The Centre for Internet and Society
https://cis-india.org
Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill
https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill
<b>Following our previous post comparing the leaked 2014 Privacy Bill with the leaked 2011 Privacy Bill, this post will compare the recommendations provided in the Report of the Group of Experts on Privacy by the Justice AP Shah Committee to the text of the leaked 2014 Privacy Bill. Below is an analysis of recommendations from the Report that are incorporated in the text of the Bill, and recommendations in the Report that are not incorporated in the text of the Bill. </b>
<h2>Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill</h2>
<h3>Constitutional Right to Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.</p>
<h3 style="text-align: justify; ">Nine National Privacy Principles</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data. An analysis of the principles as compared in the Report and the Bill is below:</p>
<ul>
<li style="text-align: justify; "><b>Notice</b>: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill. According to the notice principle in the Report, a data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information; Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects. <br /><br />In contrast, the 2014 Privacy Bill requires that all data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected.
If the purpose for which the personal data is used changes, data controllers must provide data subjects with a further notice that would include the use to which the personal data shall be put; whether or not the personal data will be disclosed to a third person and, if so, the identity of such person; if the personal data being collected is intended to be transferred outside India, the reasons for doing so; how such transfer helps in achieving the legitimate purpose; and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place, data controllers must inform the affected data subject if the personal data is lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; processed, re-identified or disclosed in an unauthorized manner.<br /><br />Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Choice and Consent</b>: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on Privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subjects will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex, the 2014 Privacy Bill also contains provisions that address mandatory collection of information, which require, as recommended by the Report of the Group of Experts, that the information is anonymized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data. <br /><br />Unlike the principle recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exceptional cases, when it is not possible to provide a service with choice and consent, choice and consent will not be required.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Collection Limitation:</b> The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and consent be taken. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Purpose Limitation</b>: Though the principles of Purpose Limitation are similar in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill, as they both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which it is processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data. </li>
</ul>
<ul>
<li><b>Access and Correction</b>: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Disclosure of Information: </b>The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim). As recommended, this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound to adhere to all relevant and applicable privacy principles.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Security:</b> The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Openness:</b> The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity of the data they collect. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Accountability:</b> The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller is accountable for compliance with the National Privacy Principles. </li>
</ul>
<p style="text-align: justify; "><b>Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material</b>: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).</p>
<p style="text-align: justify; ">With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. Note that the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. <br /><br />With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised. <br /><br />With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.</p>
<h3 style="text-align: justify; ">Additional Protection for Sensitive Personal Data</h3>
<p style="text-align: justify; ">The <b>Report of the Group of Experts on Privacy</b> broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The <b>2014 Privacy Bill</b> incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions; password, banking credit and financial data; narco analysis or polygraph test data; and sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances in which this authorization would not be required, including: collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected and processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic is processed and collected by law enforcement agencies; such data regarding 
credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual; such data is collected or processed by the government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India; the authority has, by a general or specified order, permitted the processing of such data for a specific purpose and is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.</p>
<h3 style="text-align: justify; ">Privacy Officers</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.</p>
<h3 style="text-align: justify; ">Co-regulatory Framework</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry-level self-regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry-level self-regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.</p>
<h2 style="text-align: justify; ">Recommendations in the Report that are not in the Bill</h2>
<h3>Scope</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India. The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.</p>
<h3 style="text-align: justify; ">Exceptions</h3>
<p>The Report of the Group of Experts recommends the following as exceptions to the right to privacy:</p>
<ol>
<li>National security</li>
<li>Public order</li>
<li>Disclosure in the public interest </li>
<li>Prevention, detection, investigation, and prosecution of criminal offenses </li>
<li>Protection of the individual and rights and freedoms of others </li>
</ol>
<p>The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessity in a democratic state.</p>
<p style="text-align: justify; ">The Privacy Bill 2014 reflects only the exception of “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:</p>
<ol>
<li>Sovereignty, integrity or security of India; or</li>
<li>Strategic, scientific or economic interest of India; or</li>
<li>Preventing incitement to the commission of any offence; or</li>
<li>Prevention of public disorder; or</li>
<li>The investigation of any crime; or</li>
<li>Protection of rights and freedoms of others; or</li>
<li>Friendly relations with foreign states; or</li>
<li>Any other legitimate purpose mentioned in this Act.</li>
</ol>
<p style="text-align: justify; ">Instead of qualifying these exceptions with the principles of proportionality, legality, and necessity in a democratic state, as recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.</p>
<h3 style="text-align: justify; ">Constitution of Infringement of Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast, the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to Information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.</p>
<h3 style="text-align: justify; ">The Data Protection Authority</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The Privacy Commissioner should have the power to receive and investigate class action complaints, and the investigative powers of the Commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo motu, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio & video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry-level SROs.</p>
<p style="text-align: justify; ">Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.</p>
<p style="text-align: justify; ">The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs, and receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate complaints received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers. Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.</p>
<h3 style="text-align: justify; ">Tribunal and System of Complaints</h3>
<p style="text-align: justify; ">Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization. The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.</p>
<h3 style="text-align: justify; ">Penalties and Offenses</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.</p>
<p style="text-align: justify; ">In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.</p>
<hr />
<p><b>References</b></p>
<ol>
<li><a href="https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011/" class="external-link">Leaked Privacy Bill: 2014 vs. 2011 </a></li>
<li><a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of the Group of Experts on Privacy</a></li>
</ol>
No publisher | elonnai | Featured, Internet Governance, Privacy | 2014-04-14T06:10:20Z | Blog Entry
Rethinking DNA Profiling in India
https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india
<b>DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs to be included in the draft Human DNA Profiling Bill.</b>
<hr />
<p style="text-align: justify; ">Elonnai Hickok's article was <a class="external-link" href="http://www.epw.in/web-exclusives/rethinking-dna-profiling-india.html">published in Economic & Political Weekly</a>, Vol - XLVII No. 43, October 27, 2012</p>
<hr />
<p style="text-align: justify; ">DNA evidence was first accepted by the courts in India in 1985,<a href="#fn1" name="fr1">[1]</a> and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include</p>
<p class="callout" style="text-align: justify; ">"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.</p>
<p>The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.<a href="#fn3" name="fr3">[3]</a> The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,<a href="#fn5" name="fr5">[5]</a> along with a number of private labs<a href="#fn6" name="fr6">[6]</a> which analyse DNA samples for crime-related purposes.</p>
<p style="text-align: justify; ">In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of</p>
<p class="callout" style="text-align: justify; ">"enhancing protection of people in the society and the administration of justice."<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.<a href="#fn8" name="fr8">[8]</a> The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.</p>
<p>Concerns that have been raised with regard to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles<a href="#fn9" name="fr9">[9]</a> from DNA samples<a href="#fn10" name="fr10">[10]</a> only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles is added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases, as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).<a href="#fn11" name="fr11">[11]</a> This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.<a href="#fn12" name="fr12">[12]</a></p>
<p style="text-align: justify; ">The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: <i>crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board</i>.<a href="#fn13" name="fr13">[13]</a> How independent these indices are from one another is unclear. For example, the Bill does not specify whether all indices or only the relevant indices are searched when a profile is searched for in the database, and it requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.<a href="#fn14" name="fr14">[14]</a> The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected and used for the identification of the perpetrator, including unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.<a href="#fn15" name="fr15">[15]</a> Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offences will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.</p>
<p style="text-align: justify; ">Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.<a href="#fn16" name="fr16">[16]</a> Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,<a href="#fn17" name="fr17">[17]</a> but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,<a href="#fn18" name="fr18">[18]</a> it allows for DNA profiles/DNA samples and related information to be shared for <i>creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms</i>.<a href="#fn19" name="fr19">[19]</a></p>
<p style="text-align: justify; ">An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."<a href="#fn20" name="fr20">[20]</a> CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.<a href="#fn21" name="fr21">[21]</a> Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?</p>
<p style="text-align: justify; ">Similarly, in the Report of the Working Group for the Eleventh Five Year Plan, it lists the following as a possible use of DNA profiling technology:</p>
<p class="callout" style="text-align: justify; ">"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."<a href="#fn22" name="fr22">[22]</a></p>
<p style="text-align: justify; ">This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals, and identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Windward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.<a href="#fn24" name="fr24">[24]</a> In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,</p>
<p style="text-align: justify; ">"<i>In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals</i>."<a href="#fn25" name="fr25">[25]</a> Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.<a href="#fn26" name="fr26">[26]</a> And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.<a href="#fn27" name="fr27">[27]</a> These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.</p>
<p style="text-align: justify; ">The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, <i>"DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead with any doubt."</i><a href="#fn28" name="fr28">[28]</a></p>
<p style="text-align: justify; ">This statement ignores the possibility of false matches, cross-contamination, and laboratory error,<a href="#fn29" name="fr29">[29]</a> as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime;<a href="#fn30" name="fr30">[30]</a> in the French diplomat rape case, the DNA report came out with both negative and positive results;<a href="#fn31" name="fr31">[31]</a> and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.<a href="#fn32" name="fr32">[32]</a> Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.<a href="#fn33" name="fr33">[33]</a></p>
<p style="text-align: justify; ">The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:</p>
<p class="callout" style="text-align: justify; ">"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."<a href="#fn34" name="fr34">[34]</a></p>
<p style="text-align: justify; ">The claim that the DNA fingerprinting service has been shown to bring about a dramatic increase in the conviction rate is not supported by evidence in this article. In addition, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.<a href="#fn35" name="fr35">[35]</a> This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.<a href="#fn36" name="fr36">[36]</a> From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.</p>
<p style="text-align: justify; ">Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hands of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.<a href="#fn37" name="fr37">[37]</a></p>
<p style="text-align: justify; ">Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.<a href="#fn38" name="fr38">[38]</a> The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.</p>
<p style="text-align: justify; ">The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.<a href="#fn39" name="fr39">[39]</a> These are significant gaps in the proposed legislation as it restricts the rights of the individual.</p>
<p style="text-align: justify; ">In conclusion, India could benefit from having a legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement from the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at:<span> <a href="http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf">http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr2" name="fn2">2</a>]. Section 53. The Criminal Code of Procedure, 1973. Available at: <span><a href="http://www.vakilno1.com/bareacts/crpc/s53.htm">http://www.vakilno1.com/bareacts/crpc/s53.htm</a></span>. Last accessed October 9th 2012.<br />[<a href="#fr3" name="fn3">3</a>]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: <span><a href="http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf">http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf</a></span>. Last Accessed October 9th 2012.<br />[<a href="#fr4" name="fn4">4</a>]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: <span><a href="http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0">http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr5" name="fn5">5</a>]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr6" name="fn6">6</a>]. 
