The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 21 to 35.
Comparison of Section 35(1) of the Draft Human DNA Profiling Bill and Section 4 of the Identification Act Revised Statute of Canada
https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions
<b>A comparison of section 35(1) of the Draft Human DNA Profiling Bill, section 4 of the Identification Act, Revised Statute of Canada, and a review of international best practices. </b>
<p style="text-align: justify; ">In continuance of research around the <a href="https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012">Draft Human DNA Profiling Bill</a> that has been drafted the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares the section 35(1) of the Draft Human DNA Profiling Bill and section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.</p>
<h3 style="text-align: justify; ">Indian Provision</h3>
<p style="text-align: justify; ">35 (1) “<i>On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely – </i></p>
<p style="text-align: justify; "><i>(a) </i><i>As to whether the DNA profile received is already contained in the Data Bank; and </i></p>
<p style="text-align: justify; "><i>(b) </i><i>Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. </i></p>
<p style="text-align: justify; "><i>(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”</i></p>
<h3 style="text-align: justify; ">Canadian Provision vs. Indian Provision</h3>
<p style="text-align: justify; ">According to the Draft Human DNA Profiling Bill 35(1) was adopted from the DNA Identification Act Revised Statute of Canada section 4. The provision found in the Draft Human DNA Profiling Bill is different in three ways:</p>
<ol>
<li style="text-align: justify; ">The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, where as the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, other DNA data banks, and courts and tribunals. </li>
<li style="text-align: justify; ">The Canadian statute limits the comparison of any DNA profile to that as entered in the convicted offenders index or the crime scene index with those DNA profiles that are already contained in the databank, where as the Draft Human DNA Profiling Bill allows for any received profile to be compared with the other profiles in the DNA Data Bank. </li>
<li style="text-align: justify; ">The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA databank including: </li>
</ol> <ol><ol>
<li>(<i>a</i>) if the DNA profile is not already contained in the data bank, the fact that it is not;</li>
<li style="text-align: justify; ">(<i>b</i>) if the DNA profile is already contained in the data bank, the information contained in the data bank in relation to that DNA profile;</li>
<li style="text-align: justify; ">(<i>c</i>) if the DNA profile is, in the opinion of the Commissioner, similar to one that is already contained in the data bank, the similar DNA profile; and</li>
<li style="text-align: justify; ">(<i>d</i>) if a law enforcement agency or laboratory advises the Commissioner that their comparison of a DNA profile communicated under paragraph (<i>c</i>) with one that is connected to the commission of a criminal offence has not excluded the former as a possible match, the information contained in the data bank in relation to that profile.</li>
</ol></ol>
<p>While the Draft Human DNA Profiling Bill provides for communication of only (a) and (b) by the DNA Data Bank Manager.</p>
<h3>Concerns with 35(1) and Best Practices</h3>
<p style="text-align: justify; ">The Centre for Internet and Society finds 35(1) problematic because a DNA profile is never a complete match, and is instead a scientific and statistical based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “<i>1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.</i>”<a name="fr1"></a></p>
<p style="text-align: justify; ">Though it is common for DNA Banks to communicate responses such as “match”, “no match”, or “partial match” or “inclusion”, “exclusion”, or “inconclusive” to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example in England and Wales guidelines for presenting DNA evidence in court were laid out in the rule Rv. Dohemy and Adams (1997) 1 Cr. App. R. 396. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:</p>
<ul>
<li style="text-align: justify; ">“The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability. </li>
<li style="text-align: justify; ">Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations. </li>
<li style="text-align: justify; ">The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made. </li>
<li style="text-align: justify; ">The expert will, on the basis of empirical statistical data, five the jury the random occurrence rations - the frequency with which the matching DNA characteristics are likely to be found in the population at large. </li>
<li style="text-align: justify; ">Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”<a name="fr2"></a></li>
</ul>
<h3>Recommendations</h3>
<p style="text-align: justify; ">Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The Centre for Internet and Society recommends that the Bill should distinguish the DNA Bank Manager’s response to law enforcement and other DNA Laboratory’s and the DNA Bank Manger’s response to courts and tribunals as below:</p>
<ul>
<li style="text-align: justify; "><strong>Response to Law enforcement agency and DNA Laboratory:</strong> The DNA Bank Manger should respond to a request from law enforcement or a DNA laboratory with either: "match" or "partial match" .</li>
<li style="text-align: justify; "><strong>Response to Court and tribunal:</strong> When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:</li>
</ul>
<ol>
<li style="text-align: justify; ">The random match probability: The probability that the profile is in the sample from the individual tested if the individual tested has been selected at random. </li>
<li>The frequency with which the matching DNA characteristics are likely to be found in the population at large.</li>
<li>The probability of contamination. </li>
</ol>
<p style="text-align: justify; ">The Bill should also provide for the database upon which the calculations were based to be made available when requested. In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.</p>
<ul>
</ul>
<hr />
<p>[<a name="fn1"></a>]. <a class="external-link" href="http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx">http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx</a></p>
<p><a class="external-link" href="http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx">[<span>2</span>].</a> <a class="external-link" href="http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf">http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions'>https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2014-03-03T08:20:55ZBlog EntryDraft Human DNA Profiling Bill (April 2012): High Level Concerns
https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012
<b>In 2007 the Draft Human DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, with the objective of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked. The February 2012 Bill was drafted by the Department of Biotechnology. Another working draft of the Bill was created in April 2012. The most recent version of the Bill seeks to create DNA databases at the state, regional, and national level. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Each database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of establishing identity in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and creating a DNA board for overseeing the carrying out of the Act. Though it is important to carefully regulate the use of DNA for criminal purposes, and such a law is needed in India, the present working draft of the Bill is lacking important safeguards and contains overreaching provisions, which could lead to violation of individual rights. The text of the 2012 draft is still being discussed and has not been finalized. Below are high level concerns that CIS has with the April 2012 draft Human DNA Profiling Bill.</p>
<h3 style="text-align: justify; ">Broad offences and instances of when DNA can be collected</h3>
<p style="text-align: justify; ">The schedule of the Bill lists applicable instances for human DNA profiling and addition to the DNA database. Under this list, the Bill lays out nine Acts, for example the Indian Penal Code and the Protection of Civil Rights Act, and states that offences under these Acts are applicable instances of human DNA profiling. This allows the scope of the database to be expansive, as any individual who has committed an offence found under any of these Acts to be placed on the DNA database, and might include offences for which DNA evidence is not useful.</p>
<p style="text-align: justify; ">In the schedule under section C <b>Civil disputes and other civil matters </b>the Bill lists a number of civil disputes and civil matters for which DNA can be taken and entered onto the database. For example:</p>
<ul style="text-align: justify; ">
<li><i>(v) Issues relating to immigration or emigration </i></li>
<li><i>(vi) Issues relating to establishment of individual identity </i></li>
<li><i>(vii) Any other civil matter as may be specified by the regulations of the Board </i></li>
</ul>
<p style="text-align: justify; ">In these instances no crime has been committed and there is no justification for taking the DNA of the individual without their consent. In cases of civil disputes</p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>Offences for which DNA can be collected must be criminal and must be specified individually by the Bill. When DNA is used in civil cases, the consent of the individual must be taken. In civil cases a DNA profile should not be stored on the database. DNA profiling and storage on a database should not be allowed in instances like v, vi, vii listed above.</p>
<h3 style="text-align: justify; ">Inadequate level of authorization for sharing of information</h3>
<p style="text-align: justify; ">The Bill allows for the DNA Data Bank Manager to determine when it is appropriate to communicate whether the DNA profile received is already contained in the Data Bank, and any other information contained in the Data Bank in relation to the DNA profile received.</p>
<ul style="text-align: justify; ">
<li>Section 35 (1): “…<i>shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency, or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely (a) as to whether the DNA profile received is already contained in the Data Bank; and (b) any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.</i>”</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The Data Bank Manager should not be given the power to determine appropriate instances for the communication of information. Law enforcement agencies, DNA laboratories, etc. should be required to gain prior authorization, from the DNA Board, before requesting the disclosure of information from the DNA Data Bank Manager. Upon receiving proof of authorization, the DNA databank can share the requested information.</p>
<h3 style="text-align: justify; ">Inaccurate understanding of infallibility of DNA</h3>
<p>The preamble to the Bill inaccurately states:</p>
<p style="text-align: justify; "><i>The Dexoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any between two individuals, living or dead without any doubt.</i></p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>The Bill should recognize that DNA evidence is not infallible. For example, false matches can occur based on the type of profiling system used, and that error can take place in the chain of custody of the DNA sample.</p>
<p style="text-align: justify; "><i>The “definition” of DNA profiling is too loose in the Bill. Any technology used to create DNA profiles is subject to error. The estimate of this error should be experimentally obtained, rather than being a theoretical projection.</i></p>
<h3 style="text-align: justify; ">Inadequate access controls</h3>
<p style="text-align: justify; ">The Bill only restricts access to information on the DNA database that relates to a victim or to a person who has been excluded as a suspect in relevant investigations.</p>
<p style="text-align: justify; "><i>Section 43: Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from a) a victim of an offence which forms or formed the object of the relevant investigation, or b) a person who has been excluded as a suspect in the relevant investigation.</i></p>
<p style="text-align: justify; "><b>Recommendation:</b> Though it is important that access is restricted in these instances, access should also be restricted for: volunteers, missing persons, and victims. Broad access to every index in the database should not be permitted when a DNA sample for a crime is being searched for a match. Ideally, a crime scene index will be created, and samples will only be compared to that specific crime scene. The access procedure should be transparent with regular information published in an annual report, minutes of oversight meetings taken, etc.</p>
<h3 style="text-align: justify; ">Lack of standards and process for collection of DNA samples</h3>
<p style="text-align: justify; ">In three places the Bill mentions that a procedure for the collection of DNA profiles will be established, yet no process is enumerated in the actual text of the Bill.</p>
<ul>
<li style="text-align: justify; "><i>Section 12 (w) “The Board will have the power to… specify by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule. </i></li>
</ul>
<ul>
<li style="text-align: justify; "><i>Section 66(d) “The Central Government will have the power to make Rules pertaining to… The list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule under clause (w) of section 12. </i></li>
<li style="text-align: justify; "><i>Schedule: In the title “List of applicable instances of Human DNA Profiling and Sources and Manner of Collection of Samples for DNA Profiling”. But the schedule does not detail the manner of collection of samples for DNA profiling</i>.</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: According to the Criminal Procedure Code, section 53 and 54, DNA samples can only be collected by certified medical professionals. This must be reflected by the Bill. The Bill should also state that the collection of DNA must take place in a secure location and in a secure manner. When DNA is collected, consent must be taken, unless the individual is convicted of a crime for which DNA evidence is directly relevant or the court has ordered the collection. When DNA is collected, personal identification information should not be sent with samples to laboratories, and all transfers of data (from police station to lab) must be secure. Upon collection, information regarding the collection of information and potential use and misuse of DNA information must be provided to the individual.</p>
<h3 style="text-align: justify; ">Inadequate appeal process</h3>
<p style="text-align: justify; ">The provisions in the Bill allow aggrieved individuals to bring complaints to the DNA Board. If the complaint is not addressed, the individual can take the complaint to the court. Though grievances can be taken to the Board and the court, it is not clear if the individual has the right to appeal the collection, analysis, sharing, and use of his/her DNA. The text of section 58 implies that the Board and the Central government will have the power to take action based on complaints. This power was not listed above in the sections where the powers of the board and the central government are defined, thus it is unclear what actions the Board or the Central Government would be able to take on complaint.</p>
<p style="text-align: justify; "><i>Section 58: No court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder save on a complaint made by the Central Government or its officer or Board or its officer or any other person authorized by them: Provided that nothing contained in this sub-section shall prevent an aggrieved person from approaching a court, if upon his application to the Central Government or the Board, no action is taken by them within a period of three months from the date of receipt of the application.</i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Individuals should be allowed to appeal a decision to collect DNA or share a DNA profile, and take any grievance directly to the court. If the Board or the Central Government will have a role in hearing complaints, etc. These must be enumerated in the provisions of the Act.</p>
<h3 style="text-align: justify; ">Inclusion of population testing</h3>
<p style="text-align: justify; ">Though the main focus of the Bill is for the use of DNA in criminal and civil cases, the provisions of the Bill also allow for population testing and research to be done on collected samples.</p>
<p style="text-align: justify; "><i>Section 4: The Board shall consist of the following Members appointed from amongst persons of ability, integrity, and standing who have knowledge or experience in DNA profiling including.. (m) A population geneticist to be nominated by the President, Indian National Science Academy, Den Delhi-Member. </i></p>
<p style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely, (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, or the purposes of identification research, protocol development or quality control provide that it does not contain any personally identifiable information and does not violate ethical norms. </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Delete these provisions. If DNA testing is going to done for population analysis purposes, regulations for this must be provided for in a separate legislation, stored in separate database, informed consent taken from each participant, and an ethics board must be established. It is not sufficient or ethical to conduct population testing only on DNA samples from victims, offenders, suspects, and volunteers.</p>
<h3 style="text-align: justify; ">Provisions delegated to regulation that need to be incorporated into text of Bill</h3>
<p style="text-align: justify; ">The Bill empowers the board to formulate regulations for, and the Central Government to make Rules to, a number of provisions that should be within the text of the Bill itself. By leaving these provisions to Regulations and Rules, the Bill is a skeleton which when enacted will only allow for DNA Labs to be certified and DNA databases to be established. Aspects that need to be included as provisions include:</p>
<p style="text-align: justify; "><i>Section 12: The Board shall exercise and discharge the following functions for the purposes of this Act namely </i></p>
<ul>
<li style="text-align: justify; "><i>Section 12(j) – authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(p) – making specific recommendations to (ii) ensure the accuracy, security, and confidentiality of DNA information, (iii) ensure the timely removal and destruction of obsolete, expunged or inaccurate DNA information (iv) take any other necessary steps required to be taken to protect privacy.</i></li>
<li style="text-align: justify; "><i>Section 12(w) – Specifying, by regulation, the list of applicable instances of human DNA profiling and the sources a manner of collection of samples in addition to the lists contained in the Schedule. </i></li>
<li style="text-align: justify; "><i>Section 12(u) – establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(x) – Enumerating the guidelines for storage of biological substances and their destruction. </i></li>
</ul>
<p style="text-align: justify; "><i>Section 65(1) The Central Government may, by notification, make rules for carrying out the purposes of this Act</i></p>
<ul>
<li style="text-align: justify; "><i>Section 65 (c) – The officials who are authorized to receive the communication pertaining to information as to whether a person’s DNA profile is contained in the offenders’ index under sub-section (2) of section 35</i></li>
<li style="text-align: justify; "><i>Section 65 (d) – The manner in which the DNA profile of a person from the offenders’ index shall be expunged under sub-section (2) of section 37</i></li>
<li style="text-align: justify; "><i> Section 65 (e) – The manner in which the DNA profile of a person from the offender’s index shall be expunged under sub-section (3) of section 37 </i></li>
<li style="text-align: justify; "><i>Section 65 (h) – The manner in which access to the information in the DNA data Bank shall be restricted under section 43 </i></li>
<li style="text-align: justify; "><i>Section 65 (zg) – Authorization of other persons, if any, for collection of non-intimate forensic procedures under Part II of the Schedule. </i></li>
</ul>
<h3>Broad Language that needs to be specified or deleted</h3>
<p style="text-align: justify; ">There are a number of places in the Bill which use broad and vague language. This is problematic as it expands the potential scope of the Bill. Instances where broad language is used includes:</p>
<p>Preamble: <i>There is, thus, need to regulate the use of human DNA Profiles through an Act passed by the Parliament only for Lawful purposes of establishing identity in a criminal or civil proceeding and for other specified purposes.</i></p>
<ul>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (j) authorizing procedures for communications of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (y) undertaking any other activity which in the opinion of the Board advances the purposes of this Act. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (z) performing such other functions as may be assigned to it by the Central Government from time to time. </i></li>
