complainant is. All complaints under the Act require the same seriousness of response and the promptitude with which the police will take action, Likewise, the caution that the Police is required to exercise by making a preliminary inquiry and satisfying itself that prima facie there is an infringement of copyright will be no different as regards the complaints or information received under the Act[7]."

The Judge also issued some welcome remarks on the manner in which complaints under Section 64 were to be handled:

In order that the power to seize in terms of Section 64 of the Act is not exercised in an arbitrary and whimsical manner, it has to be hedged in with certain implied safeguards that constitute a check on such power. Consequently, prior to exercising the power of seizure under Section 64(1) of the Act the Police officer concerned has to necessarily be prima facie satisfied that there is an infringement of copyright in the manner complained of. In other words, merely on the receipt of the information or a complaint from the owner of a copyright about the infringement of the copyrighted work, the Police is not expected to straightway effect seizure. Section 52 of the Act enables the person against whom such complaint is made to show that one or more of the circumstances outlined in that provision exists and that therefore there is no infringement. During the preliminary inquiry by the Police, if such a defence is taken by the person against whom the complaint is made it will be incumbent on the Police to prima facie be satisfied that such defence is untenable before proceeding further with the seizure.(emphasis added)[8]

This decision significantly tempers the severity of possible searches and seizures conducted by the police under Copyright Law. It advances the cause of privacy by reining in the power of the state to arbitrarily intrude on citizens.

Parallel to the attempt at ‘hedging in’ of police powers in criminal enforcement by this High court, there has been a move to expand powers of investigative bodies in civil suits. The next sub-section looks at two innovations by courts – Anton Piller Orders and John Doe orders – which are mechanisms unwarranted by civil procedural law, but crafted by high courts specifically to deal with copyright investigation.

'Anton Piller' orders and 'John Doe' Orders

In addition to the extensive police powers under the Copyright Act mentioned above, plaintiffs have other, equally intrusive powers at their disposal. In the past decade it has become common for copyright owners and owners-associations to employ civil procedure to emulate the same kind of invasiveness. This is done via the mechanism of so-called ‘Anton Piller’ orders - orders obtained unilaterally ‘ex-parte’ (in the absence of the defendant) from civil courts which permit court-appointed officers, accompanied by representatives of the plaintiffs themselves, to search premises and seize evidence without prior warning to the defendant. Frequently, courts have also issued ‘John Doe’ orders[9] –orders to search and seize against unnamed/unknown defendants - which virtually translates into untrammelled powers in the hands of the plaintiffs, aided by court-appointed local commissioners, to raid any premises they set their eyes on.

Although the authority of the courts under Indian law to grant these orders is suspect[10], they have virtually been regularized in practice over the past decade through routine issual by the High Courts, especially the Delhi High Court. This has led to a widespread phenomenon of powerful copyright owning groups such as the Business Software Alliance and the Indian Performing Right Society Limited managing to successfully assume for themselves almost plenary powers of search and seizure as they go about knocking on the doors of small businesses and demanding to be allowed to audit their software. An anonymous post on the popular Indian Intellectual Property Weblog ‘Spicy IP’ graphically conveys the invasiveness inherent in the execution of these orders:

Ghost Post on IP (Software) Raids: Court Sponsored Extortion?[11]

Picture this:

You are working in your office one day, when all of a sudden, a group of people arrive unannounced brandishing a court order. The order allows them to walk into your office and conduct an audit of all your office computers to collect evidence of the use of unlicensed software in your office.

This group consists of a court-appointed commissioner, lawyers representing the plaintiff, and technical persons who will carry out the actual software audit.

Knowing that to disobey the order will amount to a contempt of court, you allow the group to carry out the audit.

The audit lasts several hours and continues well into the night. Needless to say, it is physically and emotionally draining on you as your work has come to a stand-still. Everyone around you knows there is some court proceeding going on. You have already lost face with your employees, and possibly even clients who have visited your office during the audit.

As you have several dozen computers purchased over a period of time, and the audit is conducted unannounced, you may not have the time to gather documentation and invoices demonstrating the purchase of licensed software.

While the court order allows you to back up your valuable client and business data, the plaintiff’s lawyers don’t allow you to do so, stating that documents/ data found on machines that contain any unlicensed software may not be backed up.

All computers found with copies of what the plaintiff’s lawyers are calling unlicensed software are seized and sealed. You do not have the time, presence of mind or legal representation to argue that such copies may be backup copies allowed under the law, or that therefore several, or all of the seized machines are not liable to be seized, or that such copies are actually allowed under the software license.

Even more importantly, your licensed servers are seized because they are found to contain back-up copies of software, allowed under the law, but deemed infringing by the plaintiff’s lawyers.

At the end of the audit, you are informed that your computers contain copies of unlicensed software to varying degrees. You are made to sign a report prepared by the commissioner, along with sheets that represent the software audit of each computer in your office.

Most of your computers and servers are seized and sealed. You are told that you cannot touch them till the court allows you to. You are not even allowed to separate the hard drives of those machines that contain the alleged unlicensed software, for the purpose of seizure, so as to enable you to continue using the rest of the machine, even though the court order clearly states that only storage media containing the unlicensed software is to be seized.

In a 2008 case, Autodesk Inc vs. AVT Shankardass[12], the Delhi High Court – which happens to be the most enthusiastic issuer of Anton Piller orders[13] –issued guidelines on the considerations which judges should weigh before granting such orders in software piracy cases. Worryingly, the guidelines stipulate that "The test of reasonable and credible information regarding the existence of pirated software or incriminating evidence should not be subjected to strict proof". Instead the court prescribes that "It has to be tested on the touchstone of pragmatism and the natural and normal course of conduct and practice in trade."

The Court also included a few guidelines meant to safeguard the defendant. These include the possibility of requiring the plaintiff to deposit costs in the court "so that in case pirated software or incriminating evidence is not found then the defendant can be suitably compensated for the obtrusion in his work or privacy." Although on the face of it, these guidelines threatened to open up the floodgates for the granting of Anton Pillar orders, in fact, these fears seem not to have been realized. The privacy-invasive ambitions of IP owners have been subverted by a combination of the security requirements stipulated in the Autodesk guidelines above, the judiciary’s own inefficiency/inconsistency and a greater assertiveness and defiance on the part of defendants. The following passage from the 2011 Special 301 India Country Report on Copyright Protection and Enforcement[14], prepared by the IIPA, records the industry’s frustrations in obtaining Anton Pillar orders from the courts over the past year:

Unfortunately, in 2010, such enforcement efforts have become much less effective due to judges imposing conditions on such orders.

With periodic changes to the roster of judges on the Original Side Jurisdiction of the Delhi High Court (which is done as a matter of routine and procedure where the roster changes every 6 months), BSA reports: 1) the imposition of security costs on Plaintiffs; 2) the grant of local commission orders without orders to seize and seal computer systems containing pirated/unlicensed software; 3) granting the right to Defendants to obtain back up copies of their proprietary data while at the same time ensuring that the evidence of infringement is preserved in electronic form; 4) assigning a low number of technical experts for large inspections, making carrying out orders more time-consuming and raising court commissioners’ fees; and 5) ineffective implementation and lack of deterrence from contempt proceedings against defendants who disrupt or defy Anton Pillar orders.[15]

Notwithstanding this temporary setback, Anton Piller orders and John Doe orders remain powerful weapons in the arsenal of large copyright owners who continue to use it in ways that are extremely intrusive. These orders exemplify an instance of how courts rarely reflect on the privacy implications of the orders that they themselves issue –similar action undertaken by the executive would have most likely invited the court’s consideration on whether they violate privacy.

In the next section we move on to private ‘technological’ measures of enforcing copyright which are likely to receive statutory sanction.

Technological Measures

In the light of the industry’s perception of a weakening of its enforcement options due to the judiciary’s waning enthusiasm, it remains to be seen what new manoeuvres they would make to strengthen enforcement. One foreseeable arena of conflict would be the new measures proposed to be included in the Copyright Act that criminalise the circumvention of ‘technological protection measures’ (TPMs) built into software by manufacturers. The proposed new Section 65A criminalises the circumvention of “an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act," "with the intention of infringing such rights”. This is punishable with imprisonment up to two years and a fine. However the section also creates a vast list of exceptions including research, testing, national security etc which make it a comparatively soft tool in the hands of prosecutors. Among the list of exceptions is a clause that enables the circumvention of TPMs in order to facilitate purposes that are 'not expressly prohibited' – including, conceivably, to exercise fair dealing rights under Section 52. Although this is a welcome provision, it requires, as a condition of its exercise, that the person ‘facilitating the circumvention’ maintain a record of the persons for whose benefit this has been done. This has led to apprehensions of violations of privacy especially from disability rights groups, who would potentially be the biggest users of this section as it would enable them to make electronic content more widely accessible. However, the lawful exercise of this right would mean that each instance of use of electronic content – say an e-book – by a disabled person would be recorded, which could deter them from accessing content. It would also clearly amount to a violation of their privacy compared to other analog users who are not required to similarly maintain logs each time they share books, for instance.

On the whole, despite the effect these measures have of diminishing absolute control over our electronic resources, the fact that the IIPA - which has been one the most rapid ‘defenders’ of IP - has consistently complained about their inadequacy in its Special 301 Reports[16] gives us some cause for optimism that the privacy invasions it could occasion would not be too severe.

Meanwhile, in a first of its kind, in 2005 the High Court of Andhra Pradesh permitted the prosecution, under the Copyright Act, of persons accused of having circumvented technological protection measures in mobile devices.

In Syed Asifuddin and Ors. v The State of Andhra Pradesh [17] the accused had altered the software on the mobile handsets provided by one service provider (Reliance), so that the same handset could be used to access the network of a rival provider (Tata Indicom). The Court observed that "if a person alters computer programme of another person or another computer company, the same would be infringement of the copyright." The matter was then relegated to the trial court to receive evidence on whether in fact such alteration had occurred.

This ruling, if correct, effectively negates the need for any amendment to the law since circumvention of technological measures typically involves an unauthorized alteration of copyrighted code. Of course it would always be open to the defendant to assert his fair dealing rights in defence, but that issue was not deliberated upon by the High Court in this instance.

Portents

With the terrain of copyright infringement increasingly shifting from ‘street piracy’ to online piracy, it remains to be seen how innovations in copyright enforcement impact privacy. Three events are particularly interesting in this context.

In August 2007, a techie from Bangalore was arrested on charges of having posted incendiary images of a popular folk hero on a website. He had been traced based on the IP Address details provided by a leading ISP. It later turned out that the IP address information was incorrect. By the time the error was noticed, he had already been held in jail illegally for a period of 50 days.[19] Shocking as this incident is, it offers a portent of the gravity of the possible privacy abuses that we are likely to witness in the years to come as copyright owners begin to hunt down infringers on the Internet.
In 2006, the Delhi High Court the pioneer among the Indian Judiciary in issuing John Doe orders added another feather to its cap by permitting the filing of a suit against an IP address. In a case of defamation by email from an unknown sender, a company was able to successfully file a suit against the IP address and obtain an order against the ISP to track down the user who was later impleaded as a party to the suit. This case and the growing number of John Doe orders issued, indicates that the judiciary in India has been quite willing to partner with litigants in their fishing expeditions. While it cannot be gainsaid that this has aided the legitimate interests of litigants, this has come at the price of a callous disregard for the interests of consumer privacy in India, which, as the incident described above highlights, could easily descend into a full blown human rights violation.
With the arrest in November 2010 of a four-member gang from Hyderabad for uploading media content – including popular film titles - on Bittorrent, the popular online file sharing tool, the industry has signalled its capacity and willingness to take the battle over copyright to the Internet.[20] New rules notified under the Information Technology Act make it mandatory for 'intermediaries' (ISPs) to co-operate in locating and removing ‘infringing content’ that is stored or transmitted by them.[21] This will facilitate untrammelled access to users by copyright industries.