For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.<br />[<a href="#fr7" name="fn7">7</a>]. Draft Human DNA Profiling Bill 2012. Introduction.<br />[<a href="#fr8" name="fn8">8</a>]. Id. section 12(a-z)<br />[<a href="#fr9" name="fn9">9</a>]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.<br />[<a href="#fr10" name="fn10">10</a>]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct CAN analysis, collected in such manner as specified in Part II of the Schedule.<br />[<a href="#fr11" name="fn11">11</a>]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.<br />[<a href="#fr12" name="fn12">12</a>]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html">http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr13" name="fn13">13</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))<br />[<a href="#fr14" name="fn14">14</a>]. Id. Section 35<br />[<a href="#fr15" name="fn15">15</a>]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.<br />[<a href="#fr16" name="fn16">16</a>]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.<br />[<a href="#fr17" name="fn17">17</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (5)-
(6)(a)-(b)
. Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.<br />[<a href="#fr18" name="fn18">18</a>]. Id. Section 39<br />[<a href="#fr19" name="fn19">19</a>]. Id. Section 40(c)<br />[<a href="#fr20" name="fn20">20</a>]. CDFD. Annual Report 2010-2011. Pg19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr21" name="fn21">21</a>]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: <a href="http://www.cdfd.org.in/servicespages/dnafingerprinting.html" title="http://www.cdfd.org.in/servicespages/dnafingerprinting.html">http://www.cdfd.org.in/servicespages/dnafingerprinting.html</a><br />[<a href="#fr22" name="fn22">22</a>]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: <span><a href="http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf">http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr23" name="fn23">23</a>]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html">http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr24" name="fn24">24</a>]. Narayan, P. 
A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: <span><a href="http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms">http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr25" name="fn25">25</a>]. BioAxis DNA Research Centre (P) Limited. Website Available at: <span><a href="http://www.dnares.in/dna-databank-database-of-india.php">http://www.dnares.in/dna-databank-database-of-india.php</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr26" name="fn26">26</a>]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at:<span><a href="http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank">http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr27" name="fn27">27</a>]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.<br />[<a href="#fr28" name="fn28">28</a>]. Draft DNA Human Profiling Bill 2012. Introduction<br />[<a href="#fr29" name="fn29">29</a>]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr30" name="fn30">30</a>]. DNA. Aarushi case: Expert forgets samples collected from murder spot. 
August 28th 2012. Available at: <span><a href="http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957">http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr31" name="fn31">31</a>]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: <span><a href="http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html">http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr32" name="fn32">32</a>]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: <span><a href="http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests">http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr33" name="fn33">33</a>]. Draft Human DNA Profiling Bill 2012. Section 18-27.<br />[<a href="#fr34" name="fn34">34</a>]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: <span><a href="http://dbtindia.nic.in/uniquepage.asp?id_pk=124">http://dbtindia.nic.in/uniquepage.asp?id_pk=124</a></span>. Last accessed: October 10 2012.<br />[<a href="#fr35" name="fn35">35</a>]. CDFD Annual Report 2010 – 2011.Pg.19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr36" name="fn36">36</a>]. CDFD Annual Report 2006-2007.Pg. 13. 
Available at: <span><a href="http://www.cdfd.org.in/images/AR_2006_07.pdf">http://www.cdfd.org.in/images/AR_2006_07.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr37" name="fn37">37</a>]. Draft Human DNA Profiling Bill 2012. Section 35<br />[<a href="#fr38" name="fn38">38</a>]. Id. Section 41.<br />[<a href="#fr39" name="fn39">39</a>].Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9 Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india'>https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india</a>
</p>
No publisher, elonnai, Internet Governance, Privacy, 2012-10-29T08:00:01Z, Blog Entry
Open Letter to Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee
https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee
<b>An open letter was sent to the Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee on the proposed EU Regulation. The letter was a part of an initiative that Privacy International and a number of other NGOs are undertaking.</b>
<p><b>Dear Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee</b>,</p>
<p style="text-align: justify; ">On behalf of The Centre for Internet and Society, Bangalore, India, we are writing to express our support of the European Commission’s proposed General Data Protection Regulation (COM (2012) 11).</p>
<p style="text-align: justify; ">The legal framework established under the 1995 Data Protection Directive (95/46/EC) in Europe has positively influenced many existing privacy regimes worldwide, serving as a model legal framework in jurisdictions that are in the process of developing privacy regimes, including India. The positive impact of the Data Protection Directive shows the potential of the Regulation to become a global model for the protection of personal data. The Regulation seeks to address new scenarios that have arisen in the context of rapidly changing technologies and practices, increasing its potential for positively influencing privacy rights for individuals globally.</p>
<p style="text-align: justify; ">India is currently in the process of considering the enactment of privacy legislation, in part with the aim of ensuring adequate safeguards to enable and enhance information flows into India from countries around the world, including Europe. At the same time, India is seeking Data Secure Status from the EU, on the basis of its current regime.</p>
<p style="text-align: justify; ">It is clear that the EU framework for data protection has a major influence on the current and emerging privacy regime in India. India is only one country of many that are in the beginning stages of developing a comprehensive privacy regime. Thus, we ask that you keep in mind how the Regulation will impact the rights of individuals in countries outside of Europe, particularly in countries that are in the process of developing privacy regimes.</p>
<p style="text-align: justify; ">We ask that you take into consideration the four following points that we believe need to be addressed in the Regulation to help ensure adequate protection of the rights of individuals in the European Union and around the world.</p>
<ol>
<li style="text-align: justify; "><b>Strengthen the principle of purpose limitation: </b>The Regulation should incorporate a strong purpose limitation principle that strictly limits present and future uses of personal data to the purposes for which it was originally collected. Currently, Article 6(4) allows for the further processing of data when the processing is <i>“not compatible with the one for which the personal data have been collected”. </i>Though the provision establishes legal requirements, one of which must be met before information can be used for a further purpose, this has proven insufficient in the existing Directive. The current provision in the Regulation dilutes the principle of purpose limitation and weakens an individual’s ability to make informed decisions about their personal data.</li>
<li style="text-align: justify; "><b>Define principles for interpretation of broad terms: </b>The Regulation should create principles for interpreting broad terms such as “legitimate interest” and “public interest”. These vague terms are used throughout the Regulation, and create the potential for loopholes or abuse. Because these terms can be interpreted in many different ways, it is important to create a set of principles to guide their interpretation by data protection authorities and courts to avoid inconsistent application and enforcement of the Regulation.</li>
<li style="text-align: justify; "><b>Clarify the scope of the Regulation:</b> The Regulation should clearly describe the jurisdictional scope and reach of its provisions. Currently Article 3(1) states that the Regulation will apply to the processing of data “in the context of the activities of an establishment of a controller or a processor in the Union”. The flow of information in the online environment, coupled with trends such as cloud computing, outsourcing, and cross border business, creates a scenario where defining what constitutes “context of the activities of an establishment” is difficult and could lead to situations where personal data is not protected, as the collection, use, or storage of it does not necessarily fall within the “context of the activities”.</li>
<li style="text-align: justify; "><b>Address access by foreign alliance bodies</b>: In light of growing demands by law enforcement for access, use, and transfer of personal information for investigative purposes across jurisdictions, the Regulation should define the circumstances in which personal data protected by its provisions can be accessed and used by foreign intelligence bodies, and the procedure by which to do so. The Regulation should address challenges such as access by foreign intelligence bodies to data stored on the cloud and data that has passed through/is stored on foreign networks/servers.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee'>https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee</a>
</p>
No publisher, elonnai, Internet Governance, Privacy, 2013-10-23T05:00:02Z, Blog Entry
An Interview with Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party
https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm
<b>The Centre for Internet and Society interviewed Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party.</b>
<h3 style="text-align: justify; ">What activities and functions does your office undertake?</h3>
<p style="text-align: justify; ">The activities and functions of the Dutch data protection authority can roughly be divided in 4 different categories: supervisory activities, giving advice on draft legislation, raising awareness and international tasks. <br /><br />The Dutch DPA supervises the legislation applicable in the Netherlands with regard to the use of personal data. The most important law is the Dutch Data Protection Act, but the Dutch DPA also supervises for example the Acts governing data processing by police and justice as well as parts of the Telecoms Act. <br /><br />The supervisory activities mainly consist of investigating, ex officio, violations of the law, with the focus on violations that are serious, structural and impact a large amount of people. Where necessary, the Dutch DPA can use its sanctioning powers, including imposing a conditional fine, to enforce the law. The Dutch DPA can also decide to examine sector-wide codes of conduct that are submitted to it and provide its views in the form of a formal opinion. <br /><br />In addition to investigations, the Dutch DPA advises the government, and sometimes the parliament, on draft legislation related to the processing of personal data. Following the Data Protection Act, the government is obliged to submit both primary and secondary legislation related to data processing to the DPA for advice. <br /><br />As regards awareness-raising, next to publishing the results of the investigations, its views on codes of conduct and its advice on legislation, the Dutch DPA also issues guidelines, on its own initiative, explaining legal norms. Via its websites, the Dutch DPA provides more information to both data subjects and controllers on how data can and cannot be processed. Specifically for data subjects, self-empowerment tools – including standard letters to exercise their rights – are made available. 