<li style="text-align: justify; "><i>Section 32: The indices maintained under sub-section (4) shall include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 15 of the Act and of records relating thereto, in accordance with the standards as may be specified by the regulations made by the Board.</i></li>
<li style="text-align: justify; "><i>Section 35 (1) On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Data Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank and shall communication, for purposes of the investigation or prosecution in a criminal offence, the following information…(a) as to whether the DNA profile received is already contained in the Data Bank and (b) any information other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. (2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.</i></li>
<li style="text-align: justify; "><i>Section 39: All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule. Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part 1 of the Schedule for other purposes as may be specified by the regulations made by the board. </i></li>
<li style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely (g) for any other purposes, as may be prescribed. </i></li>
<li style="text-align: justify; "><i>Schedule, C Civil disputes and other civil matters vii) any other civil matter as may be specified y the regulations made by the Board. </i></li>
</ul>
<p><b>Recommendation</b>: All broad and vague language should be deleted and replaced with specific language.</p>
<h3>Jurisdiction</h3>
<ul>
<li>Section 1(2) It extends to the whole of India.</li>
</ul>
<ul>
<li style="text-align: justify; ">Section 2(f) “Crime scene index” means an index of DNA profiles derived from forensic material found (i) at any place (whether within or outside of India) where a specified offence was, or is reasonably suspected of having been, committed. </li>
</ul>
<p style="text-align: justify; ">The validity of DNA profiles found outside of India is unclear as the Act only extends to the whole of India.</p>
<h3>Inconsistent provisions</h3>
<p style="text-align: justify; ">The Bill contains provisions that are inconsistent including:</p>
<ul>
<li style="text-align: justify; "><i>Preamble … from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto. </i></li>
<li style="text-align: justify; "><i>Section 32 (1) The Central Government shall, by notification establish a National DNA Data Bank and as many Regional DNA Data Banks there under for every State or a group of States, as necessary. (2) Every State Government may, by notification establish a State DNA Data Bank which shall share the information with the National DNA Data Bank. The National DNA Data Bank shall receive DNA data from State DNA Data Banks…</i></li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The introduction to the Bill states that only a National DNA Data Bank will be established, yet in the provisions of the Bill it states that Regional and State level DNA databanks will also be established. It should be clarified in the introduction to the Bill that state level, regional level, and a national level DNA database will be created.</p>
<h3 style="text-align: justify; ">Inadequate qualifications of DNA Data Bank Manager</h3>
<p style="text-align: justify; ">Section 33: “<i>The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member –Secretary of the Board. The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics.</i>”</p>
<p style="text-align: justify; "><b>Recommendation</b>: This is not sufficient qualifications. The DNA Data Bank Manager needs to have experience and expertise handling, working with, and managing DNA for forensic purposes.</p>
<h3 style="text-align: justify; ">Lack of restrictions on labs seeking certification</h3>
<p style="text-align: justify; ">According to section 16(2), before withdrawing approval granted to a DNA laboratory...the Board will give time to the laboratory...for taking necessary steps to comply with such directions...and conditions.” <br /><b>Recommendation</b>: This section should specify that during the time period of gaining certification, the DNA laboratory is not allowed to process DNA.</p>
<h3 style="text-align: justify; ">Incomplete terms for use of DNA in courts</h3>
<p style="text-align: justify; ">Section 45 of the Bill allows any individual undergoing a sentence of imprisonment or under sentence of death to apply to the court which convicted him for an order for DNA testing. The Bill lists seven conditions that must be met for this DNA evidence to be accepted and used in court. <br /><b>Recommendation</b>: This section speaks only to the use of DNA in courts upon request by a convicted individual. This section should lay down standards for all instances of use of DNA in courts. Included in this, the provision should clarify that when DNA is used, corroborating evidence will be required in courts, and if confirmatory samples will be taken from defendants. Individuals should also have the right to have a second sample taken and re-analyzed as a check, and individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.</p>
<h3 style="text-align: justify; ">Inadequate privacy protections</h3>
<p style="text-align: justify; ">Besides section 38 which requires that all DNA profiles, samples, and records are kept confidential, the Bill leaves all other privacy protections to be recommended by the DNA profiling Board.</p>
<p style="text-align: justify; "><i>Section 12(o) The Board shall exercise and discharge the following functions…“Making recommendation for provision of privacy protection laws, regulations and practices relating to access to, or use of, store DNA samples or DNA analyses with a view to ensure that such protections are sufficient.” </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Basic privacy protections such as access, use, and storage of DNA samples should be written into the provisions of the Bill and not left as recommendations for the Board to make.</p>
<h2 style="text-align: justify; ">Missing Provisions</h2>
<ol> </ol><ol>
<li style="text-align: justify; "><b>Notification to the individual:</b> There are no provisions that ensure that notification is given to an individual if his/her information is legally accessed or shared. Notification to the individual would be appropriate in section 36, which allows for the sharing of DNA profiles with foreign states, and section 35, which allows for the sharing of information with a court, tribunal, law enforcement agency, or DNA laboratory. As part of the notification, an individual should be given the right to appeal the decision.</li>
<li style="text-align: justify; "><b>Consent: </b>There are no provisions which speak to consent being taken from individuals whose DNA is collected. Consent must be taken from volunteers, missing persons (or their families), victims, and suspects. DNA can be taken compulsorily from offenders after they have been convicted. If an individual refuses to provide a DNA sample, a judge can override the decisions and order that a DNA sample be taken. In all cases that DNA is collected without consent, it must be clear that DNA evidence is directly relevant to the case.</li>
<li style="text-align: justify; "><b>Right to request deletion of DNA profile from database: </b>There are no provisions which give volunteers (children volunteers when they become adults), victims, and missing persons the right to request that their profile be deleted from the DNA database. This could be provided in section 37 which speaks to the expunction of records of acquitted convicts. </li>
<li style="text-align: justify; "><b>Right of individuals to bring a private cause of action: </b>There are no provisions which give the individual the right to bring a privacy cause of action for the unlawful storage of private information in the national, regional, or state DNA database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Right to review one's personal data: </b>There are no provisions that allow an individual to review his/her information contained on the state, regional, or national database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Independence of DNA laboratories and DNA banks from the police: </b>There are no provisions which ensure that DNA laboratories and DNA data banks remain independent from the police. This is an important check in ensuring against the tampering of DNA evidence. </li>
<li style="text-align: justify; "><b>Established profiling standard: </b>The Bill does not mandate the use of one single profiling standard. This is important in order to minimize false matches occurring by chance and to ensure consistency across DNA testing and profiling. </li>
<li style="text-align: justify; "><b>Destruction of DNA samples: </b>There are no provisions mandating that original samples of DNA be deleted. DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them – allowing for sufficient time for quality assurance (six months). Furthermore, only a barcode and no identifying details should be sent to labs with samples for analysis.</li>
</ol>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul style="text-align: justify; ">
</ul>
<ul>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012'>https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:36:59ZBlog EntryUnique Identification Scheme (UID) & National Population Register (NPR), and Governance
https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note
<b>This post examines the UID, NPR and Governance as it exists in India. The background note gives a summary of what is the NPR, the legal grounding of NPR, its objectives, and the information which could be collected under the NPR. The post also throws light on the UID, its objectives, process of enrollment in UID, how UID is being adopted by different states in India, and finally the differences and controversies in UID and NPR.</b>
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h2 style="text-align: justify; ">Video</h2>
<p><iframe frameborder="0" height="315" src="http://www.youtube.com/embed/P1CdCkdKtcU" width="315"></iframe></p>
<p><i>The above video is from the "UID, NPR, and Governance" conference held on March 2, 2013 at TERI, Bangalore</i>.</p>
<hr />
<p style="text-align: justify; "><b>What is the NPR?<br /></b>In 2010, the Government of India initiated the NPR which entails the creation of the National Citizens Register. This register is being prepared at the local, sub-district, district, state and national level. The database will contain thirteen categories of demographic information and three categories of biometric data collected from all residents aged five and above. Collection of this information was initially supposed to take place during the House listing and Housing Census phase of Census 2011 during April 2010 to September 2010.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; "><b>What is the legal grounding of the NPR? </b><br />The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules 2003. It is <i>mandatory </i>for every usual resident in India to register in the NPR as per Section 14A of the Citizenship Act, 1955, as amended in 2004. The collection of biometrics is not accounted for in the statute or rules.</p>
<p style="text-align: justify; "><b>What are the objectives of the NPR? </b><br />The objectives of the NPR as stated by the Citizenship Act is for the creation of a National Citizen Register. The National Citizen Register is intended to assist in improving security by checking for illegal migration. Additional objectives that have been articulated include: providing services to the residents under government schemes and programmes, checking for identity frauds, and improving planning.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; "><b>What is the process of enrollment for the NPR?</b><br />NPR enrollment is being carried out through house to house canvassing. The Office of the Registrar General and Census Commissioner, India has assigned Department of Information Technology (DIT) the responsibility of collecting and digitizing demographic data in 17 states and 2 Union Territories of India.<a href="#fn2" name="fr2">[2]</a> Collected information will then be printed and <i>displayed in the local area </i>where it is scrutinized by local officers and vetted by local bodies called ´Gram Sabha/Ward Committees´.<a href="#fn4" name="fr4">[4]</a> This process of social audit is meant to bring in transparency, equity, and ensure accuracy.</p>
<p style="text-align: justify; "><b>What information will be collected under the NPR?</b><br />The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection biometrics has not been provided for in the text of the Citizenship Rules, and is instead appears to be authorized through guidelines,<a href="#fn5" name="fr5">[5]</a> which do not have statutory backing. Currently, two iris scans, ten fingerprints, and a photograph are being collected. According to a 2010 Committee note, only the photograph and fingerprints were initially envisioned to be collected.</p>
<p style="text-align: justify; "><b>What is the Resident Identity Card? </b><br />The proposed Resident Identity card is a smart card with a micro-processor chip of 6.4 Kb capacity; the demographic and biometric attributes of each individual will be personalized in this chip. The UID number will be placed on the card as well. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; "><b>What is the UID?<br /></b>The Unique Identification Authority of India (UIDAI) was established in January 2009 and is part of the Planning Commission of India. UIDAI aims to provide a unique 12 digit ID number to all residents in India on a voluntary basis. The number will be known as AADHAAR. The UIDAI will own and operate a Unique Identification Number database which will contain biometric and demographic data of citizens.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; "><b>What is the objective of the UID?<br /></b>According to the UIDAI, the UID will provide identity for individuals. The scheme has been promoted by the UIDAI as enabling a number of social benefits including improving the public distribution system, enabling financial inclusion, and improving the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS). Despite these benefits, the UIDAI only guarantees identity, and does not guarantee rights, benefits or entitlement.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; "><b>What is the process for enrollment in the UID?</b><br />To enroll in the UID, individuals must go to enrollment centers with the appropriate documentation. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail.<a href="#fn9" name="fr9">[9]</a> The UIDAI will enroll up to 600 million residents in 16 States and territories.<a href="#fn10" name="fr10">[10]</a> Online registration prior to enrollment at a Center is also now being offered.</p>
<p style="text-align: justify; "><b>How is UID being adopted by different States? </b><br />The adoption of the UID by different states and platforms has been controversial as the UID is not a mandatory number, yet with states and services adopting the number for different governmental services, the UID is becoming mandatory by default. Some ways in which states are using the UID include:</p>
<ul>
<li style="text-align: justify; "><i>Gas and vehicles</i>: The UPA Government has required that citizens have a UID number for services such as purchasing cooking gas, issuing a RTI request, and registering vehicles.<a href="#fn11" name="fr11">[11]</a></li>
<li style="text-align: justify; "><i>Education</i>: The Kerala government has required that all students must have UID number in order to be tracked through the system.<a href="#fn12" name="fr12">[12] </a>This mandate was questioned by the National Commission for Protection of Child Rights.</li>
<li style="text-align: justify; "><i>First Information Reports (FIR’s)</i>: The high court in Bombay has ordered the state home department to direct all police stations in Maharashtra to record the Unique Identification (UID) numbers of accused individuals and witnesses filing a FIR.<a href="#fn13" name="fr13">[13]</a> </li>
<li style="text-align: justify; "><i>Banks</i>: The National Payment Corporation of India has collaborated UIDAI and is issuing ‘RuPay cards’ (Dhan Aadhaar cards) which will serve as ATM/micro-ATM cards. In 2011 the Bank of India had issued 250 cards.<a href="#fn14" name="fr14">[14]</a></li>
<li style="text-align: justify; "><i>Railway</i>: Railways are proposing to use the UID database for bookings and validation of passengers.<a href="#fn15" name="fr15">[15]</a></li>
<li style="text-align: justify; "><i>Social Security</i>: Commencing January 1, 2013, MGNREGA, the Rajiv Gandhi Awas Yojana (RGAY), the Ashraya housing scheme, Bhagyalakshmi and the social security and pension scheme have included the UID in the Mysore district</li>
</ul>
<p><b>Has there been duplication of UID numbers?</b><br />According to news reports:</p>
<ul>
<li style="text-align: justify; ">The UIDAI has blacklisted an operator and a supervisor in Andhra Pradesh for issuing fake UID numbers.</li>
</ul>
<ul>
<li style="text-align: justify; ">The UIDAI is looking into six complaints regarding the misuse of personal data while issuing the UID numbers to individuals.</li>
</ul>
<ul>
<li>The UIDAI has received two received complaints regarding duplication of UID numbers.<a href="#fn17" name="fr17">[17]</a></li>
</ul>
<p><b>What are the differences between the UID and NPR?<br /></b></p>
<ul>
<li style="text-align: justify; "><i>Voluntary vs. Mandatory:</i> It is compulsory for <i>all </i>Indian residents to register with the NPR, while registration with the UIDAI is considered voluntary. However, the NPR will store individuals UID number with the NPR data and place it on the Resident Indian Card. In this way and others, the UID number is becoming compulsory by various means. </li>
<li style="text-align: justify; "><i>Number vs. Register:</i> UID will issue a number, while the NPR is the prelude to the National Citizens Register. Thus, it is only a Register. Though earlier the MNIC card was implemented along the coastal area, there has been no proposal to extend the MNIC to the whole country. The smart card that is proposed under the NPR has only been raised for discussion, and there has been no official decision to issue a card.</li>
<li style="text-align: justify; "><i>Statute vs. Bill:</i> The enrollment of individuals for the NPR is legally backed by the Citizenship Act, except in relation to the collection of biometrics, while the UID as proposed a bill which has not been passed for the legal backing of the scheme. </li>
<li style="text-align: justify; "><i>Authentication vs. Identification:</i> The UID number will serve as an authenticator during transactions. It can be adopted and made mandatory by any platform. The National Resident Card will signify resident status and citizenship. It is unclear what circumstances the card will be required for use in. </li>
<li style="text-align: justify; "><i>UIDAI vs. RGI:</i> The UIDAI is responsible for enrolling individuals in the UID scheme, and the RGI is responsible for enrolling individuals in the NPR scheme. It is important to note that the UIDAI is located in the Planning Commission, but its status is unclear, as the NIC had indicated that the data held is not being held by the government. </li>
<li style="text-align: justify; "><i>Door to door canvassing vs. center enrollment</i>: Individuals will have to go to an enrollment center and register for the UID, while the NPR will carry out part of the enrollment of individuals through door to door canvassing. Note: Individuals will still have to go to centers for enrolling their biometrics for the NPR scheme. </li>
<li style="text-align: justify; "><i>Prior documentation vs. census material:</i> The UID will be based off of prior forms of documentation and identification, while the NPR will be based off of census information.</li>
<li style="text-align: justify; "><i>Online vs. Offline:</i> For authentication of an individual’s UID number, the UID will require mobile connectivity, while the NPR can perform offline verification of an individual’s card. </li>
</ul>
<p><b>What is the controversy between the UID and NPR? </b></p>
<ul>
<li style="text-align: justify; "><i>Effectiveness:</i> There is controversy over which scheme would be more effective and appropriate for different purposes. For example, the Ministry of Home Affairs has argued that the NPR would be more suited for distributing subsidies than the UID, as the NPR has data linking each individual to a household.<a href="#fn18" name="fr18">[18]</a></li>
<li style="text-align: justify; "><i>Legality of sharing data</i>: Both the legality of the UID and NPR collecting data and biometrics has been questioned. For example, it has been pointed out that the collection of biometric information through the NPR, is beyond the scope of subordinate legislation. Especially as this appears to be left only to guidelines.<a href="#fn19" name="fr19">[19]</a> Collection of any information under the UID scheme is being questioned as the Bill has not been approved by the Parliament.</li>
<li style="text-align: justify; "><i>Accuracy</i>: The UIDAI's use of multiple registrars and enrolment agencies, the reliance on 'secondary information' via existing ID documents for enrollment in the UID, and the original plan to enroll individuals via the 'introducer' system has raised by Home Minister Chidambaram in January 2012 about how accurate the data collected by the UID is is that will be collected.<a href="#fn20" name="fr20">[20]</a> To this extent, the UIDAI has changed the introducer system to a ‘verifier’ system. In this system, Government officials verify individuals and their documents prior to enrolling them.</li>