Although it is too early to predict the future for the Internet that these developments will result in, they are definitely a source of apprehension from the perspective of privacy.

Copyright and Confidential Information

Although the protection of 'confidential information' and 'copyright' occupy distinct realms in the law[22], they converge occasionally, and copyright has been used as an instrument by people and organisations to protect their confidential information. In fact it has become quite routine for written pleadings by plaintiffs in cases to assert the omnibus infringement of their ‘copyrights, confidential information, trade secrets, trademarks designs etc’ without specifying which of the claims is urged. For instance in Mr. M. Sivasamy v M/S. Vestergaard Frandsen[23] a case before the Delhi High Court, the plaintiffs claimed that. "Defendants are violating the trade secrets, confidential information and copyrights of the plaintiffs.”; Similarly in Dietrich Engineering Consultant v Schist India & Ors , before the Bombay High Court, the plaintiffs contended"..the suit is filed to prevent unauthorized and illegal use of the plaintiffs confidential information and infringement of the 1st plaintiffs Copyright".[24]

In one of the earliest cases of this kind, Zee Telefilms Ltd. v Sundial Communications Pvt. Ltd, the Bombay High Court delivered a ruling in favour of the plaintiffs on both grounds of copyright infringement and confidential information. Here the employees of the plaintiffs – a company engaged in the business of producing television serials - had developed the concept for a program which they had registered with the Film Writers Association. Subsequently, they made a confidential pitch of the concept to the representatives of the defendants, a well known TV channel. Although initially the defendants appeared reluctant to take the concept forward, they proceeded later on, without the authorization of the plaintiffs, to produce a TV serial that closely mirrored the ideas contained in the show conceived by the plaintiff. In an action seeking to restrain the defendants from proceeding with their production, the High Court agreed with the plaintiff’s claims both on the count of copyright infringement and confidentiality. Curiously, the determination of both issues turned on the similarities between the plaintiff’s and defendant’s concepts – which is traditionally a determination relevant only to copyright cases. On the issue of confidentiality, the court held "Keeping in view numerous striking similarities in two works and in the light of the material produced on record, it is impossible to accept that the similarities in two works were mere coincidence...the plaintiffs' business prospect and their goodwill would seriously suffer if the confidential information of this kind was allowed to be used against them in competition with them by the defendants."

Although a clear line is demarcated between the claims of confidentiality and copyright in this case, this distinction is less sharp in other cases of the same nature.

In a more recent case Diljeet Titus, Advocate v Mr. Alfred A. Adebare & Ors[25] four associates of the plaintiff’s law firm quit together to start their own practice. While leaving they took documents they had drafted including agreements, due diligence reports and a list of clients along with them. The plaintiff filed a suit for injunction, asserting both that this material was confidential and that he owned the copyrights over them. The Delhi High Court agreed and issued an injunction restraining the defendants from “utilizing the material of the plaintiff forming subject matter of the suit and from disseminating or otherwise exploiting the same including the data for their own benefit.” What is interesting in this case is the conflation of confidentiality and copyright – both in the allegations of the plaintiff and the rebuttals of the defendant who sought to resist claims of confidentialty on grounds that they had themselves authored the papers in question.

Curiously, where copyright and confidentiality claims coincide, it would appear that the parameters of determining copyright infringement end up determining the issue of confidentiality as well.

In the next section we move on to the last copyright/privacy issue that we had flagged in the introduction – the invocation of copyright in aid of the ‘right to publicity’ of individuals which can be read as a kind of privacy claim.

Copyright and Publicity

Do we have a copyright over our identities – our names, our appearances, our life histories, our reputation and our bodies - so that we have an actionable interest in preventing their deployment in public without our express authorization?

This question has arisen in a limited set of cases in India that raise interesting questions. As with the confidentiality cases discussed above, the lines separating ‘defamation’ actions from ‘copyright’ claims is not brightly drawn in these cases. Neither is the line linking copyright to the protection of privacy clearly evident. All one can say with confidence is that copyright and privacy are two words tossed into the plaints by the plaintiffs while asserting their claims.

In one of the most high-profile cases of its kind, Phoolan Devi v Shekhar Kapoor[26] the Delhi High Court was faced with the question of whether ‘public figures’ are entitled to any degree of control over the representation of their lives. Here the petitioner, Phoolan Devi, a reformed bandit, had 'licensed'[27] the production of a biopic on her life to the defendant, a film director of note, who was to consult the plaintiff’s own writings and those of her authorised biographer in making the film. However, the defendant – the director of the biopic – had exceeded this mandate and also depicted incidents that emerged from various newspaper accounts – including a graphic gang rape scene where the plaintiff was the victim, and a massacre which she had allegedly orchestrated. Although generally well-known, neither of these incidents were either admitted to by the plaintiff herself or mentioned in the plaintiff’s own writings and those of her biographer. Even worse, the film had not been shown to her even several months after it had been released to national and international audiences.[28] In Arundhati Roy’s moving words the producers of the film “[R]e-invent her life. Her loves. Her rapes. They implicate her in the murder of twenty-two men that she denies having committed. Then they try to slither out of showing her the film!”[29]

One of the contentions that the petitioner’s advocate had advanced was that the defendant had no right “to mutilate or distort the facts as based upon prison diaries” and that any such distortion would fall afoul of her right under Sec 57 of the Indian Copyright Act. This section confers certain ‘special rights’ on the author including the right to claim authorship and to restrain any distortion/mutilation or modification of the work that would be prejudicial to his/her honour or reputation.[30]

These rights survive any assignment of the copyright made by the author i.e. they can e asserted by the author above any contract entered into by her with third parties such as the producer in this case. The Court framed the question it was faced with in these terms:

[T]he question before me is whether such person like the plaintiff has no right to defend when someone enlarges the terrible facts, enters the realm of her private life, depicts in graphic details rape, sexual intercourse, exhibits nudity, portrays the living person which brings shame, humiliation and memories of events which haunts and will go on haunting the plaintiff, more so the person is still living. Whether the plaintiff has no right and her life can become an excuse for film makers and audience to participate in an exercise of legitimate violence with putting all inhibitions aside.

Ultimately, the High Court sided with the petitioner and issued an injunction restraining the defendant from exhibiting his film.[31] This decision was based more on a consideration of constitutional right to privacy principles than an evaluation of the plaintiff’s case under Copyright law. However, it does provide an interesting factual matrix for the exploration of the way in which protection of copyright and privacy might overlap.

In a contrasting case before the Bombay High Court, Manisha Koirala v Shashilal Nair & Ors [32] an injunction was sought against the release of a film in which the petitioner, a noted actress, was depicted in the nude through the device of a ‘body double’. Here the plot was entirely fictional and the plaintiff, a noted actress, had agreed to perform in the film with ‘substituted shots’ during the scenes in the story that involved nudity. Subsequently, she appears to have reconsidered this decision and objected to the very inclusion of these scenes in its final version. In her petition before the court, she alleged defamation and malicious injurious falsehood, arguing that the exhibition of the film would result in a violation her right to privacy "as the objectionable shots, attempt to expose the body of a female which is suggested to be that of the plaintiff". She contended that “the right to portray her on screen can only be exercised in a manner, which is subject to the fundamental principle that such portrayal can only be with her unconditional consent." "The present rendition" of her part in the film, she alleged was “an invasion of privacy as it is embarrassing and will cause irreparable damage to her reputation which remains untarnished thereby causing irreparable loss and injury”. Although Copyright is not invoked in this case by the petitioner, there is an audible echo of some of the reputational anxieties that had animated Phoolan Devi’s case mentioned above. The difference, however, is that in this case the petitioner’s claim was not grounded in a quest for control over her biography, but over the image of her body. Unlike the previous case, here the Court was unsympathetic to the petitioner’s claims. The court treated her previous ‘consents’ as determinative of all issues and dismissed her case holding:

"The Court ...cannot be a moral guardian in this context. ..It is.. clear to my mind that once having agreed to act in the film it will be too late for the plaintiff .. to hold that a case of defamation has been made out.. To maintain a case of malicious falsehood it must be held out that the statement was false. In the instant case what is sought to be contended is that the scenes involving the film artist would result in an action of malicious injurious falsehood or malicious falsehood by associating the plaintiff's with the scenes which she had not enacted.. The plaintiff was prima facie aware as earlier held and that the scenes formed part of the story board have been enacted by a double and consequently it cannot be said that in the present case the plaintiff has been able to establish a case of malicious falsehood."[33]

One of the facts that was relevant in the court’s decision was that the defendant, as the ‘holder of the copyright in the film’, had incurred vast expenditure in publicising its release. Here, in a reversal of the Phoolan Devi case, copyright is held up as a shield against a competing privacy claim. The issue of the extent of overlap between copyright and privacy however remains unsettled in law. In April 2007, the Madras High Court granted a temporary injunction against the publishers of an unauthorised biography of former Tamil Nadu Chief Minister Jayalalitha. In her petition she alleged that the biography “had been written without any verification of facts. Such a publication would spoil her image and damage her status in politics and public life.” Her petition contended that “No one has a right to publish anything concerning personal private matters without consent, whether truthful or otherwise, whether laudatory or critical.[34]

Although it does not reference Copyright law, this case is another illustration of the enduring relevance of the question of whether we are entitled to the exclusive authorship of our private life-stories.

The Private under the Copyright Act

In its various sections, the Copyright Act inscribes certain spaces and actions as either public or private. Specified activities are labelled public even though they are conducted within the domestic confines of one’s home. Similarly, activities that infringe copyright are nevertheless immunised from prosecution due to the fact that they are conducted for a ‘private’ purpose. In this concluding section of this paper, we try to piece together a narrative of privacy and the private domain that emerges from a combined reading of various sections and decisions under the Copyright Act.

We begin, here, by collating the Copyright Act’s various articulations of the ‘public’ and ‘private’. By treating them as intertwining, mutually constitutive terms, we proceed to analyse these various articulations in the Copyright Act with a view to seeing what account of the private realm may emerge.

Public/Publish

One of the key rights that most owners of copyrights enjoy is the exclusive right to "publish" or "communicate their work to the public".

The Act defines "publication" to mean “making a work available to the public by issue of copies or by communicating the work to the public”. Significantly, in case of dispute, if the issue of copies or communication to the public is “of an insignificant nature” it is deemed not to constitute a publication [Section 6]. This signals that the notions of publicity and publication under the Copyright Act are in some senses moored to the magnitude of the receiving public. The ‘private’ then is constituted, reciprocally, as the ‘insignificant public’.

Under the Indian Copyright Act, "communication to the public" occurs when a person makes any work “available for being seen or heard or otherwise enjoyed by the public directly or by any means of display or diffusion other than by issuing copies of such work”. Such communication occurs “regardless of whether any member of the public actually sees, hears or otherwise enjoys the work so made available.”[Section 2(ff)][35]

Private

The word ‘private’ is expressly referenced in four provisions of the Copyright Act.