Furthermore, they can contact the Dutch DPA daily via a telephone hotline.<br /><br />Last but not least, the Dutch DPA participates in several International and European fora, including the Article 29 Working Party of which I am the Chair, the European and the International Conference of data protection and privacy commissioners, of whose Executive Committee I am also the Chair.</p>
<h3 style="text-align: justify; ">What powers does your office have? In your opinion are these sufficient? Which powers have been most useful? If there is a lack, what do you feel is needed?</h3>
<p style="text-align: justify; ">The Dutch DPA has a broad range of investigative powers, including the power to order the controller to hand over all relevant information and to enter the premises of the controller unannounced. All organisations subjected to the supervision of the Dutch DPA are obligated to cooperate. <br /><br />The Dutch DPA also has a considerable range of sanctioning powers; it can for example order the suspension or termination of certain processing operations and can also impose a conditional fine. Currently a bill is before Parliament to provide the Dutch DPA with fining powers as well.</p>
<p style="text-align: justify; ">Especially when the bill providing the Dutch DPA with fining powers will be passed, I feel the powers are sufficient, giving us all the necessary enforcement tools to ensure compliance with the law.</p>
<h3 style="text-align: justify; ">How is your office funded?</h3>
<p>The Dutch DPA is funded through the government who, together with the parliament, each year determines the budget for the next year. The budget is drafted on the basis of a proposal from the Dutch DPA.</p>
<h3 style="text-align: justify; ">What is the organizational structure of your office and the responsibilities of the key executives?</h3>
<p style="text-align: justify; ">The Dutch DPA consists of a college of commissioners and the supporting Secretariat, itself consisting of 6 departments and headed by the Director. The Dutch DPA has 2 supervision departments, one for the private and one for the public sector, a legal department, a communications department, an international department and a department providing the operational support.</p>
<h3 style="text-align: justify; ">If India creates a framework of co-regulation, how would you suggest the overseeing body be structured?</h3>
<p style="text-align: justify; ">Considering the many differences between India and the Netherlands - and Europe - this is a very hard question to answer. But whatever construction is chosen in India, it is of utmost importance to guarantee the independence of the supervisory authorit(y)(ies), who shall be provided with sufficient and scalable powers to be able to sanction violations.</p>
<h3 style="text-align: justify; ">What legal challenges has your office faced?</h3>
<p style="text-align: justify; ">The biggest legal challenge we face at the moment is the new European legal framework currently being discussed. It is as yet uncertain whether and when this will enter into force, but it is clear that it will bring new challenges for our office.</p>
<h3 style="text-align: justify; ">What are the main differences between your offices?</h3>
<p style="text-align: justify; ">Generally, I think that the differences between my office and the UK and Canadian offices mostly stem from our different legal and cultural backgrounds, especially the difference between the common law and codified law systems. <br /><br />In addition, the norms and powers differ per supervisory authority. The Dutch DPA for example can enter a building without prior notice, while the ICO, if I understand correctly, can only enter with the consent of the supervised organisation. <br /><br />I however prefer to look at the similarities and possibilities to overcome our differences, because I think that we all feel that providing a high level of data protection and ensuring user control are all of our main priorities.<br /><br />Naturally, I am very curious to hear from Christopher and Chantal as well.</p>
<h3 style="text-align: justify; ">What are the most recent privacy developments for each of your respective offices?</h3>
<p style="text-align: justify; ">The technological developments of the past decades and the increasing use of smartphones and tablets, have also made privacy developments necessary and have obliged us, as data protection authorities, to consider the rules and norms in this new environment.</p>
<h3 style="text-align: justify; ">What would you broadly recommend for a privacy legislation for India?</h3>
<p style="text-align: justify; ">In my view the privacy legislation in India should in any case contain the basic principles of the protection of personal data, applicable to both the public and the private sector. Naturally with some exceptions for law enforcement purposes. <br /><br />Furthermore, the Indian law should protect the imported data of citizens from other parts of the world as well, including the EU. <br /><br />And as mentioned in my answer to question 5, it is of utmost importance that the Indian legislation guarantees the establishment of (a) completely independent supervisory authorit(y)(ies), provided with sufficient sanctioning powers, to supervise compliance with the legislation also of the government, including police and justice.<br /></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm'>https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm</a>
</p>
No publisher, elonnai, Internet Governance, Privacy, 2013-10-25T04:50:56Z, Blog Entry
What India can Learn from the Snowden Revelations
https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations
<b>Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.</b>
<p>The title of the article was changed in the <a class="external-link" href="http://in.news.yahoo.com/why-india-needs-a-snowden-of-its-own-054956734.html">version published by Yahoo</a> on October 23, 2013.</p>
<hr />
<p>Since the ‘<a href="http://www.theguardian.com/world/edward-snowden" target="_blank">Snowden revelations</a>’, which uncovered the United States government’s massive global surveillance through the <a href="http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29" target="_blank">PRISM</a> program, there have been reactions aplenty to their impact.</p>
<p style="text-align: justify; ">The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.</p>
<p style="text-align: justify; ">The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.</p>
<p style="text-align: justify; ">Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.</p>
<p style="text-align: justify; ">This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.</p>
<h3 style="text-align: justify; ">India’s reaction</h3>
<p style="text-align: justify; ">After the first news of the Snowden revelations, the Indian Supreme Court <a href="http://www.medianama.com/2013/06/223-supreme-court-to-hear-pil-against-nsa-surveillance-of-indian-data-report/" target="_blank">agreed</a> to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.<br /><br />The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.<br /><br />In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take. <br /><br />For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. 
The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.<br /><br />To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same. <br /><br />In India, P. Rajeev, Member of Parliament from Kerala, has started a <a href="http://www.change.org/petitions/google-facebook-microsoft-yahoo-reveal-information-on-data-of-indian-citizens-given-to-us-security-agencies-2" target="_blank">petition</a> asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.<br /><br />The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been <a href="http://articles.economictimes.indiatimes.com/2013-08-14/news/41409701_1_traffic-originating-and-terminating-servers-mocit" target="_blank">voiced by many</a>, including government officials. 
Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require that foreign governments access Indian information through a formal <a href="http://mha.nic.in/Policy_Planing_Division" target="_blank">Mutual Legal Assistance Treaty</a> process, it does not necessarily enhance the privacy of Indian data. <br /><br />As a note, India has MLAT treaties with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.</p>
<h3 style="text-align: justify; ">Snooping</h3>
<p style="text-align: justify; ">The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India. <br /><br />For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually <a href="http://timesofindia.indiatimes.com/tech/tech-news/telecom/BlackBerry-sets-up-server-in-Mumbai-to-aid-interception/articleshow/11969224.cms" target="_blank">set up servers in Mumbai</a> and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands from <a href="http://news.cnet.com/8301-1009_3-20015418-83.html" target="_blank">Skype and Google</a>. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.<br /><br />Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on the order of the executive. <br /><br />The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on the order of the Secretary to the government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.</p>
<p style="text-align: justify; ">The gaps in the Indian surveillance regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, India is in the process of realizing a privacy legislation. <br /><br />In 2012, a committee chaired by Justice AP Shah (of which the Center for Internet and Society was a member) wrote <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf" target="_blank">The Report of the Group of Experts on Privacy</a>, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.<br /><br />The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.<br /><br />For example, telecoms in India are now required to include <a href="http://www.firstpost.com/tech/exclusive-location-tracking-of-every-indian-mobile-user-by-2014-876109.html/2" target="_blank">user location data</a> as part of the ‘call detail record’ and be able to <a href="http://www.medianama.com/2012/08/223-indian-government-revises-location-accuracy-guidelines-says-telcos-should-bear-the-cost/" target="_blank">provide</a> the same to law enforcement agencies on request under <a href="http://www.cca.ap.nic.in/i_agreement.pdf" target="_blank">provisions</a> in the Unified Access Service and Internet Service Provider Licenses. 
<br /><br />At the same time, the Government of India is in the process of putting in place a <a href="http://en.wikipedia.org/wiki/Central_Monitoring_System" target="_blank">Central Monitoring System</a> that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.</p>
<p style="text-align: justify; ">Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and Information Technology Act, the system can only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider was included as an integral component of the interception process.<br /><br />If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market and any pressure that consumers could exert from insight provided by companies on the surveillance requests that they are facing.<br /><br />Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.</p>
<h3 style="text-align: justify; ">Policy vacuum</h3>
<p style="text-align: justify; ">For any government, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe. <br /><br />When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.<br /><br />In 2013, the <a href="https://en.necessaryandproportionate.org/text" target="_blank">International Principles on the Application of Human Rights to Communications Surveillance</a> were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications. <br /><br />When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.</p>
<hr />
<p style="text-align: justify; "><i>Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations'>https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations</a>
</p>
No publisher, elonnai, Internet Governance, Privacy, 2013-10-25T07:29:57Z, Blog Entry
CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.
https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d
<b>The United Nations adopted the resolution on the right to privacy recently. It recognised privacy as a human right, integral to the right to free expression, and also declared that mass surveillance could have negative impacts on human rights. </b>
<p style="text-align: justify; ">On <a class="external-link" href="https://www.un.org/News/Press/docs/2013/gashc4094.doc.htm">November 26, 2013</a>, the United Nations adopted a non-binding resolution on <a href="http://www.un.org/ga/search/view_doc.asp?symbol=A/C.3/68/L.45/Rev.1">The Right to Privacy in the Digital Age</a>. The resolution was drafted <a href="http://news.idg.no/cw/art.cfm?id=F0537DC8-A06C-E9D5-2EBACEA94829DAC1">by Brazil and Germany</a> and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to <a href="http://www.theguardian.com/world/2013/nov/26/un-surveillance-resolution-human-right-privacy">privacy extending equally to citizens and non-citizens of a country. </a> The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.</p>
<p style="text-align: justify; ">The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the <a href="http://www.indexoncensorship.org/2013/11/india-online-report-freedom-expression-digital-freedom-3/">Central Monitoring System</a>, should take cognizance of, including in short:</p>
<ol>
<li style="text-align: justify; "><b>Privacy is a human right</b>: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence. </li>
<li style="text-align: justify; "><b>Privacy is integral to the right to free expression</b>: Privacy is an integral component in recognizing the right to freedom of expression. </li>
<li style="text-align: justify; "><b>Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression</b>: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression. </li>
<li style="text-align: justify; "><b>Exceptions to privacy and freedom of expression should be in compliance with human rights law:</b> Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law. </li>
<li style="text-align: justify; "><b>Mass surveillance may have negative implications for human rights: </b>Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights. </li>
<li style="text-align: justify; "><b>Equal protection for online and offline privacy:</b> The right to privacy must be equally protected online and offline.</li>
</ol>
<p>The resolution further called upon states to:</p>
<ol>
<li style="text-align: justify; ">Respect and protect the right to privacy, particularly in the context of digital communications.</li>
<li style="text-align: justify; ">Ensure that relevant legislation is in compliance with international human rights law.</li>
<li style="text-align: justify; ">Review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.</li>
<li style="text-align: justify; ">Establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.</li>
</ol>
<p style="text-align: justify; ">The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.</p>
<p style="text-align: justify; ">The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extraterritorial surveillance. The Centre for Internet and Society encourages the Government of India, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.</p>
<p style="text-align: justify; ">Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGOs developed the <a href="https://en.necessaryandproportionate.org/TEXT">Necessary and Proportionate principles</a> that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles. The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access. A <a href="https://en.necessaryandproportionate.org/take-action/digiges">petition</a> to sign onto the principles and demand an end to mass surveillance is currently underway.</p>
<p style="text-align: justify; ">Both the Government of India and public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d'>https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d</a>
</p>
No publisher, elonnai, Surveillance, Internet Governance, Privacy, 2013-11-30T07:25:18Z, Blog Entry
Internet Privacy in India
https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india
<b>Internet privacy encompasses a wide range of issues and topics. It can be understood as privacy rights that an individual has online with respect to their data, and violations of the same that take place online. Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing. </b>
<h3 style="text-align: justify; ">The Changing Nature of Information</h3>
<p style="text-align: justify; ">The way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing, and is re-defining personal data and what type of protections personal data deserves and can be given. For example, seemingly harmless data such as IP addresses, key words used in searches, and websites visited can now be combined and analysed to identify individuals and learn personal information about an individual. From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data – information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases, the individual is unaware of the information trail that they are leaving online, does not know who is accessing the information, and does not have control over how their information is being handled, and for what purposes it is being used. For example, law enforcement routinely troll social media sites for information that might be useful in an investigation.</p>
<h3 style="text-align: justify; ">The Blurry Line between the Public and Private Sphere</h3>
<p style="text-align: justify; ">The above example also highlights how the “sphere” of information on the internet is unclear: is information posted on social media public information, free for use by any individual or entity including law enforcement, employees, data mining companies etc., or is it private, and thus requiring authorization for further use? For example, in India, in 2013 the Mumbai police established a “social media lab” for the purposes of monitoring and tracking user behavior and activities.<a href="#fn1" name="fr1">[1] </a></p>
<p style="text-align: justify; ">Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of the same, as the project claims to analyze only publicly available information. Similar dilemmas have been dealt with by other countries. For example, in the U.S, individuals have contested the use of their tweets without permission,<a href="#fn2" name="fr2">[2]</a> while courts in the US have ruled that tweets, private and public, can be obtained by law enforcement with only a subpoena, as technically the information has been shared with another entity, and is therefore no longer private.<a href="#fn3" name="fr3">[3] </a>Indian Courts have yet to deal directly with the question of social media content being public or private information.</p>
<h3 style="text-align: justify; ">The Complication of Jurisdiction</h3>
<p style="text-align: justify; ">The borderless nature of information flows over the Internet complicates online privacy, as an individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in. Thus, for example, an Indian using Gmail will be subject to the laws of the United States. On one hand this could be seen as a positive, if one country has stronger privacy protections than another, but it could also be damaging to privacy in the reverse situation – where one country has lower privacy standards and safeguards. In addition to the dilemma of different levels of protection being provided over data as it flows through different jurisdictions, access by law enforcement to data stored in a different jurisdiction, or data from one country accessible to law enforcement because it is being processed in their jurisdiction, are two other complications that arise. These complications cannot be emphasized more than with the case of the NSA Leaks. Because Indian data was residing in US servers, the US government could access and use the data with no obligation to the individual.<a href="#fn4" name="fr4">[4] </a>In response to the NSA leaks, the government of India has stated that all facts need to be known before any action is taken, while citizens initially sought to hold the companies who disclosed the data to US security agencies, such as Google, Facebook etc., accountable.<a href="#fn5" name="fr5">[5] </a></p>
<p style="text-align: justify; ">Despite this, because the companies were acting within the legal limits of the United States where they were incorporated, they could not be held liable. In response to the dilemma, many actors in India, including government and industry are asking for the establishment of 'domestic servers'. For example, Dr. Kamlesh Bajaj, CEO of Data Security Council of India was quoted in Forbes magazine promoting the establishment of India centric social media platforms.<a href="#fn6" name="fr6">[6] </a>Similarly, after the PRISM scandal became public, the National Security Advisor requested the Telecom Department to only route traffic data through Indian servers.<a href="#fn7" name="fr7">[7] </a></p>
<p style="text-align: justify; ">In these contexts, the internet is a driving force behind a growing privacy debate and awareness in India.</p>
<h3 style="text-align: justify; ">Current Policy for Internet Privacy in India</h3>
<p style="text-align: justify; ">Currently, India's most comprehensive legal provisions that speak to privacy on the internet can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of provisions that can, in some cases, safeguard online privacy, or in other cases, dilute online privacy. Provisions that clearly protect user privacy include: penalizing child pornography,<a href="#fn8" name="fr8">[8]</a> penalizing hacking and fraud,<a href="#fn9" name="fr9">[9]</a> and defining data protection standards for body corporate.<a href="#fn10" name="fr10">[10] </a></p>
<p style="text-align: justify; ">Provisions that serve to dilute user privacy speak to access by law enforcement to users' personal information stored by body corporate,<a href="#fn11" name="fr11">[11]</a> collection and monitoring of internet traffic data,<a href="#fn12" name="fr12">[12]</a> and real time monitoring, interception, and decryption of online communications.<a href="#fn13" name="fr13">[13]</a> Additionally, legislative gaps in the ITA serve to weaken the privacy of online users. For example, the ITA does not address questions and circumstances like the evidentiary status of social media content in India, merging and sharing of data across databases, whether individuals can transmit images of their own “private areas” across the internet, whether users have the right to be notified of the presence of cookies and do-not-track options, the use of electronic personal identifiers across databases, and whether individuals have the right to request service providers to take down and delete their personal content.</p>
<h3 style="text-align: justify; ">Online Data Protection</h3>
<p style="text-align: justify; ">Since 2010, there has been an increasing recognition by both the government and the public that India needs privacy legislation, specifically one that addresses the collection, processing, and use of personal data. The push for adequate data protection standards in India has come both from industry and industrial bodies like DSCI – who regard strong data protection standards as an integral part of business, and from the public, which has voiced increasing concerns that governmental projects, such as the UID, involved with collecting, processing, and using personal data are presently not adequately regulated and are collecting and processing data in such a way that abuses individual privacy. As mentioned above, India's most comprehensive data protection standards are found in the ITA and are known as the Information Technology “Reasonable security practices and procedures and sensitive personal data or information” Rules 2011.<a href="#fn14" name="fr14">[14] </a></p>
<p style="text-align: justify; ">The Rules seek to provide rights to the individual with regard to their information and obligate body corporate to take steps towards protecting the privacy of consumers' information. Among other things, the Rules define “sensitive personal information” and require that any corporate body must publish an online privacy policy, provide individuals with the right to access and correct their information, obtain consent before disclosing sensitive personal information, except in the case of law enforcement, provide individuals the ability to withdraw consent, establish a grievance officer, require companies to ensure equivalent levels of protection when transferring information, and put in place reasonable security practices. Though the Rules are the strongest form of data protection in India, they have not been recognized by the European Union as meeting the EU standards of “data secure”<a href="#fn15" name="fr15">[15] </a>and many gaps still exist. For example, the Rules apply only to:</p>
<ul style="text-align: justify; ">
<li>Body corporate and not to the government</li>
<li>Electronically generated and transmitted information </li>
<li>A limited scope of sensitive personal information.</li>
<li>A body corporate when a contractual agreement is not already in place.</li>
</ul>
<p style="text-align: justify; ">These gaps leave a number of bodies unregulated and types of information unprotected, and limit the scope of the Rules. It is also unclear to what extent companies are adhering to these Rules, and whether they are applying the Rules only to the use of their website or also to their core business practices.</p>
<h3 style="text-align: justify; ">Cyber Cafés</h3>
<p style="text-align: justify; ">In 2011 the Guidelines for Cyber Café Rules were notified under the Information Technology Act. These Rules, among other things, require Cyber Cafés to retain the following details for every user for a period of one year: details of identification, name, address, contact number, gender, date, computer terminal identification, log in time, and log out time. These details must be submitted to the same agency as directed, on a monthly basis.<a href="#fn16" name="fr16">[16]</a> Cyber Cafés must also retain the history of websites accessed and logs of proxy servers installed at the cyber café for a period of one year.<a href="#fn17" name="fr17">[17] </a>Furthermore, Cyber Cafés must ensure that the partitions between cubicles do not exceed four and a half feet in height from floor level.<a href="#fn18" name="fr18">[18]</a> Lastly, the cyber café owner is required to provide every related document, register, and information to any officer authorized by the registration agency on demand.<a href="#fn19" name="fr19">[19] </a>In effect, the identification and retention requirements of these rules impact both privacy and freedom of expression, as cyber café users cannot use the facility anonymously and all their information, including browser history, is stored on an a-priori basis. The disclosure provisions in these rules also impact privacy and demonstrate a dilution of access standards for law enforcement to users' internet communications, as the provision does not define:</p>
<ul style="text-align: justify; ">
<li>An authorization process that the registration agency follows to authorize individuals to conduct inspections.</li>
<li>Circumstances in which inspection of a Cyber Café by an authorized officer is necessary and permissible.</li>
<li>The process by which information can be requested, and instead vaguely requires cyber café owners to disclose information “on demand”.</li>
</ul>
<h3 style="text-align: justify; ">Online Surveillance and Access</h3>
<p style="text-align: justify; ">The ITA also allows for the interference of user privacy online by defining broad standards of access to law enforcement and security agencies, and providing the government with the power to determine what tools individuals can use to protect their privacy. This is most clearly demonstrated by provisions that permit the interception, monitoring, and decryption of digital communications,<a href="#fn20" name="fr20">[20]</a> provide for the collection and monitoring of traffic data,<a href="#fn21" name="fr21">[21]</a> and allow the government to set the national encryption standard.<a href="#fn22" name="fr22">[22] </a>In particular, the structure of these provisions and the lack of safeguards incorporated serve to dilute user privacy. For example, though these provisions create a framework for interception, they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. Furthermore, the provisions place extensive security and technical obligations on the service provider – as they are required to extend all facilities necessary to security agencies for interception and decryption, and hold the service provider liable for imprisonment up to seven years for non-compliance. This creates an environment where it is unlikely that the service provider would challenge any request for access or interception from law enforcement. Interception is also regulated through provisions and rules under the Indian Telegraph Act 1885 and subsequent ISP and UAS licenses.</p>
<h3 style="text-align: justify; ">Scope of Surveillance and Access</h3>
<p style="text-align: justify; ">The extent to which the Government of India lawfully intercepts communications is not entirely clear, but in 2011 news items quoted that in the month of July, 8,736 phones and e-mail accounts were under lawful surveillance.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Though this number is representative of authorized interception, there have been a number of instances of unauthorized interceptions that have taken place as well. For example, in 2013 it was found that in Himachal Pradesh 1371 phones were tapped based on verbal approval, while the Home Ministry had only authorized interception of 170.<a href="#fn24" name="fr24">[24] </a>This demonstrates that there are instances when existing safeguards for interception and surveillance are undermined and highlights the challenge of enforcement for even existing safeguards.</p>
<p style="text-align: justify; ">The standoff between RIM/BlackBerry and the Indian Government demonstrated the tensions between the right to privacy and governmental access to communications, and at the same time highlighted the issue of jurisdiction. For several years, the Indian Government has requested that RIM provide access to the company’s communication traffic, both BIS and BES, as Indian security agencies have been unable to decrypt the data. Solutions that the Indian Government has proposed include: RIM providing the decryption keys to the government, RIM establishing a local server, and local ISPs and telcos developing an indigenous monitoring solution. In 2012, RIM finally established a server in Mumbai and in 2013 provided a lawful interception solution that satisfied the Indian Government.<a href="#fn25" name="fr25">[25]</a></p>
<p style="text-align: justify; ">The implementation of the Central Monitoring System by the Indian Government is another example of the Government seeking greater access to communications. The system will allow security agencies to bypass service providers and directly intercept communications. It is unclear if the system will provide for the interception of only telephonic communications or if it will also allow for the interception of digital communications and internet traffic. It is also unclear what checks and balances exist in the system. By removing the service provider from the equation the government is not only taking away a potential check, as service providers can resist unauthorized requests, but it is also taking away the possibility for companies to be transparent about the interception requests that they comply with.</p>
<h2 style="text-align: justify; ">Future frameworks for privacy in India: The Report of the Group of Experts on Privacy</h2>
<p style="text-align: justify; ">In October 2012 the Report of the Group of Experts on Privacy was published by a committee of experts chaired by Justice A.P. Shah.<a href="#fn26" name="fr26">[26] </a>The report creates a set of recommendations for a privacy framework and legislation in India. Most importantly, the Report recognizes privacy as a fundamental right and defines nine National Privacy Principles that would apply to all data controllers both in the private sector and the public sector. This would work to ensure that businesses and governments are held accountable to protecting privacy and that legislation and practices found across sectors, states/governments, organizations, and governmental bodies are harmonized. The privacy principles are in line with global standards including the EU, OECD, and APEC principles on privacy, and include: notice, choice and consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, security.</p>
<p style="text-align: justify; ">The Report also envisions a system of co-regulation, in which the National Privacy Principles will be binding for every data controller, but Self Regulatory Organizations at the industry level will have the option of developing principles for that specific sector. The principles developed by industry must be approved by the privacy commissioner and be in compliance with the National Privacy Principles. In addition to defining principles, the Report recommends the establishment of a privacy commissioner for overseeing the implementation of the right to privacy in India and specifies that aggrieved individuals can seek redress either through issuing a complaint to the privacy commissioner or going before a court.</p>
<p style="text-align: justify; ">The nine national privacy principles include:</p>
<h3 style="text-align: justify; ">Principle 1: Notice</h3>
<p style="text-align: justify; ">A data controller shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:</p>
<p style="text-align: justify; "><b>During Collection </b></p>
<ul>
<li>What personal information is being collected; </li>
<li>Purposes for which personal information is being collected; </li>
<li>Uses of collected personal information; </li>
<li>Whether or not personal information may be disclosed to third persons; </li>
<li>Security safeguards established by the data controller in relation to the personal information; </li>
<li>Processes available to data subjects to access and correct their own personal information; </li>
<li>Contact details of the privacy officers and SRO ombudsmen for filing complaints. </li>
</ul>
<p style="text-align: justify; "><b>Other Notices</b></p>
<ul>
<li>Data breaches must be notified to affected individuals and the commissioner when applicable. </li>
<li>Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. </li>
<li>Service providers would have to explain how the information would be used and if it may be disclosed to third persons such as advertisers, processing</li>
<li>Individuals must be notified of changes in the data controller’s privacy policy. </li>
<li>Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects. </li>
</ul>
<p style="text-align: justify; "><b>Example of Implementation</b>: A telecom service provider must make available to individuals a privacy policy before any personal information is collected by the company. The notice must include all categories of information as identified in the principle of notice. For example, the service provider must identify the types of personal information that will be collected from the individual from the initial start of the service and during the course of the consumer using the service. For a telecom service provider this could range from name and address to location data. The notice must identify if information will be disclosed to third parties such as advertisers, processors, or other telecom companies. If a data breach that was the responsibility of the company takes place, the company must notify all affected customers. If individuals have their personal data accessed or intercepted by Indian law enforcement or for other legal purposes, they have the right to be notified of the access after the case or other purpose for the data has been met.</p>
<h3 style="text-align: justify; ">Principle 2: Choice and Consent</h3>
<p style="text-align: justify; ">A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.</p>
<p style="text-align: justify; "><b>Example of implementation</b>: If an individual is signing up to a service, a company can only begin collecting, processing, using and disclosing their data after consent has been taken. If the provision of information is mandated by law, as is the case for the census, this information must be anonymized after a certain amount of time if it is published in public databases. If there is a case where consent is not possible, such as in a medical emergency, consent does not need to be taken before processing information.</p>
<h3 style="text-align: justify; ">Principle 3: Collection Limitation</h3>
<p>A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a bank is collecting information to open an account for a potential customer, they must collect only that information which is absolutely necessary for the purpose of opening the account, after they have taken the consent of the individual.</p>
<h3 style="text-align: justify; ">Principle 4: Purpose Limitation</h3>
<p style="text-align: justify; ">Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a bank is collecting information from a customer for opening a bank account, the bank can only use that information for the purpose of opening the account and any other reasons consented to. After a bank has used the information to open an account, it must be destroyed. If the information is retained by the bank, it must be done so with consent, for a specific purpose, with the ability of the individual to access and correct the stored information, and in a secure fashion.</p>
<h3 style="text-align: justify; ">Principle 5: Access and Correction</h3>
<p style="text-align: justify; ">Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion of such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: An individual who has opened a bank account has the right to access the information that was initially provided and subsequently generated. If there is a mistake, the individual has the right to correct the mistake. If the individual requests information related to him that is stored on a family member from the bank, the bank cannot disclose this information without explicit consent from the family member as it would impact the privacy of another.</p>
<h3 style="text-align: justify; ">Principle 6: Disclosure of Information</h3>
<p style="text-align: justify; ">A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a website, like a social media site, collects information about how a consumer uses its website, this information cannot be sold or shared with other websites or partners, unless notice of such sharing has been given to the individual and consent has been taken from the individual. If websites provide information to law enforcement, this must be done in accordance with laws in force, and cannot be done through informal means. The social media site would be prohibited from publishing, sharing, or making public the personal information in any way without obtaining informed consent.</p>
<h3 style="text-align: justify; ">Principle 7: Security</h3>
<p style="text-align: justify; ">A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a company is a telecommunication company, it must have security measures in place to protect customers' communications data from loss, unauthorized access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure, or other foreseeable risk. This could include encrypting communications data, having in place strong access controls, and establishing a clear chain of custody for the handling and processing of communications data.</p>
<h3 style="text-align: justify; ">Principle 8: Openness</h3>
<p style="text-align: justify; ">A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a hospital is collecting and processing personal information of, for example, 1,000 patients, their policies and practices must reflect and be applicable to the amount, sensitivity, and nature of information that they are collecting. The policies about the same must be made available to all individuals – this includes individuals of different intelligence, skill, and developmental levels.</p>
<h3 style="text-align: justify; ">Principle 9: Accountability</h3>
<p style="text-align: justify; ">The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including tools, training, and education; external and internal audits; and requiring organizations or overseeing bodies to extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: To ensure that a hospital is in compliance with the national privacy principles, it must undertake activities like running trainings and providing educational information to employees on how to handle patient related information, conducting audits, and establishing an officer or body for overseeing the implementation of privacy.</p>
<h3 style="text-align: justify; ">Public Discourses on Privacy</h3>
<p style="text-align: justify; ">In India, there have been a number of important discourses related to privacy around various projects and topics. These discourses have been driving public awareness about privacy in India, and represent an important indication of public perception of privacy and privacy concerns.</p>
<h3 style="text-align: justify; ">The Unique Identification Project</h3>
<p style="text-align: justify; ">One of these discourses is a public dialogue and debate on the Unique Identification Project. Since 2009 the Government of India has been rolling out an identity scheme known as UID or Aadhaar. The scheme is applicable to all residents in India, and seeks to provide individuals with an identity based on their fingerprints, iris scans, and photograph. The project has been heavily supported by some, and at the same time, heavily critiqued by others. Of those critiquing the project, which included a Parliamentary Standing Committee on Finance,<a href="#fn27" name="fr27">[27] </a>privacy has been a driving force behind the concerns about the project. Critics argue that not only does the UID Bill not have sufficient privacy safeguards in its provisions,<a href="#fn28" name="fr28">[28] </a>but the design of the project and the technology of the project place individual privacy at risk. For example, the project relies on centralized storage of biometrics collected under the scheme; it does not account for or address how transaction data that is generated each time an individual identifies himself/herself with the UID will be stored, processed, and shared; and does not provide adequate security measures to protect sensitive information like biometrics.</p>
<h3 style="text-align: justify; ">The Human DNA Profiling Bill</h3>
<p style="text-align: justify; ">In 2006 the Department of Biotechnology piloted a draft human DNA Profiling Bill with the objective of creating DNA databases at the national and regional levels, and enabling the creation and storage of DNA profiles for forensic purposes. Since 2006 there have been two more drafts of the bill released to the public, and an expert committee has been created to finalize the text of the bill. Individuals, including the Centre for Internet and Society, publicly raising concern about the bill, cite a lack of privacy safeguards in the provisions, and expansive circumstances and reasons that the bill permits the creation and storage of DNA profiles.<a href="#fn29" name="fr29">[29]</a></p>
<h3 style="text-align: justify; ">Surveillance</h3>
<p style="text-align: justify; ">For many years there has been running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact a privacy legislation. As discussed above, the current surveillance regime is lacking on many fronts, while at the same time the government continues to seek greater interception powers and more access to larger sets of information in more granularity. Projects like the Central Monitoring System, NATGRID, and Lawful Interception Solutions have caused individuals to question the government on the proportionality of State surveillance and ask for a comprehensive privacy legislation that also regulates surveillance.</p>
<p style="text-align: justify; ">The need for strong and enforceable surveillance provisions is not unique to India, and in 2013 the International Principles on the Application of Human Rights to the Surveillance of Communications were drafted. The principles lay out standards that ensure that surveillance is in compliance with international human rights law and serve as safeguards that countries can incorporate into their regimes to ensure the same. The principles include: legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, safeguards against illegitimate access. Along with defining safeguards, the principles highlight the challenge of rapidly changing technology and how it is constantly changing how information can be surveilled by governments, what information can be surveilled by governments, and how information can be combined and analysed to draw conclusions about individuals.</p>
<h3 style="text-align: justify; ">A Privacy Legislation for India</h3>
<p style="text-align: justify; ">Since 2010, there has been a strong public discourse around the need for a privacy legislation in India. In November 2010, a “Privacy Approach” paper was released to the public which envisioned the creation of a data protection legislation. In 2011, the Department of Personnel and Training released a draft privacy bill that defined a privacy regime that encompassed data protection, surveillance, and mass marketing, and recognized privacy as a fundamental right.<a href="#fn31" name="fr31">[31] </a>In 2012 the Report of the Group of Experts on Privacy, as discussed above, was published.<a href="#fn32" name="fr32">[32] </a>Presently, the Department of Personnel and Training is drafting the text of the Government's Privacy Bill. In 2013, the Centre for Internet and Society drafted the Citizen’s Privacy Protection Bill – a citizen’s version of a privacy legislation for India.<a href="#fn33" name="fr33">[33]</a> From April 2013 to October 2013, the Centre for Internet and Society, in collaboration with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, held a series of seven Privacy Roundtables across India. The objective of the Roundtables was to gain public feedback on a privacy framework in India. Topics discussed during the meetings included how to define sensitive personal information vs. personal information, whether co-regulation should be a model adopted as a regulatory framework, and what the legal exceptions to the right to privacy should be.<a href="#fn34" name="fr34">[34]</a></p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">Clearly, privacy is an emerging and increasingly important field in India’s internet society. As companies collect greater amounts of information from and about online users, and as the government continues to seek greater access and surveillance capabilities, it is critical that India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India. The first step towards this is the enactment of a comprehensive privacy legislation recognizing privacy as a fundamental right. The Report of the Group of Experts on Privacy and the government considering a draft privacy bill are all steps in the right direction.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. http://www.zdnet.com/in/india-sets-up-social-media-monitoring-lab-7000012758/</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. http://www.techdirt.com/articles/20130203/18510621869/investigative-journalist-claims-her-public-tweets-arent-publishable-threatens-to-sue-blogger-who-does-exactly-that.shtml</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. http://www.bbc.co.uk/news/technology-24744695</p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. http://www.thehindu.com/news/national/sc-to-hear-pil-on-us-surveillance-of-internet-data/article4829549.ece</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. http://forbesindia.com/article/checkin/indias-internet-privacy-woes/35971/1</p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. http://www.thehindubusinessline.com/industry-and-economy/info-tech/route-domestic-net-traffic-via-india-servers-nsa-tells-operators/article5022791.ece</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. ITA section 67</p>
<p style="text-align: justify; ">[<a href="#fr9" name="fn9">9</a>]. ITA section 43, 66, and 66F</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011. section 6(1)</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Information Technology (Procedure and Safeguards for monitoring and collection of Traffic Data or other information) Rules 2009</p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn1">13</a>]. Information Technology (Procedure and Safeguards for intercepting, monitoring, and decryption) Rules 2009</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Ibid footnote 6</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Business Standard. Data secure status for India is vital: Sharma on the FTA with EU. September 3rd 2013. Available at: http://www.business-standard.com/article/economy-policy/data-secure-status-for-india-is-vital-sharma-on-fta-with-eu-113090300889_1.html</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. Guidelines for Cyber Cafe Rules 5(2) & 5(3). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Guidelines for Cyber Cafe Rules 5(4)</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Guidelines for Cyber Cafe Rules 5(6)</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Guidelines for Cyber Café Rules 7(1)</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Ibid footnote 9</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. Ibid footnote 8</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. ITA section 84A</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. Jain, B. 8,736 phone and e-mail accounts tapped by different government agencies in July. September 17th 2011. Available at: http://articles.economictimes.indiatimes.com/2011-09-17/news/30169231_1_phone-tap-e-mail-accounts-indian-telegraph-act</p>
<p style="text-align: justify; ">[<a href="#fr24" name="fn24">24</a>]. The Economic Times. Action to be taken in ‘phone tapping’ during BJP rule: Virbhadra Singh. March 6th 2013. Available at: http://articles.economictimes.indiatimes.com/2013-03-06/news/37500338_1_illegal-phone-virbhadra-singh-previous-bjp-regime</p>
<p style="text-align: justify; ">[<a href="#fr25" name="fn25">25</a>]. Chaudhary, A. BlackBerry’s Tussle with Indian Govt. Finally Ends; BB Provides Interception System. http://www.medianama.com/2013/07/223-blackberrys-tussle-with-indian-govt-finally-ends-bb-provides-interception-system/</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Report of the Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. http://www.indianexpress.com/news/uid-bill-skips-vital-privacy-issues/688614/</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. http://www.epw.in/authors/elonnai-hickok</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf</p>
<p style="text-align: justify; ">[<a href="#fr31" name="fn31">31</a>]. http://www.iltb.net/2011/06/analysis-of-the-privacy-bill-2011/</p>
<p style="text-align: justify; ">[<a href="#fr32" name="fn32">32</a>]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr33" name="fn33">33</a>]. http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft</p>
<p style="text-align: justify; ">[<a href="#fr34" name="fn34">34</a>]. http://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings</p>
<p>
For more details visit <a href='https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india'>https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india</a>
</p>
No publisher elonnai Internet Access 2014-01-08T13:51:06Z Page
State Surveillance and Human Rights Camp: Summary
https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards on the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications metadata to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments are rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. </li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a>.</p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute. <b> </b></p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.<b> </b></p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes. <b> </b></p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority. <b> </b></p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose. <b> </b></p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.<b> </b></p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information. <b> </b></p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The government's ability to survey communications and the process for surveillance should be transparent to the public.</p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications. <b> </b></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to keep communications secure, governments cannot require service providers to build in surveillance or monitoring capabilities.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply. <b> </b></p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications. <b> </b></p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. The sensitivity of communication data, the ability for personal information to be derived from the data, the ease with which law enforcement is accessing the data, and the unawareness of the individual about the access together place the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">Ways in which governments and law enforcement access information, and the associated challenges, were discussed, both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that traditional forms of accessing data are no longer effective for governments for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example, in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group, was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows ISPs to monitor and filter data flowing through the network by inspecting both the header of a packet of data and the content of the packet.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISPs to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />[<a href="#fr2" name="fn2">2</a>]. Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />[<a href="#fr6" name="fn6">6</a>]. Kassner, M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138</a><br />[<a href="#fr8" name="fn8">8</a>]. Chirgwin, R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary'>https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary</a>
</p>
No publisher elonnai Internet Governance SAFEGUARDS 2013-07-12T16:02:51Z Blog Entry
Understanding the Right to Information
https://cis-india.org/internet-governance/understanding-right-to-information
<b>Elonnai Hickok summarises the Right to Information Act, 2005, how it works, how to file an RTI request, the information that an individual can request under the Act, the possible responses and the challenges to the citizen and the government. She concludes by saying that there are many structural changes that both citizens and governmental officers can make to improve the system.</b>
<h2>Introduction</h2>
<p style="text-align: justify; ">The <a class="external-link" href="http://righttoinformation.gov.in/webactrti.htm">Right to Information Act, 2005</a> (RTI) was created in 2005 and marked an important time in Indian legislative history. The Right to Information enables citizens to hold the government accountable and ensure that it is a transparent body. Questions that a citizen can ask the government range widely, from requests for meeting notes to why a teacher is not present in a public school. In the current RTI system there are many challenges that are inhibiting the government’s efficient delivery of the RTI as a service to the people. This has changed how citizens view the RTI, as the government feels harassed and the citizens feel as though their rights are being unjustly denied. Additionally, individuals have turned the RTI into a redressal mechanism rather than a way to ensure transparency and learn/understand how their government is functioning. The use of the RTI as a redressal mechanism has created a relationship of animosity between the government and citizens. The note below outlines the ecosystem of the RTI and notes specific challenges that both citizens and the government face.[<a href="#1">1</a>]</p>
<h2>The RTI Ecosystem</h2>
<h3>RTI work flow</h3>
<div>
<ul>
<li style="text-align: justify; ">An individual files an RTI with the central/state public information officer (PIO) or a specific PIO. PIOs are often not trained, and rarely apply for the position, but are instead designated.</li>
<li style="text-align: justify; ">Within five days the information is to be forwarded to the correct PIO.</li>
<li style="text-align: justify; ">The PIO must open a file and dispose of the request within 30 days. </li>
<li style="text-align: justify; ">If the PIO fails to reply to the applicant by either approving or denying a request, the PIO is liable to pay a fine of Rs. 250 for each day of delay. </li>
<li style="text-align: justify; ">If information is electronically uploaded, it is stored in any format the officer chooses (jpeg, pdf, html, etc).</li>
<li style="text-align: justify; ">Except for land records and staff records, files are retained for a maximum of one year. </li>
<li style="text-align: justify; ">If the PIO does not dispose of the request, there is scope for an appeal within 30-45 days to the appellate authority.</li>
<li style="text-align: justify; ">There is scope for a second appeal to the information commissioner if the authority does not respond within 90 days or the answer is found to be unsatisfactory. </li>
<li style="text-align: justify; ">The final decision of the information commissioner is binding. </li>
</ul>
</div>
<h3><span class="Apple-style-span">Filing an RTI request</span></h3>
<div style="text-align: justify; ">Though there is no specific format an individual must follow when submitting an RTI, when filing a request, individuals must include:</div>
<div>
<ul>
<li style="text-align: justify; ">His/her name and address.</li>
<li style="text-align: justify; ">The name and address of the public information officer (PIO).</li>
<li style="text-align: justify; ">The particulars of information/documents required (limited to 150 words and one subject matter).</li>
<li style="text-align: justify; ">The time period of the information required.</li>
<li style="text-align: justify; ">Proof of payment.</li>
<li style="text-align: justify; ">Signature.</li>
<li style="text-align: justify; ">Proof if the individual is a BPL holder.[<a href="#2">2</a>] </li>
</ul>
</div>
<h3>Information that an individual can request under the RTI Act</h3>
<div>
<ul>
<li style="text-align: justify; ">Inspection of work, documents, and records</li>
<li style="text-align: justify; ">Taking notes, extracts or certified copies of documents or records.</li>
<li style="text-align: justify; ">Taking certified samples of material.</li>
<li style="text-align: justify; ">Obtaining of information in the form of diskettes, floppies, tapes, and video cassettes, or in any other electronic mode, or through printouts where such information is stored in a computer, or in any other device.</li>
<li style="text-align: justify; ">Obtaining the status of an RTI request or complaint.</li>
</ul>
</div>
<div style="text-align: justify; ">Note: If an individual is requesting third party information, the PIO must inform the third party and provide the individual the opportunity to state a reason for not disclosing the information.</div>
<div>
<h3>Accepted format of requested materials and records</h3>
<ul>
<li style="text-align: justify; ">Material requested can be in any format including: records, documents, memos, emails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, and data material held in any electronic form.</li>
<li style="text-align: justify; ">Records requested can include: any document, manuscript and file, any microfilm, microfiche and facsimile copy of a document, and reproduction of image or images embodied in such microfilm (whether enlarged or not), and any other material produced by a computer or any other device.</li>
</ul>
</div>
<h3><span class="Apple-style-span">Possible Responses to an RTI request</span></h3>
<div>
<div><b>An information officer can respond to an RTI in the following ways</b>:</div>
<div>
<ul>
<li style="text-align: justify; ">Transfer request to appropriate PIO within five days and notify the applicant about the transfer.</li>
<li style="text-align: justify; ">Provide the requested information within 30 days.</li>
<li style="text-align: justify; ">Reject the request for information within 30 days stating the reasons for rejection, the period within which an appeal against such rejection may be preferred, and the details of the appellate authority.</li>
<li style="text-align: justify; ">Not respond to the applicant. If no response is received within 30 days the officer is liable for a penalty of Rs. 250 per day.</li>
</ul>
</div>
<h3><span class="Apple-style-span">Appeal/Complaint Process</span></h3>
<div>
<ul>
<li style="text-align: justify; ">First appeal can be filed after 30 days or if the information given was unsatisfactory. The appeal must include: name and address of the appellant, name and address of the PIO involved, brief facts leading to appeal, relief sought, grounds for appeal, and copies of the application or documents involved, including copies of the reply, if received from the PIO.</li>
<li style="text-align: justify; ">Second appeal must contain: name and address of the applicant, and name and address of the PIO involved, particulars of the Order including the number if any against which the appeal is preferred, brief facts leading to the appeal, if appeal/complaint is preferred against deemed refusal then the particulars of the application, including number and date and name, address of the PIO to whom the application was originally made, relief sought, grounds for the relief, verification by the applicant, any other information which the commission may deem necessary for deciding during the appeal, self attested copies of the application or documents involved, copies of the documents relied upon by the appellant and referred to in the appeal, and an index of the documents referred to in the appeal.</li>
<li style="text-align: justify; ">A complaint must include: name and address of the complainant, name and address of the state PIO against whom the complaint is being made, facts leading to the complaint, particulars of the application [number, date, name and address of the PIO (three copies)], relief sought, grounds and proof for relief, verification of the complainant (three copies), index of documents referred to in the complaint, and any other necessary information.[<a href="#3">3</a>]</li>
</ul>
</div>
<h2>Challenges to the Citizen</h2>
<h3>Knowing the correct Public Information Officer</h3>
<p style="text-align: justify; ">Knowing which public information officer to mail the RTI request to is the first difficulty that an individual faces. As noted above, in 2008 there were a total of 73,256 recorded public information commissioners in the State of Karnataka. New public information commissioners are created every day, because the RTI extends not only to any department of the government, but to any sub-contracted company, organization, school, or NGO that is receiving government funding and doing work on behalf of the government directly or indirectly. Lists of PIOs can be found on department bulletin boards and websites, but there is no clear method for an individual to know what information each PIO is the custodian of. Thus, individuals are left to determine this on their own, and rely on the PIO to forward their application to the correct individual.</p>
</div>
<h3>Filing in the correct format</h3>
<div>
<p style="text-align: justify; ">Though the law states what language an RTI request will be accepted in and what information should be included, individuals are often unaware of the guidelines and of how to correctly fill out an RTI request. An incorrectly formatted request is one of the major reasons for rejection of a request by the PIO.</p>
</div>
<h3>Language</h3>
<div>
<p style="text-align: justify; ">In the State of Karnataka, RTIs can be filed only in two languages: Kannada and English. By law, RTI responses are given only in the language that the department works in on a daily basis, and in English. The information that is supplied through the request is given in its original language. For example, if you ask for a document that is originally in Marathi, the document will be photocopied and sent to you. No translation of documents takes place, because it is not the job function of the officer to translate documents.</p>
</div>
<h3>Appeals</h3>
<div>
<p style="text-align: justify; ">If an individual is denied information, or does not receive a reply within 30 days, they have the option of seeking an appeal through an appellate authority. In 2008 Karnataka had 5416 Appellate Authorities. Currently, because of the backlog in appeal cases and the slow functioning of the system, an individual might have to wait for up to one year for his/her appeal to be heard. Often at this point the information is no longer relevant or needed.</p>
</div>
<h3>Privacy</h3>
<div>
<p style="text-align: justify; ">In some cases individuals are denied a request for information based on the grounds that it would invade the privacy of the public officer. This is sometimes the case and sometimes not the case. Finding the right balance between the right to information and privacy is important, as protecting an individual’s privacy is crucial, but privacy should not be used as a reason for the government to be less transparent to the citizen and be used as a way to deny a citizen the information that they are entitled to.[<a href="#4">4</a>]</p>
</div>
<h2>Challenges in the RTI System for the Government</h2>
<ul>
<li style="text-align: justify; "><b>Too many RTI requests and no system to record duplicates</b>: As the figure above shows, in 2008 the Karnataka Government received 42208 RTI requests. Currently, it is not possible to know how many of these requests were duplicates, since departments handling RTIs do not make it a practice to upload and organize filed RTI requests in a format easily accessible to citizens. Thus, there is no present system in place to track, upload, and store past RTIs in a meaningful way.</li>
<li style="text-align: justify; "><b>Additional overhead in recording, organizing, accessing, and storing data</b>: In the current system every time an RTI request is received by the government, they open a new file for that request. Though in some ways this system of storage simplifies the process of finding past RTIs, it adds an additional overhead cost as photocopies must be made, new files created, and correctly added to the organized system. Each state follows its own method of recording, organizing, accessing, and storing data – thus, currently it is not possible to easily access the information from another state or combine information from two separate states.</li>
<li style="text-align: justify; "><b>Lack of compliance with section 4(d) pro-active disclosure</b>: Under section 4(d), the government is required to pro-actively disclose pre-determined data to the public via websites and other useful modes. Currently there is very little compliance with section 4(d) from governmental departments. Many factors contribute to the low rate of compliance, including lack of resources and lack of proper enforcement. If governmental departments were to comply with section 4(d), then the load of RTI requests and the time each request takes to answer could be lightened considerably, as the government could respond by pointing citizens to the already disclosed information.</li>
</ul>
<h2>Conclusion</h2>
<div style="text-align: justify; ">Though the Right to Information is an important right, the above entry looks at some of the weaknesses and challenges in the system. There are many structural changes that both citizens and governmental officers can make to improve the system, such as pro-actively disclosing information, ensuring that an RTI is filed correctly, and creating a system for organizing previously asked questions. Alongside these structural changes, it is also critical that a positive culture of transparency and accountability is fostered throughout society, thus encouraging citizens to actively engage with the government and exercise their right to information.</div>
<hr />
<p><b>Notes</b></p>
<p>[<a href="#fr1" name="fn1">1</a>]. I am grateful to N. Vikram Simha, RTI activist, for his insight and feedback into the RTI system.</p>
<p>[<a href="#fr2" name="fn2">2</a>]. N. Vikram Simha, Right to Information Act of 2005: Guide for Citizens.</p>
<p>[<a href="#fr3" name="fn3">3</a>]. N. Vikram Simha, Right to Information: Trend Ahead. Karnataka State Chartered Accountants Association, Bangalore.</p>
<p>[<a href="#fr4" name="fn4">4</a>]. N. Vikram Simha, RTI and Protection of Individual Privacy.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/understanding-right-to-information'>https://cis-india.org/internet-governance/understanding-right-to-information</a>
</p>
No publisher | elonnai | Internet Governance | 2013-06-12T11:39:05Z | Blog Entry
AI in India a Policy Agenda
https://cis-india.org/internet-governance/files/ai-in-india-a-policy-agenda
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/ai-in-india-a-policy-agenda'>https://cis-india.org/internet-governance/files/ai-in-india-a-policy-agenda</a>
</p>
No publisher | elonnai | 2018-09-05T15:26:08Z | File
GNI-Industry Dialogue Learning Session: Human Rights Impact Assessments and Due Diligence in the ICT sector
https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector
<b>Elonnai Hickok attended the meeting organized by Global Network Initiative on March 11, 2016 in Washington D.C.</b>
<p style="text-align: justify; ">The GNI welcomed its new observers from the Telecommunications Industry Dialogue by holding a learning session in conjunction with the GNI Board Meeting on March 10. This learning session aimed to increase understanding between the GNI and the ID by examining some of the common challenges that face ICT companies in the area of human rights due diligence and highlighting good practices. A second objective was to help the GNI develop a learning program and materials that will be useful for its members and draw on their expertise. Finally, this learning session informed the review of the GNI Implementation Guidelines that will take place during 2016.</p>
<p style="text-align: justify; ">The session took place according to the Chatham House Rule. Each short presentation was followed by a space for questions and answers.</p>
<ul>
<li>
<div style="text-align: justify; ">Human Rights Impact Assessments in the ICT sector – Michael Samway</div>
</li>
<li>
<div style="text-align: justify; ">The Human Rights Due Diligence Process at Nokia – Laura Okkonen</div>
</li>
<li>
<div style="text-align: justify; ">Yahoo’s approach to Human Rights Impact Assessments – Nicole Karlebach and Katie Shay</div>
</li>
<li>
<div style="text-align: justify; ">Orange’s challenges and approach to doing business in Africa – Yves Nissim</div>
</li>
<li>
<div style="text-align: justify; ">Microsoft’s human rights impacts and the warrant case – Steve Crown and Bernard Shen</div>
</li>
<li>
<div style="text-align: justify; ">TeliaSonera’s approach to withdrawing from Eurasia – Patrik Hiselius</div>
</li>
<li>
<div style="text-align: justify; ">Considerations for company due diligence on the ground – Kathleen Reen and Babette Ngene, Internews</div>
</li>
</ul>
<p>For discussion:</p>
<ul>
<li>What are some of the common challenges facing current GNI member companies and ID member companies?</li>
<li>What do we consider to be good practices that are applicable to all?</li>
<li>What lessons can be applied to the review of the GNI Implementation Guidelines that will take place during 2016?</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector'>https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2016-04-06T15:42:41Z | News Item
Short-term Consultant (IETF)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf
<b>The Centre for Internet & Society is seeking an individual with a strong understanding of IETF standards to work with us on writing 7 Human Rights Considerations for Internet standards and active drafts that are relevant to public interest. Additionally, the individual will help develop a longer term work-plan, expertise and approach for engagement in the IETF.</b>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples or other examples of technical work and CV</p>
<p dir="ltr">Contact: sunil@cis-india.org</p>
<p>
For more details visit <a href='https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf'>https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf</a>
</p>
No publisher | elonnai | Jobs, Internet Governance | 2018-04-21T15:44:49Z | Page
Short-term Consultant (Cyber Security)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security
<b>The Centre for Internet & Society is seeking an individual with strong understanding of cyber security to contribute research to its cyber security research under its Internet Governance programme.</b>
<p style="text-align: justify; ">Research topics include economic incentives for cyber security, cross border sharing of data, India’s cyber security framework, and cybersecurity dimensions of e-governance.</p>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples and CV</p>
<p dir="ltr">Contact: <a href="mailto:elonnai@cis-india.org">elonnai@cis-india.org</a></p>
<p>
For more details visit <a href='https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security'>https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security</a>
</p>
No publisher | elonnai | Internet Governance | 2018-04-20T01:27:36Z | Page
GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression
https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression
<b>Elonnai Hickok analyses a public report recently published by GNI on the independent assessment process for Google, Microsoft, and Yahoo. The report finds Google, Microsoft, and Yahoo to be in compliance with the GNI principles on privacy and freedom of expression.</b>
<h3>Introduction</h3>
<p style="text-align: justify; ">In January 2014, the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">Global Network Initiative (GNI)</a> published <a href="http://globalnetworkinitiative.org/sites/default/files/GNI%20Assessments%20Public%20Report.pdf">the <i>Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo</i></a>. GNI is an industry consortium that was started in 2008 with the objective of protecting users’ right to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join the GNI network as members.</p>
<h3 style="text-align: justify; ">Overview of the Public Report</h3>
<p style="text-align: justify; ">The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 to 2013 to measure company compliance with the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">GNI principles</a> on freedom of expression and privacy. The principles lay out broad guidelines that member companies should seek to incorporate in their internal and external practices and speak to freedom of expression, privacy, responsible company decision making, multi-stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with <a href="https://globalnetworkinitiative.org/sites/default/files/GNI_-_Implementation_Guidelines_1_.pdf">Implementation Guidelines</a> to provide companies with a framework for responding to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.</p>
<p style="text-align: justify; ">Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices adopted by the companies that work to protect freedom of expression and privacy, such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user whose posted content is removed, Google will often notify the user and direct the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft has also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regards to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments on an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.</p>
<p style="text-align: justify; ">The Report highlights challenges to compliance with the GNI principles that companies face, namely the legal restraints and mandates that they are subject to. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users’ privacy would be implicated, when companies choose to assert attorney client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy, for reasons such as that the request needed clarification and modification, or that the request needed to follow established procedure.</p>
<p style="text-align: justify; ">A number of findings came out of the assessments undertaken for the Report including:</p>
<ol>
<li style="text-align: justify; ">As demonstrated by the lack of ability to access information about secret national security requests, and the lack of ability for companies to disclose information on this topic, there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.</li>
<li style="text-align: justify; ">The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights. </li>
<li style="text-align: justify; ">Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine if it is in compliance with the commitment made by that company to the GNI Principles. </li>
</ol>
<p style="text-align: justify; ">The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:</p>
<ul>
<li>Improve the integration of human rights considerations in the due diligence process with respect to the acquiring and selling companies.</li>
<li>Consider the impact of hardware on freedom of expression and privacy.</li>
<li>Improve external and internal reporting.</li>
<li>Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations. </li>
<li>Review executive management training.</li>
<li>Improve stakeholder engagement.</li>
<li>Improve communication with users. </li>
<li>Increase sharing of best practices. </li>
<li>The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights. </li>
</ul>
<h3>NSA leaks, global push for governmental surveillance reform, and the Public Report</h3>
<p style="text-align: justify; ">With special attention given to the various companies’ responses to the NSA leaks, the Report notes that in response to the leaks the assessed companies have issued public statements, filed legal challenges with the US government, and filed suit with the FISA Court seeking the right to disclose to the public data relating to the number of FISA requests received. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore, in December 2014, the companies, along with other internet companies, developed and issued the five <a href="http://reformgovernmentsurveillance.com/">Principles on Global Government Surveillance Reform</a>. Similar to other efforts to end mass and disproportionate surveillance, such as the <a href="https://en.necessaryandproportionate.org/text">Necessary and Proportionate</a> principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, and Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.</p>
<p style="text-align: justify; ">Along these lines, on January 14<sup>th</sup>, GNI released the statement <a href="http://globalnetworkinitiative.org/news/surveillance-reforms-protect-rights-and-restore-trust">“Surveillance Reforms to Protect Rights and Restore Trust”</a>, urging the U.S. Government to review and enact surveillance legislation that incorporates a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically recommends that the Government take action to: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, and support the use of strong encryption standards.</p>
<h3 style="text-align: justify; ">Conclusion and way forward</h3>
<p style="text-align: justify; ">Looking ahead, GNI is planning on developing and implementing a mechanism to effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.</p>
<p style="text-align: justify; ">The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place, with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users’ freedom of expression and privacy. Hopefully, the GNI assessment is and will evolve into a middle ground for ICT companies, where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and begin to adopt the GNI principles and undergo GNI assessments.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression'>https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression</a>
</p>
No publisher | elonnai | Freedom of Speech and Expression, Internet Governance | 2014-01-20T06:17:46Z | Blog Entry
The Omnishambles of UID, shrouded in its RTI opacity
https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity
<b>The Centre for Internet & Society sponsored Colonel Mathew Thomas to hold a workshop at the fourth National Right to Information (RTI) organized by the National Campaign for People's Right to Information, held in Hyderabad from February 15 to 18, 2013. </b>
<p>Click below to see Colonel Mathew Thomas's presentation</p>
<h3><b><a class="external-link" href="http://www.slideshare.net/praskrishna/omnishambles-of-uid-shoruded-in-its-opacity-17-feb-2013-1">Omnishambles of UID Shrouded in its Opacity</a></b></h3>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity'>https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2013-02-19T11:04:30Z | Blog Entry