<li style="text-align: justify; "><i>Biometrics</i>: Though biometrics are mandatory for the UID scheme, according to information on the NPR website, if an individual has already enrolled with the UID, they will not need to provide their biometrics again for the NPR. Application of this standard has been haphazard as some individuals have been required to provide biometrics for both the UID and the NPR, and others have not been required to provide biometrics for the NPR.<a href="#fn21" name="fr21">[21]</a></li>
</ul>
<p><b>What court cases have been filed against the UID?<br /></b>The following cases are currently filed in courts around the country:</p>
<ul>
<li><i>Supreme Court:</i></li>
</ul>
<p style="padding-left: 30px; text-align: justify; ">K S Puttaswamy, a retired judge of Karnataka High Court filed a Public Interest Litigation (PIL) in the Supreme Court challenging the legality of UIDAI.<a href="#fn22" name="fr22">[22]</a></p>
<ul style="text-align: justify; ">
<li><i>Chandigarh</i>: A petition was filed in Chandigarh by Sanjeev Pandey which sought to quash executive order passed in violation of the Motor Vehicles Act, 1988, and Central Motor Vehicle Rules, 1989 by which UID cards had been made mandatory for registration of vehicles and grant of learner/regular driving license.<a href="#fn23" name="fr23">[23]</a><span> </span></li>
<li style="text-align: justify; "><span><i>Karnataka:</i></span> <span>Mathew Thomas and Mr. VK Somasekhar have filed a civil suit in the Bangalore City Civil Courts (numbered 8181 of 2012) asking for the UID project to be stopped. The suit was dismissed, and they have appealed the case to the High Court (numbered 1780 and 1825 of 2013).</span></li>
<li style="text-align: justify; "><i>Chennai</i>: A PIL has been filed in the Madras High Court challenging the constitutional validity of the UIDAI and its issue of UID numbers.<a href="#fn24" name="fr24">[24]</a></li>
<li style="text-align: justify; "><i>Bombay</i>: In January 2012 a case was filed in the Mumbai high Court. The petitioners to the case are R. Ramkumar, G. Nagarjuna, Kamayani Mahabal, Yogesh Pawar and Vickram Crishna & Ors.</li>
</ul>
<p style="text-align: justify; "><b>What is the relationship between UID, NPR, and National Security<br /></b>The UID and the NPR have both stated improving security as an objective for the projects. To this extent, it is envisioned that the UID and the NPR could be used to track and identify individuals, and determine if they are residents of India. In the case of the NPR, a distinction will be made between residents and citizens. Yet, concerns have also been raised that these projects instead raise national security threats, given the size of the databases that will be created, the centralized nature of the databases, the sensitive nature of the information held in the databases, and the involvement of international agencies.<a href="#fn25" name="fr25">[25]</a></p>
<p style="text-align: justify; "><b>What is the relationship between UID and Big Data?<br /></b>Aspects of the UID scheme allow it to generate a large amount of data from a variety of sources. Namely, the UID scheme aims to capture 12 billion fingerprints, 1.2 billion photographs and 2.4 billion iris scans and can be adopted by any platform. This data in turn can be stored, analyzed, and used for a number of purposes by a number of stakeholders in both the government and the private sectors. This is already happening to a certain extent as in November 2012 the UID established a Public Data Portal for the UID project. According to UIDAI officials the data portal will allow for big data analysis using crowd sourcing models.<a href="#fn26" name="fr26">[26]</a></p>
<p style="text-align: justify; "><b>How is UID being used for BPL direct cash transfers?<br /></b>Registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BPL category and to provide transparency to the distribution of cash. In this way, the UID requirement is thought to prevent the leakage of social security benefits and subsidies to non-intended beneficiaries, as cash will only be made available to the person identified by the UID as the intended recipient. One of the main prerequisites of a below poverty line (BPL) direct cash transfer in India has become the registration with the UIDAI and the acquisition of a UID number. For example:</p>
<ul>
<li style="text-align: justify; ">The "Cash for Food" programme requires that individuals applying for aid have a bank account, and a UID number. The money is transferred, electronically and automatically, to the bank account and the beneficiary should be able to withdraw it from a micro-ATM using the UID number.<a href="#fn27" name="fr27">[27]</a> It is important to note that micro-ATMs are not actual ATMs, but instead are handheld machines which may give information on bank balance and such, but will not dispense or maintain privacy of transaction. Most importantly, the transaction is mediated though a banking correspondent.</li>
<li style="text-align: justify; ">The government plans to cover the target BPL families and deposit USD 570 billion per year in the bank accounts of 100 million poor families by 2014.<a href="#fn28" name="fr28">[28]</a></li>
<li style="text-align: justify; ">Currently, only beneficiaries of thirteen government schemes and LPG connection holders have been identified as being entitled to register for a UID number.<a href="#fn29" name="fr29">[29]</a> Though these schemes have been identified, as of yet, adoption has happened in very few districts. </li>
</ul>
<p style="text-align: justify; "><b>What are the concerns regarding the use of biometrics in the UID and NPR scheme? <br /></b>Both the UID and the NPR rely on biometrics as a way to identify individuals. Yet, many concerns have been raised about the use of biometrics in terms of legality, effectiveness, and accuracy of the technology. With regards to the accuracy and effectiveness of biometrics – the following concerns have been raised:</p>
<ul>
<li style="text-align: justify; "><i>Biometrics are not infallible:</i> Inaccuracies can arise from variations in individuals attributes and inaccuracies in the technology. </li>
<li style="text-align: justify; "><i>Environment matters</i>: An individual’s biometrics can change in response to a number of factors including age, environment, stress, activity, and illness.</li>
<li style="text-align: justify; "><i>Population size matters</i>: Because biometrics have differing levels of stability – the larger the population is the higher the possibility for error is. </li>
<li style="text-align: justify; "><i>Technology matters:</i> The accuracy of a biometric match also depends on the accuracy of the technology used. Many aspects of biometric technology can change including: calibration, sensors, and algorithms.</li>
<li style="text-align: justify; "><i>Spoofing:</i> It is possible to spoof a fingerprint and fool a biometric reader.<a href="#fn30" name="fr30">[30]</a></li>
</ul>
<ul>
</ul>
<ul style="text-align: justify; ">
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner. <a class="external-link" href="http://bit.ly/IiySDh">http://bit.ly/IiySDh</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. This is according to a 2010 Cabinet note and the official website of the NPR.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Department of Information Technology: http://ditnpr.nic.in/frmStatelist.aspx - These include: (1) Arunachal Pradesh (2) Assam (3) Bihar (4) Chhattisgarh (5) Haryana (6) Himachal Pradesh (7)Jammu & Kashmir (8) Jharkhand (9) Madhya Pradesh (10)Meghalaya (11)Mizoram (12)Punjab (13)Rajasthan (14)Sikkim (15)Tripura (16)Uttar Pradesh (17)Uttarakhand Union Territories:-(1) Dadra & Nagar Haveli (2) Chandigarh.</p>
<p>[<a href="#fr4" name="fn4">4</a>]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: <a class="external-link" href="http://bit.ly/IiySDh">http://bit.ly/IiySDh</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Department of Information Technology. National Population Register. Question 22. What are the procedures to be followed for creating the NPR? The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines being issued from time to time.</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Unique Identification Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://censusindia.gov.in/2011-Common/IntroductionToNpr.html Authority of India. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. Unique Identification Authority of India. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. The point was made by R. Ramachandran. How reliable is UID? Frontline. Volume 28- Issue 24: November 19- December 02, 2011. Available at:<a class="external-link" href="http://bit.ly/13UMiSv"> http://bit.ly/13UMiSv</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. For more information see: How to get an Aadhaar. <a class="external-link" href="http://bit.ly/R2jBOP">http://bit.ly/R2jBOP</a></p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Mazumdar. R. UIDAI targets 400 million enrolments by mid 2013, Aadhar hopes to give unique identity to some 1.2 bn residents. Economic Times. December 2012. Available at: <a class="external-link" href="http://bit.ly/ZC3Yv">http://bit.ly/ZC3Yv</a>e. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Malu. B. The Aadhaar Card – What are the real intentions of the UPA Government? DNA. February 18<sup>th</sup> 2013. Available at: <a class="external-link" href="http://bit.ly/150BXRj">http://bit.ly/150BXRj</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Government of Kerala. General Education Department Circular No. 52957/G2?2012/G.Edn. Available at: <a class="external-link" href="http://bit.ly/15Oiq8J">http://bit.ly/15Oiq8J</a></p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Plumber, M. Make UID numbers must in FIRs: Bombay HC. DNA. October 2011. Available at: <a class="external-link" href="http://bit.ly/tVsInl">http://bit.ly/tVsInl</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Press Information Bureau. Government of India. Identity Card to Every Adult Resident of the Country under NPR; No Card being issued by UIDAI. December 2011. Available at: <a class="external-link" href="http://bit.ly/tJwZG1">http://bit.ly/tJwZG1</a></p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. TravelBiz. Railways to use Aadhar database for passenger validation. February 2013. Available at: <a class="external-link" href="http://bit.ly/YcW5wl">http://bit.ly/YcW5wl</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr16" name="fn16">16</a>]. Vombatkere. S.G. Questions for Mr. Nilekani. The Hindu. February 2013. Available at: <a class="external-link" href="http://bit.ly/YqPlK1">http://bit.ly/YqPlK1</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Economic Times. UIDAI orders probe into duplication of Aadhaar numbers.<a class="external-link" href="http://bit.ly/ZORowg"> http://bit.ly/ZORowg</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Jain. B. Battle over turf muddies waters. Times of India. February 2013. Available at: <a class="external-link" href="http://bit.ly/16ud3gm">http://bit.ly/16ud3gm</a>. Last accessed: February 28th 2013</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Rediff. Aadhaar’s allocation is Parliament’s contempt. February 2013. Available at: <a class="external-link" href="http://bit.ly/Y638JS">http://bit.ly/Y638JS</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr20" name="fn20">20</a>]. Ibid 17.</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. Times of India. Confused over Aadhaar, Cabinet clears GoM. February 2013. Available at <a class="external-link" href="http://bit.ly/UTH2JS">http://bit.ly/UTH2JS</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. Times of India. Supreme Court notice to govt on PIL over Aadhar. December 2012. Available at: <a class="external-link" href="http://bit.ly/13UNs0i">http://bit.ly/13UNs0i</a>. Last accessed: February 2013.</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. The Indian Express. HC issues notice to Centre, UT over mandatory UID for license. January 2013. Available at: <a class="external-link" href="http://bit.ly/WJq43M">http://bit.ly/WJq43M</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr24" name="fn24">24</a>]. Economic Times. PIL seeks to scrap Nandan Nilekani’s Aadhar project. January 2012. Available at: <a class="external-link" href="http://bit.ly/zB1H07">http://bit.ly/zB1H07</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr25" name="fn25">25</a>]. Times of India. UID poses national security threat: BJP. January 2012. Available at:<a class="external-link" href="http://bit.ly/WeM6KA"> http://bit.ly/WeM6KA</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Zeenews. UIDAI launches Public Data Portal for Aadhaar. November 8th 2012. Available at: <a class="external-link" href="http://bit.ly/T9NdX3">http://bit.ly/T9NdX3</a>. Last Accessed: November 12th 2012.</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. Punj, S. Wages of Haste: Implementing the cash transfer scheme is proving a challenge. January 2013. Available at: <a class="external-link" href="http://bit.ly/1024Dwo">http://bit.ly/1024Dwo</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. The International Business Times. India to Roll Out World’s Biggest Direct Cash Transfer Scheme for the Poor. November 2012. Available at: <a class="external-link" href="http://bit.ly/UYbtw4">http://bit.ly/UYbtw4</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. Mid Day. Do not register for Aadhaar card before March 15: UID in –charge. February 2013. Available at: <a class="external-link" href="http://bit.ly/Xymx9d.">http://bit.ly/Xymx9d.</a> Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. These points were raised in the following frontline article Ibid: Ramachandran, R. How reliable is UID? Frontline. Volume 28 – Issue 24 November 19th – December 2nd 2011. Available at: <a class="external-link" href="http://bit.ly/13UMiSv">http://bit.ly/13UMiSv</a>. Last accessed February 28th 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note'>https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note</a>
</p>
No publisherelonnaiVideoInternet GovernancePrivacy2014-04-30T05:03:51ZBlog EntryDraft International Principles on Communications Surveillance and Human Rights
https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights
<b>These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles. </b>
<hr />
<p>The principles are still in draft form. The most recent version can be accessed <a class="external-link" href="http://necessaryandproportionate.net">here</a>. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.</p>
<p style="text-align: justify; ">These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.</p>
<p style="text-align: justify; "><b>Preamble</b><br />Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.<a href="#fn2" name="fr2">[2]</a> Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. <a href="#fn5" name="fr5">[5]</a> When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. <a href="#fn6" name="fr6">[6]</a> Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.</p>
<p style="text-align: justify; ">It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:</p>
<ol>
<li style="text-align: justify; ">Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.</li>
<li style="text-align: justify; ">Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media. </li>
</ol>
<p style="text-align: justify; ">We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.</p>
<p style="text-align: justify; ">These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.<a href="#fn7" name="fr7">[7]</a> Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,<a href="#fn8" name="fr8">[8]</a> we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.</p>
<p><b>The Principles</b></p>
<p style="text-align: justify; "><b>Legality</b>: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</p>
<p style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.</p>
<p style="text-align: justify; "><b>Due process</b>: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.<a href="#fn9" name="fr9">[9]</a>While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life. <a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; "><b>User notification</b>: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</p>
<p style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. <a href="#fn11" name="fr11">[11]</a></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, <i>a priori</i> data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.</p>
<p style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</p>
<p><b>Signatories</b></p>
<p><b>Organisations</b></p>
<ul>
<li>Article 19 (International)</li>
<li>Bits of Freedom (Netherlands)</li>
<li>Center for Internet & Society India (CIS India)</li>
<li>Derechos Digitales (Chile)</li>
<li>Electronic Frontier Foundation (International)</li>
<li>Privacy International (International)</li>
<li>Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)</li>
<li>Statewatch (UK)</li>
</ul>
<p><b>Individuals</b></p>
<ul>
<li>Renata Avila, human rights lawyer (Guatemala)</li>
</ul>
<hr />
<p><b>Footnotes</b></p>
<ol>
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance<br />[<a href="#fr2" name="fn2">2</a>]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.<br />[<a href="#fr3" name="fn3">3</a>]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at <a href="http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf">http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf</a>. See also General Comments No. 27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at <a href="http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument">http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument</a>.<br />[<a href="#fr4" name="fn4">4</a>]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.<br />[<a href="#fr5" name="fn5">5</a>]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. alone rose from 8888 in 2010 to 12,271 in 2011.<br />[<a href="#fr6" name="fn6">6</a>]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at <a href="http://www2.technologyreview.com/article/409598/tr10-reality-mining/">http://www2.technologyreview.com/article/409598/tr10-reality-mining/</a> and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.<br />[<a href="#fr7" name="fn7">7</a>]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at <a href="http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf">http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf</a><br />[<a href="#fr8" name="fn8">8</a>]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See <a href="http://www.globalnetworkinitiative.org/">http://www.globalnetworkinitiative.org/</a><br />[<a href="#fr9" name="fn9">9</a>]As defined by international and regional conventions mentioned above.<br />[<a href="#fr10" name="fn10">10</a>]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.<br />[<a href="#fr11" name="fn11">11</a>]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See <a href="http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx">http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx</a>. The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it is does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See <a href="http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top">http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top</a>.</p>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights'>https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:55:45ZBlog EntryRethinking Privacy Principles
https://cis-india.org/internet-governance/files/rethinking-privacy-principles
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/rethinking-privacy-principles'>https://cis-india.org/internet-governance/files/rethinking-privacy-principles</a>
</p>
No publisherelonnai2017-09-11T02:17:02ZFileHere’s why we need a lot more discussion on India’s new DNA Profiling Bill
https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill
<b>The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. </b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.hindustantimes.com/analysis/here-s-why-we-need-a-lot-more-discussion-on-india-s-new-dna-profiling-bill/story-CojTDv2vfMMMBsW0CaLxIP.html">Hindustan Times</a> on August 7, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The first step towards a DNA Profiling Bill was taken in 2007 with the ‘<a href="http://www.prsindia.org/uploads/media/draft/DNA_Bill.pdf">Draft DNA Profiling Bill</a>” by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a <a href="http://www.prsindia.org/uploads/media/draft/DNA_Bill.pdf">2012</a>, <a href="http://www.prsindia.org/uploads/media/draft/Draft%20Human%20DNA%20Profiling%20Bill%202015.pdf">2015</a>, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an <a href="https://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">Expert Committee </a>to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission is a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns that remain.</p>
<p style="text-align: justify; ">Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances fo r destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.</p>
<p style="text-align: justify; ">Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.</p>
<p style="text-align: justify; ">It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way in the text of the Bill.</p>
<p style="text-align: justify; ">The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.</p>
<p style="text-align: justify; ">As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.</p>
<p style="text-align: justify; ">Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, but instead to protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill'>https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2017-08-21T23:48:03ZBlog EntryIs Data Protection Enough?