Section 39 declares that “the making of any sound recording or visual recording for the private use of the person making such recording, or solely for purposes of bona fide teaching or research” would not violate the broadcast reproduction right or performer's right;
Section 51 which stipulates when copyrights are infringed declares that the “imports into India, any infringing copies of the work” would constitute an infringement except if it is only a single copy of any work that is imported “for the private and domestic use of the importer”.
Section 52(1) of the Copyright Act lists certain acts as not infringing of copyright. These include:

(a) a fair dealing with a literary, dramatic, musical or artistic work, not being a computer programme, for the purposes of private use, including research. A proposed amendment to this section seeks to extend this protection to all ‘personal’ uses in addition to ‘private uses including research[36]. ‘Personal use’ has been interpreted in non-copyright contexts to include the family members of the person living with him.[37] The definition of ‘person’ under the General Clauses Act includes a “company or association or body of individuals, whether incorporated or not”. Although the case law on the point is scant[38], it would be interesting to see if ‘personal use’ can be read to include the use by companies internally, thereby casting a shroud of privacy on corporations for the purpose of copyright.
(p) the reproduction, for the purpose of research or private study or with a view to publication, of an unpublished literary, dramatic or musical work kept in a library, museum or other institution to which the public has access.

In addition to the provisions listed above, Section 52 the Act also shields certain spaces and occasions as immune from the charge of copyright infringement (although they are not specially designated as ‘private’). These include educational institutions[39], non-profit clubs, societies[40], religious institutions[41] and religious ceremonies including marriages.[42]

Perhaps the most elaborate calibration of the boundaries between the 'private' and 'public' under the Indian Ccopyright Act by the judiciary occurs in the case Garware Plastics and Polyester vs Telelink & Ors[43]., decided by the Bombay High Court in 1989. The case called for the determination of whether films transmitted via neighbourhood cable networks and viewed in the privacy of customers’ homes would constitute an unauthorised ‘communication to the public’ under the Copyright Act. Here the defendants had purchased video tapes of popular films and begun transmitting them over cable networks owned by them. For this they charged a monthly maintenance fee from their customers. Under the Copyright Act then in force, ‘communication to the public’ was defined simply as "communication to the public in whatever manner, including communication through satellite.” After an extensive review of English law on the subject, the court ruled that this did constitute an unauthorised communication to the public:

"Whether a communication is to the public or whether it is a private communication depends essentially on the persons receiving the communication. If they can be characterized as the public or a protein of the public , the communication is to the public…From the authorities the principal criteria which emerge for determining the issue are(1) the character of audience and whether it can be described as a private or domestic audience consisting of family members or members of the household, (2) whether the audience in relation to the owner of the copyright can be so considered…Applying the test of the character of the audience watching these video films , can this audience be called a Section of the public or is this audience a private or domestic audience of the defendants ? In the present case it cannot be said that the audience which watches video films shown by the defendants consists of family members and guests of the defendants. The video film may be watched by a large Section of the public in the privacy of their homes. But this does not make it a private communication so as to take it our of the definition of "broadcast" under the Copyright Act, 1957.

It is true that the network operates through the connection of a cable to all these various apartments or houses. But this cannot in any way affect the character of the audience. The viewers are not members of one family or their guests. They do not have even the homogeneity of club members of one family or their guests. They do not have even the homogeneity of a club membership.[44] (emphasis added)

A central feature emerging from this case that distinguishes public form private in Copyright law is homogeneity or affiliation: that space is marked ‘private’ where a pre-affiliated group – united either by kinship or association in pursuit of a common goal – comes together in pursuit of a non-commercial common interest. Conversely, ‘Public’ is where the unaffiliated congregate. On the face, this accords with the spirit of the various fair dealing rights under the Copyright Act which carve out immunised spaces for institutions that correspond to these definitions – educational institutions, religious institutions and ceremonies, amateur clubs etc are immune from infringement actions because, one could say, their activities are ‘private’.

In 1994 the Copyright Act was amended to fortify this conclusion by expanding the definition of ‘communication to the public’ to include ‘communication through satellite or cable or any other means of simultaneous communication to more than one household or place of residence including residential rooms of any hotel or hostel shall be deemed to be communication to the public;” (Sec 2(ff), Explanation)

Conclusion

I would like to conclude this paper with some reflections on the assertion I made in the introduction about copyright law being both an instrument for the protection and violation of privacy. From the discussion in the previous sections, it follows:

Firstly, that 'property' – as embodied by copyright law – is, at best, an unreliable guarantor of privacy. It works when bussed along with dignity claims– for instance the Phoolan Devi case where the petitioner’s suffering underlay her property claim– but fails when asserted as ‘property’ per se (as in Manisha Koirala’s case[45]). One does not (under the Indian Copyright Act, at least) have a reliable ‘property’ interest in one’s life story, bodily representation, name etc. This stands in contrast with other regimes such as the US where several states have enacted ‘Right to publicity’ statutes or have recognised publicity rights through common law processes.[46]

These rights can be read to offer people a 'property' means for protecting their privacy (by preventing unauthorised publicity) in those jurisdictions. Analogous claims are unavailable in India.

Secondly, that ‘property’ operates frequently as a license for the violation of privacy with impunity. This emerges most clearly from the cases of copyright investigation that we examined in Section 1.2 above. Pecuniary copyright interests appear to completely overwhelm any regard for competing privacy concerns.

Thirdly, that, notwithstanding the preceding two points, the copyright act does protect privacy in limited ways. Chiefly these are a) By conferring limited copyright on 'unpublished works', it enables authors to restrict their publication except on terms acceptable to them. b) The Act grants a very wide “Performer’s right” to performers and no sound or visal recording may be made of them without their express consent. No such recording can broadcast or communicated to the public without their consent. This gives a very powerful weapon of control in the hands of performers to restrict the extent to which representations of them are publicised. C) As mentioned above in the penultimate section of this paper, various fair dealing exceptions carve out spaces of privacy where infringing acts are granted immunity – for instance private uses, uses in educational institutions and libraries, etc.

Lastly, with the arena of copyright infringement shifting gradually to the internet, it is foreseeable that the IT Act will be employed with greater frequency in the coming years to do the work of copyright enforcement. The legal regime already supports this change through provisions in the IT Act which preserve all existing rights available under the Copyright Act [Section 81 (proviso) of the IT Act] and put new powers of take-down [see Intermediary Guidelines] in the hands of Copyright Owners. Thus on the one hand, copyright owners would be able to lawfully hack into potential infringers’ computers while enjoying immunity under the IT Act. On the other hand, ‘intermediaries’ would be legally bound to co-operate in copyright enforcement including, conceivably, handing over a number of personal details of those accused of copyright infringement. In other jurisdictions, such as the EU, such ‘co-operation’ is heavily policed by judicial oversight where personally identifiable information is involved[47]. Contrastingly, in India, with its diminished concerns for privacy and limited awareness of how IP address data can seriously imperil privacy, there is a very real threat that these provision will license the wholesale violation of online privacy.

Notes

[1]Anon, 2005. Towards Knowledge Societies, Paris: UNESCO. Available at: http://unesdoc.unesco.org/images/0014/001418/141843e.pdf [Accessed April 20, 2011].

[2]Sundaram says "Temporal acceleration was a significant part of the imaginary of developmentalism - this was inherent in the logic of 'catching up' with the core areas of the world economy by privileging a certain strategy of growth that actively delegitimized local and 'traditional' practices."

[3]This aspiration underlies several of the policy documents prepared in India in the last decade – Illustratively, the report submitted by the National Task Force on Information Technology (NTFIT) in 1998 captures this sentiment well: “For India, the rise of Information Technology is an opportunity to overcome historical disabilities and once again become the master of one's own national destiny. IT is a tool that will enable India to achieve the goal of becoming a strong, prosperous and self-confident nation. In doing so, IT promises to compress the time it would otherwise take for India to advance rapidly in the march of development and occupy a position of honor and pride in the comity of nations” Tiwari, Ghanshyam et al. Government of India. Central Advisory Board of Education, Ministry of Human Resource Development .Report of the Central Advisory Board of Education Committee On Universalisation of Secondary Education. New Delhi: 2005

[4]There is some ambiguity on whether offences under the Copyright Act punishable with imprisonment “which may extend to three years” are 'cognizable' or not. The Code of Criminal Procedure 1973 classifies all offences which prescribe a penalty of three years and above as cognizable and non bailable [First Schedule]. Offences which are punishable with imprisonment of less than three years are classified as ‘non-cognizable’ and ‘bailable’. In the absence of a definitive ruling from the Supreme Court on this issue, different High Courts have offered conflicting interpretations. See Singh, S. & Aprajita, 2008. Insight into the nature of offence of Copyright Infringement. Journal of Intellectual Property Rights, 13(6), pp.583-589. Available at: http://nopr.niscair.res.in/bitstream/123456789/2433/1/JIPR%2013%286%29%20583-589.pdf [Accessed May 12, 2011]. See also Agarwal, D.K., 2010. Arrest under the customs act ? Bailable or non-bailable offence. Translation Interpreting Services. Available at: http://translation-tech.com/blog/213/arrest-under-the-customs-act-bailable-or-non-bailable-offence/ [Accessed May 12, 2011]. The determination of this issue would have wide ranging implications since the police have a wider assortment of powers with respect to interrogation, arrest, search and seizure in the course of investigating cognizable offences than they have with respect to non-cognizable offences.

[5]"Where Director of Inspection or Commissioner in consequence of information in his possession, has reason to believe that any person having in possession of any money, etc.." has not disclosed it for purposes of Income Tax.

[6]AIR 1997 Raj 78 < http://indiankanoon.org/doc/661363/>

[7]Event and Entertainment Management Association v. Union of India (Delhi HC) Order dated 2nd May 2011 <http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=84697&yr=2011>. Harkauli, S., 2011. HC nullifies police circular on copyright issue. The Pioneer. Available at: http://www.dailypioneer.com/336974/HC-nullifies-police-circular-on-copyright-issue.html [Accessed May 9, 2011].

[8]Ibid

[9]As recently as April 2011, the Delhi high court restrained “cable operators nationwide from telecasting matches of the Indian Premier League (IPL) without authorization from MSM Satellite (Singapore) Pte Ltd, which owns the broadcasting rights. See Bailay, R., 2011. Cable operators can’t telecast IPL without authorization, says HC. Livemint. Available at: http://www.livemint.com/articles/2011/04/27212449/Cable-operators-can8217t-te.html?atype=tp [Accessed May 13, 2011]. For an early history of John Doe orders in India, see Krishnamurthy, N. & Anand, P., 2003. India Trade marks in a state of change. Managing Intellectual Property. Available at: http://www.managingip.com/Article/1321770/India-Trade-marks-in-a-state-of-change.html [Accessed May 13, 2011].

[10]These orders are granted by the Court supposedly under Section 75 read with Order 26 of the Code of Civil Procedure which empowers the court to appoint “Local Commissioners” to record evidence in special cases. I have stated my opinions elsewhere on why I believe these powers may not be invoked for the purpose of effecting routine searches and seizures in the manner as is currently being practiced by the higher judiciary – especially the Delhi High Court. See Iyengar, P., 2009. BSA’s response on Spicy IP – in perspective. Original Fakes. Available at: http://originalfakes.wordpress.com/2009/04/04/bsas-response-on-spicy-ip-in-perspective/ [Accessed May 10, 2011].

[11]Anon, 2009. Ghost Post on IP (Software) Raids: Court Sponsored Extortion? SPICY IP. Available at: http://spicyipindia.blogspot.com/2009/03/ghost-post-on-ip-software-raids-court.html [Accessed May 10, 2011].

[12]Autodesk Inc Vs. AVT Shankardass, Available at: http://delhicourts.nic.in/Jul08/Autodesk%20Inc%20Vs.%20AVT%20Shankardass.pdf [Accessed May 10, 2011].

[13]The 2011 Special 301 Country Report on India prepared by the IIPA specifically cites the Delhi High Court in this context, statng “The industry enjoys a very high success rate with respect to the grant of such orders at the Delhi High Court”. According to this report, the Business Software Alliance was able to obtain 34 such orders in 2009.

[14]Anon, 2011. Special 301 Report on Copyright Protection and Enforcement: 2011 India Country Report, International Intellectual Property Alliance. Available at: http://www.iipa.com/rbc/2011/2011SPEC301INDIA.pdf [Accessed May 9, 2011].

[15]Ibid at. Pp 41-42.

[16]The 2010 Special 301 Country Report lists the following defects of the proposed Section 65A: “(a) does not cover access controls and is limited only to TPMs protecting the exercise of exclusive rights; (b) covers only the “act” of circumvention and does not also cover manufacturing, trafficking in, or distributing circumvention devices or services; (c) does not define an “effective technological measure”; (d) contains an exception which would appear to permit circumvention for any purpose that would not amount to infringement under the act (thereby almost completely eviscerating any protection); (e) creates other overbroad exceptions; and (f) provides for only criminal and not civil remedies."

[17]Syed Asifuddin And Ors. v The State Of Andhra Pradesh, 2005 CriLJ 4314 (Andhra Pradesh HC ).

[18]Ibid.

[19]Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&sectid=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011]. See also Nanjappa, V., 2008. “I have lost everything.” Rediff.com News. Available at: http://www.rediff.com/news/2008/jan/21inter.htm [Accessed March 23, 2011].

[20]Pahwa, N., 2010. Hyderabad Police Arrests Torrent Uploaders - MediaNama. MediaNama. Available at: http://www.medianama.com/2010/11/223-hyderabad-police-arrests-torrent-uploaders/ [Accessed May 12, 2011].

[21]GSR 314(E) Dated 11 April 2011: Information Technology (Intermediaries guidelines) Rules, 2011 http://www.mit.gov.in/sites/upload_files/dit/files/GSR314E_10511(1).pdf [Accessed May 12, 2011].

[22]See Zee Telefilms Ltd. v Sundial Communications Pvt. Ltd., 2003 (5) BomCR 404 (Bombay High Court 2003).

[23]Mr. M. Sivasamy v M/S. Vestergaard Frandsen (Delhi High court 2009).< http://indiankanoon.org/doc/916718/>

[24]Dietrich Engineering Consultant v Schist India & Ors (Bombay High Court, 2009) < http://indiankanoon.org/doc/1634545/>

[25]Mr. Diljeet Titus, Advocate vs Mr. Alfred A. Adebare And Ors, 130 DLT 330 (Delhi High Court 2006).

[26]Phoolan Devi v Shekhar Kapoor And Ors. (1994). DLT (Vol. 57 (1995), p. 154). Retrieved from http://indiankanoon.org/doc/793946/

[27]The conditions under which this license were obtained speak eloquently to the ills of the current copyright system. According to Phoolan Devi’s lawyer, the noted advocate Indira Jaisingh, the contract was signed by Phoolan Devi while she was behind prison bars. She did not speak or understand Hindi or English and only spoke in a local dialect. The copyright contract was written entirely in English and gave her a paltry sum or Rs. 2 lakh – which was a pittance considering the budget and projected returns from the film. Jaisingh, I., 2001. Supreme Court lawyer Indira Jaisingh pays tribute to Phoolan Devi. Available at: http://www.rediff.com/news/2001/jul/26spec.htm [Accessed June 10, 2011]. Arundhati Roy’s two superb critiques of the film and its director movingly capture why this is not a simple case of copyright assignment. See Roy, A., 1994. The Great Indian Rape Trick - I. Sawnet. Available at: http://www.sawnet.org/books/writing/roy_bq1.html [Accessed June 10, 2011].; Roy, A., 1994. The Great Indian Rape Trick - II. Sawnet. Available at: http://www.sawnet.org/books/writing/roy_bq2.html [Accessed June 10, 2011].

[28]Ibid, Roy, A., 1994. The Great Indian Rape Trick - I.

[29]Ibid, Roy, A., 1994. The Great Indian Rape Trick - II

[30]Section 57 of the Act reads “Author’s Special Rights: ‘Independently of the author's copyright and even after the assignment either wholly or partially of the said copyright, the author of a work shall have the right-

(a) to claim authorship of the work; and
(b) to restrain or claim damages in respect of any distortion, mutilation, modification or other act in relation to the said work which is done before the expiration of the term of copyright if such distortion, mutilation, modification or other act would be prejudicial to his honour or reputation:”

[31]The case was later settled out of court with Phoolan Devi being able to secure a substantially higher compensation. Ultimately, the case was not about the depiction of rape generally, but primarily about Phoolan Devi’s sovereign right to decide the terms on which her own life would be represented.

[32]Manisha Koirala v Shashilal Nair & Ors. (2002). BomCR (Vol. 2003 (2), p. 136). Retrieved from http://indiankanoon.org/doc/1913646/

[33]Ibid

[34]Anon, 2011. High Court Grants Injunction Till June 7 Against Publishing Book on Jayalalithaa. The Hindu, p.01. Available at: http://www.hindu.com/2011/04/27/stories/2011042762360100.htm [Accessed May 12, 2011].

[35]For a more dispersed account on the concept of the ‘public’ under Indian law, See Iyengar, P, ‘Where the private and the public collide’, iCommons Lab Report, September- October 2007, pp. 7-8, Icommons.org, < http://archive.icommons.org/articles/what-is-public> last visited May 2011

[36]Copyright (Amendment) Bill 2010 http://prsindia.org/uploads/media/Copyright%20Act/Copyright%20Bill%202010.pdf

[37]See Sivasubramania Iyer v. S.H. Krishnaswamy AIR 1981 Ker 57 , a case under Kerala Buildings (Lease & Rent Control) Act 1965.

[38]Goods purchased for the private use of a corporation would be goods purchased for the ”personal use” of the corporation. 158 IC 703.

[39]52(1)(g), (h) and (i)

[40]52(1)(k) and (l)

[41]52(1)(l)

[42]52(1)(za)

[43]AIR 1989 Bom 331, 1989 (2) BomCR 433, (1989) 91 BOMLR 139 <http://indiankanoon.org/doc/858705/>

[44]Ibid.

[45]At first glance this distinction may seem facile since even Manisha Koirala invoked ‘reputational harm’ as a prop to buttress her property claim. However, I believe this case was complicated by the fact that the court had to consider whether the display of someone else’s body could have implicated Manisha Koirala’s privacy/dignity. Koirala was, in effect, arguing that she had absolute ‘proprietorial’ control over all representations of her body – a property argument which the court was unwilling to concede.

[46]See Footnote 90 and accompanying text in Samuelson, P., 2000. Privacy as Intellectual Property? SSRN eLibrary; Stanford Law Review. Available at: http://ssrn.com/paper=239412 [Accessed on June 14, 2011].

[47]Lebatard, F.-R., Copyright Enforcement and the Protection of Privacy in France. Translegal. Available at: http://www.translegal.com/feature-articles/copyright-enforcement-and-the-protection-of-privacy-in-france [Accessed June 14, 2011].

For more details visit https://cis-india.org/internet-governance/blog/privacy/copyright-enforcement

Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India

jyoti — 2015-10-14T14:40:08Z

The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.

The European Court of Justice (ECJ) has invalidated a European Commission (EC) decision¹ which had previously concluded that the 'Safe Harbor Privacy Principles'² provide adequate protections for European citizens’ privacy rights³ for the transfer of personal data between European Union and United States. This challenge stems from the claim that public law enforcement authorities in America obtain personal data from organisations in safe harbour for incompatible and disproportionate purposes in violation of the Safe Harbour Privacy Principles. The court's judgment follows the advice of the Advocate General of the Court of Justice of the European Union (CJEU) who recently opined⁴ that US practices allow for large-scale collection and transfer of personal data belonging to EU citizens without them benefiting from or having access to judicial protection under US privacy laws. The inadequacies of the framework is not news for the Commission and action by ECJ has been a long time coming. The ruling raises important questions about how increasingly the contestations of personal data are being employed in asserting claims of citizenship in context of the internet.

As the highest court in Europe, the ECJ's decisions are binding on all member states. With this ruling the ECJ has effectively restrained US firms from indiscriminate collection and sharing of European citizens’ data on American soil. The implications of the decision are significant, because it shifts the onus of evaluating protections of personal data for EU citizens from the 4,400 companies⁵ subscribing to the system onto EU privacy watchdogs. Most significantly, in addressing the rights of a citizen against an established global brand, the judgement goes beyond political and legal opinion to challenge the power imbalance that exists with reference to US based firms.

Today, the free movement of data across borders is a critical factor in facilitating trade, financial services, governance, manufacturing, health and development. However, to consider the ruling as merely a clarification of transatlantic mechanisms for data flows misstates the real issue. At the heart of the judgment is the assessment whether US firms apply the tests of ‘necessity and proportionality’ in the collection and surveillance of data for national security purposes. Application of necessity and proportionality test to national security exceptions under safe harbor has been a sticking point that has stalled the renegotiation of the agreement that has been underway between the Commission and the American data protection authorities.⁶

For EU citizens the stake in the case are even higher, as while their right to privacy is enshrined under EU law, they have no administrative or judicial means of redress, if their data is used for reasons they did not intend. In the EU, citizens accessing and agreeing to use of US based firms are presented with a false choice between accessing benefits and giving up on their fundamental right to privacy. In other words, by seeking that governments and private companies provide better data protection for the EU citizens and in restricting collection of personal data on a generalised basis without objective criteria, the ruling is effectively an assertion of ‘data sovereignty’. The term ‘data sovereignty’, while lacking a firm definition, refers to a spectrum of approaches adopted by different states to control data generated in or passing through national internet infrastructure.⁷ Underlying the ruling is the growing policy divide between the US and EU privacy and data protection standards, which may lead to what is referred to as the balkanization⁸ of the internet in the future.

US-EU Data Protection Regime

The safe harbor pact between the EU and US was negotiated in the late 1990s as an attempt to bridge the different approaches to online privacy. Privacy is addressed in the EU as a fundamental human right while in the US it is defined under terms of consumer protection, which allow trade-offs and exceptions when national security seems to be under threat. In order to address the lower standards of data protection prevalent in the US, the pact facilitates data transfers from EU to US by establishing certain safeguards equivalent to the requirements of the EU data protection directive. The safe harbor provisions include firms undertaking not to pass personal information to third parties if the EU data protection standards are not met and giving users right to opt out of data collection.⁹

The agreement was due to be renewed by May 2015¹⁰ and while negotiations have been ongoing for two years, EU discontent on safe harbour came to the fore following the Edward Snowden revelations of collection and monitoring facilitated by large private companies for the PRISM program and after the announcement of the TransAtlantic Trade and Investment Partnership (TTIP).¹¹ EU member states have mostly stayed silent as they run their own surveillance programs often times, in cooperation with the NSA. EU institutions cannot intervene in matters of national security however, they do have authority on data protection matters. European Union officials and Members of Parliament have expressed shock and outrage at the surveillance programs unveiled by Snowden's 2013 revelations. Most recently, following the CJEU Advocate General’s opinion, 50 Members of European Parliament (MEP) sent a strongly worded letter the US Congress hitting back on claims of ‘digital protectionism’ emanating from the US¹². In no uncertain terms the letter clarified that the EU has different ideas on privacy, platforms, net neutrality, encryption, Bitcoin, zero-days, or copyright and will seek to improve and change any proposal from the EC in the interest of our citizens and of all people.