https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough
<b>The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.</b>
<p>In a recent article, Rahul Matthan explained how many threats to personal privacy come from a lack of data protection laws – particularly in the context of the UID – and he thus urges India to pass a law that is focused on data protection. He said, “We don’t question this lack of personal space. It is part of the compromise we make when we choose to live in India.” Though his argument has a surface appeal, there are also many cases emerging in the news today that suggest that India is concerned with a much broader scope of privacy than just data protection. In the DNA, a news article covered a recent court decision that concluded that watching pornography at home is not an obscenity and does not qualify as a public exhibition, even when there are visitors to the home. In that case, police arrested persons who hosted a party under section 292 (obscenity) of the Indian Penal Code for watching pornography and housing strippers. The judge ruled that the activities that were taking place were done in private and thus did not amount to an offense under section 292. This is an important decision about the protections of spatial privacy being afforded to individuals. The bungalow was considered a private space, and the computer a private possession. In other words, India does have a greater understanding of privacy and the need for its protection, and it extends beyond data protection. In another news item, the Hindu reported that 5,000 to 6,000 phones are tapped on average daily. The article speculated that this number could increase in response to the 2G scam and other scams that are coming out. The type of privacy violation that wiretapping poses is likewise not a question of data protection, but of how a nation guards against an unwanted invasion of personal space and when security takes precedence over privacy. Are Indian citizens willing to subject themselves to phone taps to try to eliminate – or at least minimize – the number of scams that are occurring? In yet another news item, it was reported that in the North, councils are attempting to ban the sale of cell phones to unmarried women to help prevent unsolicited affairs with members from different castes. This again raises questions not of data protection or informational privacy, but of personal privacy. How will phone companies know that a woman is married? Will parents suddenly begin regulating their daughters’ phones? Does an existing legislation afford protection to women in this situation? Though data protection is a component of privacy, it is only one component. There are many definitions of privacy, and privacy in itself is somewhat of a difficult word to define, but India should recognize that there are privacy protections and privacy debates that extend beyond data protection. It is too easy to characterize India as large and communal and overlook these important questions.</p>
<p>Returning to Rahul Matthan’s article, Matthan says, “The vast majority of our country that remains under-served by the government will gladly exchange personal privacy for better public service.” I was particularly intrigued by this statement, because it suggests that privacy is an expendable right, and that government service cannot improve without privacy compromises. The logical extension of this concept is that privacy is not a fundamental right but only a consumer issue, and that policymakers can always trade off privacy in exchange for better public benefits, for better security, and for cheaper products. A legal system needs to address the case at hand, but it needs to be mindful of the larger consequences as well. There is no doubt that the UID project demands a data protection law, but India is facing questions of privacy that extend beyond data protection, and the steps that are being taken to answer those questions need to be applauded and brought into the current debate. If we legislate away rights, we must do so by weighing the cost and finding it acceptable.</p>
<p><strong>Sources</strong></p>
<ul><li><a class="external-link" href="http://www.thehindu.com/news/national/article905944.ece">http://www.thehindu.com/news/national/article905944.ece</a></li></ul>
<ul><li><a class="external-link" href="http://is.gd/hJWD8 http://is.gd/hJWSX">http://is.gd/hJWD8 http://is.gd/hJWSX</a></li></ul>
<ul><li><a class="external-link" href="http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage">http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage</a></li></ul>
<ul><li>Matthan, Rahul. The Mint:Technology. Nov. 24 2010</li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough'>https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:28:51ZBlog EntrySeventh Privacy Round-table
https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table
<b>On October 19, 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation for Indian Chambers of Commerce and Industry, the Data Security Council of India, and Privacy International held a “Privacy Round-table” in New Delhi at the FICCI Federation House.</b>
<p style="text-align: justify; ">The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.</p>
<p style="text-align: justify; ">Previous Privacy Round-tables were held in:</p>
<ul>
<li style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting" class="external-link">New Delhi</a>: (April 13, 2013) with 45 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/162t8rU">Bangalore</a>: (April 20, 2013) with 45 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/12ICGYD">Chennai</a>: (May 18, 2013) with 25 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/12fJSvZ">Mumbai</a>, (June 15, 2013) with 20 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/11dgINZ">Kolkata</a>: (July 13, 2013) with 25 participants; and</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/195cWIf">New Delhi</a>: (August 24, 2013) with 40 participants.</li>
</ul>
<p style="text-align: justify; ">Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.</p>
<p style="text-align: justify; ">The Privacy Round-tables were organised to ignite spark in public dialogues and gain feedback for a privacy framework for India. To achieve this, <a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="external-link">the Privacy Protection Bill, 2013</a>, drafted by the Centre for Internet and Society, <a href="https://cis-india.org/internet-governance/blog/strengthening-privacy-protection.pdf" class="external-link">Strengthening Privacy through Co-regulation by the Data Security Council of India</a>, and the <a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of the Group of Experts on Privacy by the Justice A.P. Shah committee</a> were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.</p>
<p style="text-align: justify; ">The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under <a href="https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy" class="external-link">section 43A of the Information Technology Act</a>, were not sufficient to meet EU data secure adequacy. In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.</p>
<hr />
<p>Presentation: <b>Jacob Kohnstamm</b>, <i>Dutch Data Protection Authority and Chairman of the Article 29 Working Group </i></p>
<hr />
<p style="text-align: justify; ">Jacob Kohnstamm, made a presentation on the privacy framework in the European Union. In his presentation, Khonstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected — the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded. <br /><br />Kohnstamm recognized the tension between stringent data protection regulations and security for the government, and the provision of services for businesses was recognized. However, he argued that the use of technology without regulation — for commercial reason or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone to the use of these technologies to ensure trust between the individual and the State, and the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data and that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.<br /><br /> In response to a question asked about how the EU addresses the tension of data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances. As security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.<br /> <br />Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred and processed in India and that it is subject to the same level of protections as it would be if it were processed in the EU. Without a privacy legislation in place, India’s present regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘dead lock’, the EU and India have agreed to set up an expert group — with experts from both the EU and India to find a way in which India’s regime can be modified to meet EU date secure adequacy. As of date, no experts from the Indian side have been nominated and communicated to the EU.</p>
<p style="text-align: justify; ">Key Points:</p>
<ul>
</ul>
<ol>
<li style="text-align: justify; ">Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.</li>
<li style="text-align: justify; ">Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data. </li>
<li style="text-align: justify; ">India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way of the ‘dead lock’.</li>
</ol>
<ul>
</ul>
<hr />
<p>Discussion: <b>National Security, Surveillance and Privacy</b></p>
<hr />
<p style="text-align: justify; ">Opening the discussion up to the floor, it was discussed how in India, there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances for the powers given to Indian security agencies. One missing safeguard that the Indian regime has been heavily criticized for is the power of the Secretary of the Home Ministry to authorize interception requests, as having the authorization power vested in the executive leaves little space between interested parties seeking approval of interception orders, and could result in abuse or conflict of interest. With regards to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.</p>
<p style="text-align: justify; ">Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.</p>
<p style="text-align: justify; ">While discussing needed safeguards in an interception and surveillance regime for India, it was called out that transparency of surveillance, by both the government and the service providers as key safeguards to ensuring the protection of privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporated the idea of "nexus of surveillance" was also highlighted. It was also pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety, must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate security measures in place to ensure against loss and misuse, and the organizations must have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.</p>
<p style="text-align: justify; ">Key Points:</p>
<ul>
</ul>
<ol>
<li>The Indian surveillance regime currently does not have strong enough safeguards.</li>
<li>The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.</li>
<li>A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.</li>
</ol>
<ul>
</ul>
<hr />
<p>Presentation: <b>Chantal Bernier</b>, <i>Deputy Privacy Commissioner, Canada</i></p>
<hr />
<p style="text-align: justify; ">In her presentation, Bernier made the note that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. Furthermore, it was pointed out that there are two privacy legislations in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way as it is understood that the relationship between individuals and business is based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy, such as consent are different in the public sector and the private sector. In her presentation, Bernier pointed out that privacy is a global issue and because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be inter-operable.</p>
<p style="text-align: justify; ">Bernier described three main characteristics of the Canadian privacy regime including:</p>
<ol>
<li style="text-align: justify; ">It is comprehensive and applies to both the public and the private sectors.</li>
<li style="text-align: justify; ">The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.</li>
<li style="text-align: justify; ">The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaption to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in the way in which the company believes it can meet. Bernier also noted that all companies are responsible and accountable for any data that they outsource for processing. </li>
</ol>
<p style="text-align: justify; ">Furthermore, any company that substantially deals with Canadians must ensure that the forum for which complaints etc., are heard is Canada. Furthermore, under the Canadian privacy regime, accountability for data protection rests with the original data holder who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.</p>
<p style="text-align: justify; ">Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to the Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as finding a company, but does have the ability to "name" companies who are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits upon discretion with respect to the public sector, and can perform audits on the private sector if they have reasonable grounds to investigate.</p>
<p style="text-align: justify; ">Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:</p>
<ol>
<li>The importance of having strong regulators.</li>
<li>Privacy regulators must work and cooperate together.</li>
<li>Privacy has become a condition of trade.</li>
<li>In today’s age, issues around surveillance cannot be underestimated.</li>
<li>Companies that have strong privacy practices now have a competitive advantage in place in today’s global market.</li>
<li>Privacy frameworks must be clear and flexible.</li>
<li>Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments. </li>
</ol>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The Right to Privacy is a fundamental right in Canada.</li>
<li style="text-align: justify; ">The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.</li>
<li style="text-align: justify; ">The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest. </li>
</ol>
<hr />
<p>Discussion: <b>The Data Protection Authority</b></p>
<hr />
<p style="text-align: justify; ">Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was called out that the in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand it was cautioned, that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.</p>
<p style="text-align: justify; ">When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up, are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority, could be established as a small regulator with an appellate body to hear complaints.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.</li>
<li style="text-align: justify; ">The composition of the Data Protection Authority be diverse and it should have the competence to address the dynamic nature of privacy.</li>
<li style="text-align: justify; ">The Data Protection Authority could be established as a small regulator with an appellate body attached. </li>
</ol>
<hr />
<p style="text-align: justify; ">Presentation: <b>Christopher Graham</b>,<i> Information Commissioner, United Kingdom</i></p>
<hr />
<p style="text-align: justify; ">Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the <a class="external-link" href="https://www.gov.uk/data-protection">UK Data Protection Act</a> and the<a class="external-link" href="http://www.legislation.gov.uk/ukpga/2000/36/contents"> Freedom of Information Act</a>. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part.</p>
<p style="text-align: justify; ">Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and his office has the power to fine up to half a million pounds on non-compliant data controllers. Despite having this power, it is rarely used, as a smaller fine is usually sufficient enough for the desired effect. Yet, at the end of the day, whatever penalty is levied, it must be proportionate and risk based i.e., selective to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the market place where the price of not having strong standards is innovation and economic growth. To this extent, Graham also pointed out that self regulation and co-regulation are both workable models, if there is strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.</p>
<p style="text-align: justify; ">Graham also explained that he has found that currently there is a lack of confidence in Indian partners. This is problematic as the Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of cases of data breaches from Indian data controllers, such as a call center merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty that the office of the UK ICO is faced with, is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.</p>
<p style="text-align: justify; ">Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act, must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending their current regime, if they want data secure status and spoke about the economic benefits for both Europe and India, if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of UK Data Protection Act, Graham clarified that most important is the rule of law, and according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.</p>
<p style="text-align: justify; ">Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring that other countries to uphold the right to privacy to the same level, when, for example this is not practiced for other human rights such as children’s rights. In response Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that they do, the UK is not exporting UK citizen’s children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizen’s data, even when it leaves the UK jurisdiction. Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. India needs to understand that privacy is a fundamental right and goes beyond security, and that when a company processes data it does not own the data, the individual owns the data and thus has rights attached to it to understand why Europe requires countries to be ‘data secure’ before transferring data to them.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The UK Information Commissioners Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.</li>
<li style="text-align: justify; ">Penalties must be proportionate and scalable to the offense. </li>
<li style="text-align: justify; ">Co-regulation and self-regulation can both be viable models to for privacy, but enforcement is key to them being effective. </li>
</ol>
<hr />
<p style="text-align: justify; ">Discussion: <b>Collection of Data with Consent and Collection of Data without Consent</b></p>
<hr />
<p style="text-align: justify; ">Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked opinions about the circumstances when informed consent should not be required, it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet, collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not take explicitly take into account the consent for transfer of information, and it does not address changing terms of service and if companies must re-take consent, or if providing notice to the individual was sufficient. The question about consent and additional collection of data that is generated through use of that service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance to the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service of the same? The exception of disclosure without consent was also raised and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based on — for example transparency — must be explored to address these situations.</li>
<li style="text-align: justify; ">The Privacy Protection Bill should explicitly address transfer of information to other countries. </li>
<li style="text-align: justify; ">The Privacy Protection Bill should address consent in the context of changing terms of service. </li>
</ol>
<hr />
<p>Discussion: <b>Penalties and Offences</b></p>
<hr />
<p style="text-align: justify; ">The penalties and offenses prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be effective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals — as the type of violation. For example, a breach by a data controller is often a matter identifying the breach and putting in place strictures to ensure that it does not happen again by holding the company accountable through oversight. Where as a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation. Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.</p>
<p style="text-align: justify; ">The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages to incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is the statement of a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offenses and penalties were suggested, but for all of them it was clear that it is important to be creative about the type of penalties and not rely only on financial penalty, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.</li>
<li style="text-align: justify; ">Instead of levying penalties, the Bill should include incentives to ensure compliance. </li>
<li style="text-align: justify; ">Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach. </li>
</ol>
<hr />