Towards Harmonization

In November 2013, as an attempt to minimize the loss of trust following the Snowden revelations, the European Commission (EC) published recommendations in its report on 'Rebuilding Trust is EU-US Data Flows'.¹³ The recommendations revealed two critical initiatives at the EU level—first was the revision of the EU-US safe harbor agreement¹⁴ and second the adoption of the 'EU-US Umbrella Agreement¹⁵'—a framework for data transfer for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. The Umbrella Agreement was recently initialed by EU and US negotiators and it only addresses the exchange of personal data between law enforcement agencies.¹⁶ The Agreement has gained momentum in the wake of recent cases around issues of territorial duties of providers, enforcement jurisdictions and data localisation.¹⁷ However, the adoption of the Umbrella Act depends on US Congress adoption of the Judicial Redress Act (JRA) as law.¹⁸

Judicial Redress Act

The JRA is a key reform that the EC is pushing for in an attempt to address the gap between privacy rights and remedies available to US citizens and those extended to EU citizens, including allowing EU citizens to sue in American courts. The JRA seeks to extend certain protections under the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses. The JRA protections would extend to records shared under the Umbrella Agreement and while it does include civil remedies for violation of data protection, as noted by the Center for Democracy and Technology, the present framework does not provide citizens of EU countries with redress that is at par with that which US persons enjoy under the Privacy Act.¹⁹

For example, the measures outlined under the JRA would only be applicable to countries that have outlined appropriate privacy protections agreements for data sharing for investigations and ‘efficiently share’ such information with the US. Countries that do not have agreements with US cannot seek these protections leaving the personal data of their citizens open for collection and misuse by US agencies. Further, the arrangement leaves determination of 'efficiently sharing' in the hands of US authorities and countries could lose protection if they do not comply with information sharing requests promptly. Finally, JRA protections do not apply to non-US persons nor to records shared for purposes other than law enforcement such as intelligence gathering. JRA is also weakened by allowing heads of agencies to exercise their discretion to seek exemption from the Act and opt out of compliance.

Taken together the JRA, the Umbrella Act and the renegotiation of the Safe Harbor Agreement need considerable improvements. It is worth noting that EU’s acceptance of the redundancy of existing agreements and in establishing the independence of national data protection authorities in investigating and enforcing national laws as demonstrated in the Schrems and in the Weltimmo²⁰ case point to accelerated developments in the broader EU privacy landscape.

Consequences

The ECJ Safe Harbor ruling will have far-reaching consequences for the online industry. Often, costly government rulings solidify the market dominance of big companies. As high regulatory costs restrict the entrance of small and medium businesses the market, competition is gradually wiped out. Further, complying with high standards of data protection means that US firms handling European data will need to consider alternative legal means of transfer of personal data. This could include evolving 'model contracts' binding them to EU data protection standards. As Schrems points out, “Big companies don’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses.”²¹

The ruling is good news for European consumers, who can now approach a national regulator to investigate suspicions of data mishandling. EU data protection regulators may be be inundated with requests from companies seeking authorization of new contracts and with consumer complaints. Some are concerned that the ruling puts a dent in the globalized flow of data²², effectively requiring data localization in Europe.²³ Others have pointed out that it is unclear how this decision sits with other trade treaties such as the TPP that ban data localisation.²⁴ While the implications of the decision will take some time in playing out, what is certain is that US companies will be have to restructure management, storage and use of data. The ruling has created the impetus for India to push for reforms to protect its citizens from harms by US firms and improve trade relations with EU.

The Opportunity for India

Multiple data flows taking place over the internet simultaneously and that has led to ubiquity of data transfers o ver the Internet, exposing individuals to privacy risks. There has also been an enhanced economic importance of data processing as businesses collect and correlate data using analytic tools to create new demands, establish relationships and generate revenue for their services. The primary concern of the Schrems case may be the protection of the rights of EU citizens but by seeking to extend these rights and ensure compliance in other jurisdictions, the case touches upon many underlying contestations around data and sovereignty.

Last year, Mr Ram Narain, India Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.”²⁵ In the absence of the recognition of privacy as a right and empowering citizens through measures or avenues to seek redressal against misuse of data, the demand of data sovereignty rings empty. The kind of framework which empowered an ordinary citizen in the EU to approach the highest court seeking redressal based on presumed overreach of a foreign government and from harms abetted by private corporations simply does not exist in India. Securing citizen’s data in other jurisdictions and from other governments begins with establishing protection regimes within the country.

The Indian government has also stepped up efforts to restrict transfer of data from India including pushing for private companies to open data centers in India.²⁶ Negotiating data localisation does not restrict the power of private corporations from using data in a broad ways including tailoring ads and promoting products. Also, data transfers impact any organisation with international operations for example, global multinationals who need to coordinate employee data and information. Companies like Facebook, Google and Microsoft transfer and store data belonging to Indian citizens and it is worth remembering that the National Security Agency (NSA) would have access to this data through servers of such private companies. With no existing measures to restrict such indiscriminate access, the ruling purports to the need for India to evolve strong protection mechanisms. Finally, the lack of such measures also have an economic impact, as reported in a recent Nasscom-Data Security Council of India (DSCI) survey²⁷ that pegs revenue losses incurred by the Indian IT-BPO industry at $2-2.5 billion for a sample size of 15 companies. DSCI has further estimated that outsourcing business can further grow by $50 billion per annum once India is granted a “data secure” status by the EU.²⁸ EU’s refusal to grant such a status is understandable given the high standard of privacy as incorporated under the European Union Data Protection Directive a standard to which India does not match up, yet. The lack of this status prevents the flow of data which is vital for Digital India vision and also affects the service industry by restricting the flow of sensitive information to India such as information about patient records.

Data and information structures are controlled and owned by private corporations and networks transcend national borders, therefore the foremost emphasis needs to be on improving national frameworks. While, enforcement mechanisms such as the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation may seem respectful of international borders and principles of sovereignty,²⁹ for users that live in undemocratic or oppressive regimes such agreements are a considerable risk. Data is also increasingly being stored across multiple jurisdictions and therefore merely applying data location lens to protection measures may be too narrow. Further it should be noted that when companies begin taking data storage decisions based on legal considerations it will impact the speed and reliability of services.³⁰ Any future regime must reflect the challenges of data transfers taking place in legal and economic spaces that are not identical and may be in opposition. Fundamentally, the protection of privacy will always act as a barrier to the free flow of information even so, as the Schrems case ruling points out not having adequate privacy protections could also restrict flow of data, as has been the case for India.

The time is right for India to appoint a data controller and put in place national frameworks, based on nuanced understanding of issues of applying jurisdiction to govern users and their data. Establishing better protection measures will not only establish trust and enhance the ability of users to control data about themselves it is also essential for sustaining economic and social value generated from data generation and collection. Suggestions for such frameworks have been considered previously by the Group of Experts on Privacy constituted by the Planning Commission.³¹ By incorporating transparency in mechanisms for data and access requests and premising requests on established necessity and proportionality Indian government can lead the way in data protection standards. This will give the Indian government more teeth to challenge and address both the dangers of theft of data stored on servers located outside of India and restrain indiscriminate access arising from terms and conditions of businesses that grant such rights to third parties.

1 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) Official Journal L 215 , 25/08/2000 P. 0007 -0047 2000/520/EC: http ://eur -lex .europa .eu /LexUriServ /LexUriServ .do ?uri =CELEX :32000 D 0520:EN :HTML

2 Safe Harbour Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

3 Megan Graham, Adding Some Nuance on the European Court ’s Safe Harbor Decision , Just security

https ://www .justsecurity .org /26651/adding -nuance -ecj -safe -harbor -decision /

4 Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner Court of Justice of the European Union, Press Release, No 106/15 Luxembourg, 23 September 2015 http ://curia .europa .eu /jcms /upload /docs /application /pdf /2015-09/cp 150106 en .pdf

5 Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour alternatives’, The Register, October 7, 2015 http ://www .theregister .co .uk /2015/10/07/eu _pushes _safe _harbour _alternatives /

6 Draft Report, General Data Protection Regulation, Committee on Civil Liberties, Justice and Home Affairs, European Parliament, 2009-2014 http ://www .europarl .europa .eu /meetdocs /2009_2014/documents /libe /pr /922/922387/922387 en .pdf

7 Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS Characteristics: Data Sovereignty and the Balkanisation of the Internet’, University of Oxford, July 7, 2014 https ://www .usenix .org /system /files /conference /foci 14/foci 14-polatin -reuben .pdf

8 Sasha Meinrath, The Future of the Internet: Balkanization and Borders, Time, October 2013 http ://ideas .time .com /2013/10/11/the -future -of -the -internet -balkanization -and -borders /

9 Safe Harbour Privacy Principles, Issued by the U.S. Department of Commerce, July 2001 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

10 Facebook case may force European firms to change data storage practices, The Guardian, September 23, 2015 http ://www .theguardian .com /us -news /2015/sep /23/us -intelligence -services -surveillance -privacy

11 Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013 https ://iapp .org /news /a /us -eu -safe -harbor -under -pressure

12 Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe tells Obama, US Congress to back off, The Register, 23 September, 2015 http ://www .theregister .co .uk /2015/09/23/european _politicians _to _congress _back _off /

13 Communication from the Commission to the European Parliament and the Council, Rebuilding Trust in EU-US Data Flows, European Commission, November 2013 http ://ec .europa .eu /justice /data -protection /files /com _2013_846_en .pdf

14 Safe Harbor on trial in the European Union, Access Blog, September 2014 https ://www .accessnow .org /blog /2014/11/13/safe -harbor -on -trial -in -the -european -union

15 European Commission - Fact Sheet Questions and Answers on the EU-US data protection "Umbrella agreement", September 8, 2015 http ://europa .eu /rapid /press -release _MEMO -15-5612_en .htm

16 McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data transfers’, Lexology, September 14, 2015 http ://www .lexology .com /library /detail .aspx ?g =422 bca 41-2 d 54-4648-ae 57-00 d 678515 e 1 f

17 Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case, Lawfare September, 2015 https ://www .lawfareblog .com /lowering -temperature -microsoft -ireland -case

18 Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement and the Judicial Redress Act: Small Steps Forward for EU Citizens’ Privacy Rights’, October 5, 2015 https ://cdt .org /blog /the -eu -us -umbrella -agreement -and -the -judicial -redress -act -small -steps -forward -for -eu -citizens -privacy -rights /

19 Ibid 18.

20 Landmark ECJ data protection ruling could impact Facebook and Google, The Guardian, 2 October, 2015 http ://www .theguardian .com /technology /2015/oct /02/landmark -ecj -data -protection -ruling -facebook -google -weltimmo

21 Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian, Octover 9, 2015 http ://www .theguardian .com /technology /2015/oct /09/facebook -data -privacy -max -schrems -european -court -of -justice

22 Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling, The Technology Liberation Front, October 6, 2015 http ://techliberation .com /2015/10/06/unintended -consequenses -of -the -eu -safe -harbor -ruling /#more -75831

23 Anupam Chander, Tweeted ECJ #schrems ruling may effectively require data localization within Europe, https ://twitter .com /AnupamChander /status /651369730754801665

24 Lokman Tsui, Tweeted, “If the TPP bans data localization, but the ECJ ruling effectively mandates it, what does that mean for the internet?” https ://twitter .com /lokmantsui /status /651393867376275456

25 Statement from Indian Head of Delegation, Mr Ram Narain for WGPL, Indian statement on ITU and Internet at the Working Group Plenary November 4, 2014 https ://ccgnludelhi .wordpress .com /author /asukum 87/page /2/

26 Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard, December 2014 http ://www .business -standard .com /article /companies /xiaomi -bets -big -on -india -despite -problems -114122201023_1.html

27 Neha Alawadi, Ruling on data flow between EU & US may impact India’s IT sector, Economic Times,October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49250738.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

28 Pranav Menon, Data Protection Laws in India and Data Security- Impact on India and Data Security-Impact on India - EU Free Trade Agreement, CIS Access to Knowledge, 2011 http ://cis -india .org /a 2 k /blogs /data -security -laws -india .pdf

29 Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with Bangladesh, Economic Times, October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49262294.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

30 Pablo Chavez, Director, Public Policy and Government Affairs, Testifying before the U.S. Senate on transparency legislation, November 3, 2013 http ://googlepublicpolicy .blogspot .in /2013/11/testifying -before -us -senate -on .htm

31 Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court), Planning Commission, October 2012 http ://planningcommission .nic .in /reports /genrep /rep _privacy .pdf

For more details visit https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

Content Removal on Facebook — A Case of Privatised Censorship?

jessie — 2014-06-16T05:23:09Z

Any activity on Facebook, be it creating an account, posting a picture or status update or creating a group or page, is bound by Facebook’s Terms of Service and Community Guidelines. These contain a list of content that is prohibited from being published on Facebook which ranges from hate speech to pornography to violation of privacy.

Facebook removes content largely on the basis of requests either by the government or by other users. The Help section of Facebook deals with warnings and blocking of content. It says that Facebook only removes content that violates Community Guidelines and not everything that has been reported.

I conducted an experiment to primarily look at Facebook’s process of content removal and also to analyse what kind of content they actually remove.

I put up a status which contained personal information of a person on my Friend List (the information was false). I then asked several people (including the person about whom the status was made) to report the status — that of being harassed or for violation of privacy rights. Seven people reported the status. Within half an hour of the reports being made, I received the following notification:
"Someone reported your post for containing harassment and 1 other reason."

The notification also contained the option to delete my post and said that Facebook would look into whether it violated their Community Guidelines.

A day later, all those who had reported the status received notifications stating the following:

"We reviewed the post you reported for harassment and found it doesn't violate our Community Standards."

I received a similar notification as well.
I, along with around thirteen others, reported a Facebook page which contained pictures of my friend and a few other women with lewd captions in various regional languages. We reported the group for harassment and bullying and also for humiliating someone we knew. The report was made on 24 March, 2014. On 30 April, 2014, I received a notification stating the following:

"We reviewed the page you reported for harassment and found it doesn't violate our Community Standards.

Note: If you have an issue with something on the Page, make sure you report the content (e.g. a photo), not the entire Page. That way, your report will be more accurately reviewed."

I then reported each picture on the page for harassment and received a series of notifications on 5 May, 2014 which stated the following:

"We reviewed the photo you reported for harassment and found it doesn't violate our Community Standards."

These incidents are in stark contrast with repeated attempts by Facebook to remove content which it finds objectionable. In 2013, a homosexual man’s picture protesting against the Supreme Court judgment in December was taken down. In 2012, Facebook removed artwork by a French artist which featured a nude woman. In the same year, Facebook removed photographs of a child who was born with defect and banned the mother from accessing Facebook completely. Facebook also removed a picture of a breast cancer survivor who posted a picture of a tattoo that she had following her mastectomy. Following this, however, Facebook issued an apology and stated that mastectomy photographs are not in violation of their Content Guidelines. Even in the sphere of political discourse and dissent, Facebook has cowered under government pressure and removed pages and content, as evidenced by the ban on the progressive Pakistani band Laal’s Facebook page and other anti-Taliban pages. Following much social media outrage, Facebook soon revoked this ban. These are just a few examples of how harmless content has been taken down by Facebook, in a biased exercise of its powers.

After incidents of content removal have been made public through news reports and complaints, Facebook often apologises for removing content and issues statements that the removal was an “error.” In some cases, they edit their policies to address specific kinds of content after a takedown (like the reversal of the breastfeeding ban).

On the other hand, however, Facebook is notorious for refusing to take down content that is actually objectionable, partially evidenced by my own experiences listed above. There have been complaints about Facebook’s refusal to remove misogynistic content which glorifies rape and domestic violence through a series of violent images and jokes. One such page was removed finally, not because of the content but because the administrators had used fake profiles. When asked, a spokesperson said that censorship “was not the solution to bad online behaviour or offensive beliefs.” While this may be true, the question that needs answering is why Facebook decides to draw these lines only when it comes to certain kinds of ‘objectionable’ content and not others.

All of these examples represent a certain kind of arbitrariness on the part of Facebook’s censorship policies. It seems that Facebook is far more concerned with removing content that will cause supposed public or governmental outrage or defy some internal morality code, rather than protecting the rights of those who may be harmed due to such content, as their Statement of Policies so clearly spells out.

There are many aspects of the review and takedown process that are hazy, like who exactly reviews the content that is reported and what standards they are made to employ. In 2012, it was revealed that Facebook outsourced its content reviews to oDesk and provided the reviewers with a 17-page manual which listed what kind of content was appropriate and what was not. A bare reading of the leaked document gives one a sense of Facebook’s aversion to sex and nudity and its neglect of other harm-inducing content like harassment through misuse of content that is posted and what is categorised as hate speech.

In the process of monitoring the acceptability of content, Facebook takes upon itself the role of a private censor with absolutely no accountability or transparency in its working. A Reporting Guide was published to increase transparency in its content review procedures. The Guide reveals that Facebook provides for an option where the reportee can appeal the decision to remove content in “some cases.” However, the lack of clarity on what these cases are or what the appeal process is frustrates the existence of this provision as it can be misused. Additionally, Facebook reserves the right to remove content with or without notice depending upon the severity of the violation. There is no mention of how severe is severe enough to warrant uninformed content removal. In most of the above cases, the user was not notified that their content was found offensive and would be liable for takedown. Although Facebook publishes a transparency report, it only contains a record of takedowns following government requests and not those by private users of Facebook. The unbridled nature of the power that Facebook has over our personal content, despite clearly stating that all content posted is the user’s alone, threatens the freedom of expression on the site. A proper implementation of the policies that Facebook claims to employ is required along with a systematic record of the procedure that is used to remove content that is in consonance with natural justice.

For more details visit https://cis-india.org/internet-governance/blog/content-removal-on-facebook

Consumer Privacy in e-Commerce

sahana — 2012-03-28T04:53:17Z

Looking at the larger picture of national security versus consumer privacy, Sahana Sarkar says that though consumer privacy is important in the world of digital technology, individuals must put aside some of their civil liberties when it comes to the question of national security, as it is necessary to prevent societal damage.

What is Consumer Privacy?

In today’s digital economy generating consumer information is inevitable. Though some companies use the personal information they obtain to improve and provide more services to consumers, many companies use the information in an irresponsible manner.

In countries that do provide legal protection for consumer privacy, it is never protected as an absolute right. Consumer privacy is not considered an absolute right for three reasons:

What constitutes consumer privacy is culturally, contextually, individually defined
Consumer privacy often conflicts with other market rights
The ownership of a consumer's private information is debated — as consumer's believe they own the information and businesses believe they own the information.

In order to understand consumer privacy it is useful to outline the privacy expectations and strategies of both consumers and businesses, and to also examine the protection measures taken by firms to safeguard consumer information. The major privacy concerns held by consumer's can be broken down into three main domains:

Consumers want to be informed about the type of information that is being collected from them.
Consumers need to know that they a certain degree of control over the personal information that is being collected.
Consumers need to be assured that their personal information will be secure and will not be abused or stolen.

Though privacy has been defined by many as the "right to be let alone", its application in today’s modern world is not that straightforward. We live in a world where our purchasing behavior, both online and offline, is shared and used invisibly. For instance, if an individual uses a social networking site, it is possible for a third party application to access personal information that is shared. Similarly, if an individual uses a warranty card or loyalty card during a purchase, it is possible for third parties, like data brokers, to collect and use the individuals' personal information.

For instance,15 consumer privacy groups have filed a complaint against Facebook for limiting user's ability to browse anonymously. The complaint was regarding the fact that users only had the choice to designate personal information as publicly linkable, or to not provide information at all. Though Facebook claims to ensure users control over their personal data by allowing users to choose their privacy settings, it does not clarify that these setting can change at any given point. Moreover, the latest privacy embarrassment that hit Facebook proves again that Facebook does not protect users’ privacy. A few weeks ago Facebook admitted to passing personal information of its users onto different gaming applications. These gaming applications have in turn passed the information on to advertisers who otherwise could not have accessed the information.[1]

Breach of Privacy in Information Collection

Internet users often fear the loss of personal privacy, because of the ability businesses and their websites have to collect, store, and process personal data. For example, sites extract information from consumers through a form, and then record data about their user’s browsing habit. After collecting user information, the sites match the data with their personal and demographic information to create a profile of the user’s preferences, which is then used to promote targeted advertisements or provide customized services. The sites might also engage in web lining through which they price a consumer according to their profiles.

Online there are two main ways in which sites collect user information:

Sites collect information directly through a server software. Sites often use automatic software logs to do this.
A third party extracts information from the site without the consumer’s knowledge. Sites often place cookies on websites to extract user information.

Automatic software logs and third party cookie placement are two overlooked aspect of information collection. Cookies work by collecting personal information while a user surfs the net, and then feeds the information back to a Web server. Cookies are either used to remember the user, or are used by network advertising agencies to target product advertisements based on long term profiles of user’s buying and surfing habits. An example of a website that uses cookies is 'double click'. Web bugs are used by advertising networks to add information to the personal profiles stored in cookies. Web bugs are also used in junk email campaigns to see how many visits the site gets. Cookies and web bugs are just two out of hundreds of technologies used to collect personal information. [2]

Challenges Posed by Protection of Consumer Privacy

In conclusion, I would like to talk about the difficulty in maintaining a balance between the legal collections of information and protecting privacy of consumers. Above I demonstrated how this conflict arises between businesses and consumers — and is rooted in businesses wanting personal information for commercial reasons, and a user wanting protection and control over their own information. This conflict can also arise between consumers, businesses, and political bodies. An example that demonstrates this is the ongoing conflict between RIM (Research in Motion) and the Government of India. The Government of India has issued a warning against RIM saying that it would suspend its blackberry operations if they do not adhere to the Indian laws and regulations.

The Ministry of Home Affairs is demanding that RIM allow access to encrypted content that flows in and out of India. In other words the Government of India wants RIM to allow the security forces to have access to data sent using Blackberries by reducing encryption levels, or by providing the government with the decryption keys. The demand by the government is somewhat ironic as Blackberry manufacturers have developed the Blackberry encryption key to protect the consumers’ privacy during any business deal, so that information is not compromised. On the other side of the debate, the government is demanding access to Blackberry communications, because their inability to decrypt the codes makes countering the threats to national security difficult. This is especially true for a country like India, which is constantly facing threats from Maoists, and extremist Islamic groups.

This example highlights an important question: what is more important — national security or consumer privacy? In 2010, RIM agreed to negotiate access to consumer messages only where access requests are within local laws. Blackberry also agreed to not make any specific deals with consumers, and to make its enterprise systems security and confidentiality non-negotiable.