<p>Discussion: <b>Cultural Aspects of Privacy</b></p>
<hr />
<p style="text-align: justify; ">The cultural realities of India, and the subsequent impact on the perception of privacy in India were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a communal based society, and a large population. All of these factors impact understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, having a principle based model might be too difficult to enforce as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will impact the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and thus Indian’s do not have a concept of privacy, cannot influence how a privacy law is framed for India.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.</li>
<li style="text-align: justify; ">Given India’s diversity, a principle based model might not be adequate. </li>
<li style="text-align: justify; ">Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India. </li>
</ol>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The seventh privacy round-table concluded with a conversation on the NSA spying and the Snowden Revelations. It was asked if domestic servers could be an answer to protect Indian data. Participants agreed that domestic servers are just a band aid to the problem. With regards to the Privacy Protection Bill it was clarified that CIS is now in the process of collecting public statements to the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table'>https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-11-20T09:58:39ZBlog EntryPrivacy, Free/Open Source, and the Cloud
https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing
<b>A look into the questions that arise in concern to privacy and cloud computing, and how open source plays into the picture. </b>
<h3>Introduction</h3>
<p>Cloud computing, in basic terms, is internet-based computing where shared resources and services are taken from the primary infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems/service- oriented architectures, and create the potential for the entire I.T. infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model, because it is made up of services delivered through common centers and built on servers which act as a point of access for the computing needs of consumers. The access points facilitate the tailoring and delivering of targeted applications and services to consumers. Details are taken from the users, who no longer need to have an understanding of, or control over the technology infrastructure in the cloud that supports their desired application.</p>
<p>There are both corporate and consumer implications for such a system. For example, according cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in based on information he or she has already “consumed.” Thus, for example: Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display – and consumption of those reinforces the pattern.</p>
<h3>Privacy Concerns:</h3>
<p> Though cloud computing can be a useful tool for consumers, corporations, and countries, cloud computing poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that high levels of encryption can be (and are) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary sources that gain access to information may not protect it as well as the initial source. Moreover, even strong protection measures are vulnerable to hackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individuals information protected?</p>
<p>These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud, which are the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If international law, who can access the tribunals, and which tribunals have this jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides on a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for limited amount of time for purposes for law enforcement, but other countries may allow retention of data for shorter or longer periods of time.</p>
<h3>How are privacy, free/open source, and the cloud related ?</h3>
<p>Eben Moglen, a professor from Columbia law school, and founder and chairman of the Software Freedom Law Center who spoke on cloud computing, privacy, and free/open software at the Indian Institute for science on Thursday September 25, had another solution to the privacy concerns that arise out of the cloud. His lecture explains how the internet has moved from a tool that once promoted equality between people – no servants and no masters – to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and communication facilitated between the computer and the individual. Professor Moglen describes how initially, when computers were first introduced to the public, humans spoke directly to computers, and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a server-client computing relationship. By removing the language between humans and computers, these corporations dis-empowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of self, such as decisional, informational, and locational. In having the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of an individual, and, among other protections, the individuals could build up their desired levels of privacy.</p>
<h3>Is free/open software the solution?</h3>
<p> Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals. Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how a program uses personal information, and thus the person would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code. But even putting that presumption aside, is the ability to write code enough to protect data (will help you protect data better – add more security)? Perhaps if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards. According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, they must set up their own infrastructure.</p>
<h3>Conclusion</h3>
<p> Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them. Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base. For the ideology of free/open source to work, access to code is just a key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it, and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries, free/open source did not just enter into American society and immediately fix issues of privacy by bringing freedom, as it seems Professor Moglen is suggesting free/open source will do in India. Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology. Free/open source, if not equally accessed or misapplied, protects neither freedom nor privacy. As noted above, even if a person has access to code, he can protect data only to a certain extent. Thus, he might think that he has created a privacy wall around information that actually is readily accessible. In other words, free/open source cannot be the only answer to freedom, but instead a piece to a collective answer.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing'>https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing</a>
</p>
No publisherelonnaiOpennessInternet GovernancePrivacy2012-03-22T05:50:10ZBlog EntryData Retention in India
https://cis-india.org/internet-governance/blog/data-retention-in-india
<b>As part of its privacy research, the Centre for Internet and Society has been researching upon data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regards to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h3>The Debate around Data Retention</h3>
<p style="text-align: justify; ">According to the EU, data retention <i>“refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”</i>.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found by who accesses the data and how it is used. Others argue that any blanket or <i>a priori </i>data<i> </i>retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard is access being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention and lower access standards to metadata is controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.<a href="#fn2" name="fr2">[2] </a>Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.</p>
<h3 style="text-align: justify; ">Data Retention vs. Data Preservation</h3>
<p style="text-align: justify; ">Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and upto two years. The stored data can be accessed by authorized officials for law enforcement purposes.<a href="#fn3" name="fr3">[3]</a> Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.<a href="#fn4" name="fr4">[4]</a> Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.<a href="#fn5" name="fr5">[5]</a> Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference being that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.<a href="#fn6" name="fr6">[6]</a></p>
<h3>Data Retention in India</h3>
<p style="text-align: justify; ">In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.</p>
<h3>ISP License</h3>
<p style="text-align: justify; ">According to the ISP License,<a href="#fn7" name="fr7">[7]</a> there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.</p>
<p>According to the ISP License, each ISP must maintain:<b><span> </span></b></p>
<p><span> </span></p>
<ul>
<span> </span>
<li><span><b><span>Users and Services</span></b></span>: A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><span><b><span>Outward Logins or Telnet</span></b></span>: A log of every outward login or telnet through an ISPs computer must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><b><span><span>Packets</span>:</span></b> Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><b><span><span>Subscribers</span>:</span></b> A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).</li>
<li style="text-align: justify; "><b><span><span>Internet Leased Line Customers</span>:</span></b> A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).</li>
</ul>
<ul>
<li style="text-align: justify; "><b><span><span>Diagram Records and Reasons</span>:</span></b> A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span><span>Commercial Records</span>:</span></span></b><span> All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span><span>Location</span>:</span></span></b> The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x).</p>
<span> </span></li>
<span> </span>
<li style="text-align: justify; "><span> </span><b><span><span><span>Remote Activities</span>:</span></span></b><span> A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv).</span></li>
</ul>
<h3>UASL License</h3>
<p style="text-align: justify; ">According to the UASL License<a href="#fn8" name="fr8">[8]</a>, <span>there are twelve categories of records that ISP’s are required to retain that pertain to costumer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept. </span></p>
<p style="text-align: justify; "><span>According to the license, service providers must maintain and make available: </span></p>
<p style="text-align: justify; "> </p>
<ul>
<li style="text-align: justify; "><span><span><span> </span></span></span><b><span><span>Numbers</span></span><span>: </span></b><span>Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).</span></li>
<li style="text-align: justify; "> <b><span><span>Interception records: </span></span></b><span>Time, date and duration of interception when required (Section 41.10).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span>All call records:</span></span></b><span> All call data records handled by the system when required (Section 41.10). This includes:</span><b><span><span><br /></span></span></b></p>
<ol>
<li><b><span><span>Failed call records:</span></span></b><span> Call data records of failed call attempts when required. (Section 41.10).</span></li>
<li><b><span><span>Roaming subscriber records</span></span></b><span>: Call data records of roaming subscribers when required. (Section 41.10)</span></li>
</ol></li>
<li style="text-align: justify; "><b><span><span>Commercial records: </span></span></b><span>All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).</span></li>
<li style="text-align: justify; "> <b><span><span>Outgoing call records: </span></span></b><span>A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).</span></li>
<li style="text-align: justify; "> <b><span><span>Calling line Identification:</span></span></b><span> A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).</span></p>
</li>
<li style="text-align: justify; "> <b><span><span>Remote access activities:</span></span></b><span><span> </span>Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section<span> </span>41.20 (xv)).</span></li>
</ul>
<h3>RTI Request to <a href="https://cis-india.org/internet-governance/blog/bsnl-rti" class="internal-link">BSNL</a> and <a href="https://cis-india.org/internet-governance/blog/mtnl-rti-request.pdf" class="internal-link">MTNL</a><span> </span></h3>
<p style="text-align: justify; "><span>On September 10,<sup></sup> 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to the respective data retention practices: </span></p>
<p style="text-align: justify; "> </p>
<ul type="disc">
<li class="MsoNormal"><span>Does MTNL/BSNL store the following information/data:</span></li>
<ul type="circle">
<li class="MsoNormal"><span>Text message detail (To and from cell numbers, timestamps)</span></li>
<li class="MsoNormal"><span>Text message content (The text and/or data content of the SMS or MMS)</span></li>
<li class="MsoNormal"><span>Call detail records (Inbound and outbound phone numbers, call duration)</span></li>
<li class="MsoNormal"><span>Bill copies for postpaid and recharge/top-up billing details for prepaid</span></li>
<li class="MsoNormal"><span>Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)</span></li>
</ul>
<li class="MsoNormal"><span>If it does store data then</span></li>
<ul type="circle">
<li class="MsoNormal"><span>For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?</span></li>
<li class="MsoNormal"><span>What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
</ul>
</ul>
<h3>BSNL Response</h3>
<p>BSNL replied by stating that it stores at least three types of information including:</p>
<p></p>
<p> </p>
<ol type="1">
<li style="text-align: justify; "><span><span> </span>IP session information - connection start end time, bytes in and out (three years offline)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>MAC address of the modem/router/device (three years offline)</span></li>
<li class="MsoNormal"><span>Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).</span></li>
</ol>
<h3>MTNL Response</h3>
<p>MTNL replied by stating that it stores at least () types of information including:</p>
<p></p>
<p> </p>
<ol type="1">
<li class="MsoNormal" style="text-align:justify; "><span>Text message details (to and from cell number, timestamps) in the form of CDRs<span> </span>(one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Call detail records including inbound and outbound phone numbers and call duration (one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Bill copies from postpaid (one year) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Recharge details for prepaid (three months) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)</span></li>
</ol>
<p class="MsoNormal" style="text-align:justify; "><span>It is interesting that BSNL stores information that is beyond the required time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This could or could not be the actual case, as each question could have been interpreted differently by the responding officer.<span> </span></span></p>
<h3><span><span>Conclusion </span></span></h3>
<p> <span>The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:</span></p>
<ul>
<li><span><span><span> </span></span></span><span>What constitutes a ‘commercial record’ which must be stored for one year by service providers?</span><span> </span></li>
<li><span>How much data is retained by service providers on an annual basis?</span><span> </span></li>
<li><span>What is the cost involved in retaining data? For the service provider? For the public?</span><span> </span></li>
<li><span>How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?</span><span> </span></li>
<li><span>How many criminal and civil cases rely on retained data?</span><span> </span></li>
<li><span>What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation. </span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection, <span> </span></span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level.<span> </span>If Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy as it is not possible for law enforcement to track individuals based off of their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors such as:</span></p>
<p></p>
<ul>
<li><span><span><span> </span></span></span><span>Any request for preservation and access to records must be legitimate and proportional</span></li>
<li><span>Accessed and preserved records must be used only for the purpose indicated </span></li>
</ul>
<ul>
<li><span><span><span> </span></span></span><span>Accessed and preserved records can only be shared with authorized authorities</span></li>
</ul>
<ul>
<li><span><span><span> </span></span></span><span>Any access to preserved records that do not pertain to an investigation must be deleted </span></li>
</ul>
<p></p>
<p> </p>
<p class="MsoListParagraph" style="text-align:justify; "><span>These factors must be enforced through the application of penalties for abuse of the system. These factors can also be applied to not only a data preservation regime, but also a data retention regime and are focused on preventing the actual abuse of data after retained. That said, before an argument for either data retention or data preservation can be made for India it is important to understand more about data retention practices in India and use of retained data by Indian law enforcement and access controls in place. </span></p>
<p></p>
<ul>
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>].<span><span><span> </span></span></span>European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31st 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21st 2013<br />[<a href="#fr2" name="fn2">2</a>].Draft International Principles on Communications Surveillance and Human Rights: <a class="external-link" href="http://bit.ly/UpGA3D">http://bit.ly/UpGA3D</a><br />[<a href="#fr3" name="fn3">3</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a><a href="http://europa.eu/rapid/press-release_IP-12-530_en.htm"></a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr4" name="fn4">4</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr5" name="fn5">5</a>]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: <a class="external-link" href="http://bit.ly/WOfzaX">http://bit.ly/WOfzaX</a>. Last Accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr6" name="fn6">6</a>]. Kristina, R. The European Union's Data Retention Directive and the United State's Data Preservation Laws: Fining the Better Model. 5 Shilder J.L. Com. & Tech. 13 (2009) available at: <a class="external-link" href="http://bit.ly/VoQxQ9">http://bit.ly/VoQxQ9</a>. Last accessed: January 21<sup>st</sup> 2013<br />[<a href="#fr7" name="fn7">7</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.<br />[<a href="#fr8" name="fn8">8</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3<sup>rd</sup> 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/data-retention-in-india'>https://cis-india.org/internet-governance/blog/data-retention-in-india</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:51:13ZBlog Entry2012: Privacy Highlights in India
https://cis-india.org/internet-governance/privacy-highlights-in-india
<b>In this blog post, Elonnai Hickok summarizes the top privacy moments of 2012 in India. In doing so she lists out the major ones like the Report of Group of Experts on Privacy, the RIM Standoff, the Nira Radia controversy, the Centralized Monitoring System, Unmanned Aerial Vehicles, NATGRID, CCTNS, the growth of CCTVs, the leaked DNA Profiling Bill, and the UID project.</b>
<p style="text-align: justify; "><b>The Report of Group of Experts on Privacy:</b> In October 2012 the "Report of Group of Experts on Privacy" was published by a governmental committee chaired by Justice A.P. Shah. The report contains recommendations for comprehensive privacy legislation, including defining nine privacy principles, establishing a regulatory framework consisting of privacy commissioners at the regional and central level, and self regulatory organizations, and analyzing the present challenges to privacy in India.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Before the report was published, two draft privacy bills had been leaked to the public, and a concept paper drafted in 2010. The report received mixed reviews from the media, including questions about the relationship between the Right to Information and the Right to Privacy. Before the publishing of the Report, Prime Minister Manmohan Singh recognized that disclosures under the RTI Act could, in some instances, violate individual privacy. In a statement to the public, the Prime Minister stated <i>"citizens<ins cite="mailto:Author" datetime="2012-11-16T15:34">’</ins> right to know should definitely be circumscribed if disclosure of information encroaches upon someone's personal privacy. But where to draw the line is a complicated question"</i>.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">Three months before the report was published, the EU had publicly stated that current data protection provisions in India are not sufficient enough, and that India is not considered to be 'data secure'.<a href="#fn3" name="fr3">[3]</a> If the recommendations in the report are turned into legislation, among other things, individuals in India will have a right to privacy and a right to redress for violations of privacy.</p>