Conclusion

Though, consumer privacy is very important especially in a world of digital technology, however, when we speak of national security, I feel that individuals must set aside some of their civil liberties — at least to the extent that it is necessary to prevent societal damage. For a clearer understanding of national security vs consumer privacy look at the case of RIM Vs Indian Government in the following sites:

[1]http://www.ft.com/cms/s/0/198599e6-dc5f-11df-a0b9-00144feabdc0.html#axzz1O00LowtN

[2]http://cyber.law.harvard.edu/olds/ecommerce/privacytext.htmlFor an overview of some of these new data-collection technologies, along with some information on privacy-enhancing technologies such as P3P, see Developing Technologies.

For more details visit https://cis-india.org/internet-governance/blog/privacy/consumer-privacy-e-commerce

Consumer Privacy - How to Enforce an Effective Protective Regime?

elonnai — 2012-03-21T10:06:04Z

In a typical sense, when people think of themselves as consumers, they just think about what they purchase, how they purchase and how they use their purchase. But while doing this exercise we are always exchanging personally identifiable information, and thus our privacy is always at risk. In this blog post, Elonnai Hickok and Prashant Iyengar through a series of questions look through the whole concept of consumer privacy at the national and international levels. By placing a special emphasis on Indian context, this post details the potential avenues of consumer privacy in India and states the important elements that should be kept in mind when trying to find at an effective protective regime for consumer privacy.

Who is a consumer?

According to the Consumer Protection Act,1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. In the typical sense, when people think of themselves being a consumer, they might think about what they purchase through a physical exchange of money for goods or services, ranging from things as simple as fruit or grain to home appliances to cable television, either in a store or through an online exchange where you enter in your credit card information and receive your purchase. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors. Typical examples include hospitals, banks and telecommunications.

What is Consumer Privacy and how may it be breached?

Consumer privacy is concerned with the manner in which information disclosed by a consumer to a vendor is collected and used. Specific issues include: behavioral advertising, spyware, identity management, and data security/breach, Increasingly, data that is collected from consumers is stored in databanks. This is then used for both legitimate purposes (such as marketing, research etc) and illegitimate extraneous purposes (as when this data is sold in bulk to third parties). Additionally, the privacy of consumers may be compromised by actions of third parties that are facilitated by the negligence of the vendors (as for instance hacking into databases). The following international examples illustrate the kinds of privacy threats that the collection of data from consumers may pose[1]

Example 1) Toysmart – an online company- collected personal information from its users, promising to keep it private. In 2000, Toysmart entered bankruptcy and in an attempt to avoid losing everything tried to sell its database despite its strict privacy policy. This example illustrates how vendors may attempt to monetize the personal information of customers exceeding the terms of the contract entered into with them.

Example 2) In 2006 it was found that AOL's research site had a stored file that contained information collected from more than 600,000 users between March to May of 2006. Though the file did not indicate each user by name, it was eventually found that there was enough information to correlate specific individuals to their user number. The example of AOL’s demonstrates the danger of online privacy breaches through either oversight or negligence of the vendor in adopting adequate security measures.

Example 3) Similar to the previous example ChoicePoint – an all-purpose information broker, whose database contains information about nearly every adult American citizen, had its system hacked. The thieves had access to the names, addresses and social security.

How is consumer privacy protected- internationally ?

Broad guidelines: The OECD Privacy Guidelines

Though not a law, the OECD Guidelines drafted in 1980 provide a useful set of ‘fair information practices’ within which privacy of consumers may be evaluated. Briefly, the eight principles declared were: 1) Collection limitation principle (there should be limits to the collection of data), 2) data quality principle (data should be accurate and relevant to the purpose collected), 3) purpose specification principle, 4) use limitation principle, 5) security safeguards principle, 6) openness principle (there should be openness about data policies and changes thereof), 7) individual participation principle (enabling the individual to find out if data is being held about him and to obtain a copy of the data and make corrections) and 8) accountability principle [2].

The EU Data Protection Directive (Directive 95/46/EC)

This is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. The basic guidelines of the Directive are [3]:

Notice: Data subjects must be notified of the: identity of the collector of their personal information, the uses for which the information is being collected, how the data subjects may exercise any available choices regarding the use or disclosure of personal information, where and to whom information may be transferred, and how data subjects may access their personal information.

Consent: “Unambiguous consent” of a data subject is required before any personal information may be processed. Special categories such as race, religion, political of philosophical beliefs, health, union membership, sex life, and criminal history have additional processing requirements.

Consistency: Controllers and processors may only use information in accordance with the terms of the notice given.

Access: Controllers must give data subjects access to personal information.

Security:Organizations must provide adequate security, using both technical and other means to protect the confidentiality and integrity of the data.

Onward transfer: Personal information may not be transferred to a third party unless that third party has signed a contract with the individual or organization which binds them to use the information consistently with the notice given to the data subjects.

Enforcement: Each EU country has established a Data Protection Authority that has the power to investigate complaints, levy fines, initiate criminal actions, and demand changes in businesses information handling practices.

Specific Sectoral Legislation and privacy policies

The US takes a sectoral approach to protecting consumer privacy. Legislation that protects consumer privacy includes: Gramm-Leach Bliley Act, Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. Also, the CAN-SPAM Act bans the sending of commercial electronic messages that contain false information. The most comprehensive act for the consumer in the U.S is the Fair Credit Report Act, which was passed in 1970. Enforcement of the Act is vested in the Federal Trade Commission. The FCRA applies to how consumers information is collected and used, and applies to insurance, employment, and other non-credit consumer transactions. Under the FCRA the information that is protected is broadly defined as 1. Consumer Report- any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer' s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumers eligibility for credit, insurance, and employment purposes.

Furthermore the FCRA:

(a) provides the right for consumers to ensure the accuracy of their data.

(b) includes “right to know” provisions to enable consumers to know all information in their files

(c ) grants consumer dispute rights

(d) requires opt-out options [ibid 4]

Consumer Privacy in India

Broadly, there are four potential avenues for the protection of consumer privacy in India.

1. Individual organizations may voluntarily commit to protect the information of their clients through “Privacy Policies” These become a component of the contractual commitments between the service providers and customers and are enforced through ordinary civil litigation.

2. Certain professions and industries have codes of privacy that they must statutorily abide by. This is true of such professions as the medical profession and the legal profession in India and the entire banking industry and the telecom industry. Rigorous privacy norms are set for each of these industries by their respective apex governing bodies. Penalties for breach include derecognition and monetary penalties.

3. Consumer privacy may be enforced by the specialized Consumer Dispute Tribunals under the Consumer Protection Act in India.

4. The newly amended Information Technology Act imposes an obligation on anyone controlling data to indemnify against losses caused by the leakage/improper use of that data.

Each of these mechanisms is discussed in some details below:

Privacy Policies:

Several Indian companies have publicly stated privacy policies that they display on their website. We have profiled the privacy policies of two such companies as a sample.

Airtel: Defines personal information, informs users how their information will be used, describes which third parties will have access to your information, provides the ability to opt-out of commercial SMSs, provides an email address for privacy concerns.

Rediff: Provides email for customer support, states what personal information is collected from you, what information is collected from you by cookies, what information is collected about you and stored, who will collect the information about you, how the information will be used to advertise to you and tailor to your preferences, states the rights that advertisers have to your information, disclaimer of responsibility for any other websites linked to the page, states that the information released in a chat room is considered public information, defines third party usage, defines security measures taken, lays out what choices the consumer has regarding collection and distribution of their information, contains opt-out clauses, defines personal information, defines cookies, explains that consumers have the ability to correct inaccurate information, requires youth consent [5].

Examples of Indian organizations without a privacy policy on websites: Canara bank, Andhra Bank, Indian railways, Air-India, BSNL, State Bank of India.

Note: The International Guide to Privacy suggests the following be included in privacy policies: description of the personal information collected by the website and third party, description of how the information is used and list of parties with whom it may be shared, a list of the options available regarding the collection, use, sharing and distribution of the information, a description of how inaccuracies can be corrected, a list of the websites that are linked to the organization’s site and a disclaimer that the organization is not responsible for the privacy practices of other sites, a description of how the information is safeguarded (both physically and electronically) against loss, misuse, and alteration, consent for use of personal information [6].

Professional/Industrial Regulations

As mentioned above, several professional bodies have privacy guidelines which their members must abide by.

Advocates

Rules of Professional Conduct have been framed under the Advocates Act and establishes a code of conduct to be followed by lawyers in order to protect the confidence, information, and data of a client. It is important to note that the obligation of confidentiality continues even after the client relationship is terminated. The Evidence Act further buttresses the confidentiality of clients by making information passed between lawyer and client subject to a special privilege [7].

Medical Practitioners

Similarly, in 2002, the Medical Council of India notified the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations which contain ethical injunctions backed by disciplinary action in cases of breaches. Several of these relate to privacy, for instance : Every physician is required to maintain medical records pertaining to indoor patients for a period of 3 years from the date of commencement of the treatment [8].

Article 2.2: Requires physicians to maintain Confidences concerning individual or domestic life entrusted by patients to a physician. Defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. The rule also requires the physician, controversially to evaluate “whether his duty to society requires him to employ knowledge, obtained through confidence as a physician, to protect a healthy person against a communicable disease to which he is about to be exposed”. In such an instance, the rules advice the physician to “act as he would wish another to act toward one of his own family in like circumstances.”

Article 7.14: Enjoins the registered medical practitioner not to disclose the secrets of a patient that have been learnt in the exercise of his / her profession except –

1. in a court of law under orders of the Presiding Judge;

2. in circumstances where there is a serious and identified risk to a specific

person and / or community; and

3. notifiable diseases.

Article 7.17: Forbids a medical practitioner from publishing photographs or case reports of patients without their permission, in any medical or other journal in a manner by which their identity could be made out. If the identity is not to be disclosed, however, the consent is not needed.

Important Case Law

In one of the most important cases to have come up on the issue of privacy, a person sued a hospital for having disclosed his HIV status to his fiancé without his knowledge resulting in their wedding being called off. In Mr. X vs Hospital Z, the Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. The supreme court while affirming the duty of confidentiality owed to patients, ruled that the right to privacy was not absolute and was “subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others.”[9] This case raises certain questions which might be worthwhile to consider:

1. Are there other ways in which the situation could have been handled – such as through proper counselling. Furthermore, it is important to establish what the role of a hospital is, and where their primary interest lies in protecting their patient and their patients data, and take into consideration the importance of consent in handling and disclosing personal information.

2. The argument that there is no absolute for privacy raises questions of who is determining the limits for disclosure of the man's HIV status. If his fiancé should be informed of his results, should his workplace , community, church? Do they face the same risks as his fiancé? Who is to be the judge of this risk?

Banking and Telecom Industry

The Banking and Telecom industry each have regulatory authorities which have periodically issued guidelines seeking to protect the privacy of customers. Thus, for instance, RBI's Customer Service statement obliges bankers to maintain secrecy, and not to divulge any information to third parties. Likewise, the TRAI has issued regulations on unsolicited commercial communications and has initiated steps to monitor confidentiality measures taken by telecom operators. More details are provided in the accompanying briefs that exclusively deal with the banking and telecom industries.

Consumer Protection Act 1986:

The Consumer Protection Act which was enacted with the objective to provide for better protection of the interests of the consumer has emerged as a major source of relief to those who have suffered violations of their privacy {10}.