<p style="text-align: justify; "><b>Governmental Interception</b>: In early 2013 it was revealed that the Ministry of Home Affairs ordered interception of 10,000 phones and 1300 email ids during October 2012 to December 2012.<a href="#fn4" name="fr4">[4]</a> Continuing its efforts to access all communications, in May 2012, the Government of India gave service providers a month to develop a method for intercepting calls using VoIP services.<a href="#fn5" name="fr5">[5]</a> In February 2012 the Telecom Department proposed a new set of security guidelines that would allow for real time interception of communications and the tracking of the location of users. Among other things, the proposal establishes telecom security assurance and testing labs for the purpose of testing and certifying telecom equipment.<a href="#fn6" name="fr6">[6]</a> Additionally, in October of 2012, Bharti Airtel refused to wiretap telephones for RAW. The Department of Telecommunications eventually ordered Bharti Airtel to comply with the order, which they did.<a href="#fn7" name="fr7">[7]</a> The events around interception in 2012 show that the Indian government is still trying to gain access to as much information as possible. The constant push for real time access by the government is concerning, as many safeguards are missing from the Indian interception regime such as, penalty to security agencies for unauthorized interception and avenues of redress for the individual.</p>
<p style="text-align: justify; "><b>The RIM Standoff</b>: Since 2008, the Indian government has been negotiating with RIM access to BlackBerry communications. Over the years, a number of solutions have been proposed by RIM and the GoI, yet a final agreement was never reached. Continuing the negotiations, In October 2012, RIM agreed to set up a server in Mumbai, which would allow security agencies to access Blackberry Messenger services.<a href="#fn8" name="fr8">[8]</a> Blackberry also provided a solution that would allow access to Blackberry Internet Services.<a href="#fn9" name="fr9">[9]</a> Following this, the Government of India mandated that Telecom Service Providers must incorporate the Blackberry interception solution, or risk being forced to shut their service by December 31, 2012. In compliance with this order, many service providers have set time frames for incorporation of the interception solution including and installed the necessary software.<a href="#fn10" name="fr10">[10]</a> It is important to note that the lawful access solutions provided do not extend to the Blackberry Enterprise Server.<a href="#fn11" name="fr11">[11]</a> Though it seems that the BlackBerry controversy might be resolved, the solution does not appear to be a long term solution, as BES communications are still not accessible, and the solution is not universal for all international providers. Thus, the Indian government will have to negotiate individually with each provider and service that they currently cannot access communications of.</p>
<p style="text-align: justify; "><b>The Nira Radia Controversy:</b> Continuing the Nira Radia controversy, which began in 2008-2009, in September 2012 the Supreme Court ordered the Income Tax Department to transcribe the 5,831 recorded conversations that were originally intercepted by the department. In January this year, the Supreme Court of India ordered that a "random check" be run through the Radia Tapes to check for instances of possible criminality.<a href="#fn12" name="fr12">[12]</a> This case has become an important moment for privacy in India, as it intersects the dilemma between the right to privacy and public interest. Since 2010, Ratan Tata has been claiming that his right to privacy was violated by the publishing of the leaked tapes.<a href="#fn13" name="fr13">[13]</a> The Supreme Court’s final decision will be important for drawing another contour of how the right to privacy is shaped in India.</p>
<p style="text-align: justify; "><b>The Centralized Monitoring System</b>: In 2012 the Telecom Ministry set aside Rs. 400 crore for the Central Monitoring System, which is projected to be finished by August 2014.<a href="#fn14" name="fr14">[14]</a> The project, which first began in 2007, is envisioned to allow security agencies to bypass service providers and intercept communications on their own. The system is designed to have regional databases and a central database which will be accessible to law enforcement and security agencies. Privacy concerns related to the project include how the system will incorporate current legal regulations for interception in India, as a system that bypasses service providers essentially means that every communication can be read by law enforcement. Furthermore, it is not clear exactly who, and on what conditions will officials be allowed and authorized to access and use the system. The exact capabilities of the system have also not been identified. For example, will the CMS be able to intercept VoIP calls, will it be able to decrypt messages, and will it employ techniques such as Deep Packet Inspection.</p>
<p style="text-align: justify; "><b>Unmanned Aerial Vehicles (UAVs):</b> Since the late 90’s the Defense Research Development Organisation (DRDO) has been developing UAV’s for military purposes, and before this, India was acquiring UAV’s from Israel.<a href="#fn15" name="fr15">[15]</a> Since that time there has been an increase in domestic companies and institutes developing UAVs, and an increase in the procurement of the technology by state police for generic reasons purposes as crowd control, traffic management, and security. For example, in August of 2012 the city of Mumbai used the UAV "Netra", as part of their security protocol during the Raj Thackeray rally to capture and send real time images back to the police. Netra is manufactured by the company Idea Forge.<a href="#fn16" name="fr16">[16]</a> The Mumbai police also used the Netra in September 2012 after the Azad Maidan riots, and again on New Year’s Eve to monitor and track crime such as sexual harassment.<a href="#fn17" name="fr17">[17]</a> Similarly, Chennai city police are looking to procure from Anna University a UAV developed by the Madras Institute of Technology. The UAV will be used to assist in traffic monitoring and control.<a href="#fn18" name="fr18">[18]</a> The increased procurement and use of UAV’s by state police is concerning as there is no clear legal regulation over the deployment of the vehicles. Thus, they have shifted from being used as a tool by the military, and are being used for monitoring traffic, crowd monitoring, etc. Furthermore, the process for authorization for use of the vehicles is not clear, and it is not clear how the captured information is protected and handled. Though UAV’s are clearly a useful tool for the military, for military purposes, the permitted use of them by other actors should be defined and regulated. The use of UAV’s for generic purposes could place individual privacy at risk, because of the amount of information and the level of detail that the vehicles are able to capture without the knowledge of the individual.</p>
<p style="text-align: justify; "><b>The National Intelligence Grid (NATGRID):</b> Plans for the NATGRID project, which was first piloted after the Mumbai attacks, has been continuing forward through 2012 and is envisioned to be operational sometime in 2013. During 2012, a detailed project report was submitted for the project, and in June the government approved Rs. 1,100 crore for purchase of technological equipment.<a href="#fn19" name="fr19">[19]</a> NATGRID is a project that envisions networking 21 databases for purposes of crime investigation including tax, health, and travel information. The information will be accessible to 11 security agencies and law enforcement agencies. Though it has been clarified that NATGRID will ensure that privacy is protected, the design of NATGRID is one that could create potential risks – as it brings together large amounts of personal data for easy access by security agencies. In doing so it could potentially eliminate the steps security agencies must take currently to access information – such as submitting a request and obtaining permission for access. Furthermore, it is unclear how current legal protections such as secrecy clauses in banking legislation will be incorporated and upheld by the NATGRID system. Other questions that the project raises include – though currently there are only eleven agencies listed that will have access to NATGRID – will this list expand? Without a policy in place how will this standard and other standards be enforced?</p>
<p style="text-align: justify; "><b>The Crime and Criminal Tracking Network & System (CCTNS): </b>Though the CCTNS project has been in the works since 2009, a call for companies to develop the technology for the system was taken in early 2012, and pilot projects were launched later that year. The CCTNS is being headed by the National Crime Records Bureau, and will allow for the sharing of crime related information on a national level, in real time. In 2012, the system was allocated 2,000 crores by the government, and currently 2,000 police stations and other offices have been connected under the system.<a href="#fn20" name="fr20">[20]</a></p>
<p style="text-align: justify; ">For example, police in Chhattisgarh,<a href="#fn21" name="fr21">[21]</a> Uttarakhand<a href="#fn22" name="fr22">[22]</a> and Odisha have all been connected to the CCTNS system.<a href="#fn23" name="fr23">[23]</a> Though it will be beneficial for the police to have access to a networked system, it has not been made clear yet what type of security system the project will adopt to ensure that the information is not compromised or accessed without authorization. It has also not been clarified what information will be placed on the database, and will all records be accessible to any individual accessing the system. Because the project is still in pilot stages it is hard to tell if it could put individual privacy at risk. Hopefully, before the project is realized in its full, many of the details will be clarified.</p>
<p style="text-align: justify; "><b>The Growth of CCTVs:</b> Throughout 2012 the use of CCTV’s has continued to grow across India. For example, the Maharashtra government has undertaken a "CCTV surveillance project" in which it is in the process of taking bids for.<a href="#fn24" name="fr24">[24]</a> The state of Karnataka is also planning on installing CCTV cameras in Bangalore and other major cities to help detect incidents of crime.<a href="#fn25" name="fr25">[25]</a> While the Delhi Transport Department is contemplating installing CCTVs in buses,<a href="#fn26" name="fr26">[26]</a> and the Indian Rail Authorities have also decided to install CCTVs throughout stations to increase security.<a href="#fn27" name="fr27">[27]</a> There still does not exist regulation of the use of CCTV cameras, thus it is unclear who can operate a CCTV camera, which departments of the government can mandate for the installation of CCTVs, if public notice must be given that a CCTV camera is in use, and who can access the footage from a CCTV.</p>
<p style="text-align: justify; "><b>Study on Privacy Perceptions</b>: In a study that came out in December 2012 by Ponnurangam K, among other things, it was found that 75 per cent of participants never read the privacy policy on a website – including social networking sites, participants also thought that there was a privacy legislation in place in India, and that individuals in India are most concerned about financial privacy.<a href="#fn28" name="fr28">[28]</a></p>
<p style="text-align: justify; "><b>The National Counter Terrorism Centre (NCTC):</b> The NCTC was originally created in response to the Mumbai terror attacks, under the Unlawful Prevention Act, 1967. The NCTC was meant to be realized in 2012, but in March, plans for the Centre were put on hold, because of the controversial nature of the project.<a href="#fn29" name="fr29">[29]</a> The Centre was meant to bring Indian intelligence agencies under one umbrella, and analyze and store information related to terrorism. The proposed body has been highly controversial, as states object to the powers given to the Centre and see it as intruding on their powers and jurisdiction. If passed, the NCTC will have the powers of arrest, search and seizure, and the ability to access information from other intelligence agencies.<a href="#fn30" name="fr30">[30]</a></p>
<p style="text-align: justify; "><b>The Leaked DNA Profiling Bill:</b> In 2012, a version of the DNA Profiling Bill, originally drafted in 2007, was leaked to the public. The Bill is being piloted by the department of biotechnology, and seeks to establish DNA databases at the regional and central level for forensic purposes, yet the Bill does not establish strong protections for the privacy of DNA samples taken and important technical standards for ensuring that DNA samples are not misused or tampered with.<a href="#fn31" name="fr31">[31]</a> What will happen to the Bill in 2013 is yet to be seen, but hopefully it will not be passed without the appropriate safeguards incorporated into its provisions.</p>
<p style="text-align: justify; "><b>The Unique Identification Project and the National Population Registrar:</b> Throughout 2012, the UID has continued to carry out enrollments across the country, and sign MoU's with private sector companies for the adoption of the UID platform. Parallel to the UID project, the NPR project is also being implemented. The NPR seeks to provide every citizen of India with an identity that will be stored in an identity database maintained by the Registrar General and Census Commissioner of India.<a href="#fn32" name="fr32">[32]</a> According to the NPR scheme, individuals who had already enrolled with the UID and given their biometrics would not need to re-submit their biometrics with the NPR. Yet, this has not been the case, and instead individuals are now being required to provide their biometrics for enrollment with the UID and the NPR.<a href="#fn33" name="fr33">[33]</a></p>
<p style="text-align: justify; ">Privacy has been raised as a concern of the UID since the start of the project. For both the UID and the NPR now the transaction record will be stored by agencies, and whether it will be possible to track individuals across databases using their NPR or UID identity?</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. The Report of Group of Experts on Privacy. See <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Tikku, A., "RTI doesn’t trample upon privacy, says expert panel", Hindustan Times, October 29, 2012, available at <a class="external-link" href="http://bit.ly/TNAzRF">http://bit.ly/TNAzRF</a>, last accessed on January 8, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Sen, A. India protests European Union study of data laws. Economic Times. July 9, 2012, available at <a class="external-link" href="http://bit.ly/Y9ahHs">http://bit.ly/Y9ahHs</a>, last accessed on January 8, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. Harismran, J., Thomas, J. "Home Ministry ordered 10k wire taps in last 90 days, order tapping of 1300 email Ids", The Economic Times, January 3,<sup></sup> 2013, available at <a class="external-link" href="http://bit.ly/TKk7yN">http://bit.ly/TKk7yN</a>, last accessed on January 7th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>].The Economic Times, "Provide solution to intercept VoIP within a month: Govt", May 6, 2012, available at <a class="external-link" href="http://bit.ly/VQDQ4k">http://bit.ly/VQDQ4k</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Economic Times, "New policy for real time interception to security agencies", February 1, 2012, available at <a class="external-link" href="http://bit.ly/11DrlvB">http://bit.ly/11DrlvB</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. The Economic Times, "RAW irked as Airtel keeps its request for phone tapping on hold", October 21, 2012, available at <a class="external-link" href="http://bit.ly/12IujhF">http://bit.ly/12IujhF</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Reyes, D., "RIM installs BlackBerry server in Mumbai", CrackBerry, February 23, 2012, available at <a class="external-link" href="http://bit.ly/yBQsSo">http://bit.ly/yBQsSo</a></p>
<p style="text-align: justify; ">[<a href="#fr9" name="fn9">9</a>]. Economic Times, "DoT makes telecom operators fall in line on Blackberry issue", December 30, 2012, available at <a class="external-link" href="http://bit.ly/1169ufn">http://bit.ly/1169ufn</a></p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Economic Times, "MTNL, BSNL fail to give dates for Blackberry interception", October 29, 2012, available at <a class="external-link" href="http://bit.ly/1169ufp">http://bit.ly/1169ufp</a>, last accessed on January 7, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. The Economic Times, "Telecom companies agreed to provide real-time intercept facilities for BlackBerry smartphones", December 31, 2012, available at <a class="external-link" href="http://bit.ly/Y9gjYt">http://bit.ly/Y9gjYt</a>, last accessed on January 7, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Mahapatra, D., "SC to examine Radia tapes for criminality", Times of India, January 9, <sup></sup> 2013, available at <a class="external-link" href="http://bit.ly/VD7eWX">http://bit.ly/VD7eWX</a></p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Times of India, "Ratan Tata softens stand on Radia tapes", August 23, 2012, available at <a class="external-link" href="http://bit.ly/158CZxl">http://bit.ly/158CZxl</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. The Economic Times, "Govt. to place phone tapping system worth Rs. 400 cr by 2014", March 21, 2012, available at <a class="external-link" href="http://bit.ly/V2P9q6">http://bit.ly/V2P9q6</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Monsonis, G., "UAVs gaining currency with Indian Armed Forces", Indian Defence Review, October 30, 2012, available at <a class="external-link" href="http://bit.ly/KVYyIr">http://bit.ly/KVYyIr</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. Mumbai Mirror, "Raj Thackeray’s mega rally: Unmanned Aerial Vehicle kept an eye on Azed Maidan", Economic Times, August 22, 2012, available at <a class="external-link" href="http://bit.ly/PYTGAG">http://bit.ly/PYTGAG</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>].Ali, A. & Narayan. V., "Netra cameras to keep a close watch , over New Year’s Eve hotspots", Times of India, December 31, 2012, available at <a class="external-link" href="http://bit.ly/Z7orxt">http://bit.ly/Z7orxt</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Venugopal, V., "It flies, it swoops, it records and monitors", The Hindu, December 20, 2012, available at <a class="external-link" href="http://bit.ly/V89sLo">http://bit.ly/V89sLo</a>, last accessed January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. The Economic Times, "Cabinet Committee on Security approves Rs. 1,100 crore for NATGRID", June 14, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Mohan, V., "Centre launches pilot project to track criminals", The Times of India, January 5, 2013, available at <a class="external-link" href="http://bit.ly/UPk2fh">http://bit.ly/UPk2fh</a></p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. The Pioneer, "Civil Lines Police Station gets connected with CCTNS", January 2012, available at <a class="external-link" href="http://bit.ly/VRXKGJ">http://bit.ly/VRXKGJ</a></p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. CIOL Bureau, "CCTNS to be made public through internet: Dehradun DGP", January 4, 2012, available at <a class="external-link" href="http://bit.ly/X4JISx">http://bit.ly/X4JISx</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. The Hindu, "Odisha to launch CCTNS on January 12", January 7, 2013, available at <a class="external-link" href="http://bit.ly/Vd9Ay1">http://bit.ly/Vd9Ay1</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr24" name="fn24">24</a>]. Padmakshan, M., "Maharashtra plans to invite new bids for CCTV surveillance project", September 18, 2012, available at <a class="external-link" href="http://bit.ly/VRYrQm">http://bit.ly/VRYrQm</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr25" name="fn25">25</a>]. Ashoka, R., "Karnataka to install CCTV cameras in Bangalore, major cities", Economic Times. July 26, 2012, available at <a class="external-link" href="http://bit.ly/11Dxt6Z">http://bit.ly/11Dxt6Z</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Economic Times, "Buses to come with CCTV cameras for safety of women: Delhi government", December 17, 2012, available at <a class="external-link" href="http://bit.ly/158Gtjo">http://bit.ly/158Gtjo</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. Economic Times, "Railways to step by security apparatus at stations", February 15, 2012, available at <a class="external-link" href="http://bit.ly/11DxSX8">http://bit.ly/11DxSX8</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. Times of India, "Most Indians ignorant about privacy issues on Facebook, Twitter: Study", December 10, 2012, available at <a class="external-link" href="http://bit.ly/X4KVt1">http://bit.ly/X4KVt1</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. Kumar, H., "Does India Need a National Counter Terrorism Center?", The New York Times, India Ink, February 28, 2012, available at <a class="external-link" href="http://nyti.ms/A5VU5P">http://nyti.ms/A5VU5P</a></p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. Times of India. CM to attend National Counter- Terrorism Centre Meet in Delhi. May 4, 2012, available at <a class="external-link" href="http://bit.ly/12IDoH9">http://bit.ly/12IDoH9</a>, last accessed on January 8, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr31" name="fn31">31</a>]. Hickok, E., "Rethinking DNA Profiling in India", Economic Political Weekly, October 27, 2012, available at <a class="external-link" href="http://bit.ly/TUrH7j">http://bit.ly/TUrH7j</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr32" name="fn32">32</a>]. Department of Information Technology, "National Population Register", available at <a class="external-link" href="http://bit.ly/12rzyOh">http://bit.ly/12rzyOh</a></p>
<p style="text-align: justify; ">[<a href="#fr33" name="fn33">33</a>]. Pandit, A., "NPR must even if you have Aadhar number", Times of India, October 31, 2012, available at <a class="external-link" href="http://bit.ly/Y9oXGq">http://bit.ly/Y9oXGq</a>, last accessed on January 8, 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/privacy-highlights-in-india'>https://cis-india.org/internet-governance/privacy-highlights-in-india</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-02-12T12:39:05ZBlog EntryA Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications
https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications
<b>This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently seeks to establish an international standard for surveillance of communications in the context of human rights. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: <a class="external-link" href="http://necessaryandproportionate.net/">http://necessaryandproportionate.net/</a></p>
<p>The Principles:</p>
<p style="text-align: justify; "><b>1. </b><b>Principle - Legality</b><b>:</b><i> Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.</p>
<li><b>The Indian Telegraph Act, 1885</b>
<ul>
<li style="text-align: justify; "> <i>The Indian Telegraph Amendment Rules 2007: </i>These<i> </i>Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL)</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Internet Services</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
<li><b>The Information Technology Act, 2000</b>
<ul>
<li style="text-align: justify; "><i>Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource. </li>
<li style="text-align: justify; "><i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.</li>
</ul>
</li>
</ul>
</li>
<p><i> </i></p>
<p><b>2. </b><b>Principle - Legitimate Purpose</b>:<i> Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.</p>
<p style="text-align: justify; ">Below are the circumstances for which access is allowed by each Act, Rule, and License:</p>
<li><b>The TA Rules 2007</b>: Interception is allowed in the following circumstances: <br />
<ul>
<li>On the occurrence of any public emergency</li>
</ul>
<ul>
<li>In the interest of the public safety</li>
</ul>
<ul>
<li>In the interests of the sovereignty and integrity of India</li>
</ul>
<ul>
<li>The security of the state</li>
</ul>
<ul>
<li>Friendly relations with foreign states</li>
</ul>
<ul>
<li>Public order</li>
</ul>
<ul>
<li>Preventing incitement to the commission of an offence</li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules</b>: Interception, monitoring, and decryption of communications is allowed in the following circumstances:</li>
<ul>
<li>In the interest of the sovereignty or integrity of India, </li>
<li>Defense of India</li>
<li>Security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order </li>
<li>Preventing incitement to the commission of any cognizable offence relating to the above </li>
<li>For investigation of any offence </li>
</ul>
<li style="text-align: justify; "><b>ITA Monitoring of Traffic Data Rules:</b> Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security: </li>
<ul>
<li>Forecasting of imminent cyber incidents </li>
<li>Monitoring network application with traffic data or information on computer resources </li>
<li>Identification and determination of viruses or computer contaminant </li>
<li>Tracking cyber security breaches or cyber security incidents </li>
<li>Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants </li>
<li style="text-align: justify; ">Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security. </li>
<li style="text-align: justify; ">Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.</li>
<li style="text-align: justify; ">Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.</li>
<li>Any other matter relating to cyber security. </li>
</ul>
<li><b>UASL License</b>: Assistance must be provided to the government for the following reasons and times: </li>
<ul>
<li>Reasons defined in the Telegraph Act. <b>(Section 41.20 (xix))</b></li>
<li>National Security. <b>(Section 41.20 (xvii))</b></li>
<li style="text-align: justify; ">To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)</li>
<li style="text-align: justify; ">Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. <b>(Section 40.4)</b></li>
<li>In the interests of security. <b>(Section 41.7)</b></li>
<li>For security reasons. <b>(Section 41.20 (iii))</b></li>
</ul>
<li><b>ISP License: </b>Assistance must be provided to the government for the following reasons and times:</li>
<ul>
<li>To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 34.1)</b></li>
<li>In the interests of security. <b>(Section 34.4)</b></li>
<li>For security reasons. <b>(Section 34.28 (iii))</b></li>
<li>Reasons defined in the Telegraph Act. <b>(Section 35.2)</b></li>
</ul>
<p style="text-align: justify; "><b>3. </b><b>Principle - Necessity</b>: <i>Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA <i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules</i>, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.</p>
<p>Below are summaries of the relevant provisions:</p>
<ul>
<li style="text-align: justify; "><b>TA Rules 2007</b>: Any order for interception issued by the competent authority must contain reasons for the direction <b>(Section 2).</b> While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means <b>(Section 3).</b></li>
<li style="text-align: justify; "><b>ITA Interception and Monitoring Rules: </b>Any direction issued by the competent authority must contain reasons for such direction <b>(Section 7). </b>The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means <b>(Section 8).</b></li>
<li style="text-align: justify; "><b>ITA Traffic Monitoring Rules:</b> Any direction issued by the competent authority must contain reasons for the direction <b>(Section 3(3)).</b></li>
<li style="text-align: justify; "><b>UASL & ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.<b> </b></li>
</ul>
<p><b>4. </b><b><i>Principle - Adequacy</i></b><i>:</i> <i>Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure. </i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.</p>
<p style="text-align: justify; "><b>5. </b><b>Principle - Competent Authority</b>: <i>Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.</p>
<p>Below are summaries of relevant provisions:</p>
<li style="text-align: justify; "><b>The TA Rules 2007</b>: Under the Telegraph Act the authorizing authorities are:
<ul>
<li>The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level</li>
<li>The Secretary to the State Government in charge of the Home Department in the case of the State Government. </li>
<li>In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.</li>
<li>In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. <b>(Section 1(2))</b>. </li>
<li><b>ITA Interception and Monitoring Rules: </b>Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
<ul>
<li>The Secretary in the Ministry of Home Affairs in case of the Central Government.</li>
<li>The Secretary in charge of the Home Department, in case of a State Government or Union Territory. </li>
<li>In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority. </li>
<li>In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. <b>(Section 3)</b>.</li>
</ul>
</li>
<li><b>ITA Monitoring and Collecting Traffic Data Rules:</b> Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
<ul>
<li>The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. <b>(Section 2(d))</b>.</li>
<li>An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. <b>(Section 9 (2))</b>. </li>
</ul>
</li>
<li style="text-align: justify; "><b>UASL & ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.<b> </b> </li>
</ul>
</li>
<p><b> </b></p>
<p style="text-align: justify; "><b>6. </b><b>Principle - Proportionality</b>:<i> Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation. </i></p>
<p style="text-align: justify; "><b>Indian Legislation</b>: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA <i>Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA <i>Safeguards for Monitoring and Collecting Traffic Data or Information Rules</i>.</p>
<p style="text-align: justify; ">Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.</p>
<p>Below is a summary of the relevant provisions:</p>
<li><b>TA Rules 2007: </b>
<ul>
<li style="text-align: justify; ">Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. <b>(Section 19)</b>.</li>
<li style="text-align: justify; ">Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. <b>(Section 3)</b>.</li>
<li style="text-align: justify; ">The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. <b>(Section 4)</b>. </li>
<li style="text-align: justify; ">The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 6)</b>.</li>
<li><b> ITA Interception and Monitoring Rules:</b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 7)</b>.</li>
<li style="text-align: justify; ">The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. <b>(Section 8)</b>.</li>
<li style="text-align: justify; ">The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. <b>(Section 9)</b>. </li>
<li style="text-align: justify; ">The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 10)</b>.</li>
</ul>
</li>
<li><b>ITA Traffic and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 3(3))</b>.</li>
<li style="text-align: justify; ">Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. <b>(Section 8)</b>.</li>
</ul>
</li>
</ul>
</li>
<p><b> </b></p>
<p style="text-align: justify; "><b>7. </b><b>Principle - Due process</b>:<i> Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.</p>
<li><b> TA Rules 2007:</b>
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
<li><b>ITA Interception and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules:</b>
<ul>
<li style="text-align: justify; ">The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>8. </b><b>Principle - User notification</b>:<i> Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.</p>
<p><i> </i></p>
<p style="text-align: justify; "><b>9. </b><b>Principle - Transparency about use of government surveillance</b>: <i>The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.</p>
<p><i> </i></p>
<p style="text-align: justify; "><b>10. </b><b><i>Principle - Oversight</i></b><i>:</i> <i>An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)</i><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are requirements for a review committee to be established.<i> </i>The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li><b>TA Rules 2007</b>:
<ul>
<li style="text-align: justify; ">A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. <b>(Section 17)</b>.<b> </b>Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. <b>(Section 2)</b>.</li>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 22)</b>. </li>
</ul>
</li>
<li><b>ITA Traffic Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 7)</b>.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>11. </b><b>Principles - Integrity of communications and systems</b>: <i>It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA<i> Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.</p>
<p><b> </b></p>
<p>Relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007</b>: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service providers licenses depending on the nature and scale of the violation. <b>(Section 20, 20A 21, 23).</b></li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules: </b>The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 20)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules</b>: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 5&6)</b>.</li>
<li style="text-align: justify; "><b>UASL License:</b> The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. <b>(Section 39.1, Section 39.2, Section 41.4)</b>.</li>
<li style="text-align: justify; "><b>ISP License:</b> The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. <b>(Section 32.1)</b> The ISP must take all necessary steps to safeguard the privacy and confidentiality of an information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. <b>(Section 32.2</b>) The ISP must also take necessary steps to ensure that any person acting on its behalf observe confidentiality of customer information. <b>(Section 32.3)</b>.</li>
<p>Provisions requiring the provision of facilities, assistance, and retention:</p>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction <b>(Section 13(2))</b>.</li>
<li style="text-align: justify; ">If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. <b>(Section 17)</b>. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. <b>(Section 4(7))</b>.</li>
</ul>
</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. <b>(Section 39.1)</b>. </li>
<li style="text-align: justify; ">The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.<b>(Section 40.4)</b>.<b> </b></li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 41.11)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. <b>(Section 41.14)</b>. The database of subscribers must also be made available to the licensor or its representatives. <b>(Section 41.16)</b>.</li>
<li style="text-align: justify; ">The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. <b>(Section 41.17)</b>.</li>
<li style="text-align: justify; ">Calling Line Identification must be provided and the network should also support Malicious Call Identification.<b> (Section 41.18)</b>.</li>
<li style="text-align: justify; ">Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis <b>(Section 41.19)</b>.</li>
<li style="text-align: justify; ">Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. <b>(Section 41.19(iv))</b>.</li>
<li style="text-align: justify; ">The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. <b>(41.20 (ix))</b>.</li>
<li style="text-align: justify; ">On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. <b>(41.20 (x))</b></li>
<li style="text-align: justify; ">Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(41.20 (xiv))</b>. </li>
<li>A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. <b>(Section 41.20 (xv))</b>.</li>
<li>For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. <b>(Section 41.20 (xx))</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. <b>(Section 2.2(vii))</b>. </li>
<li style="text-align: justify; ">The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. <b>(Section 9.1)</b>.</li>
<li style="text-align: justify; ">The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. <b>(Section 30.1)</b>.</li>
<li style="text-align: justify; ">The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. <b>(Section 34.1)</b>.</li>
<li style="text-align: justify; ">In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. <b>(Section 34.4)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. <b>(Section 34.6)</b>.</li>
<li style="text-align: justify; ">The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. <b>(Section 34.7)</b>.</li>
<li style="text-align: justify; ">ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. <b>(Section 34.8)</b>.<b> </b></li>
<li style="text-align: justify; ">The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 34.9)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. <b>(Section 34.12)</b>.</li>
<li style="text-align: justify; ">The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies.<b> (Section 34.13)</b>. </li>
<li style="text-align: justify; ">Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. <b>(Section 34.15)</b>.</li>
<li style="text-align: justify; ">The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. <b>(Section 34.22)</b>. </li>
<li style="text-align: justify; ">The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. <b>(Section 34.23)</b>.</li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
<li style="text-align: justify; ">Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. <b>(Section 34.27 (a(v))</b>.</li>
<li style="text-align: justify; ">The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. <b>(Section 34.27 (ix))</b>.</li>
<li style="text-align: justify; ">On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. <b>(Section 34.27 (x))</b>.</li>
<li style="text-align: justify; ">Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(Section 34.27 (xiv))</b>.</li>
<li style="text-align: justify; ">A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. <b>(Section 34.27 (xv))</b>.</li>
<li style="text-align: justify; ">ISPs must provide access of their network and other facilities, as well as books to security agencies. <b>(Section 34.27 (xx))</b>.</li>
</ul>
</li>
<p> </p>
<p><b> </b></p>
<p style="text-align: justify; "><b>12. </b><b>Principle - Safeguards for international cooperation</b>:<i> In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.</p>
<p>Below is a summary of the relevant provisions:</p>
<li style="text-align: justify; "><b>ITA 2000</b>: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. <b>(Section 1(2))</b> </li>
<li style="text-align: justify; "><b>UASL License:</b> The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature. <b>(section (41.20 (viii))</b></li>
<li style="text-align: justify; "><b>ISP License:</b> For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or route to any place outside of India. <b>(Section 34.28 (iii)) </b>ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) <b>(Section 34.28 (viii))</b></li>
<p style="text-align: justify; "><b>13. </b><b><i>Principle - Safeguards against illegitimate access</i></b><i>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007:</b> The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and or a fine of rs.500 – 1000 depending on the exact violation<b>. (Section 20, 20A, 23, and 24 Indian Telegraph Act)</b>.</li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 21)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 6)</b>.</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. <b>(Section 41.20 (xix))</b>.</li>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. <b>(Section 34.28 (xix))</b>.</li>
<li style="text-align: justify; ">The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. <b>(Section 8.4)</b>.</li>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>14. </b><b><i>Principle - Cost of surveillance</i></b><b><i>:</i></b><i> The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.</p>
<p>Below are summaries of relevant provisions:</p>
<li><b>UASL License</b>:
<ul>
<li style="text-align: justify; "> Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. <b>(Section 41.20 (xvi))</b>.</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. <b>(Section 34.7)</b>. </li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
</ul>
</li>
</ul>
</li>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications'>https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:40:51ZBlog EntryLeaked Privacy Bill: 2014 vs. 2011
https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011
<b>The Centre for Internet and Society has recently received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India has drafted.</b>
<hr />
<p style="text-align: justify; ">Note: <i>After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post</i>.</p>
<hr />
<p style="text-align: justify; ">This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in <a href="http://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf">April 2011</a> and <a href="https://cis-india.org/internet-governance/draft-bill-on-right-to-privacy">September 2011</a>.</p>
<p style="text-align: justify; ">When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions. Below is an outline of significant changes from the <a href="https://cis-india.org/internet-governance/draft-bill-on-right-to-privacy">September 2011 Privacy Bill</a> to the 2014 Privacy Bill:</p>
<ol style="text-align: justify; "> </ol>
<ul style="text-align: justify; ">
<li><b>Scope:</b> The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India. The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.</li>
<li style="text-align: justify; "><b><span>Definitions:</span></b><span> The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.<br /></span></li>
</ul>
<p style="text-align: justify; "><b>Terms that have been added in the 2014 Bill and the definitions</b></p>
<ol style="text-align: justify; "> </ol><ol style="text-align: justify; ">
<li style="text-align: justify; "><b><i>Personal identifier</i>:</b> Any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.</li>
<li style="text-align: justify; "><b><i>Legitimate purpose</i>:</b> A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.</li>
<li style="text-align: justify; "><b><i>Competent authority</i></b> : The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.</li>
<li style="text-align: justify; "><b><i>Notification</i></b><i>: </i>Notification issued under this Act and published in the Official Gazette</li>
<li style="text-align: justify; "><b><i>Control</i> :</b> And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.</li>
<li style="text-align: justify; "> <b><i>Telecommunications system</i>:</b> Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.</li>
<li style="text-align: justify; "><b><i>Privacy standards</i>:</b> The privacy standards or protocols or codes of practice. developed by industry associations.</li>
</ol>
<p style="text-align: justify; "><b>Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions</b></p>
<ol style="text-align: justify; ">
<li><b><i>Communication data:</i></b>The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications </li>
<li><b><i>Data subject</i></b><i> </i>: Any living individual, whose personal data is controlled by any person</li>
<li><b><i>Interception</i></b><i>: </i>In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication. </li>
<li><b><i>Person</i></b><i>: A</i>ny natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban local body, or any other officer, agency or instrumentality of the state. </li>
<li><b><i>Sensitive personal data</i>:</b> Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation. Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.</li>
<li><b><i>Individual:</i></b><i> </i>a resident of Indian </li>
<li><b><i>Covert surveillance</i>:</b> covert Surveillance" means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual</li>
<li><b><i>Re-identify</i></b>: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;</li>
<li><b><i>Process</i>:</b> “process" and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to:(a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;</li>
<li><b><i>Direct marketing</i></b>: Direct Marketing means sending of a commercial communication to any individual </li>
<li><b><i>Data controller</i></b>: any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;</li>
<li><b><i> Government</i></b>: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;</li>
</ol>
<p style="text-align: justify; ">Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:</p>
<ol style="text-align: justify; ">
<li>Consent: Includes implied consent</li>
<li>Maintain: Includes maintain, collect, use, or disseminate.</li>
<li>Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller. </li>
<li>Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund. </li>
<li>Prescribed: Prescribed by rules made under this Act.</li>
<li>Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)</li>
<li>DNA: Cell in the body of an individual, whether collected from a cheek, cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with other individual. </li>
</ol>
<p style="text-align: justify; ">Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):</p>
<ol style="text-align: justify; ">
<li>Authority: The Data Protection Authority of India </li>
<li>Appellate tribunal: the Cyber Appellate Tribunal established under Sub-Section (1) of section n48 of the Information Technology Act, 2000.</li>
<li>Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject. </li>
<li>Member: Member of the Authority </li>
<li>Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data. </li>
<li>Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller. </li>
</ol>
<ul style="text-align: justify; ">
<li><b>Exceptions to the Right to Privacy</b>: According to the 2011 Bill, the exceptions to the Right to Privacy included: </li>
</ul>
<ol style="text-align: justify; "> </ol>
<ul style="text-align: justify; ">
</ul>
<ol style="text-align: justify; ">
<li>Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state </li>
<li>Preventing incitement to the commission of any offence </li>
<li>Prevention of public disorder or the detection of crime</li>
<li>Protection of rights and freedoms of others </li>
<li>In the interest of friendly relations with foreign state</li>
<li>Any other purpose specifically mentioned in the Act. </li>
</ol>
<p style="text-align: justify; ">The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed on the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.</p>
<p id="content" style="text-align: justify; "></p>
<ul style="text-align: justify; ">
<li>Acts not to be considered deprivations of privacy: The 2011 Bill lists five instances that will not be considered a deprivation of privacy - namely</li>
</ul>
<ol style="text-align: justify; ">
<li>For journalistic purposes unless it is proven that there is a reasonable expectation of privacy, </li>
<li>Processing data for personal or household purposes,</li>
<li>Installation of surveillance equipment for the security of private premises, </li>
<li>Disclosure of information via the Right to Information Act 2005,</li>
<li>And any other activity exempted under the Act.</li>
</ol>
<p style="text-align: justify; ">The 2014 limits these instances to:</p>
<ol style="text-align: justify; ">
<li>The processing of data purely for personal or household purposes, </li>
<li>Disclosure of information under the Right to Information Act 2005,</li>
<li>And any other action specifically exempted under the Act.</li>
</ol>
<ul style="text-align: justify; ">
<li style="text-align: justify; ">Privacy Principles: Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices. </li>
</ul>
<ul style="text-align: justify; ">
<li>Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:</li>
</ul>
<ol style="text-align: justify; ">
<li>Collection of personal data, </li>
<li>Processing of personal data, </li>
<li>Data quality, </li>
<li>Provisions relating to sensitive personal data, </li>
<li>Retention of personal data,</li>
<li>Sharing (disclosure) of personal data, </li>
<li>Security of personal data, </li>
<li>Notification of breach of security, </li>
<li>Access to personal data by data subject,</li>
<li>Updation of personal data by data subject</li>
<li>Mandatory processing of data,</li>
<li>Trans border flows of personal data.</li>
</ol>
<p style="text-align: justify; ">Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:</p>
<ol style="text-align: justify; ">
<li>Collection of personal data,</li>
<li>Processing of personal data, </li>
<li>Access to personal data,</li>
<li>Updating personal data</li>
<li>Retention of personal data</li>
<li>Data quality, </li>
</ol>
<p style="text-align: justify; ">The 2014 Bill has further includes provisions addressing:</p>
<ol style="text-align: justify; ">
<li>Openness and accountability, </li>
<li>Choice, </li>
<li>Consent,</li>
<li>Exceptions for personal identifiers. </li>
</ol>
<p style="text-align: justify; ">The 2014 Bill has made changes to the provisions addressing:</p>
<ol style="text-align: justify; ">
<li>Provisions relating to sensitive personal data, </li>
<li>Sharing (disclosure of personal data), </li>
<li>Notification of breach of security, </li>
<li>Mandatory processing of data </li>
<li>Security of personal data</li>
<li>Trans border flows of personal data. </li>
</ol>
<p style="text-align: justify; ">The changes that have been made have been mapped out below:</p>
<ol style="text-align: justify; "> </ol>
<ul style="text-align: justify; ">
</ul>
<p style="text-align: justify; "><b>Provisions Relating to Sensitive Personal Data:</b> The 2011Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances on which authorization is not needed for the collection and processing of sensitive personal data:</p>
<ul style="text-align: justify; ">
</ul>
<ol style="text-align: justify; ">
<li style="text-align: justify; ">For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.</li>
<li style="text-align: justify; ">Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.</li>
</ol>
<p style="text-align: justify; ">The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires that any additional transaction sought to be performed with the sensitive personal information requires fresh consent to first be obtained. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.</p>
<ol style="text-align: justify; "> </ol>
<p style="text-align: justify; "><b>Notification of Breach of Security</b>: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national news papers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach. <br /><b><br />Notice</b>: The 2014 Bill changes the structure of the notice mechanism – where in the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:</p>
<ul style="text-align: justify; ">
</ul>
<ol style="text-align: justify; "> </ol> <ol style="text-align: justify; "> </ol> <ol style="text-align: justify; ">
<li>The documented purposes for which such personal data is being collected</li>
<li>Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service</li>
<li>The consequences of the failure to provide the personal data </li>
<li>The recipient or category of recipients of the personal data </li>
<li>The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller </li>
<li>If such personal data is intended to be transferred out of the country, details of such transfer. </li>
</ol>
<p style="text-align: justify; ">In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:</p>
<ol style="text-align: justify; ">
<li>What data is being collected and</li>
<li>The legitimate purpose for the collection.</li>
</ol>
<p style="text-align: justify; ">If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:</p>
<ol style="text-align: justify; ">
<li>The use to which the personal data will be put</li>
<li>Whether or not the personal data will be disclosed to a third party and if so the identity of such person </li>
<li>If the personal data being collected is intended to be transferred outside India and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data. </li>
<li>The security and safeguards established by the data controller in relation to the personal data </li>
<li>The processes available to a data subject to access and correct his personal data</li>
<li>The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto</li>
<li>The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. </li>
</ol><ol style="text-align: justify; "> </ol>
<p style="text-align: justify; "><b>Disclosure of personal data</b>: Though titled as ‘sharing of personal data’ both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances on which consent is not needed. In the 2011 bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing. In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose (ii) such disclosure is for achieving any of the objectives of section 5 (iii) the Authority has by order authorized such disclosure (iv) the disclosure is required under any law for the time being in force (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. As a safeguard, the 2014 Bill requires that any person to whom personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.</p>
<p style="text-align: justify; "><b>Transborder flow of information</b>: Though both the 2011 Bill and the 2014 Bill require any country that data is transferred to must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.</p>
<p style="text-align: justify; "><b>Mandatory Processing of Data</b>: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.</p>
<p style="text-align: justify; "><b>Security of Personal Data:</b> The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of security.</p>
<ul style="text-align: justify; ">
</ul>
<ol style="text-align: justify; "> </ol><ol> </ol>
<ul>
<li style="text-align: justify; "><b>Conditions on which provisions do not apply:</b> Both the 2011Bill and 2014 Bill define conditions on which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy will not apply to personal data. Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill carves out an exception for Government Intelligence Agencies - stating that the provisions of updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.</li>
<li style="text-align: justify; "><b>Privacy Officers</b>: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.</li>
<li style="text-align: justify; "><b>Power of Authority to Exempt: </b> Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances on which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’ .</li>
</ul>
<ul>
<li style="text-align: justify; "><b>The Data Protection Authority:</b> The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority. For example, new functions of the Authority include:</li>
</ul>
<ul>
</ul>
<ol>
<li style="text-align: justify; ">Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act, </li>
<li> Suggesting international instruments relevant to the administration of the Act,</li>
<li style="text-align: justify; "> Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.</li>
</ol>
<p style="text-align: justify; ">The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving him the power to receive, investigate complaints about alleged violations of privacy and issue appropriate orders or directions.</p>
<p style="text-align: justify; ">At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligences Agencies and Law Enforcement, if for the objectives of (a) sovereignty, integrity or security of India; or(b) strategic, scientific or economic interest of India; or(c) preventing incitement to the commission of any offence, or (d) prevention of public disorder, or(e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.</p>
<p style="text-align: justify; ">This power is instead vested with a court of competent jurisdiction.</p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><b>The National Data Controller Registry</b>: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.</li>
<li style="text-align: justify; "><b>Direct Marketing: </b>Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’ and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.</li>
<li style="text-align: justify; "><b>Interception of Communications</b>: Though maintaining some of the safeguards defined in the 2011 Bill for interception, 2014 Bill changes the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees, removing provisions requiring the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.</li>
<li style="text-align: justify; "><b>Video Recording Equipment in public places</b>: Unlike the 2011 Bill, which addressed only the use of CCTV’s, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though both the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed. </li>
</ul>
<p>The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.</p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><b>Privacy Standards and Self Regulation</b>: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them. For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.</li>
<li style="text-align: justify; "><b>Settlement of Disputes and Appellate Tribunal:</b> The 2014 Bill makes significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish. If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court. </li>
</ul>
<p style="text-align: justify; ">In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is not further path for appeal to an order of the tribunal.</p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><b>Offences and Penalties:</b> The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section. </li>
</ul>
<ol> </ol><ol> </ol><ol> </ol>
<ul>
<li style="text-align: justify; "><b>Offences</b>: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the courts ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. . Under the 2014 Bill offences are defined as:</li>
</ul>
<ol>
<li>Unauthorized interception of communications </li>
<li>Disclosure of intercepted communications </li>
<li>Undertaking unauthorized Covert Surveillance </li>
<li>Unauthorized use of disclosure of communication data </li>
</ol>
<p style="text-align: justify; ">The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.</p>
<p style="text-align: justify; "><b>Penalties</b>: The 2014 Bill provides a list of penalties including:</p>
<ol>
<li>Penalty for obtaining personal data on false pretext</li>
<li style="text-align: justify; ">Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers </li>
<li>Penalty for disclosure of other personal information </li>
<li>Penalties for contravention of directions of the Authority </li>
<li>Penalties for data theft </li>
<li>Penalties for unauthorised collection, processing, and disclosure of personal data</li>
<li style="text-align: justify; ">Penalties for unauthorized use of personal data for direction marketing. These penalties reflect the penalties in the 2011 bill, but prescribe higher fines<br /><br /></li>
</ol><ol> </ol>
<p style="text-align: justify; "><b>Adjudicating Officer</b>: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial processing. When adjudicating the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, the respective nature of the default</p>
<p style="text-align: justify; "><b>Civil Remedies and compensation</b>: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to - if loss or damage has been suffered or an adverse determination is made about an individual due to negligence on complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense. <br /><br />The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.</p>
<ol> </ol>
<p style="text-align: justify; "><b>Exceptions for intelligence agencies</b>: Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.</p>
<ol> </ol><ol> </ol>
<p style="text-align: justify; ">The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but are cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.</p>
<p style="text-align: justify; ">In 2012, the Report of Group of Expert s on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.</p>
<ol> </ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011'>https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011</a>
</p>
No publisherelonnaiFeaturedInternet GovernancePrivacy2014-04-01T10:52:41ZBlog EntryAnalysis of CLOUD Act and Implications for India
https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india'>https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india</a>
</p>
No publisherelonnai2018-08-22T14:53:50ZFileSCOSTA and UID Comparison not Valid, says Finance Committee
https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid
<b>The Standing Committee on Finance Branch, Lok Sabha Secretariat has responded to the suggestions offered by CIS on the National Identification Authority of India, Bill 2010 and has requested it to mail its views by 14 October 2011.</b>
<p>On January 6, 2011, CIS had sent an <a href="https://cis-india.org/internet-governance/blog/blog/privacy/letter-to-finance-committee" class="external-link">open letter to the Parliamentary Finance Committee</a> demonstrating how the Aadhaar biometric standard is weaker than the SCOSTA standard. The text of the reply is reproduced below.</p>
<p>Sir,</p>
<p>This is in response to one of the views/suggestions offered by CIS on the National Identification Authority of India Bill, 2010.</p>
<h3>CIS View /Suggestion:</h3>
<div> </div>
<p>"Though the Aadhaar biometrics are useful for the de-duplication and identification of individuals, the Smart Card Operating System for Transport Application [(SCOSTA), developed by the National Informatics Centre in India)] standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Therefore, the Aadhaar biometric based authentication process should be replaced with a SCOSTA standard based authentication process."</p>
<p>In this regard, do you agree with the following view? If not, please justify.</p>
<p>"Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the unique id project.</p>
<p>The UID project follows a different approach and has multiple objectives — providing identity to residents of India, ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services, eliminating the fakes, duplicates and ghost identities prevalent in other databases and provide a platform for authentication in a cost effective and accessible manner.</p>
<p>UIDAI is not issuing cards or smart cards. Cards can be issued by agencies that are providing services. UID authentication does not exclude smart cards — service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."</p>
<p>You are requested to email your view by 14 October, 2011 positively.</p>
<p>Standing Committee on Finance Branch<br />Lok Sabha Secretariat</p>
<div> </div>
<div> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid'>https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid</a>
</p>
No publisherelonnaiInternet Governance2011-11-22T16:37:43ZBlog Entry