Important Case Laws

In Rajindre Nagar Post Office vs. Sh Ashok Kriplani a post master was accused of not delivering a registered letter, opening it, and then returning it in a torn condition. It was determined that the tearing of the letter without delivery to addressee was a grave “deficiency in service” on the part of the appellant. It was ruled that the right of privacy of the respondent was infringed upon by the postman. Under the Consumer Protection Act 1986, compensation of Rs. 1000 was awarded as to the mental agony, harassment, and loss arising from the charge of deficiency in service. The importance of this case lies in the willingness of the courts to treat breach of privacy as a “deficiency of service”[11].

In January 2007, the Delhi State Consumer Disputes Redressal Commission imposed a fine of Rs. 75 lakh on a group of defendants including Airtel, ICICI and the American Express Bank for making unsolicited calls, messages and telemarketing. Although this decision was reversed on appeal by the Delhi High Court it confirms a trend of Consumer Dispute Redressal Commissions willing to take up cudgels on behalf of consumers for violations of their privacy.

Information Technology Act 2000 (Amended 2008)

In 2008, the Information Technology Act was amended to include an extremely salutary relief to people when a breach of privacy is occasioned by the leakage of data from computerised databases maintained by corporates. Thus, the newly inserted Section 43A states that if a “body corporate” is possessing, dealing, or handling any “sensitive personal data or information” in a computer resource which it owns, controls, or operates, and is negligent in implementing and maintaining “reasonable security practices and procedures” and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.

The Section further stipulates that the Central Government would come up with the reasonable security practices and procedures and would also define what constituted ‘personal sensitive information’.

Likewise, the newly introduced Section 72A declares that if “any person including an intermediary” secures access to any personal information about another person while providing services under the terms of lawful contract, and if he, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such information without the consent of the person concerned, or in breach of a lawful contract, he is liable to be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both [12].

Conclusion

In conclusion it is important to consider many elements when looking at an effective protective regime for consumer privacy :
1. Is a comprehensive data protection of a sectoral approach more suited to the needs of India?

2. Does India want to become compliant with international standards for data protection ?

3. How will privacy policies be enforced and how will organizations be held accountable for protection of client privacy under the legislation ?

4. Will consumers be notified if their information is breached? If so – what will be included in the breach notification?

5. How can a legislation ensure that consumers are aware of their privacy rights?

6. How can a privacy legislation address the need for different levels of protection for different types of data?

Bibliography:

1. Examples drawn from: Oussayef, karim. Selective Privacy: Facilitating Market Based Solutions to Data Breaches by Standardizing Internet Privacy Policies. 14 B U Journal Sci and Tech Law. 105 2008.

2. Organisation for Economic Co-operatioin and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security , July 25, 2002

3. Directive 95/46/EC of European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processting of personal data and on the ree movement of data

4. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg.34-4

5http://www.rediff.com/w3c/policy.html

6. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg. 161-164

7. The Advocates Act 1961http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf

8 Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations. Published in Part III, Section 4 of the Gazette of India, dated 6th April, 2002http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf.

9. (1998) 8 SCC 296:http://indiankanoon.org/doc/382721/

10. Indian Consumer Protection Act 1986http://www.legalhelpindia.com/consumer-protection-act.html.

11.http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm

12. Information Technology Act 2000: Amended 2008http://www.mit.gov.in/content/information-technology-act.

For more details visit https://cis-india.org/internet-governance/blog/privacy/consumer-privacy

Consumer Privacy

praskrishna — 2012-09-13T09:21:26Z

This chapter will examine the present legal state of consumer privacy in India and seek to understand the gap between policy and implementation of policy. In doing so, it will look at what are the existing avenues for protection of consumer privacy in India, how is the definition of consumer privacy evolving through case law and public opinion, and what are the current challenges to consumer privacy in India. Traditionally speaking, and according to the Consumer Protection Act, 1986, in India, a consumer is a broad label for any person who buys goods or services with the intent of using them for non-commercial purposes. In the typical sense, when people think of themselves as being consumers, they think about transactions with a vendor through a physical exchange of money in a store or through an online exchange for a product or service. Certain services that consumers use put an extraordinary amount of sensitive personal information into the hands of vendors.

For more details visit https://cis-india.org/internet-governance/consumer-privacy.pdf

Consumer Care Society: Silver Jubilee Year Celebrations

Arindrajit Basu — 2018-08-27T13:51:13Z

Arindrajit Basu delivered a talk the Silver Jubilee Celebrations of the Consumer Care Society (CCS )on 'Privacy and Security in the Age of the Internet.

CONSUMER CARE SOCIETY (CCS) is an active volunteer based not-for-profit organization involved in Consumer activities. Established as a registered society in the year 1994, CCS has for the past 3 decades functioned as the voice of consumer in many forums. Today CCS is widely recognized as an premier consumer voluntary organization (CVO) in Bangalore and Karnataka. CCS is registered with many goverenmental agencies and regulators like TRAI,BIS, Petroleum and Natural Gas Regulatory Board, DOT, ICMR at the Central Government levels and with almost all service providers at the State Level like BWSSB, BESCOM, BDA, BBMP.

Shreenivas.S. Galgali, ITS, Adviser, TRAI Regional Office, Bangalore and Aradhana Biradar, User Education and Research Specialist, Google were the other speakers at the event held at CCS.

For more details visit https://cis-india.org/internet-governance/blog/consumer-care-society-silver-jubilee-year-celebrations

Consultation to Frame Rules under the Whistle Blowers Protection Act, 2011

praskrishna — 2014-07-02T08:03:55Z

The National Campaign for People's Right to Information (NCPRI) and Centre for Communication Governance at National Law University, Delhi (CCG at NLUD) invite you to a consultation to draft rules under the Whistle Blowers Protection Act, 2011.

The consultation will bring together various stakeholders to discuss the initial stages of framing the draft rules for the legislation. It will take place from 10:00 a.m. to 5:00 p.m. on July 5, 2014 at National Law University, Delhi. Bhairav Acharya will be participating in this event.

Click to download:

For more details visit https://cis-india.org/news/consultation-to-frame-rules-under-whistle-blowers-protection-act-2011

Constitution of Group of Experts to Deliberate on Privacy Issues

praskrishna — 2012-01-04T07:49:37Z

It has been decided to constitute a Small Group of Experts under the Chairmanship of Justice A.P. Shah, Former Chief Justice, Delhi High Court, to identify the privacy issues and prepare a paper to facilitate authoring the Privacy Bill. The constitution of the proposed group and ToR are as follows:

Constitution of the Group

S.No.	Name	Designation
1	Justice A.P. Shah, Former Chief Justice, Delhi High Court	Chairman
2	Shri. R S Sharma, DG UIDAI	Member
3	Dr. Gulshan Rai, Director General CERT-In, DIT	Member
4	Sh. Rajiv Kapoor, JS, DOPT	Member
5	Representative, Department of Legal Affairs	Member
6	Sh. Som Mittal, President, NASSCOM	Member
7	Ms. Barkha Dutt, NDTV	Member
8	Dr. (Ms) Usha Ramanathan, Researcher & Advocate	Member
9	Sh. PraneshPrakash, Programme Manager, Centre for Internet & Society	Member
10	Dr. Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)	Member
11	Dr. Nagesh Singh, Adviser, Planning Commission	Member
12	Sh. R K Gupta, Adviser (CIT&I), Planning Commission	Member

Terms of Reference
- To study the Privacy laws and related bills promulgated by various countries.
- To make an in-depth analysis of various programmes being implemented by GoI from the point of view of their impact on Privacy.
- To make specific suggestions for consideration of the DOPT for incorporation in the proposed draft Bill on Privacy.
The Chairman may co-opt other Members to the group for their specific inputs.
The expenditure towards TA/DA in connection with the meetings of the Group in respect of the official members will be borne by their respective Ministries/Departments. Domestic travel in respect of non-Official Members of the group would be permitted by Air India (economy class) and the expenditure would be met by the Planning Commission.
The group will be serviced by the CIT & I Division, Planning Commission.
The group shall submit its report by 31st March 2012.

(S Bose)
Under Secretary to the Government of India

To:
The Chairman and all Members of the Group of Experts
Copy forwarded to:

PS to Deputy Chairman, Planning Commission
PS to MOS (Planning, PA, S&T and ES), Planning Commission
PS to all Members of the Planning Commission
PS to Member Secretary, Planning Commission
Director (PC), IFA unit,Deputy Secretary (Admn.),Planning Commission
Administration/Accounts/General Branches, Library, CIT & I Division, Planning Commission
Information Officer, Planning Commission

(S Bose)
Under Secretary to the Government of India

Download the PDF we got from the Planning Commission.

For more details visit https://cis-india.org/news/constitution-of-group-of-experts

Consilience – 2013

praskrishna — 2013-11-20T06:15:15Z

The Law and Technology Committee of National Law School of India University, Bangalore is organising ‘Consilience – 2013′, an annual conference on law and technology, to be held on May 25 and 26, 2013. The Centre for Internet and Society is a co-partner for this event.

Theme: Data Protection and Cyber Security in India. Click to read the report here.

Topics:
Frameworks for Data Protection in India: The J. A.P. Shah “Report of the Group of Experts on Privacy”

a. What is the scope of the principles/framework?

b. What could be the strengths and limitation of their application?

c. How does Report define privacy for India?

d. Would an alternative framework for privacy in India be better? If so, what would this framework look like?

India and the EU: The Privacy Debate

a. How does the Indian data protection regime differ from the EU regime?

b. Was the EU is justified in not accepting India as a data secure country? Reason for or against.

c. In what way does the Indian regime on data protection not meet the requirements of EU’s data protection directive?

d. What changes need to be made in the Indian regime to become EU compliant? Are these changes feasible? Should India make these changes?

Governmental Schemes, Data Protection, and Security

a. In India, do private public partnerships between government and the private sector adequately incorporate data protection standards?

b. What have been concerns related to data protection and security that have arisen from government schemes? (Please use two governmental schemes as case studies)

c. Are these concerns related to the policy associated with the project – the architecture of the project as well as the implementation?

d. Should the larger question of data protection for governmental schemes be incorporated into a privacy legislation? If yes, how so?

Contracts and Data Protection in India

a. How are contracts used to ensure data protection in India? What actors use contracts?

b. Are there weaknesses in using contracts to ensure data protection standards?

c. Do contracts address questions brought about from technology like the cloud?

Cyber security in India

a. What are the perceived challenges and threats to cyber security in India?

b. Are these currently being addressed through policy/projects? If yes, how so?

c. How does India’s cyber security regime compare to other countries?

Surveillance and Cyber Security

a. Does policy in India enable the Government of India to surveil individuals for reasons related to cyber security?

b. If so – through what policy, projects, legislation?

c. Do the relevant policies, projects, and legislation impact privacy? How so?

The Draft National Cyber Security Policy

a. What is the scope of the National Cyber Security Policy of India? Does the draft policy adequately address all of the concerns within the ambit of cyber security?

b. Would the Draft National Cyber Security Policy of India be effective in meeting the goal of enhancing cyber security levels in India?

c. How does the Draft National Cyber Security Policy compare to other countries cyber security policies?

Word Limit:

Abstract: 750-800 words

Paper: 2,500 words

Deadlines:

Abstract Submission: April 30, 2013

Paper Submission: May 15, 2013

Contact Details:

consilience2013[at]gmail[dot]com

Mohak Arora: +91-90359-21926

Shivam Singla: +91-99167-08701

Each participant is required to submit an abstract on any one of the seven topics above and can choose the specific issue within the selected topic to discuss.

For additional details, click here.

For more details visit https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore