Centre for Internet and Society

Workshop on 'Privacy after Big Data' (Delhi, November 12)

sumandro — 2016-11-12T10:14:52Z

The Centre for Internet and Society (CIS) and the Sarai programme, CSDS, invite you to a workshop on 'Privacy after Big Data: What Changes? What should Change?' on Saturday, November 12. This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy. It is an open event. Please register to participate.

Invitation note and agenda: Download (PDF)

Venue and RSVP

Venue: Centre for the Study of Developing Societies 29, Rajpur Road, Civil Lines, Delhi 110054.

Location on Google Maps: https://www.google.com/maps/place/CSDS/@28.677775,77.2162523,17z/.

Registration: Complete this form.

Concept Note

In this age of big data, discussions about privacy are intertwined with the use of technology and the data deluge. Though big data possesses enormous value for driving innovation and contributing to productivity and efficiency, privacy concerns have gained significance in the dialogue around regulated use of data and the means by which individual privacy might be compromised through means such as surveillance, or protected. The tremendous opportunities big data creates in varied sectors ranges from financial technology, governance, education, health, welfare schemes, smart cities to name a few.

With the UID (“Aadhaar”) project re-animating the Right to Privacy debate in India, and the financial technology ecosystem growing rapidly, striking a balance between benefits of big data and privacy concerns is a critical policy question that demands public dialogue and research to inform an evidence based decision.

Also, with the advent of potential big data initiatives like the ambitious Smart Cities Mission under the Digital India Scheme, which would rely on harvesting large data sets and the use of analytics in city subsystems to make public utilities and services efficient, the tasks of ensuring data security on one hand and protecting individual privacy on the other become harder.

As key privacy principles are at loggerheads with big data activities, it is important to consider privacy as an embedded component in the processes, systems and projects, rather than being considered as an afterthought. These examples highlight the current state of discourse around data protection and privacy in India and the shapes they are likely to take in near future.

This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy.

Agenda

09:00-09:30 Tea and Coffee

09:30-10:00 Introduction

Mr. Amber Sinha and Mr. Sandeep Mertia
This session will introduce the topic of the workshop in the context of the ongoing works at CIS and Sarai.

10:00-11:00 From Privacy Bill(s) to ‘Habeas Data’

Dr. Usha Ramanathan and Mr. Vipul Kharbanda
This session will present a brief history of the privacy bill(s) in India and end with reflections on ‘habeas data’ as a lens for thinking and actualising privacy after big data.

11:00-11:30 Tea and Coffee

11:30-12:30 Digital ID, Data Protection, and Exclusion

Ms. Amelia Andersdotter and Mr. Srikanth Lakshmanan
This session will discuss national centralised digital ID systems, often operating at a cross-functional scale, and highlight its implications for discussions on data protection, welfare governance, and exclusion from public and private services.

12:30-13:30 Digital Money and Financial Inclusion

Dr. Anupam Saraph and Ms. Astha Kapoor
This session will focus on the rise of digital banking and online payments as core instruments of financial inclusion in India, especially in the context of the Jan Dhan Yojana and UPI, and reflect on the concerns around privacy and financial data.

13:30-14:30 Lunch

14:30-15:30 Big Data and Mass Surveillance

Dr. Anja Kovacs and Mr. Matthew Rice
This session will reflect on the rise of mass communication surveillance across the world, and the evolving challenges of regulating il/legal surveillance by government agencies.

15:30-16:15 Privacy is (a) Right

Mr. Apar Gupta and Ms. Kritika Bhardwaj
This brief session is to share initial ideas and strategies for articulating and actualising a constitutional right to privacy in India.

16:15-16:30 Tea and Coffee

16:30-17:30 Round Table

An open discussion session to conclude the workshop.

Speakers

Mr. Amber Sinha

Amber works on issues surrounding privacy, big data, and cyber security. He is interested in the impact of emerging technologies like artificial intelligence and learning algorithms on existing legal frameworks, and how they need to evolve in response. Amber studied humanities and law at National Law School of India University, Bangalore.

E-mail: amber at cis-india dot org.

Twitter: @ambersinha07.

Ms. Amelia Andersdotter

Amelia Andersdotter has been a Member of the European Parliament. She works on practical implications of data protection laws and consumer information security in Sweden, and digital rights in the Europe in general. Presently she is residing in Bangalore, where she is a visiting scholar with Centre for Internet and Society. She holds a BSc in Mathematics.

URL: https://dataskydd.net.

Twitter: @teirdes.

Dr. Anja Kovacs

Dr. Anja Kovacs directs the Internet Democracy Project in Delhi, India, which works for an Internet that supports free speech, democracy and social justice in India and beyond. Anja’s research and advocacy focuses especially on questions regarding freedom of expression, cybersecurity and the architecture of Internet governance. She has been a member of the of the Investment Committee of the Digital Defenders Partnership and of the Steering Committee of Best Bits, a global network of civil society members. She has also worked as an international consultant on Internet issues, including for the Independent Commission on Multilateralism, the United Nations Development Programme Asia Pacific and the UN Special Rapporteur on Freedom of Expression, Mr. Frank La Rue, as well as having been a Fellow at the Centre for Internet and Society in Bangalore, India.

Internet Democracy Project: https://internetdemocracy.in.

Twitter: @anjakovacs.

Dr. Anupam Saraph

Anupam Saraph has extensively researched India's UID number that has been widely regarded as the game changer in development programs. It has come to be linked with both public and private databases and become the requirement for access to entitlements, benefits, services and rights. Dr. Saraph, who has the design of at least two identification programs to his credit has researched the UID’s functional creep since its inception.

He has been dissecting the myths of what the UID is or is not. He has also tracked the consequences of its linkages on databases that protect national security, sovereignty, democratic status and the entire banking and money system in India. He has also highlighted the implications of its use for targeted delivery of cash subsidies from the Consolidated Fund of India. He has written and lectured widely about the devastating impact of the UID number on development programs, national security and the governability of India.

As a Professor of Systems, Governance and Decision Sciences, Environmental Systems and Business he mentors students and teaches systems, information systems, environmental systems and sustainable development at universities in Europe, Asia and the Americas. He has worked with the Rensselaer Polytechnic Institute, Rijksuniversitiet Groningen, RIVM, University of Edinburgh, Resource Use Institute, Systems Research Institute among others. Dr. Saraph has had the unique distinction of being India’s only person who has held the only office of a City CIO in India, in a PPP arrangement with government, industry and himself. He has also been the first e-governance Advisor to a State government. Dr. Saraph has held CxO and ministerial level positions and serves as an independent director on the boards of Public and Private Sector companies and NGOs. He is also the President of the Nagrik Chetna Manch, an NGO charged with the mission to bring accountability in governance.

Dr. Saraph is also actively engaged in civil society where he participates in several environmental, resource and nature conservation initiatives, has authored draft legislations for river and natural resource conservation, right to good governance and has contributed to governance, election and democratic reforms. Dr. Saraph is a regular columnist in newspapers and writes on issues of governance, future design, technology and education from a systems perspective.

As a future designer and recognized as a global expert on complex systems he helps individuals and organisations understand and design the future of their worlds. Together they address the toughest challenges, accomplish missions and achieve business goals. He also supports building capacity to address the challenges of today as well as to build future designs through teams and effective leadership. Since the eighties Dr. Saraph has modeled complex systems of cities, countries, regions and even the planet. His models have been awarded internationally and even placed in 10-year permanent exhibitions.

Dr Saraph works with business and government executives, civil society leaders, politicians, generals, civil servants, police, trade unionists, community activists, United Nations and ASEAN officials, judges, writers, media, architects, designers, technologists, scientists, entrepreneurs, board members and business leaders of small, mid and large single and trans-national companies, religious leaders and artists across a dozen countries and various industry sectors to help them and their organisations succeed in their missions. He advises the World Economic Forum through its Global Agenda Council for Complex Systems and the Club of Rome, Indian National Association as a founder life member.

Dr Saraph holds a PhD in designing sustainable systems from the faculty of Mathematics and Natural Sciences of the Rijksuniversiteit Groningen, the Netherlands.

Website: http://anupam.saraph.in.

Twitter: @anupamsaraph.

Mr. Apar Gupta

Apar Gupta practices law in Delhi. He is also one of the co-founders of the Internet Freedom Foundation. His work and writing on public interest issues can be accessed at his personal website www.apargupta.com.

Twitter: @aparatbar.

Ms. Astha Kapoor

Astha Kapoor is a public policy strategy consultant working on financial inclusion and digital payments. Currently, she is working with MicroSave. Her tasks involve a focus on government to people (G2P) payments - and her work spans strategy, advisory and evaluation with the DBT Mission, Office of the Chief Economic Advisor, NITI Aayog and ministries pertaining to food, fuel and fertilizer. She recently designed a pilot to digitize uptake of fertilizers in Krishna district, and evaluated the newly introduced coupon system in the Public Distribution System in Bengaluru.

Twitter: @kapoorastha.

Ms. Kritika Bhardwaj

Kritika Bhardwaj works as a Programme Officer at the Centre for Communication Governance (CCG), National Law University, Delhi. Her main areas of research are privacy and data protection. At CCG, she has written about the privacy implications of several contemporary issues such as Aadhaar (India's unique identification project), cloud computing and the right to be forgotten. A lawyer by training, Kritika has a keen interest in information law and human rights law.

Centre for Communication Governance, NLU Delhi: http://ccgdelhi.org.

Twitter: @Kritika12.

Mr. Matthew Rice

Matthew Rice is an Advocacy Officer at Privacy International working across the organisation engaging with international partners and strengthening their capacity on communications surveillance issues. He has previously worked at Privacy International as a consultant building the Surveillance Industry Index, the largest publicly available database on the private surveillance sector ever assembled. Matthew graduated from University of Aberdeen with an LLB (Hons.) and also has an MA in Human Rights from University College London.

Privacy International: https://privacyinternational.org.

Twitter: @mattr3.

Mr. Sandeep Mertia

Sandeep Mertia is a Research Associate at The Sarai Programme, Centre for the Study of Developing Societies, Delhi. He is an ICT engineer by training with research interests in Science & Technology Studies, Software Studies and Anthropology. He is conducting an ethnographic study of emerging modes of data-driven knowledge production in the social sector.

Sarai: http://sarai.net.

Twitter: @SandeepMertia.

Academia: https://daiict.academia.edu/SandeepMertia.

Mr. Srikanth Lakshmanan

Srikanth is a software professional with interests in Internet, follower of Internet policy discussions, volunteers for multiple online campaigns related to Internet. He is also fascinated by FOSS, opendata, localization, Wikipedia, maps, public transit, civic tech and occasionally contributes to them.

Site: http://www.srik.me.

Twitter: @logic.

Mr. Vipul Kharbanda

Vipul Kharbanda is a consultant with the Center for Internet and Society, Bangalore. After finishing his BA.LLB.(Hons.) from National Law School of India University in Bangalore, he worked for India’s largest corporate law firm for two and a half years in their Mumbai office for two years working primarily on the financing of various infrastructure projects such as Power Plants, Roads, Airports, etc. Since quitting his corporate law job, Vipul has been working as the Associate Editor in a legal publishing house which has been publishing legal books and journals for the last 90 years in India. He has also been involved with the Center for Internet and Society as a Consultant working primarily on issues related to privacy and surveillance.

For more details visit https://cis-india.org/internet-governance/events/privacy-after-big-data-delhi-nov-12-2016

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

Conference on the Digitalization of the Indian Legal System

Leilah Elmokadem — 2016-11-16T15:34:36Z

On Legal Services Day, November 9, 2016, LegalDesk.com collaborated with iSPIRT to host a conference on the “Digitalization of the Indian Legal System”. The event invited prominent speakers to present their organizations’ work and to participate in a panel discussion followed by a Q&A period for the audience.

The co-founder of DAKSH Society of India, Kishore Mandyam, opened the event with a thought-provoking presentation on the efficiency levels of the current legal system and the kinds of progress that can be brought about by technological reforms. Members of LegalDesk.com then presented their ideas and then introduced their newest white paper on Legal Digitalization, providing a brief overview of the study and summarizing the most relevant sections. The panel discussion then proceeded, moderated by Sanjay Khan Nagra, a policy expert at iSPIRT Foundation. He facilitated an insightful and conducive discussion around the advantages, disadvantages, risks and incentives of digitalizing the Indian legal system. On the discussion panel was Kishore Mandyam from DAKSH Society and Prabhuling K Navadgi, the Additional Solicitor General of India.

The objectives to the conference, as per its website, were to: (1) examine the current legal framework and the possibility of amendments in laws to facilitate digitalization of the system, (2) asses the potential of India Stack in digitalizing the legal system, (3) to identify statutes which require amendment, (4) identify the hurdles and roadblocks in the path towards digital reform of the legal ecosystem, and (5) suggest amendments to the act and potential areas of improvement. With those objectives in mind, this blog post intends to provide a brief overview of the main narratives shared in the conference and to identify some of the loopholes and unanswered questions that I was left with by the end.

Improved efficiency is the dominant narrative used to advocate for the digitalization of the Indian legal system. According to LegalDesk.com, the current Indian legal system relies mostly on paperwork, resulting in thousands of courts and over a million advocates accumulating lackhs of ongoing cases and an enormous pile of pending cases, mostly due to insufficient information. It is stated that the traditional methods of legal documentation, paperwork and court work must change through awareness, technology and pursuance by the government, as it needs to be implemented throughout the country. The key idea here is that digital transactions are faster and simplify the process of storing information. The ultimate desired outcome here, then, is increased efficiency and transparency.

One must question, however, if this narrative may be overly generous with the credit it gives to technology. IT systems, like many other manmade structures, are always bound to glitch and crash. It would be useful, then, to question whether the legal system is a department that can afford the complications that inevitably accompany a digital transformation. If portals or servers fail at critical times (i.e. when a person needs to confirm their trial date, submit a document before a deadline, or any other pressing procedures), the consequences may in fact outweigh the convenience brought about by overall digitalization. This is not to imply that the legal system cannot or should not undergo a digital transformation. Rather, it is to pose the question of whether the government will dedicate sufficient funds and expertise towards developing a resilient and reliable IT system for the courts. The conference was strongly centered on the concept that technology is always the way forward. This is a positive idea but one must pay special attention to the complications that may arise with the digitalization of a system that must function in a particularly time-sensitive manner – and to ensure that these complications can be managed efficiently and effectively should they arise. This then, requires more than a mere push for digitalization. Introducing new technological platforms is a positive step towards digitalization. However, there is a need for a detailed, government-authorized plan on how the judicial system will efficiently and smoothly undergo this digital transformation in a sustainable and resilient manner.

A presenter from LegalDesk.com mentioned Estonia’s model of complete digital governance as an example of successful digitalization: “If a small country like Estonia can do it, why can’t we?” While it is useful to draw examples and lessons from other countries, it is also crucial to recognize the contextual differences between countries. The presenter’s point was that Estonia is small in both size and population and has just recently gained independence in 1991—and has nonetheless been able to undergo technological reform and completely digitalize governance systems. India’s case is extremely different as one can logically argue that digital inclusion is more difficult to accomplish for large, spatially dispersed populations. Furthermore, the socioeconomic disparities in India, particularly in income and literacy, contribute to an immense digital divide that Estonia did not, to any comparable extent, face in order to digitalize governance over 1.3 million individuals. This is not to suggest that India cannot become a world leader in digital governance, or become comparable to Estonia. Rather, this is to highlight the importance of recognizing historical, political and sociocultural differences between countries when comparing governance models and digitalization processes. There is a need to indigenize digital reform strategies and platforms in India to cater to its unique context and vast diversity. This can be done by focusing on issues such as the language of digital governance, ensuring sufficient distribution of access to public digital platforms, and prioritizing the inclusion of all socioeconomic classes. I would argue that digitalization could come at a greater cost than benefit if it perpetuates the exclusion of the underprivileged members of society, especially from a system as critical as the judiciary. These topics were alarmingly overlooked in the conference.

The topic of privacy was also quite overlooked in the conference. As a step towards digital transformation, LegalDesk.com presented the new eNotary technology, which would be implemented by utilizing a combination of Adhaar based authentication, eSign, digilocker systems such as India Stack and video/audio recorded interviews. With the eNotary system, attestation, authentication and verification of legal instruments can be done remotely. This is expected to make paperwork easier, faster and more secure, as individuals would log into digital platforms using their Adhaar numbers to perform their judiciary procedures. A member of the audience asked about privacy concerns associated with digitalizing the legal records or property ownership information of individuals. Kishore Mandyam, from DAKSH, answered confidently with a statement that privacy is not a pressing issue here. He asserted that privacy concerns are a western construct that we have adopted in urban parts of India but that is not a concern for the majority of locals. It is clear, however, from examples such as the United States’ predictive policing practices, that accumulating data regarding the legal affiliations of individuals can result in discriminatory practices if this data does not remain strictly confidential to protect the privacy rights of citizens. This is not to mention the other forms of discrimination that can arise from the accumulation of such data, such as the targeting of certain demographics by corporate marketing and credit scoring practices that rely on trends in big data. To keep citizens’ legal records and affairs out of these databases, a digital legal system must be securely encrypted and protected by rigid privacy policies. India may have a varying context that leads to different privacy concerns with regards to a digital legal system. In any case, special attention must be given to privacy and security rights of individuals as their Adhaar numbers become attached to all their online personal data, including their legal records and judicial affairs.

For more details visit https://cis-india.org/internet-governance/blog/conference-on-the-digitalization-of-the-indian-legal-system

How The U.K. Got A Better Deal From Facebook Than India Did

praskrishna — 2016-11-18T01:56:49Z

The U.K.’s Information Commissioner’s Office (ICO) and India’s Karmanya Sareen shared a similar concern – how messenger application WhatsApp’s decision to share user data with parent Facebook is a violation of the promise of privacy.

The blog post by Payaswini Upadhyay was published in Bloomberg Quint on November 17, 2016. Sunil Abraham was quoted.

Last week, Facebook agreed to address the concerns of the ICO; in India, it didn’t have to.

WhatsApp: New Privacy Policy

In August 2016, WhatsApp issued a revised privacy policy that allowed it to share user information with parent company Facebook. Any user who didn’t want her information to be shared with Facebook had a 30-day period to opt out of the policy. Opting out meant that a user’s account information would not be shared with Facebook to improve ads and product experiences. But, there was a caveat.

The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.
WhatsApp Support Team statement on its website

Facebook’s Commitment To ICO

The ICO decided to delve deeper into what Facebook intended to do with the WhatsApp user data. Elizabeth Denham, Information Commissioner, ICO stated in her blog that users haven’t been given enough information about what Facebook plans to do with the information, and WhatsApp hasn’t got valid consent from users to share the information.

I also believe users should be given ongoing control over how their information is used, not just a 30-day window.
Elizabeth Denham, Information Commissioner, ICO

Denham further elaborated ICO’s stand - that it’s important users have control over their personal information, even if services don’t charge them a fee.

We’ve set out the law clearly to Facebook, and we’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes.
Elizabeth Denham, Information Commissioner, ICO

The ICO has now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to users how their data will be used, and to giving users ongoing control over that information. Additionally, the ICO also wants WhatsApp to give users an unambiguous choice before Facebook starts using that information and for them to be given the opportunity to change that decision at any point in the future. Facebook and WhatsApp are yet to agree to this, Denham stated.

If Facebook starts using the data without valid consent, it may face enforcement action from my office.
Elizabeth Denham, Information Commissioner, ICO

In the U.K., protections in the European Data Protection Directive have been incorporated into local law via the Data Protection Act 1998. The ICO is both the privacy regulator and the transparency (right to information) regulator, Sunil Abraham, executive director at the Centre for Internet and Society pointed out. The regulator can issue enforcement notices and also fine errant actors in the market place, he said.

This is a regulator with expertise, experience and teeth. Come May 25, 2018, the General Data Protection Regulation will come into force and this will give more comprehensive powers to the regulator to investigate and remedy cases like this. The regulator will take each principle from the Directive or Regulation and examine Facebook’s actions comprehensively before deciding on a response.
Sunil Abraham, Executive Director, Centre for Internet and Society

For example, if the regulator determines that the principle of choice and consent has not been complied with, it can force Facebook to reverse its decisions and provide greater transparency and clearer choices, Abraham added.

Karmanya Sareen’s Grievance

Back home in India, just two months ago, Karmanya Sareen, a WhatsApp user, argued before the Delhi High Court against the company’s new privacy policy. The argument was that WhatsApp’s August 2016 notice to its users about the proposed change in the privacy policy violated the fundamental rights of users under Article 21 of the Constitution. Article 21 promises protection of life and personal liberty.

Proposed change in the privacy policy of WhatsApp would result in altering/changing the most valuable, basic and essential feature of WhatsApp i.e. the complete protection provided to the privacy of details and data of its users.
Karmanya Sareen vs Union of India

The Delhi High Court struck down the Article 21 argument saying that the Supreme Court was still deliberating over including right to privacy as a fundamental right. It also pointed to WhatsApp’s 2012 Privacy Policy that allowed the company to transfer user information in case of an acquisition or merger with a third party. The 2012 policy also allowed WhatsApp to change the terms periodically.

Consequently, the Delhi High Court held that it is not open to the users now to contend that WhatsApp should be compelled to continue the same terms of service. However, the court gave WhatsApp two directions to protect users.

WhatsApp to delete from its servers and not share with Facebook or its group companies any information belonging to users who delete their account.

Users who continue to be on WhatsApp, their existing information up to September 25, 2016 cannot be shared with Facebook or any of its group companies.

Did The Delhi High Court Go Easy On Facebook And WhatsApp?

Apar Gupta, an advocate specializing in information technology, points out that the directions given by the Delhi High Court to WhatsApp did not contemplate any additional protection to a user than what was already provided by WhatsApp.

The Delhi Court essentially reproduced WhatsApp’s privacy policy. It did not compel or provide any additional safeguard.
Apar Gupta, Lawyer

Apar attributes this to the absence of a regulatory framework.

The lack of substantive safeguard and enforcement framework in India led to the Delhi High Court upholding WhatsApp’s new privacy policy.
Apar Gupta, Lawyer

Abraham added that the court did not examine the privacy policy from the perspective of data protection principles as would have been the case in EU or any other jurisdictions with a proper data protection law.

The court too admitted this in its order that there existed a regulatory vacuum in India and asked TRAI to look into the matter. Facebook did not respond to BloombergQuint’s query on whether it would implement its U.K. commitments in India as well.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-november-17-2016-payaswini-upadhyay-how-the-uk-got-a-better-deal-from-facebook-than-india-did

DSCI Best Practices Meet 2013

kovey — 2013-07-26T08:18:01Z

The DSCI Best Practices Meet 2013 was organized on July 12, 2013 at Hyatt Regency, Anna Salai in Chennai. Kovey Coles attended the meet and shares a summary of the happenings in this blog post.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Last year’s annual Best Practices Meet, sponsored by the Data Security Council of India (DSCI), was held in here in Bangalore, and featured CIS associates as panelists for an agenda focused mostly around mobility in technology. This year, the event was continued in nearby Chennai, where many of India’s top stakeholders in Cyber Security came together at the Hyatt hotel to discuss the modern cyber security landscape. Several of the key points of the day emphasized how the industry realm needed to be especially keen on Cyber Security today. Early speakers explained how many Cyber-Attacks occur as opportunistic attacks on financial institutions, and that these breaches often take months to be discovered, with the discovery usually being made by a third-party. For those reasons, it was repeatedly mentioned throughout the day that modern entities must anticipate attacks as inevitable, and prepare themselves to be able to respond and successfully bounce-back.

Several panelists of the event expanded upon the evolving challenges facing industries, and explained why service based industry continually grows more susceptible to Cyber-Attack. There were representatives from Microsoft, Flextronics, MyEasyDoc, and others, who explained how technological demands of modern consumers resulted inadvertently in weaker security. For example, with customers expecting real-time access to data rather than periodic data reports, i.e financial data reports, industries must now keep their data open, which weakens database security. Overall, the primary challenge faced by the industry was effectively summarized by Microsoft India CSO Ganapathi Subramaniam, stating that within web services, “Security and usability are inversely proportional.” Essentially, the more convenient a product, the less secure its infrastructure.

Despite discussion of the difficulties facing modern producers and consumers, there were undoubtedly highlights of optimism at the conference. A presentation by event sponsor Juniper Networks shed light on practices which combat Cyber-Attackers, including rerouting perceived Distributed Denial of Service (DDoS) attacks and finger-printing suspected hackers through a series of characteristics rather than just IP addresses (these characteristics include browser version, fonts, Add-Ons, time zone, and more). Notably, there was a call for cooperation on all fronts in combatting Cyber-crime, for public-private partnerships (PPP), and many citizens stood and spoke on the behalf of civil society’s incorporation in the process as well. One speaker, Retired Brig. Abhimanyu Ghosh admirably tore down sector divisions in the face of Cyber-Security threats, saying “We all want to secure ourselves. It is not a question of industry versus government, government versus industry. Government needs industry, and industry needs government.”

Finally, a few speakers used their opportunity at the conference to highlight issues related to rights and responsibilities of both citizens and government in internet. Nikhil Moro, a scholar at the Hindu Center for Politics and Public Policy, spoke at length about the urgent condition of laws which undermine freedom of speech and freedom of expression in India, especially within while online. His talk, which occurred near the end of the event, stirred the crowd to discussion, and helped remind the attendees of the comprehensiveness of issues which demand attention in the realm of a growing internet presence.

For more details visit https://cis-india.org/internet-governance/blog/dsci-bpm-2013-conference-notes

CII Conference on "ACT": Achieve Cyber Security Together"

kovey — 2013-07-26T08:17:40Z

The Confederation of Indian Industries (CII) organized a conference on facing cyber threats and challenges at Hotel Hilton in Chennai on July 13, 2013. Kovey Coles attended this conference and shares a summary of the event in this blog post.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The conference hosted by CII in the Hotel Hilton, was well attended, and featured a range of industry experts, researches and developers, and members of the Indian armed forces.

Participants focused on the importance of Indian entities reaching new, adequate levels of cyber security. It was stated early in the event that India is one of the world's most targeted areas for cyber-attacks, and its number of domestic internet users is known to be rapidly increasing in an age which many view as a new era of international information warfare. Despite this, the speakers considered India to be too far behind other countries in its understanding of cyber security. In the opening remarks, CII Chairman Santhanam implored "We need hard core techies in this field… we are not producing them." Another speaker, Savitha Kesav Jagadeesan, a practicing lawyer in Chennai, asked if India would wait until the "9/11 of cyberspace" occurrence before we establish the same level of precautionary measures online as it exists now in transportation security.

With the presence of both the government’s executive forces and the private industries, the aura circulating the conference room was that of a collective Indian defense, a secure nation only achieved through both secure governmental and industrial aspects. Similar to the previous day’s DSCI cyber security conference, many speakers discussed security issues pertinent to the financial and banking industries, and other cyber crimes which had pecuniary goals. For people seeking to avoid the array of scams and frauds online, some talks shared some of the most basic advice, like safe password practices. "Passwords are like toothbrushes," said A.S. Murthy of the CDAC, "use them often, never share them with anyone, change them often." Other talks went into the intricacies of various hacking schemes, including tab-nabbing and Designated Denial of Service (DDoS) attacks, describing their tactics and how to moderate them.

In the end, the conference had certainly informed the attendees of the goals, and the challenges, that India will face in the coming months and years. The speakers (all of them) showed how the world of cyber security was quickly evolving, and demonstrated the imperative in government and industry entities evolving their own practices and defenses in stride. The ambitions of several presentations matched the well-publicized "5 lakh cyber professionals in 5 years" plan, placing a strong emphasis in the current and future training of young students in cyber security. Ultimately, I think, the conference helped convince that cyber security is neither a futile, nor completely infallible concept. As CISCO Vice President Col. K.P.M. Das said towards the end of the evening, the most ideal form of cyber security is truly "all about trust, the ability to recover, and transparency/visibility."

For more details visit https://cis-india.org/internet-governance/blog/cii-conference-on-act

White Paper on RTI and Privacy V1.2

vipul — 2014-11-09T02:53:51Z

This white paper explores the relationship between privacy and transparency in the context of the right to information in India. Analysing pertinent case law and legislation - the paper highlights how the courts and the law in India address questions of transparency vs. privacy.

Introduction

Although the right to information is not specifically spelt out in the Constitution of India, 1950, it has been read into Articles 14 (right to equality), 19(1)(a) (freedom of speech and expression) and 21 (right to life) through cases such as Bennet Coleman v. Union of India,[1] Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd.,[2] etc. The same Articles of the Constitution were also interpreted in Kharak Singh v.State of U.P.,[3] Govind v. State of M.P., [4] and a number of other cases, to include within their scope a right to privacy. At the very outset it appears that a right to receive information -though achieving greater transparency in public life - could impinge on the right to privacy of certain people. The presumed tension between the right to privacy and the right to information has been widely recognized and a framework towards balancing the two rights, has been widely discussed across jurisdictions. In India, nowhere is this conflict and the attempt to balance it more evident than under the Right to Information Act, 2005 (the "RTI Act").

Supporting the constitutional right to information enjoyed by the citizens, is the statutorily recognized right to information granted under the RTI Act. Any potential infringement of the right to privacy by the provisions of the RTI Act are sought to be balanced by section 8 which provides that no information should be disclosed if it creates an unwarranted invasion of the privacy of any individual. This exception states that there is no obligation to disclose information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information. [5] The Act further goes on to say that where any information relating to or supplied by a third party and treated by that party as confidential, is to be disclosed, the Central Public Information Officer or State Public Information Officer has to give written notice to that party within five days of receiving such a request inviting such third party (within ten days) to make its case as to whether such information should or should not be disclosed.[6]

A plain reading of section 11 suggests that for the section to apply the following three conditions have to be satisfied, i.e. (i) if the PIO is considering disclosing the information (ii) the information relates to the third party or was given to a Public Authority by the third party in confidence; and (iii) the third party treated the information to be a confidential. It has been held that in order to satisfy the third part of the test stated above, the third party has to be consulted and therefore a notice has to be sent to the third party. Even if the third party claims confidentiality, the proviso to the section provides that the information cannot be withheld if the public interest in the disclosure outweighs the possible harm or injury that may be caused to the third party, except in cases of trade or commercial secrets.[7] The Courts have also held that section 11 should be read keeping in mind the exceptions contained in section 8 (discussed in detail later) and the exceptions contained therein. [8]

This principle of non disclosure of private information can be found across a number of common law jurisdictions. The United Kingdom's Freedom of Information Act, 2000 exempts the disclosure of information where it would violate the data protection principles contained in the Data Protection Act, 1998 or constitute an actionable breach of confidence.[9] The Australian Freedom of Information Act, 1982 categorizes documents involving unreasonable disclosure of personal information as conditionally exempt i.e. allows for their disclosure unless such disclosure would be contrary to public interest.[10] The Canadian Access to Information Act also has a provision which allows the authorities to refuse to disclose personal information except in accordance with the provisions of the Canadian Privacy Act. [11]

An overview of the RTI Act, especially sections 6 to 8 seems to give the impression that the legislature has tried to balance and harmonize conflicting public and private rights and interests by building sufficient safeguards and exceptions to the general principles of disclosure under the Act. [12] This is why it is generally suggested that section 8, when applied, should be given a strict interpretation as it is a fetter on not only a statutory right granted under the RTI Act but also a pre-existing constitutional right. [13] Logical as this argument may seem and appropriate in some circumstances, it does present a problem when dealing with the privacy exception contained in section 8(1)(j). That is because the right to privacy envisaged in this section is also a pre-existing constitutional right which has been traced to the same provisions of the Constitution from which the constitutional right of freedom of information emanates.[14] Therefore there is an ambiguity regarding the treatment and priority given to the privacy exception vs. the disclosure mandate in the RTI Act, as it requires the balancing of not only two competing statutory rights but also two constitutional rights.

The Privacy Exception

As discussed earlier, the purpose of the RTI Act is to increase transparency and ensure that people have access to as much public information as possible. Such a right is critical in a democratic country as it allows for accountability of the State and allows individuals to seek out information and make informed decisions. However, it seems from the language of the RTI Act that at the time of its drafting the legislature did realize that there would be a conflict between the endeavor to provide information and the right to privacy of individuals over the information kept with public authorities, which is why a privacy exception was carved into section 8(1)(j) of the Right to Information Act. The Act does not only protect the privacy of the third party who's information is at risk of being disclosed, but also the privacy of the applicant. In fact it has now been held that a private respondent need not give his/her ID or address as long as the information provided by him/her is sufficient to contact him/her.[15]

It is interesting to note that although the RTI Act gives every citizen a right to information, it does not limit this right with a stipulation as to how the information shall be used by the applicant or the reason for which the applicant wants such information. [16] This lack of a purpose limitation in the Act may have privacy implications as non sensitive personal information could be sought from different sources and processed by any person so as to convert such non-sensitive or anonymous information into identifiable information which could directly impact the privacy of individuals.

The exception in S. 8(1)(j) prohibits the disclosure of personal information for two reasons (i) its disclosure does not relate to any public activity or interest or (ii) it would be an unwarranted invasion into privacy. The above two conditions however get trumped if a larger public interest is satisfied by the disclosure of such information.

One interesting thing about the exception contained in section 8(1)(j) is that this exception itself has an exception to it in the form of a proviso. The proviso says that any information which cannot be denied to the central or state legislature shall not be denied to any person. Since the proviso has been placed at the end of sub-section 8(1) which is also the end of clause 8(1)(j), one might be tempted to ask whether this proviso applies only to the privacy exception i.e. clause 8(1)(j) or to the entire sub-section 8(1) (which includes other exceptions such as national interest, etc.). This issue was put to rest by the Bombay High Court when it held that since the proviso has been put only after clause 8(1)(j) and not before each and every clause, it would not apply to the entire sub-section 8(1) but only to clause 8(1)(j), thus ensuring that the exceptions to disclosure other than the right to privacy are not restricted by this proviso.[17]

Scope of Proviso to section 8(1)(j)
Though the courts have agreed that the proviso is applicable only to section 8(1)(j), the import of the proviso to section 8(1)(j) is a little more ambiguous and there are conflicting decisions by different High Courts on this point. Whereas the Bombay High Court has laid emphasis on the letter of the proviso and derived strength from the objects and overall scheme of the Act to water down the provisions of section 8(1)(j), [18] the Delhi High Court has disagreed with such an approach which gives "undue, even overwhelming deference" to Parliamentary privilege in seeking information. Such an approach would render the protection under section 8(1)j) meaningless, and the basic safeguard bereft of content.[19] In the words of the Delhi High Court:

" The proviso has to be only as confined to what it enacts, to the class of information that Parliament can ordinarily seek; if it were held that all information relating to all public servants, even private information, can be accessed by Parliament, Section 8(1)(j) would be devoid of any substance, because the provision makes no distinction between public and private information. Moreover there is no law which enables Parliament to demand all such information; it has to be necessarily in the context of some matter, or investigation. If the reasoning of the Bombay High Court were to be accepted, there would be nothing left of the right to privacy, elevated to the status of a fundamental right, by several judgments of the Supreme Court. "

The interpretation given by the Delhi High Court thus ensures that section 8(1)(j) still has some effect, as otherwise the privacy exception would have gotten steamrolled by parliamentary privilege and all sorts of information such as Income Tax Returns, etc. of both private and public individuals would have been liable to disclosure under the RTI Act.

Unfortunately, the RTI Act does not describe the terms "personal information" or "larger public interest" used in section 8(1)(j), which leaves some amount of ambiguity in interpreting the privacy exception to the RTI Act. Therefore the only option for anyone to understand these terms in greater depth is to discuss and analyse the case laws developed by the Hon'ble Supreme Court and the High Courts which have tried to throw some light on this issue.

We shall discuss some of these landmark judgments to understand the interpretations given to these terms and then move on to specific instances where (applying these principles) information has been disclosed or denied.

Personal Information
The RTI Act defines the term information but does not define the term "personal information". Therefore one has to rely on judicial pronouncements to understand the term a more clearly. Looking at the common understanding and dictionary meaning of "personal" as well as the definition of "information" contained in the RTI Act it could be said that personal information would be information, information that pertains to a person and as such it takes into its fold possibly every kind of information relating to the person. Now, such personal information of the person may, or may not, have relation to any public activity, or to public interest. At the same time, such personal information may, or may not, be private to the person. [20]

The Delhi High Court has tried to draw a distinction between the term "private information" which encompasses the personal intimacies of the home, the family, marriage, motherhood, procreation, child rearing and of the like nature and "personal information" which would be any information that pertains to an individual. This would logically imply that all private information would be part of personal information but not the other way round. [21] The term 'personal information' has in other cases, been variously described as "identity particulars of public servants, i.e. details such as their dates of birth, personal identification numbers",[22] and as including tax returns, medical records etc.[23] It is worth noting that just because the term used is "personal information" does not mean that the information always has to relate to an actual person, but may even be a juristic entity such as a trust or corporation, etc.[24]

Larger Public Interest
The term larger public interest has not been discussed or defined in the RTI Act, however the Courts have developed some tests to determine if in a given situation, personal information should be disclosed in the larger public interest.

Whenever a Public Information Officer is asked for personal information about any person, it has to balance the competing claims of the privacy of the third party on the one hand and claim of public interest on the other and determine whether the public interest in such a disclosure satisfies violating a person's privacy. The expression "public interest" is not capable of a precise definition and does not have a rigid meaning. It is therefore an elastic term and takes its colors from the statute in which it occurs, the concept varying with the time and the state of the society and its needs. This seems to be the reason why the legislature and even the Courts have shied away from a precise definition of "public interest". However, the term public interest does not mean something that is merely interesting or satisfies the curiosity or love of information or amusement; but something in which a class of the community have some interest by which their rights or liabilities are affected.[25]

There have been suggestions that the use of the word "larger" before the term "public interest" denotes that the public interest involved should serve a large section of the society and not just a small section of it, i.e. if the information has a bearing on the economy, the moral values in the society; the environment; national safety, or the like, the same would qualify as "larger public interest".[26] However this is not a very well supported theory and the usage of the term "larger public interest" cannot be given such a narrow meaning, for example what if the disclosure of the information could save the lives of only 10 people or even just 5 children? Would the information not be released just because it violates one person's right to privacy and there is not a significant number of lives at stake? This does not seem to be what all the cases on the right to privacy, right from Kharak Singh[27] all the way to Naz Foundation, [28] seem to suggest. Infact, in the very same judgment where the above interpretation has been suggested, the Court undermines this argument by giving the example of a person with a previous crime of sexual assault being employed in an orphanage and says that the interest of the small group of children in the orphanage would outweigh the privacy concerns of the individual thus requiring disclosure of all information regarding the employee's past.

In light of the above understanding of section 8(1)(j), there seem to be two different tests that have been proposed by the Courts, which seem to connote the same principle although in different words:

1. The test laid down by Union Public Service Commission v. R.K. Jain:

(i) The information sought must relate to „Personal information‟ as understood above of a third party. Therefore, if the information sought does not qualify as personal information, the exemption would not apply;

(ii) Such personal information should relate to a third person, i.e., a person other than the information seeker or the public authority; AND

(iii) (a) The information sought should not have a relation to any public activity qua such third person, or to public interest. If the information sought relates to public activity of the third party, i.e. to his activities falling within the public domain, the exemption would not apply. Similarly, if the disclosure of the personal information is found justified in public interest, the exemption would be lifted, otherwise not; OR (b) The disclosure of the information would cause unwarranted invasion of the privacy of the individual, and that there is no larger public interest involved in such disclosure. [29]

2. The other test was laid down in Vijay Prakash v. Union of India, but in the specific circumstances of disclosure of personal information relating to a public official:

(i) whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization;

(ii) whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case; and

(iii) whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources. [30]

Constitutional Restrictions
Since there is not extensive academic discussion on the meaning of the term "larger public interest" or "public interest" as provided in section 8(1)(j), one is forced to turn to other sources to get a better idea of these terms. One such source is constitutional law, since the right to privacy, as contained in section 8(1)(j) has its origins in Articles 14,[31] 19(1)(a) [32] and 21[33] of the Constitution of India. The constitutional right to privacy in India is also not an absolute right and various cases have carved out a number of exceptions to privacy, a perusal of which may give some indication as to what may be considered as 'larger public interest', these restrictions are:

a) Reasonable restrictions can be imposed on the right to privacy in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence; ^{^[34]}

b) Reasonable restrictions can be imposed upon the right to privacy either in the interests of the general public or for the protection of the interests of any Scheduled Tribe;^{^[35]}

c) The right to privacy can be restricted by procedure established by law which procedure would have to satisfy the test laid down in the Maneka Gandhi case.^{^[36]}

d) The right can be restricted if there is an important countervailing interest which is superior; ^{^[37]}

e) It can be restricted if there is a compelling state interest to be served by doing so; ^{^[38]}

f) It can be restricted in case there is a compelling public interest to be served by doing so; ^{^[39]}

g) The Rajagopal tests - This case lays down three exceptions to the rule that a person's private information cannot be published, viz. i) person voluntarily thrusts himself into controversy or voluntarily raises or invites a controversy, ii) if publication is based on public records other than for sexual assault, kidnap and abduction, iii) there is no right to privacy for public officials with respect to their acts and conduct relevant to the discharge of their official duties. It must be noted that although the Court talks about public records, it does not use the term 'public domain' and thus it is possible that even if a document has been leaked in the public domain and is freely available, if it is not a matter of public record, the right to privacy can still be claimed in regard to it.^{^[40]}

Section 8(1)(j) in Practice

The discussion in the previous chapter regarding the interpretation of section 8(1)(j), though (hopefully) helpful still seems a little abstract without specific instances and illustrations to drive home the point. In this chapter we shall endeavor to briefly discuss some specific cases regarding information disclosure where the issue of violation of privacy of a third party was raised.

Private Information of Public Officials
Some of the most common problems regarding section 8(1)(j) come up when discussing information (personal or otherwise) regarding public officers. The issue comes up because an argument can be made that certain information such as income tax details, financial details, medical records, etc. of public officials should be disclosed since it has a bearing on their public activities and disclosure of such information in case of crooked officers would serve the interests of transparency and cleaner government (hence serving a larger public interest). Although section 8(1)(j) does not make any distinction between a private person and a public servant, a distinction in the way their personal information is treated does appear in reality due to the inherent nature of a public servant. Infact it has sometimes been argued that public servants must waive the right to privacy in favour of transparency.[41] However this argument has been repeatedly rejected by the Courts, [42] just because a person assumes public office does not mean that he/she would automatically lose their right to privacy in favour of transparency.

If personal information regarding a public servant is asked for, then a distinction must be made between the information that is inherently personal to the person and that which has a connection with his/her public functions. The information exempted under section 8(1)(j) is personal information which is so intimately private in nature that the disclosure of the same would not benefit any other person, but would result in the invasion of the privacy of the third party.[43] In short, the Courts have concluded that there can be no blanket rule regarding what information can and cannot be disclosed when it comes to a public servant, and the disclosure (or lack of it) would depend upon the circumstances of each case.

Although the earlier thinking of the CIC as well as various High Courts of the country was that information regarding disciplinary proceedings and service records of public officials is to be treated as public information in order to boost transparency,[44] however this line of thinking took almost a U-turn in 2012 after the decision of the Supreme Court in Girish Ramchandra Deshpande v. Central Information Commissioner,[45] and now the prevailing principle is that such information is personal information and should not be disclosed unless a larger public interest is would be served by the disclosure.

It would also be helpful to look at a list of the type of information regarding public servants which has been disclosed in the past, gleaned from various cases, to get a better understanding of the prevailing trends in such cases:

(i) Details of postings of public servants at various points of time, since this was not considered as personal information; [46]

(ii) Copies of posting/ transfer orders of public servants, since it was not considered personal information; [47]

(iii) Information regarding transfers of colleagues cannot be exempted from disclosure, since disclosure would not cause any unwarranted invasion of privacy and non disclosure would defeat the object of the RTI Act;[48]

(iv) Information regarding the criteria adopted and the marks allotted to various academic qualifications, experience and interview in selection process for government posts by the state Public Service Commission;[49]

(v) Information regarding marks obtained in written test, interview, annual confidential reports of the applicant as well as the marks in the written test and interview of the last candidate selected, since this information was not considered as personal information; [50]

(vi) Information relating to the appointment and educational certificates of teachers in an educational institution (which satisfies the requirements of being a public authority) was disclosed since this was considered as relevant to them performing their functions. [51]

The performance of an employee/officer in an organization is primarily a matter between the employee and the employer and normally those aspects are governed by the service rules which fall under the expression "personal information", the disclosure of which has no relationship to any public activity or public interest. To understand this better below is a brief list of the type of information that has been considered by the Courts as personal information which is liable to be exempt from disclosure under section 8(1)(j):

(i) (a) Salary details, (b) show cause notice, memo and censure, (c) return of assets and liabilities, (d) details of investment and other related details, (e) details of gifts accepted, (f) complete enquiry proceedings, (g) details of income tax returns;[52]

(ii) All memos issued, show cause notices and orders of censure/punishment etc. are personal information. Cannot be revealed unless a larger public interest justifies such disclosure;[53]

(iii) Disciplinary information of an employee is personal information and is exempt under section 8(1)(j); [54]

(iv) Medical records cannot be disclosed due to section 8(1)(j) as they come under "personal information", unless a larger public interest can be shown meriting such disclosure;[55]

(v) Copy of personnel records and service book (containing Annual Confidential Reports, etc.) of a public servant is personal information and cannot be disclosed due to section 8(1)(j);[56]

(vi) Information regarding sexual disorder, DNA test between an officer and his surrogate mother, name of his biological father and step father, name of his mother and surrogate step mother and such other aspects were denied by the Courts as such information was considered beyond the perception of decency and was an invasion into another man's privacy.[57]

It is not just the issue of disclosure of personal details of public officials that raises complicated questions regarding the right to information, but the opposite is equally true, i.e. what about seemingly "public" details of private individuals. A very complicated question arose with regard to information relating to the passport details of private individuals.

Passport Information of Private Individuals
The disclosure of passport details of private individuals is complicated because for a long time there was some confusion because of the treatment to be given to passport details, i.e. would its disclosure cause an invasion of privacy since it contains personally identifying information, specially because photocopies of the passport are regularly given for various purposes such as travelling, getting a new phone connection, etc. The Central Information Commission used a somewhat convoluted logic that since a person providing information relating to his residence and identity while applying for a passport was engaging in a public activity therefore such information relates to a public activity and should be disclosed. This view was rejected by the Delhi High Court in the case of Union of India v. Hardev Singh,[58] and the view taken inHardev Singh was later endorsed and relied upon in Union of India v. Rajesh Bhatia, [59] while hearing a number of petitions to decide what details of a third party's passport should be disclosed and what should be exempt from disclosure.

A list of the Courts conclusions is given below:

Information that can be revealed:

(i) Name of passport holder;

(ii) Whether a visa was issued to a third party or not;

(iii) Details of the passport including dates of first issue, subsequent renewals, dates of application for renewals, numbers of the new passports and date of expiry;

(iv) Nature of documents submitted as proof;

(v) Name of police station from where verification for passport was done;

(vi) Whether any report was called for from the jurisdictional police;

(vii) Whether passport was renewed through an agent or through a foreign embassy;

(viii) Whether it was renewed in India or any foreign country;

(ix) Whether tatkal facility was availed by the passport holder;

Information that cannot be revealed:

(i) Contents of the documents submitted with the passport application;

(ii) Marital status and name and address of husband;

(iii) Whether person's name figures as mother/guardian in the passport of any minor;

(iv) Copy of passport application form;

(v) Residential address of passport holder;

(vi) Details of cases filed/pending against passport holder;

(vii) Copy of old passport;

(viii) Report of the police and CID for issuing the passport;

(ix) Copy of the Verification Certificate, if any such Verification Certificate was relied upon for the issue of the passport.

Other Instances

Apart from the above two broad categories of information that has been the subject of intense judicial discussion, certain other situations have also arisen where the Courts have had to decide the issue of disclosure under section 8(1)(j), a brief summary of such situations is given below:

(i) names and details of people who received money as donations from the President out of public funds was considered as information which has a definite link to public activities and was therefore liable to be disclosed;[60]

(ii) information regarding the religion practiced by a person, who is alleged to be a public figure, collected by the Census authorities was not disclosed since it was held that the quest to obtain the information about the religion professed or not professed by a citizen cannot be in any event; [61]

(iii) information regarding all FIRs against a person was not protected under section 8(1)(j) since it was already a matter of public record and Court record and could not be said to be an invasion of the person's privacy;[62]

(iv) information regarding the income tax returns of a public charitable trust was held not to be exempt under section 8(1)(j), since the trust involved was a public charitable trust functioning under a Scheme formulated by the District Court and registered under the Bombay Public Trust Act as such due to its character and activities its tax returns would be in relation to public interest or activities.[63]

Conclusion

A discussion of the provisions of section 8 and 11 of the RTI Act as well as the case laws under it reveals that the legislature was aware of the dangers posed to the privacy of individuals from such a powerful transparency law. However, it did not want the exceptions carved out to protect the privacy of individuals to nullify the objects of the RTI Act and therefore drafted the legislation to incorporate the principle that although the RTI Act should not be used to violate the privacy of individuals, such an exception will not be applicable if a larger public interest is to be served by the disclosure. This principle is in line with other common law jurisdictions such as the U.K, Austalia, Canada, etc. which have similar exceptions based on privacy or confidentiality.

However it is disappointing to note that the legislature has only left the legislation at the stage of the principle which has left the language of the exception very wide and open to varied interpretations. It is understandable that the legislature would try to keep specifics out of the scope of the section to make it future proof. It is obvious that it would be impossible for the legislature or the courts to imagine every single circumstance that could arise where the right to information and the right to privacy would be at loggerheads. However, such wide and ambiguous drafting has led to cases where the Courts and the Central Information Commission have taken opposing views, with the views of the Court obviously prevailing in the end. This was illustrated by the issue of disclosure of passport details of private individuals with a large number of CIC cases taking different views till the High Court of Delhi gave categorical findings on the issue in the Hardev Singh and Rajesh Bhatia cases. Similar was the issue of service details of public officials since before the decision of the Supreme Court in the case of Girish Ramchandra Deshpande in 2012 the prevailing thinking of the CIC was that details of disciplinary proceedings against public officials are not covered by section 8(1)(j), however this thinking has now taken a U-turn as the Supreme Court's understanding of the right to privacy has taken stronger roots and such information is now outside the scope of the RTI Act, unless a larger public interest in the disclosure can be shown.

The ambiguity that arises in application when trying to balance the right to privacy against the right to information is a drawback in incorporating only a principle and leaving the language ambiguous in any legislation. This paper does not advocate that the legislature try to list out all the instances of this problem that are possibly imaginable, this would be too time consuming and may even be counterproductive. However, it is possible for the legislature to adopt an accepted practice of legislative drafting and list certain instances where there is an obvious balancing required between the two rights and put them as "Illustrations" to the section. This device has been utilised to great effect by some of the most fundamental legislations in India such as the Contract Act, 1872 and the Indian Penal Code, 1860. An alternative to this approach could be to utilize the approach taken in the Australian Freedom of Information Act, where the Act itself gives certain factors which should be considered to determine whether access to a particular document would be in the public interest or not.

List of References

Primary Sources

1. Australia Freedom of Information Act, 1982.

2. Bennet Coleman v. Union of India, AIR 1973 SC 106.

3. Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

4. Calcutta High Court, WP (W) No. 33290 of 2013, dated 20-11-2013.

5. Canadian Access to Information Act.

6. Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667

7. Constitution of India, 1950.

8. Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

9. Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

10. Jamia Millia Islamia v. Sh. Ikramuddin, Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

11. Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

12. Kharak Singh v. State of U.P., AIR 1963 SC 129.

13. Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978.

14. Naz Foundation Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

15. P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

16. Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82.

17. President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

18. Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

19. R. Rajagopal v. Union of India, Supreme Court of India, dated 7-10-1994.

20. Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

21. Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

22. Right to Information Act, 2005

23. Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

24. Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

25. Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

26. Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

27. Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd., (1995) 5 SCC 139.

28. U.K. Freedom of Information Act, 2000.

29. UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

30. Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151

31. Union of India v. Hardev Singh WP(C) 3444 of 2012 dated 23-08-2013.

32. Union of India v. Rajesh Bhatia WP(C) 2232/2012 dated 17-09-2013.

33. Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

34. Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

Secondary Sources

1. "Country Report for U.K.", Privacy International, available at https://www.privacyinternational.org/reports/united-kingdom.

2. "Country Report for Australia", Privacy International, available at https://www.privacyinternational.org/reports/australia.

3. "Country Report for Canada", Privacy International, available at https://www.privacyinternational.org/reports/canada.

[1] AIR 1973 SC 106. This case held that the freedom of the press embodies in itself the right of the people to read.

[2] (1995) 5 SCC 139.

[3] AIR 1963 SC 129.

[4] Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[5] Section 8(1) in its entirety states as follows:

(1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,-

(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;

(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;

(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;

(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;

(f) information received in confidence from foreign Government;

(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;

(h) information which would impede the process of investigation or apprehension or prosecution of offenders;

(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:

Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:

Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;

(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:

Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

[6] Section 11 of the RTI Act.

[7] The Registrar General v. A. Kanagaraj, (Madras High Court, 14 June 2013, available at http://www.indiankanoon.org/doc/36226888/.

[8] Arvind Kejriwal v. Central Public Information Officer, (Delhi High Court, 30 September 2011, available at http://www.indiankanoon.org/doc/1923225/.

[9] Sections 40 and 41 of the U.K. Freedom of Information Act, 2000.

[10] Section 11A read with section 47-F of the Australia Freedom of Information Act, 1982.

[11] Section 19 of the Canadian Access to Information Act.

[12] Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

[13] Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

[14] Articles 14, 19(1)(a) and 21 of the Constitution of India, 1950.

[15] Calcutta High Court, WP(W) No. 33290 of 2013, dated 20-11-2013.

[16] Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

[17] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

[18] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom), para 14. Where the Court held that since the medical records of a convict cannot be denied to Parliament or State legislature therefore they cannot be exempted from disclosure under the Act.

[19] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[20] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[21] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[22] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[23] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[24] Jamia Millia Islamia v. Sh. Ikramuddin , Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

[25] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[26] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[27] AIR 1963 SC 129.

[28] Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

[29] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012. This ruling was overturned by a Division Bench of the High Court relying upon a subsequent Supreme Court ruling, however, it could be argued that the Division Bench did not per se disagree with the discussion and the principles laid down in this case, but only the way they were applied.

[30] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[31] Right to equality.

[32] Freedom of speech and expression.

[33] Right to life.

[34] Article 19(2) of the Constitution of India, 1950.

[35] Article 19(5) of the Constitution of India, 1950.

[36] Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978. The test laid down in this case is universally considered to be that the procedure established by law which restricts the fundamental right should be just, fair and reasonable.

[37] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[38] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[39] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975. However the Court later used phrases such as "reasonable restriction in public interest" and "reasonable restriction upon it for compelling interest of State" interchangeably which seems to suggest that the terms "compelling public interest" and "compelling state interest" used by the Court are being used synonymously and the Court does not draw any distinction between them. It is also important to note that the wider phrase "countervailing interest is shown to be superior" seems to suggest that it is possible, atleast in theory, to have other interests apart from public interest or state interest also which could trump the right to privacy.

[40] R. Rajagopal v. Union of India , Supreme Court of India, dated 7-10-1994. These tests have been listed as one group since they are all applicable in the specific context of publication of private information.

[41] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[42] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010. Also see Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[43] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667. This case also held that information cannot be denied on the ground that it would be too voluminous.

[44] Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151; Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012

[45] 2012 (119) AIC 105 (SC).

[46] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[47] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[48] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667.

[49] Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

[50] UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

[51] Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

[52] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[53] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[54] R.K. Jain v. Union Public Service Commission, Delhi High Court, LPA No. 618 of 2012, dated 12-11-2012.

[55] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[56] Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

[57] Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82. It must be mentioned that this case was not exactly under the procedure prescribed under the RTI Act but was a public interest litigation although the courts relied upon the provisions of the RTI Act.

[58] WP(C) 3444 of 2012 dated 23-08-2013.

[59] WP(C) 2232/2012 dated 17-09-2013.

[60] President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

[61] P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

[62] Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

[63] Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

For more details visit https://cis-india.org/internet-governance/blog/white-paper-on-rti-and-privacy-v-1.2

IOCOSE's talk at CIS

praskrishna — 2014-11-25T01:02:24Z

Please join us at the Centre for Internet and Society in Bangalore on Thursday, November 27, 2014 at 7 p.m. for a presentation of the work of the artists group IOCOSE, current artists in residence at T.A.J./SKE Residency.

What is the life of a drone 'in times of peace'? What are the creative potential of a drone? Drones do not have such a thing as a ‘life’. But what if?

The title of our project, 'In Times of Peace' refers to Paul Virilio's theory of logistics (Pure War, 1983).

Quoting an article published by the Pentagon in late '40s, the theorist highlighted the fact that the text presented logistics as the procedure for which the potential of a nation lies in its armed forces, 'in times of peace' as in times of war.

But what does it mean to live 'in times of peace'? And what does this mean for a drone?”

The talk will open with the announcement of the winner of the NoTube Contest 2014 which will be held at the Sree Venkateshwara Cyber Cafe in Bangalore on the very same day.

IOCOSE

IOCOSE is a collective of four artists who has been working in Italy and Europe since 2006. It organises actions in order to subvert ideologies, practices and processes of identification and production of meanings. It uses pranks and hoaxes as tactical means, as joyful and sound tools. IOCOSE thinks about the streets, internet and word of mouth as a battlefield. Tactics such as mimesis and trickery are used to lead and delude the audience into a semantic pitfall. IOCOSE’s work has been shown internationally, such as at Jeu de Paume (Paris, France; 2011); Tate Modern (London, UK; 2011), Festival Nrmal, (Monterrey, Mexico; 2011); Furtherfield Gallery (London, UK; 2012); Venice Biennal (Italy; 2011), Macro (Rome, Italy; 2012); CLICK Festival (Helsingor, Denmark; 2013); Science gallery (Dublin, Ireland, 2012), http://www.iocose.org

T.A.J. RESIDENCY & SKE PROJECTS

T.A.J. RESIDENCY & SKE PROJECTS is a residency program established in 2013 as a collaborative project between a visual artist and a gallerist. Intended as an interdisciplinary residency, it has already hosted visual artists, curators, academics, scientists, fiction writers and journalists. There is always one visual artist in residence. The residency program is also open to applicants from the fields of architecture, design, music, film, performing arts and education, http://t-a-j.in

Marialaura Ghidini

Marialaura is a curator, researcher and writer. She is the founder director of or-bits.com since 2009. Currently she is AHRC-doctoral researcher with CRUMB (Curatorial Upstart Media Bliss) at the University of Sunderland. Based in London, UK, from Brescia, Italy. She can be contacted at mlghidini@gmail.com

For more details visit https://cis-india.org/internet-governance/events/iocose-talk-at-cis

Introduction: About the Privacy and Surveillance Roundtables

manoj — 2014-11-27T13:34:56Z

The Privacy and Surveillance Roundtables is a Centre for Internet and Society (CIS) initiative, in partnership with the Cellular Operators Association of India (COAI), as well as local partners. The Roundtable will be closed-door deliberation involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India.

The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The third Privacy and Surveillance Roundtable was held in New Delhi at the India International Centre by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and Vahura, legal Partner on the 1^st of September, 2014.

The aim of the discussion was to gain inputs on what would constitute an ideal surveillance regime in India working with theCIS Draft Privacy Protection Bill, the Report of the Group of Experts on Privacy prepared by the Justice Shah committee, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context: Privacy and Surveillance in India

The discussion began with the chair giving an overview of the legal framework that governs communications interception under Indian Law in the interest of the participants since many were there for the first time.

The legal system to govern the manner in which communications are intercepted in India are defined under three main acts

1. Interception of Telephonic Calls : The Telegraph Act 1885

2. Interception of Posts : The Indian Post Office Act,1898

3. Interception of Electronic communication like e-mails etc :The IT Act, 2000

While the interception of postal mail is governed by Section 26 of the Post Office Act, 1898, the interception of modern forms of communication that use electronic information and traffic data are governed under Sections 69 and 69B of the Information Technology Act, 2000, while interception of telephonic conversations are governed by section 5(2) of the Indian Telegraph Act 1885 and subsequent rules under section 419A.

The main discussion of the meeting revolved around the Telegraph Act since it is the main Act which covers the interception of telecommunications. In 1968 the 30th Law Commission Report studying Section 5(2) of this Act came to the conclusion that the standards in the Act may be unconstitutional given factors such as 'public emergency' & 'public safety' were too wide in nature and called for a relook at the provision.

Objective of Round Table Meetings

The objective of the round table meetings is to, be prepared with the proposals on the Privacy Bill which the new government intends to split into separate Bill for Surveillance and Data privacy. Thus these submissions once out in the public domain would further deliberate more discussion and shape the course of the Bill.

Discussion

Authorisation

The chair initiated the discussion continuing from the last meeting about the two models of authorisation for Interception 1. The Judiciary & 2. The Executive

The chair explained why the earlier proposed Judiciary based model, based on the efficient experience of separation of power, would not fit into the Indian context. The main reason for this being that the lower judiciary in India is not competent enough to take decisions of this nature. Providing examples, the chair explained how in many cases the lower Judiciary overlooks essential human rights in their decisions, and such rights are only addressed when the case is appealed in Higher courts. While participants felt that High Court judges would be favourable, it was expressed that the immense backlog at the High Court level and the lack of judges is a challenge and risks being inefficient. Thus an additional responsibility for the High Court would not be a feasible model. Furthermore, adopting a judicial based model would mean that the existing model of executive would need to be entirely replaced. Owing to these practical implementation issues consensus was built over adoption of the existing executive model, but with more safeguards.

Safeguards proposed:

1. A redressal tribunal: Establishing a tribunal for the redressal of interception complaints. The tribunal could be a non-active body. Such a model would be different from other models adopted around the world - for example e in UK a designated tribunal suo-motu reviews cases on a regular basis. The tribunal could also have judicial review authority, to which one of the participants raised an issue that the tribunals usually will not have the power of Judicial review, however the chair assured him that the delegation of Judicial review to a tribunal does exist in Indian law.

2. A review commission: Establishing a commission to review the interceptions carried out on the orders of home secretary. For such an overseeing body, the commissioner should be appointed independently. The commissioner must be a Judge or a senior Lawyer and should report to the Parliament.

Content data and Metadata

In the next session the chair explained the difference between content data and metadata while initiating discussion on provisions addressing them in the proposed Bill. Content data, also called as payload data, is the actual content of the communication which takes place between X and Y.

Example 1: In the VOIP call the voice is packetized and sent in different packets to the destination, the content of that packet is the content data whereas the information of this content i.e the header, footer and checksum of the packet is the metadata.

Example 2: In the serial communication of the normal phone call the content data will be what the communication happened between two or more people over the call and the metadata will be who were involved in the call, on what date and time the call was made from which place, and under which tower.

It was noted that generally it is easier to intercept metadata than content data. In the proposed bill, section 2 (C) refers to the definition of content data and section 2(E) to metadata.

Participants also pointed out that often it is with metadata that concerned governmental authorities are able to carry out tracking. Thus, when determining procedural safeguards for surveillance - and specifically for interception - the question of whether or not content data and meta data should be treated the same under law must be addressed. Participants suggested looking into German laws, which have procedure to deal with this question. Despite differences over the exact level of protection meta data should legally be afforded, participants agreed that a higher authority should be responsible for the interception, collection, and access to metadata and content data.

In India, because the existing legal framework in India has different standards for different modes of communication, it is proposed that a uniform legal framework be created by harmonizing the three Acts through amendments or overriding existing legislation regulating surveillance in India, and establishing a new framework under a Privacy legislation.

Big Data, Cloud & OTT

In this session a participant raised the issue of Big data and Cloud services, and asked whether the CIS Privacy Protection Bill or the draft Privacy Bill from the government addresses this issue. This question was of particular relevance because a number of the cloud data centres are located in locations outside India. Thus a question of jurisdiction arises. The participant opined that in the coming years and with the new government's vision to have space for every citizen in cloud and data localisation being priority, he stressed that the Bill should clearly address issues related to the cloud, big data, outsourcing, and questions of jurisdiction. Responding to this the chair was of the view that the crimes committed outside the territory of India come under Extra-territorial law, section 4 of IPC and Section 188 Cr. P.C. But it was noted that due to the fact that the crime is committed outside the territory of India, despite the provision, it is practically not implementable unless there is a contract between countries or a treaty signed. The solution could be data localisation, hosting the cloud servers in India, but that again has its own pros & cons. In response participants indicated that if a choice had to be made about data localization - the best option would be one that would be economical for Indian business and the government.

OTT (Over the Top) Services

Another participant brought to the notice of the meeting that most of the networks of service provider's are adopting IP (Internet Protocol). In the context of surveillance, this means that for an interception to take place, Deep Packet Inspection (DPI) must be adopted by service providers. This is currently placing a burden on service providers, as it is costly and the connection time of the calls for the number under surveillance increases - though not enough to be noticed by customers.

Telephone Tapping Process

In India the process of intercepting telephones can be broken down into the following three steps:

1. Authorization

a. The Home Secretary issues an authorization for an interception request.

b. The Authorization is handed over to Police Officer in charge of the investigation.

c. The Police Officer serves the order to the nodal officer in the relevant service provider.

2. The service provider conducts the interception.

3. The intercepted data is handed over to the Police officer.

Under Rule 419A, a committee to review the authorization exists, comprising of officials such as the Cabinet Secretary, Secretary of the Department of Telecommunications, Secretary of the Department of Law and Justice and the Secretary of Information Technology and Communication ministry at the Centre and the Chief Secretary, the Law Secretary and an officer not below the rank of a Principal secretary at the State level.

Since the current infrastructure of telecom and broadband is with private service providers, the government is dependent on service providers to carry out surveillance. As national security is a concern of the government and because in the past intercepted material has been leaked by various sources, the government has proposed to replace the existing system. In this regard the government has proposed to set up a Central Monitoring System (CMS) for the interception of voice and data communications.

It is proposed that the CMS infrastructure will be positioned at the service provider's facilities, and will allow governmental agencies to directly intercept traffic on the network of service providers - thus there would no longer be a need for the government to reply on service providers to carry out interception requests. During the meeting it was discussed how this system has pros & cons

Pros

1. For private companies it eliminates an entire level of compliance.

2. It will reduce the possibility of unlawful, extra legal, & fraudulent authorizations of interception requests.

3. The interception carried out would be maintained in a log, which would clearly recorded, making the interception process becomes accountable.

Cons

1. Even though the existing system gives room for leaks, ironically it is the only way through which a person who is tapped will come to know, hence accounting for some transparency eg: Nira Radia & Amar Singh phone Tap case.

2. CMS will be built upon an existing interception framework, which is not procedurally fair - because of issues such as Internal Authorization, Adhoc procedure, that it is not under the ambit of RTI etc. This will result in a system with no transparency and accountability.

To this last point the Chair noted that in 2011 there were 7.5 Lakh phone taps by a single agency which was reportedly illegal. In an attempt to minimize such brazen violations a Privacy Bill is mooted and the round table conference is a step towards making it possible.

Immunity to TSP's & ISP's

Participants also raised the issue of difficulties that TSPs face while engaged in the process of interception, as they are caught between the customers and government authorities and subjected to harassment sometimes. This places service providers in a position where they must often make a number of compromises as they are expected to store traffic data for a specified period of time, but sometimes a judge might ask for access to data that is dated past the specific retention period. In such a scenario, service providers must provide it by accessing backup data.

The question of who should be the custodian of intercepted data was raised by participants as well as who should be held accountable if intercepted data is leaked into the public domain. The chair responded that the officers investigating the case should be held accountable for the intercepted data. This would be analogous to the system under the Right to Information Act whereby the Information officer is named and held accountable for the data or information he provides. Similarly, for the case of intercepted material, an officer should be named and held accountable for the data and ensuring that it reaches those that it is legally intended to.

It was also expressed that a market regulator, responsible for the safeguarding the interest of communication service providers, could be appointed for handling the personal data. Such a role could be merged with the traditional role of a Data Protection Authority and could be the first step towards an information security and assurance regime.

Legal immunity given to service providers was also discussed, as there was a general concern about the position service providers find themselves in - being held legally liable for not complying with orders from the government and being taken to court by citizens.

Format of Interception Orders and Interception as a service

A question was also posed to participants about what information ideally - apart from the intended duration of the order - should be incorporated into interception orders. Participants suggested that the order should be as specific and precise as possible, which the existing format to a large extent confirms. On the topic, a participant noted that in some cases, despite DoPT guidelines, interception orders are issued in regional languages. This can pose as a problem as the nodal officer might not know the language, thus leading to possible ambiguity & misinterpretation of the order. Participants suggested that orders should be in English.

Participants also pointed out that in most European countries - like France and Italy - a fee for the compliance cost arising out of implementing an interception order is paid to service providers by the government. In India, huge costs are involved in carrying out interceptions which service providers presently have to bare. As law enforcement and security agencies ask for more and more accuracy in surveillance, the charges of carrying out surveillance. To address this, participants suggested that interception as a service should be accommodated in the proposed Bill.

Conclusion

The discussions in the Surveillance and Privacy Roundtable in New Delhi mainly revolved around the authorization model and the process of interception. Overall, participants agreed on an organised executive model with an established accountability and review system. Also discussed was how to ensure that service providers are legally protected from disproportionate and unwarranted penalties. Towards this, the interception process should be viewed as a service rather than an obligation.

For more details visit https://cis-india.org/internet-governance/blog/introduction-about-the-privacy-and-surveillance-roundtables

Security and Surveillance: A public discussion on Optimizing Security while Safeguarding Human Rights

praskrishna — 2014-12-19T08:46:34Z

The Centre for Internet and Society (CIS) invites you to a public discussion on optimizing security and safeguarding human rights at its Bangalore office on Friday, December 19th, 2014, 16:00 to 18:00.

The Centre for Internet and Society, in collaboration with Privacy International UK, has undertaken exploratory research into surveillance, security, and the security market in India.

Through this research, we hope to understand and document policy and law associated with security, surveillance, and the security market in India and learn about the regulation of security and related technologies such as encryption, filtering, monitoring software, and interception equipment. We also hope to understand the import and export policy regime for dual use technologies.

Such findings will be critical in creating evidence based research to inform security policy and regulation in India and work towards enabling regulatory frameworks that optimize the nation’s security while protecting the rights of citizens.

For more details visit https://cis-india.org/internet-governance/events/security-and-surveillance-optimizing-security-human-rights

A Study of the Privacy Policies of Indian Service Providers and the 43A Rules

elonnai — 2015-01-13T02:37:31Z

Written by Prachi Arya and Kartik Chawla
Edited by: Vipul Kharbanda, Elonnai Hickok, Anandini Rathore, and Mukta Batra

Click to download the PDF

Contents
Executive Summary
Introduction
Objective, Methodology, and Scope of the Study
Objective of Research
Methodology
Scope
Criteria for selection of companies being studied
Overview of Company Privacy Policy and Survey Results
Vodafone
Tata Teleservices Limited
Airtel
Aircel
Atria Convergence Technologies
Observations
International Best Practices
Australia
European Union
Recommendations
Annexure 1
Annexure 2

Executive Summary

India has one of the largest telecom subscriber base in the world, currently estimated at 898 Million users.^{^[1]} With over 164.8 Million people accessing the internet ^{^[2]} in the subcontinent as well, technology has concurrently improved to facilitate such access on mobile devices. In fact, the high penetration rate of the internet in the market can be largely attributed to mobile phones, via which over 80% of the Indian population access the medium.^{^[3]}

While this is a positive change, concerns now loom over the expansive access that service providers have to the information of their subscribers. For the subscriber, a company's commitment to protect user information is most clearly defined via a privacy policy. Data protection in India is broadly governed by Rules notified under Section 43A of the Information Technology Act 2000.^{^[4]} Amongst other things, the Rules define requirements and safeguards that every Body Corporate is legally required to incorporate into a privacy policy.

The objective of this research is to understand what standards of protection service providers in India are committing to via organizational privacy policies. Furthermore, the research seeks to understand if the standards committed to via organizational privacy policies align with the safeguards mandated in the 43A Rules. Towards this, the research reviews the publicly available privacy policies from seven different service providers - Airtel, Aircel, Vodafone, MTNL, BSNL, ACT, and Tata Teleservices.

The research finds that only Airtel, Vodafone, and Tata Teleservices fully incorporate the safeguards defined in the 43A Rules. Aircel, and ACT incorporate a number of such safeguards though not all. On the other hand BSNL minimally incorporates the safeguards, while MTNL does not provide a privacy policy that is publicly available.

Introduction

The Indian Telecom Services Performance Indicators report by the Telecom Regulatory Authority of India (TRAI) ^{^[5]} pegs the total number of internet subscribers in India at 164.81 million and the total number of telecom subscribers at 898.02 million, as of March 2013. As mobile phones are adopted more widely, by both rural and urban populations, there is an amalgamation of telecommunications and internet users. Thus, in India, seven out of eight internet users gain access through mobiles phones. ^{^[6]}

Though this rapid evolution of technology allows greater ease of access to digital communication, it also has led to an increase in the amount of personal information that is shared on the internet. Subsequently, a number of privacy concerns have been raised with respect to how service providers handle and protect and customer data as companies rely on this data not only to provide products and services, but also as a profitable commodity in and of itself. Individuals are thus forced to confront the possible violation of their personal information, which is collected as a quid pro quo by service providers for access to their services and products. In this context, protection of personal information, or data protection, is a core principle of the right to privacy.

In India, the right to privacy has been developed in a piecemeal manner through judicial intervention, and is recognized, to a limited extent, as falling under the larger ambit of the fundamental rights enshrined under Part III of the Constitution of India, specifically those under Article 21. ^{^[7]} In contrast, historically in India there has been limited legislative interest expressed by the Government and the citizens towards establishing a statutory and comprehensive privacy regime. Following this trend, the Information Technology Act, 2000 (IT Act), as amended in 2008, provided for a limited data protection regime.

However, this changed in 2010 when, concerned about India's robust growth in the fields of IT industry and outsourcing business, an 'adequacy assessment' was commissioned by the European Union (EU), at the behest of India, which found that India did not have adequate personal data protection regime. ^{^[8]} The main Indian legislation on the personal data security is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), enacted under Section 43A of the IT Act, which extends the civil remedy by way of compensation in case wrongful loss or gain under Section 43A to cases where such loss or gain results from inadequate security practices and procedures while dealing with sensitive personal data or information. In 2012, the Justice AP Shah group of Experts was set up to review and comment on Privacy,^{^[9]} for the purpose of making recommendations which the government may consider while formulating the proposed framework for the Privacy Act.

Objective, Methodology, and Scope of the Study

Objective of Research

This research aims to analyse the Privacy Policies of the selected Telecommunications (TSP) and Internet Service Providers (ISP) (collectively referred to as 'service providers' for the purposes of this research) in the context of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ('Rules') in order to gain perspective on the extent to which the privacy policies of different types of service providers in India, align with the Rules. Lastly, this research seeks to provide broad recommendations about changes that could be incorporated to harmonize the respective policies and to bring them in line with the aforementioned Rules.

Methodology

The Privacy Policies^{^[10]} of seven identified service providers are sought to be compared vis-a-vis - the requirements under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, (Rules) as notified by way of section 87(2) (ob) read with section 43A of the Information Technology Act, 2000.

Specifically, the Privacy Policies of each of the selected companies are compared against a template that is based on of the essential principles of the Rules respectively, and consists of a series of yes or no questions which are answered on the basis of the respective Privacy Policy. These responses are meant to fulfil the first aim of this research, i.e., provide a perspective into the extent to which these companies follow the Rules and the Principles, and thus the extent to which they respect the privacy of their customers. See Annex 1 for the survey template and the interpretation of the 43A Rules for the development of the survey.

Scope

Criteria for selection of companies being studied

For the purpose of the study the companies selected are limited to service providers - including Telecommunication Service Providers and Internet Service Providers. Four broad categories of companies have been selected, namely (i) State Owned Companies, (ii) Multinational Companies, (iii) Joint Venture companies where one party is an Indian company and the other party is a foreign based company and (iv) Domestic companies which have a localized user base. The companies have been selected on this basis of categorization to better understand if the quality of their respective privacy policies is determined by their market reach and user base.

The privacy policies of the following service providers have been analyzed:

1. State Owned Companies^{^[11]}

a. BSNL^{^[12]}: Bharat Sanchar Nigam Limited, better known as BSNL, is a state-owned telecommunications company that was incorporated by the Indian government in the year 2000, taking over the functions of Central Government departments of Telecommunications Services (DTS) and Telecom Operations (DTO). It provides, inter alia, landline, mobile, and broadband services, and is India's oldest and largest communication services provider. ^{^[13]} It had a monopoly in India except for Mumbai and New Delhi till 1992.

b. MTNL^{^[14]}: Mahanagar Telephone Nigam Limited is a state-owned telecommunications company which provides its services in Mumbai and New-Delhi in India, and Mauritius in Africa. It was set up by the Indian Government in the year 1986, and just like BSNL, it had a monopoly in the sector till 1992, when it was opened up to other competitors by the Indian government. It provides, inter alia, Telephone, Mobile, 3G, and Broadband services. ^{^[15]}

2. Multinational Companies

a. Bharti Airtel Ltd:^{^[16]} Bharti Airtel, more commonly referred to as Airtel, is the largest provider of mobile telephony and the second largest provider of fixed telephony in India. Its origins lie in the Bharti Group founded by Sunil Bharti Mittal in 1983, and the Bharti Telecom Group which was incorporated in 1986. It is a multinational company, providing services in South Asia, Africa, and the Channel Islands. Among other services, it offers fixed line, cellular, and broadband services. ^{^[17]} The company also owns a submarine cable landing station in Chennai, connecting Chennai and Singapore.[18]

b. Vodafone^{^[19]}: Vodafone is a British multinational telecom company. Its origins lie in the establishment of Racal Telecom in 1982 which then became Racal Vodafone in 1984, which was a joint venture between Racal, Vodafone and Hambros Technology Trust. Racal Telecom was demerged from Racal Electronics in 1991, and became the Vodafone group. ^{^[20]} The Vodafone group started its operations in India with its predecessor Hutchison Telecom, which was a joint venture of Hutchison Whampoa and the Max Group, acquiring the cellular license for Mumbai in 1994^{^[21]}, and it bought out Essar's share in the same in the year 2007.^{^[22]} As of today, it has the second largest subscriber base in India. After Airtel, ^{^[23]} Vodafone is the largest provider of telecommunications and mobile internet services in India.^{^[24]}

3. Joint Ventures

a. Tata Teleservices^{^[25]} - Incorporated in 1996, Tata Teleservices Limited is an Indian telecommunications and broadband company, the origins of which lie in the Tata Group. A twenty-six percent equity stake was acquired by the Japanese company NTT Docomo in Tata Docomo, a subsidiary of Tata Teleservices, in 2008. ^{^[26]} Tata Teleservices provides services under three brand names, Tata DoCoMo, Virgin Mobile, and T24 Mobile. As a whole, these brands under the head of Tata Teleservices provide cellular and mobile internet services, with the exception of the Tata Sky teleservices brand, which is a joint venture between and Tata Group and Sky. ^{^[27]}

b. Aircel^{^[28]}: Aircel is an Indian mobile headquarter, which was started in Tamil Nadu in the year 1999, and has now expanded to Tamil Nadu, Assam, North-east India and Chennai. It was acquired by Maxis Communication Berhard in the year 2006, and is currently a joint venture with Sindya Securities & Investments Pvt. Ltd. ^{^[29]} Aircel provides telecommunications and mobile internet services in the aforementioned regions.

4. India based Companies/Domestic Companies -

a. Atria Convergence Technologies (ACT)^{^[30]}: Atria Convergence Technologies Pvt. Ltd is an Indian cable television and broadband services company. Funded by the India Value Fund Advisor (IVFA), it is centered in Bangalore, but also provides services in Karnataka, Andhra Pradesh, and Madhya Pradesh.

Overview of Company Privacy Policy and Survey Results

This section lays out the ways in which each company's privacy policy aligns with the Rules found under section 43A of the Information Technology Act. The section is organized based on company and provides both a table with the survey questions and yes/no/partial ratings and summaries of each policy. The rationale and supporting documentation for each determination can be found in Annexure 2.

VODAFONE[31]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of publicly available documents of the body corporate that collect personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Vodafone

Vodafone's privacy policy partially incorporates the safeguards found in the Rules under 43A.

Vodafone's privacy policy is accessible online, however, it does not include a copy of its policy with a customer application form. The policy merely lists the type of information collected with no categorization as to SPD/I. The information collected includes contact information, location based information, browsing activity and persistent cookies.

There is no provision for consent or choice within the policy. Disclosure of personal information to third parties extends to Vodafone's group companies, companies that provide services to Vodafone, credit reference agencies and directories.

The policy mentions an email address for grievance redressal. In addition, the policy does not lay down any mechanism for correcting personal information that is held with Vodafone.

Vodafone has a non-exhaustive list of purposes of information usage, though these primarily relate to subscriber services, personnel training, and legal or regulatory requirements.

With regard to security practices, Vodafone follows the ISO 27001 Certification as per its 2012 Sustainability Report, however this goes unmentioned under its privacy policy

Tata Teleservices Limited[32]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Yes
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Yes
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	No
Whether the privacy policy provides the contact information of the grievance officer?	No
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Tata Teleservices Limited

Tata Teleservices Limited's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

The Tata Teleservices Limited privacy policy is accessible on their website, though when applying for a subscription, the terms and conditions do not include the privacy policy. The privacy policy is easy to understand although there are several elements of the 2011 Rules that are unaddressed.

The policy does not make any distinction regarding sensitive personal data or information. As per the policy, TTL collects contact and billing information, information about the equipment the subscriber is using, and information and website usage from its customers.

The purposes of information collection are broadly for managing customer services and providing customized advertising. Information is also collected for security issues, illegal acts and acts that are violative of TTL's policy. TTL's directory services use a customer's name, address and phone number, however a customer may ask for his/her information to not be published on payment of a fee.

As per the policy, the disclosure of information to third parties is limited to purposes such as identity verification, bill payments, prevention of identity theft and the performance of TTL's services. Third parties are meant to follow the guidelines of TTL's privacy policy in the protection of its user information. The consent of subscribers is only required when third parties may use personal information for marketing purposes. Consent is precluded under the previous conditions. Disclosure of information to governmental agencies and credit bureaus is for complying with legally authorised requests such as subpoenas, court orders and the enforcement of certain rights or claims. The policy provides for a grievance officer and in addition, TTL, has a separate Appellate Authority to deal with consumer complaints.

TTL does not follow any particular security standard for the protection of subscriber information, however, it establishes other measures such as limited access to employees, and encryption and other security controls. Although TTL Maharashtra follows the ISO 27001 ISMS Certification, TTL does not seem to follow a security standard for data protection for other regions of its operations.

Airtel[33]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	Yes
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Yes
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Yes
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	Yes
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	Yes
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the name and contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties?	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Airtel

Airtel's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

Airtel's privacy policy incorporates a number of the requirements stipulated in the Rules. Airtel's privacy policy is easily accessible on its website and is clear and easy to understand. The policy defines sensitive personal information, and states that information collected will be used for specified regulatory and business purposes, though it adds that it may be used for other purposes as well. The policy does allow for the withdrawal of consent for providing information, in which case, certain services may be withheld. In addition, Airtel has provided for a grievance officer and abides by the IS/ISO/IEC 27001 security standards. While Airtel allows for the disclosure of information including sensitive personal information to third parties, its policy states that such third parties will follow reasonable security practices in this regard. Concerning disclosure to the government, Airtel shares user information only when it is legally authorised by a government agency. Airtel's policy also provides for an opt-out provision. Such choice remains after subscription of Airtel's services as well. However, withdrawal of consent gives Airtel the right to withdraw its services as well. In terms of disclosure, sharing of user information with third parties is regulated by its Airtel's guidelines on the secrecy of information.

While Airtel lists the purposes for information collection, it states that such collection may not be limited to these purposes alone. In addition, the policy states that user's personal information will be deleted, although it does not state when this will happen. Thus, the policy could be more transparent and specific on matters of regarding the purpose of collection of information as well as deletion of information.

Aircel[34]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	no
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	Yes
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	Yes
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Partially
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Partially
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Partially
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	Yes

Aircel

Aircel's Privacy Policy partially complies with the safeguards in the Rules under 43A.

Aircel's privacy policy is accessible online through its website, though it is not included under the terms and conditions of its customer application. The privacy policy lists the kinds of information that is collected from subscribers, including relevant contact details, call records, browsing history, cookies, web beacons, server log files and location details. The policy does not demarcate information into SPD/I or personal information. Aircel provides subscribers with the right to withdraw consent from the provision of information before and after subscribing, while reserving the right to withdraw its services in this regard. The policy provides the name and contact details of a grievance officer.

In the privacy policy, the stated purposes for use of subscriber information is limited to customer services, credit requirements, market analyses, legal and regulatory requirements, and directory services by Aircel or an authorised third party.

In the policy, the provision on disclosure to governmental agencies is vague and does not mention the circumstances under which personal information would be disclosed to law enforcement. The policy provides for correction of information of a subscriber in case of error and deletion after the purpose of the information is served but does not specify when. Although Aircel follows the ISO 27001 standard, it does not mention this under its policy. It does however, provide for accountability in cases of breach or privacy.

Atria Convergence Technologies[35]: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	Yes
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	information not available
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	Partially
Whether the privacy policy explicitly specifies the type of SPD/I being collected?	Partially
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	No
Whether the privacy policy provides the contact information of the grievance officer?	No
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Yes
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Partially
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	No

Atria Convergence Technologies

Though Atria Convergence Technologies provides a privacy policy on its website, it does not broadly incorporate the safeguards in the Rules under 43A. ACT's privacy policy is easily accessible online and is easy to understand as well. The information collected from subscribers is limited to contact details along with information on whether a subscriber has transacted with any of ACT's business partners. Though the privacy policies refers to disclosing information for the purpose of assisting with investigating, preventing, or take action on illegal behaviour - there is no specific provision concerning disclosure to government and regulatory agencies. The policy does not provide information on any security practices and procedures followed. Provisions for withdrawal of consent or correction of personal information are absent from the policy as well.

BSNL: 43A Rules Survey
Criteria	Yes/No
Clear and Accessible statements of its practices and policies
Whether the privacy policy is accessible through the main website of the body corporate?	No
Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?	No
Whether the privacy policy can be comprehended by persons without legal knowledge?	Yes
Collection of personal or sensitive personal data/information
Type
Whether the privacy policy mentions all categories of personal information including SPD/I being collected?	No
Whether the privacy policy explicitly states that it is collecting SPD/I?	No
Option
Whether the Privacy Policy specifies that the user has the option to not provide information?	No
Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?	No
Grievance Officer
Whether the privacy policy mentions the existence of a grievance officer?	Yes
Whether the privacy policy provides the contact information of the grievance officer?	Yes
Purpose of Collection and usage of information
Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?	Partially
Disclosure of Information
Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties	Yes
Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?	Yes
Reasonable Security practices and procedures
Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?	No

BSNL

BSNL's Privacy Policy broadly does not incorporate the safeguards in the Rules under 43A .

BSNL's privacy is accessible online, though not on the website, and is easy to understand. The policy does not however, categorize SPD/I but defines personal information vaguely as information that helps BSNL identify its customers. As per its policy, subscriber information is used for subscriber services such as identification, assistance etc., credit-worthiness and marketing communications. The policy does not contain any provision on consent and with respect to marketing communications and a customer implicitly agrees to third party usage of personal information. Third parties under the policy are those that provide services on behalf of BSNL, which extend mailing and billing services and market research services.

As per its policy, BSNL may disclose personal information on the basis of legal requirements to credit organisations, BSNL's consultants, government agencies.

With respect to access and correction, BSNL reserves the right to modify its privacy policy without notice to its customers. What is presumably a grievance officer email address has been provided for queries and corrections on personal information, however no further contact details are given.

MTNL

MTNL does not provide a publicly available Privacy Policy.

Observations

This section highlights key trends observed across the privacy policies studied in this research by contrasting the applicable Rule against the applicable provision in the policy.

1. Access and Location of Privacy Policy

Applicable Rule and Principle: According to Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, a Body Corporate must provide a privacy policy on their website. Under Rule 5, all bodies corporate have to convey the purpose(s) for which SPD/I are collected prior to the collection and they can, under certain circumstances, move forward with the collection regardless of consent. While this does not entirely violate the Notice Principle of the National Privacy Principles, it does not meet the rather higher standards of the Principle, which recommends that notice must be provided prior to any form of collection of personal information. In addition, the Rules do not contain provisions regulating bodies corporate, regarding changes to their privacy policies.^{^[36]}

Observation : In the survey, it was found that the location and accessibility of a service provider's privacy policy varied. For example:

a. Privacy Policy on main website: Airtel, Aircel, and Vodafone provide a privacy policy that is accessible through the main website of each respective company.

b. Privacy Policy not on website : MTNL does not provide a Privacy Policy on the main website of each of its respective branches across India.

c. Privacy Policy not accessible through main website : TTL and BSNL have a Privacy Policy, but it is not accessible through the main website. For example, The Privacy Policy found on TTL's website is only accessible through the "terms and services" link on the homepage. Similarly, the BSNL privacy policy can only be found through its portal website. ^{^[37]}

d. Privacy Policy not included in Customer Application form : Almost all of the Service Providers do not include/refer to their Privacy Policy in the Customer Application Form, and some do not display their privacy policy or a link to it on its website's homepage. For example, Airtel is the only Service Provider that refers to their privacy policy in the Customer Application Form for an Airtel service.

e. Collection of personal information before Privacy Policy: In some cases it appears that service providers collect private information before the privacy policy is made accessible to the user. For example, before the homepage of ACT's website is shown, a smaller window appears with a form asking for personal information such as name, mobile and email Id. Although the submission of this information is not mandatory, there is no link provided to the privacy policy at this level of collection of information.

2. Sharing of information with Government

Applicable Rule and Principle: Rule 6, specifically the proviso to Rule 6, and the Disclosure of Information Principle respectively govern the disclosure of information to third parties. Yet, while the proviso to Rule 6 directly concerns the power of the government to access information with or without consent for investigative purposes, the Disclosure of Information Principle only says that disclosure for law enforcement purposes should be in accordance with the laws currently in force.

Observation : Though all service providers did include statements addressing the potential of sharing information with law enforcement or governmental agencies, how this was communicated varied. For example:

a.) Listing circumstances for disclosure to law enforcement : The Privacy Policy of ACT states "We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person". ^{^[38]} The Privacy Policy of Airtel on the other hand states "Government Agencies: We may also share your personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences." ^{^[39]} Lastly, TTL states " To investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person" or "To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay". ^{^[40]}

b.) Listing authorities to whom information will be disclosed to : The privacy policy of Aircel states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to: …8. Persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services".^{^[41]} Similarly, Vodafone states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services and any person or organisation as authorised by laws and regulations applicable in India." ^{^[42]} While BSNL states "Apart from the above, BSNL may divulge your personal information to: Government bodies, Regulatory Authorities, and other organizations in accordance with the law or as authorised by law…".^{^[43]}

3. Readability of Privacy Policies

Applicable Rule and Principle : In subsection (i) of Rule 4 body corporate must provide a privacy policy that is "clear and accessible". Similarly, the Notice Principle requires that the data controller give a " simple-to-understand notice of its information practices to all individuals, in clear and concise language".

Observation : It was found that, particularly with respect to clauses on the collection and disclosure of information, most Privacy Policies use:

a. Vague terminology: For example, in the Privacy Policy of ACT, it states as a purpose of collection "conduct research" while for the collection and disclosure of information it states ,"The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you." ^{^[44]} Similarly, with regards to the collection of information, Vodafone's Privacy Policy states that it may collect "any other information collected in relation to your use of our products and services". ^{^[45]}

b. Undefined terminology: On disclosure of information TTL's privacy policy states disclosure is "Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI)" ^{^[46]} Confusingly, although TTL defines CPNI it does not mention what legal restriction it is referring to, and CPNI is in fact an American term and similar legal restrictions could not be found in India.

4. Information about security practices

Applicable Rule and Principle: The parameter for 'reasonable security practices and procedures' has been detailed comprehensively under Rule 8 of the Rules. The same is also covered in detail under the Openness Principle read with Security Principle. While the Security Principle recommends that the data controller protect the information they collect through reasonable security safeguards, the Openness Principle recommends that information regarding these should be made available to all individuals in clear and plain language.

Observation : With the exception of Airtel, no service provider has comprehensively followed the legal requirements for the purpose of their privacy policy. Thus, while most service providers do mention security practices, many do not provide specific or comprehensive details about their security practices and procedures for data protection, and instead assure users that 'reasonable security' procedures are in place. For example:

a. Comprehensive information about security practices in privacy policy: Airtel and Aircel have provided comprehensive information about their security practices in the companies Privacy Policy.

b. Information about security practice, but not in privacy policy: Vodafone has specified its security standards only in its latest 'Sustainability Report' available on its website. In the case of TTL, the specific security standard it follows is available only for its Maharashtra branch (TTLM) through its annual report.

c. Broad reference to security practices: Many service providers broadly reference security practices, but do not provide specifics. For example, TTL states only "we have implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL." ^{^[47]}

d. No information about security practices: Some service providers do not mention any details about their security practices and procedures, or whether they even follow any security practices and procedures or not. An example of this would be ACT, which does not mention any security practices or procedures in its Policy.

5. Grievance mechanisms

Applicable Rule and Principle: Rule 5 of the Rules mandates that applicable bodies corporate must designate a 'Grievance Officer' for redressing grievances of users regarding processing of their personal information, and the same is also recommended by the Ninth Principle, i.e., Accountability.

Observation : It was found that adherence with this requirement varied depending on service provider. For example:

a. No Grievance Officer: ACT and MTNL do not provide details of a grievance officer on their websites.

b. Grievance Officer, but no process details: Airtel, TTL, and Vodafone provide details of the Grievance Officer, but no further information about the grievance process is provided.

c. Grievance Officer and details of process: Aircel provides details of the grievance officer and grievance process.

As a note: All service providers with the exception of ACT have a general grievance redressal mechanism in place as documented on TRAI's website. ^{^[48]} It is unclear whether these mechanisms are functional, and furthermore it is also unclear if these mechanisms can be used for complaints under the IT Act or the Rules, or complaints on the basis of the Principles. It should be further noted that the multiplicity of grievance redressal officers is a cause for concern, as it may lead to confusion.

6. Consent Mechanism

Applicable Rule and Principle : Rules 5 and 6 of the Rules^{^[49]} on Collection and Disclosure of information, respectively, require applicable bodies corporate to obtain consent/permission before collecting and disclosing personal information. The Choice and Consent Principle of the National Privacy Principles, as enumerated in the A.P. Shah Report, deals exclusively with choice and consent. ^{^[50]} Withdrawal of consent is an important facet of the choice and consent principle as evidenced by the Rules^{^[51]} and the National Privacy Principles ^{^[52]}.

Observation: Methods of obtaining consent and for what consent was obtained for varied across service providers. For example:

a. Obtaining consent: Some service providers give data subjects with the choice of submitting their personal information (with some exceptions such as for legal requirements) and obtaining their consent for its collection and processing. For example, the policies of Airtel, Aircel, and TTL are the only ones which provide information on the mechanisms used to obtain consent. ACT provides for targeted advertisements based on the personal information of the user. The viewing or interaction of the user of such targeted advertisements is however, considered an affirmation to this third party source, that the user is the targeted criteria. Thus, there appears to be lack of consent in this regard.

b. No Consent or choice offered: Some service providers do not mention consent. For example, Vodafone, and BSNL do not make any mention of choice or consent in their respective privacy policies.

c. Consent for limited circumstances: Some service providers only provide consent in limited circumstances. For example, ACT mentions consent only in relation to targeted advertising. However, this information is potentially misleading, as discussed earlier in the survey.

There is also a certain degree of assumption in all the policies regarding consent, as noted in the survey. Thus, if you employ the services of the company in question, you are implicitly agreeing to their terms even if you have not actually been notified of them. And the vague terminology used by most of the policies leaves quite a lot of wiggle room for the companies in question, allowing them to thereby collect more information than the data subject has been notified of without obtaining his or her consent.

7. Transparency mechanism :

Applicable Rule and Principle: The Openness Principle specifically recommends transparency in all activities of the data controller. ^{^[53]} The Rules provide a limited transparency mechanism under Rule 8 which require bodies corporate to document their security practices and procedures and Rule 4 which requires them to provide such information via a privacy policy. As a note, these fall short of the level of 'transparency' espoused by the Openness Principle of the National Privacy Principles.

Observation: All service providers fail in implementing adequate mechanisms for transparency.

8. Scope :

Applicable Rule and Principle : Though the Openness Principle does not directly speak of the scope of the policies in question, it implies that policies regarding all data collection or processing should be made publically available. The same is also necessary under Rule 4, which mandates that any body corporate which " collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. "

Observation : Though most of the companies mention the scope of their Privacy Policy and include the information collected through the websites, WAP Services, and use of the company's products and services, some companies do not do so. For instance, the scope of the policy is given rather vaguely in the Airtel's Policy, and the scope of ACT's policy is restricted to the information collected during the usage of their products and services, and not their website. BSNL's privacy policy is worrisome as it seems to restrict its scope to the information collected through the website only, but does not at the same time state that it does not apply to other methods of data collection and processing.

International Best Practices

Canada

The privacy regulation regime in Canada is a mixture of the federal regulations and the provincial regulations. Of the former, the Privacy Act is applicable to the public sector, while the Personal Information Protection and Electronic Documents Act ('PIPEDA') applies to the private sector. There are also federal level sectoral regulations, of which the Telecommunications Act is relevant here. The PIPEDA covers the activities of all businesses and federally regulated industries regarding their collection, use, disclosure, safeguarding and provision of access to their customers' personal information. Further, in 2009, the Canadian Radio-television and Telecommunications Commission ('CRTC'), by virtue of the 'Telecom Regulatory Policy CRTC 2009-657' ^{^[54]} made ISPs subject to privacy standards higher than the standards given under the PIPEDA, while at the same time allowing them to use Internet Traffic Management Practices ('ITMPs'). ^{^[55]}

The 2009 policy is progressive as it balances the economic needs of Internet Traffic Management Providers vis-à-vis the privacy concerns of consumers. The need to identify ITMP's is integral in the protection of online privacy, as ITMP's most commonly employ methods such as deep packet inspection which can be used to burrow into personal information of consumers as well.

Recognising that this may not be the current practice, but a possibility in the future, the policy makes certain guidelines for ITMPs. It permits ITMP's that block bad traffic such as spam and malicious software. Nearly all other ITMPs however, require the prior notice of 30 days or more before initialising the ITMP.^{^[56]}

ITMP's are to be used only for the defined need of the ISP and not beyond this, and must not be used for behavioural advertising. Secondary ISPs in their contracts with Primary ISPs must agree to the same duties of the latter, that is the personal information entrusted to them is meant for its purpose alone and is not to be disclosed further.

Australia

The central privacy regulation in Australia is the Privacy Act, 1988. The Act defines two sets of privacy principles, the Information Privacy Principles which apply to the public sector, and the National Privacy Principles which apply to the private sector.^{^[57]} These principles govern the following: collection,^{^[58]} use and disclosure,^{^[59]} data quality,^{^[60]} security,^{^[61]} openness,^{^[62]} access and correction,^{^[63]} identifiers,^{^[64]} anonymity,^{^[65]} trans-border data flows,^{^[66]} and sensitive information. ^{^[67]}

The Telecommunications Act, 1997, is also relevant here, as it also governs the use or disclosure of information by telecommunication services providers, ^{^[68]} but such information is only protected by the Telecommunications Act if it comes to a person's knowledge or possession in certain circumstances. An example of this is Section 276 of the same, which providers that the information protected by that section will be protected only if the person collecting the information is a current or former carrier, carriages service provider or telecommunications contractor, in connection with the person's business as such a carrier, provider or contractor; or if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.

European Union

The most important source of law in the European Union ('EU') regarding Data Privacy in general is the Data Protection Directive ('Directive'). ^{^[69]} The Directive has a broad ambit, covering all forms of personal data collection and processing, and mandating that such collection or processing follow the Data Protection Principles it sets out.^{^[70]} The Directive differentiates between Personal Data and Sensitive Personal Data, ^{^[71]} with the collection and processing of the latter being subject to more stringent rules. The telecommunications service providers and internet service providers are included in the definition of 'Controller' as set out in the Directive, and are hence subject to the regulations enforced by the member states of the EU under the same. ^{^[72]} The Directive will soon be superseded by the General Data Protection directive, which is scheduled to come into force in late 2014, with a two-year transition period after that. ^{^[73]}

In addition to the above, ISPs are also subject to the Directive on Privacy and Electronic Communications^{^[74]} and the Data Retention Directive. ^{^[75]} The Directive on Privacy and Electronic Communications ('E-Privacy Directive') sets out rules regarding processing security, confidentiality of communications, data retention, unsolicited communications, cookies, and a system of penalties set up by the member states under the title of 'Control'. The E-Privacy Directive supplements the original Data Privacy Directive, and replaces a 1997 Telecommunications Privacy directive. The Data Retention Directive does not directly concern the collection and processing of data by a service provider, but only concerns itself with the retention of collected data. It was an amendment to the E-Privacy Directive, which required the member states to store the telecommunications data of their citizens for six to twenty-four months, and give police and security agencies access to details such as IP addresses and time of use of e-mails.

The established practices considered above have the following principles, relevant to the study at hand, in common:

1. Notice

2. Collection Limitation

3. Use Limitation

4. Access and Corrections

5. Security

6. Data Quality and Accuracy

7. Consent

8. Transparency

And the following principles are common between two of the three regimes discussed above:

1. The PIPEDA and the Privacy Act both mention rules regarding Disclosure of collecting information, but the Data Protection Directive does not directly govern disclosure of collected information.

2. The Principles of Accountability is covered by the Data Protection Directive and the PIPEDA, but is not directly dealt with by the Privacy Act

3. The PIPEDA and the Data Protection Directive directly mention the principle of Enforcement, but it is not directly covered by the Privacy Act.

Recommendations

Broadly, service providers across India could take cognizance of the following recommendations to ensure alignment with the Rules found under section 43A and to maximize the amount of protection afforded to customer data.

1. Access and location of privacy policy: Service providers should ensure that the privacy policy is easily accessible through the main page of the company's website. Furthermore, the Privacy Policy should be accessible to users prior to the collection of personal information. All 'User Agreement' forms should include a written Privacy Policy or a reference to the Privacy Policy on the service provider's website.

2. Scope of privacy policy: The privacy policy should address all practices and services offered by the service provider. If a service requires a different or additional privacy policy, a link to the same should be included in the privacy policy on the main website of the service provider.

3. Defining consent: The Privacy Policy should clearly define what constitutes 'consent'. If the form of consent changes for different types of service, this should be clearly indicated.

4. Clear language: The language in the Privacy Policy should be clear and specific, leaving no doubt or ambiguity with regards to the provisions.

5. Transparent security practices: The Privacy Policy should include comprehensive information about a company's security practices should be included in the Privacy Policy. Information pertaining to audits of these procedures should be made public.

6. Defined and specified third parties: The Privacy Policy should define 'third party' as it pertains to the company's practices and specify which third parties information will be shared with.

7. Comprehensive grievance mechanism: The Privacy Policy should include relevant details for users to easily use established grievance mechanisms. This includes contact details of the grievance officers, procedure of submitting a grievance, expected response of the grievance officer (recognition of the grievance, time period for resolution etc.), and method of appealing decision of the grievance officer.

8. Specify laws governing disclosure to governmental agencies and law enforcement: The Privacy Policy should specify under what laws and service providers are required disclose personal information to.

9. Inclusion of data retention practices: The Privacy Policy should include provisions defining the retention practices of the company.

Annexure 1

Explanation and Interpretation of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Section 43A under the Information Technology Act 2000 addresses the protection of sensitive personal data or information and the implementation of an information security management system, and the Rules framed under section 43A attempt establish a holistic data security regime for the private sector.

The following section is a description of the requirements found under section 43A and subsequent Rules with respect to information that must be included in the privacy policy of a 'body corporate' and procedures that must be followed by 'body corporate' with respect to the publishing and notice of a privacy policy. This section also includes an explanation of how each relevant provision has been interpreted for the purpose of this research.

Relevant provisions that pertain to the privacy policy of body corporate

Rule 3: This section defines the term 'Sensitive Personal Data or Information', setting out the six types of information that are considered 'sensitive personal data' including:

i. Password - Defined under the Rules as "a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information"^{^[76]}.

ii. Financial information - "such as Bank account or credit card or debit card or other payment instrument details" ^{^[77]}

iii. Physical, physiological and mental health condition

iv. Sexual orientation

v. Medical records and history

vi. Biometric information

The two other broad categories of Sensitive Personal Data or Information that are included in the Rule are - any related details provided to the body corporate, and any information received by the body corporate in relation to the categories listed above. ^{^[78]}

The proviso to this section excludes any information available in the public domain or which may be provided under the Right to Information Act, 2005 from the ambit of SPD/I.

Under the Rules, Sensitive Personal Data is considered to be a subset of Personal Information - which has been defined by Section 2 (1) (i) as " any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person "^{^[79]}

Interpretation: While the Rules are clearly limited to personal and sensitive personal data or information, the use of these terms throughout the Rules is not consistent. For example, some provisions under the Rules ambiguously use the term 'information' in place of the terms 'personal information' and/or 'sensitive personal information'.^{^[80]} While 'information' has been defined non-exhaustively as any 'data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated microfiche' in the Act, this definition appears to be overbroad and cannot be applied in that form for the purpose of provisions on privacy policy. ^{^[81]} Hence, 'information', when used in the Rules, is construed to mean 'personal information' including 'sensitive personal information' for the purpose of this survey.

As per Rule 3, information in the public domain isn't classified as sensitive personal data. This exception may require a relook considering that 'providers' of information' may not want their data to be disclosed beyond its initial disclosure, or in certain cases, they may not even know of its existence in the public domain. Since the notice of collection, purpose and use of information is limited to SPD alone under Rule 5, information in the public domain should be seen together with whether the provider of information has provided the latter directly or to service provider that requires the information. If the source is the information provider directly, it need not be classified as SPD.

On a positive note, the addition of the term "in combination with other information available or likely to be available", gives recognition to the phenomenon of convergence of data. Parts of information that seem of negligible importance, when combined, provide a fuller personal profile of an individual, the recognition of this, in effect, gives a far wider scope to personal information under the Rules.

In the specific context of Privacy Policies, the Rules do not stipulate whether the mandated privacy policy has to explicitly mention SPD/I that is collected or used.{This is mentioned under Rule 4(ii) and (iii)} Since Rules do require that a privacy policy must be clear, it is construed that the privacy policy should explicitly recognize the type of PI and SPD/I being collected by the company.

Rule 4: This rule mandates that a "body corporate that collects, receives possess, stores, deals or handles information of the provider of information". For the purposes of this research, this entity will be referred to as a 'data controller'. According to Rule 4, every data controller must provide a privacy policy on its website for handling of or dealing in personal information including sensitive personal information.

The following details have to be included in the privacy policy -

"(i) Clear and easily accessible statements of its practices and policies;

(ii) Type of personal or sensitive personal data or information collected under rule 3;

(iii) Purpose of collection and usage of such information;

(iv) Disclosure of information including sensitive personal data or information as provided in rule 6;

(v) Reasonable security practices and procedures as provided under rule 8."^{^[82]}

Interpretation : The Rules do not provide an adequate understanding of the terms 'clear' and 'accessible', and the terms 'practices' and 'policies' are not defined. For the purpose of this research, 'practices' will be construed to mean the privacy policy of the company. It is deemed to be clear and accessible if it is available either directly or through a link on the main website of the body corporate. To meet the standards set by this Rule, the policy or policies should disclose information about the company's services, products and websites, whenever personal information is collected.

Rule 5: This Rule establishes limits for collection of information. It states that prior informed consent has to be obtained by means of letter, fax or email from the user regarding the purpose of usage for the sensitive personal information sought to be collected. It limits the purpose for collection of SPD/I to collection for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and only if it is considered necessary for that purpose. Thus, the information collected can only be used for the stated purpose for which it has been collected. ^{^[83]}

Further, Rule 5 (3) provides that consent has to be obtained and knowledge provided to a person from whom personal information is being directly collected - which for service providers - is understood to be through the customer application form. This rule will be deemed to have been complied with when the following information is provided -

a. The fact that the information is being collected.

b. The purpose of such collection.

c. Intended recipients of the collected information.

d. Names and addresses of the agency or agencies collecting and retaining information.

Moreover, it provides that the user has to be given the option of not providing information prior to its collection. In case the user chooses this option or subsequently withdraws consent the body corporate has the option to withhold its services.

This section also provides under Section 5 (2) (a) that the type of information that this Rule concerns itself with can only be collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and if it is considered necessary for that purpose.

It also requires that a Grievance Officer be instated to redress the grievance " expeditiously but within one month from the date of receipt of grievance." The Grievance Redressal process has been discussed in more detail later.

Interpretation: Even though Rule 5 incorporates various major data protection principles and mandates the establishment of a Grievance Redressal Mechanism, neither Rule 5 nor Rule 4 (3) makes a reference to the other. [Rule 4(3) uses the term "such information", and the fact that it follows Rule 4(2) which clearly refers to personal information as well as SPD/I, means that Rule 4(3) also refers to the same]

Prima facie , the scope of Rule 5 is limited to collection of SPD/I. However, Rule 4 (3) ostensibly covers the broad ambit of 'information' which includes SPD/I. Construing these two provisions together using the 'Harmonious Construction' principle ^{^[84]}, Rule 5 could be interpreted to cover personal information for privacy policies under Rule 4.

In addition, Rule 5(3) doesn't expand on the reasonable steps to be taken for intimating the information provider on the extent of disclosure and purpose of collection. This appears as a rather large loophole considering the wide interpretation that can be given to 'reasonable' practices of service providers.

Rule 6: This rule lays down the conditions and procedure for disclosure of information.^{^[85]} Under it, the following conditions apply before any disclosure of information by the 'body corporate' to any third party -

a. The body corporate is required to obtain prior permission from the provider of the information, or

b. Permission to disclose has to be agreed on in the contract between the company and the data subject, or

c. Disclosure is necessary for the compliance of a legal obligation.

An exception is made in case the disclosure is made to an authorized and legally mandated Government agency upon request for the purposes of verification of identity, for prevention, detection, and investigation of incidents, specifically including cyber incidents, prosecution, and punishment of offences, in which case no consent from the data subject will be required. Thus, the company does not need user consent to disclose information to authorized law enforcement or intelligence agencies when presented with an authorized request.

Interpretation :

The guidelines for disclosure limit themselves to SPD under Rule 6 leaving a vacuum with respect to information that doesn't fall within the definition of SPD/I. However, Rule 4 (iv)'s applies to 'information including SPD'. Reading the two together, in accordance with the 'Harmonious Construction' principle, the scope of SPD/I in Rule 6 is construed to extend to the same personal information and SPD/I as is covered by Rule 4 (iv), for the limited purpose of the privacy policies under Rule 4.

Rule 7 : This Rule requires that when the data controller transfers SPD/I to another body corporate or person, such a third party must adhere to the same standards of data protection that the body corporate collecting the information in the first instance follows.

Interpretation : Although the privacy policy is not required to provide details of the transfer of information, the fourth sub-section of Rule 4, which concerns itself with the obligation of the body corporate to provide a policy for privacy including information about the disclosure of information to its consumers, incorporates this Rule as it deals with disclosure of information to third parties. Thus, the Policy of the body corporate must include details of the way the data is handled or dealt by the third party, which is shared by the body corporate in question.

Rule 8: This Rule details the criteria for reasonable security practices and procedures.^{^[86]} It provides that not only must the body corporate have implemented standard security practices and procedures, but it should also have documented the information security program and policies containing appropriate "managerial, technical, operational and physical security control measures". The Rule specifically uses the example of IS/ISO/IEC 27001 as an international standard that would fulfill the requirements under this provision. The security standards or codes of best practices adopted by the company are required to be certified/audited by a Government approved independent auditor annually and after modification or alteration of the existing practice and procedure. Sub-section (1) of the Rule also gives the body corporate the option of creating its own security procedures and practices for dealing with managerial, technical, operational, and physical security control, and have comprehensive documentation of their information security programme and information security policies. These norms should be as strict as the type of information collected and processed requires. In the event of a breach, the body corporate can be called to demonstrate that these norms were suitably implemented by it.

Interpretation : It is unclear whether the empanelled IT security auditing organizations recognized by CERT-In discussed later are qualified for the purpose of this Rule, but from publicly available information the Data Security Council of India and CERT-In's empanelled Security Auditors seem to be the agencies given this task^{^[87]}. With regards to the Privacy Policy or Policies of a company, it is only necessary that the company include as many details as possible regarding the steps taken to ensure the security and confidentiality of the collected information in the Privacy Policy and Policies, and notify them to the consumer.

Other Relevant Policies:

Empanelled Information Technology Security Auditors - CERT-In has created a panel of 'IT Security Auditors' for auditing networks & applications of various organizations of the Government, critical infrastructure organizations and private organizations including bodies corporate.^{^[88]} The empanelled IT security auditing organization is required to, inter alia, conduct a " Review of Auditee's existing IT Security Policy and controls for their adequacy as per the best practices vis-à-vis the IT Security frameworks outlined in standards such as COBIT, COSO, ITIL, BS7799 / ISO17799, ISO27001, ISO15150, etc." ^{^[89]} and conduct and document various assessments and tests. Some typical reviews and tests that include privacy reviews are - Information Security Testing, Internet Technology Security Testing and Wireless Security Testing.^{^[90]} For this purpose CERT-In maintains a list of IT Security Auditing Organizations^{^[91]}.

Criteria for analysis of company policies based on the 43A Rules

1. Clear and Accessible statements of its practices and policies^{^[92]} -

i. Whether the privacy policy is accessible through the main website of the body corporate?

ii. Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

iii. Whether the privacy policy can be comprehended by persons without legal knowledge?

2. Type and acknowledgment of personal or sensitive personal data/information collected ^{^[93]}-

i. Whether the privacy policy explicitly states that personal and sensitive personal information will be collected.

ii. Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

3. Option to not provide information and withdrawal of consent^{^[94]} -

i. Whether the Privacy Policy specifies that the user has the option to not provide information?

ii. Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

4. Existence of Grievance Officer -

i. Whether the privacy policy mentions the existence of a grievance officer?

ii. Whether the privacy policy provides details of the grievance redressal mechanism?

iii. Whether the privacy policy provides the names and contact information of the grievance officer?

5. Purpose of Collection and usage of information -

i. Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

6. Disclosure of Information -

i. Whether personal information is shared with third parties (except authorized government agencies/LEA/IA) only with user consent?

ii. Whether the policy specifies that personal information is disclosed to Government agencies/LEA/IA only when legally mandated as per the circumstances laid out in 43A?

7. Reasonable Security practices and procedures -

i. Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure information?

Annexure 2

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) 2011 and Company SURVEY

1. Bharti Airtel Ltd.

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: Airtel's Privacy Policy^{^[95]} is available through the main page of the website and it is mentioned in the Airtel Terms and Conditions and is applicable for Airtel's websites as well as its services and products, such as its telecommunications services. It was determined that the policy can be comprehended by individuals without legal knowledge.

2. Type and acknowledgement of personal or sensitive personal data/information collected: Yes

b. Rationale: Airtel's Privacy Policy indicates that sensitive personal and personal information will be collected, defines sensitive personal information^{^[96]}, and specifies specific types of personal^{^[97]} and sensitive personal information ^{^[98]} that will be collected.

3. Option to not provide data or information and subsequent withdrawal of consent: Yes

c. Rationale: The Airtel Privacy Policy states that individuals have the right to choose not to provide consent or information and have the right to withdraw consent. The policy notes that if consent/information is not provided, Airtel reserves the right to not provide or to withdraw the services.^{^[99]}

4. Existence of Grievance Officer: Yes

a. Rationale: Airtel provides for the contact details of nodal officers^{^[100]} and appellate authorities ^{^[101]} on its website. Additionally the website provides for the 'Office of the Ombudsperson'^{^[102]}, which is an independent forum for employees and external stakeholders^{^[103]} of the company to raise concerns and complaints about improper practices which are in breach of the Bharti Code of Conduct. Additionally, details of the Airtel Grievance Redressal Officers can also be found in the TRAI website.^{^[104]}

5. Comprehensive disclosure of purpose of collection and usage of information: Partial

Rationale: Airtel's Privacy Policy indicates eight purposes^{^[105]} that information will be collected and used for, but notes that the use and collection is not limited to the defined purposes.

6. Disclosure of Information^{^[106]}: Yes

a. Rationale: Airtel has a dedicated section explaining the company's practices around the disclosure and sharing of collected information, including ways in which consent will be collected for the sharing of personal information^{^[107]}, how collected personal information may be collected internally ^{^[108]}, the disclosure of information to third parties and that the third party will be held accountable for protecting the information through contract^{^[109]}, the possible transfer of personal information and its purposes^{^[110]}, and the circumstances under which information will be disclosed to governmental agencies (which reflect the circumstances defined by the Rules.) ^{^[111]}

7. Existence of reasonable security practices and procedures ^{^[112]} : Yes

a. Rationale: Airtel's privacy policy has a dedicated section that explains the company's security practices and procedures in place. The policy notes that Airtel's practices and procedures are IS/ISO/IEC 27001 compliant ^{^[113]}, that access is restricted to a need to know basis and that employees are bound by codes of confidentiality^{^[114]}, and that Airtel works to ensure that third parties also have strong security procedures in place.^{^[115]} The policy also provides details on the retention^{^[116]} and destruction ^{^[117]} procedures for personal information, and notes that reasonable steps are taken to protect against hacking and virus attacks.^{^[118]}

1. Tata Telecommunication Services (DoCoMo and Virgin Mobile)

1. Clear and Accessible statements of its practices and policies : Partial

a. Rationale: Though Tata DoCoMo has a comprehensive Data Privacy Policy ^{^[119]} that is applicable to Tata Teleservices Limited's ("TTL") products and services and the TTL website, it is not accessible to the user through the main website. In the Frequently Asked Questions Section of TTL, it is clarified under what circumstances information that you provide is not covered by the TTL privacy policy. ^{^[120]}

2. Type of personal or sensitive personal data/information collected: Partial

a. Rational: TTL defines personal information^{^[121]} but only provides general examples of types of personal information^{^[122]} (and not sensitive personal) collected, rather than a comprehensive list. The definitions and examples of information collected are clarified in the FAQs and the Privacy Policy, rather than in the Privacy Policy alone. As a strength, the Privacy Policy clarifies the ways in which TTL will collect information from the user - including the fact that they receive information from third parties like credit agencies. ^{^[123]}

3. Option to not provide information and withdrawal of consent: N/A

a. Rationale: The TTL Privacy Policy does not address the right of the individual to provide consent/information and to withdraw information/consent.

4. Existence of Grievance Officer: Yes

a. Rationale: TTL has various methods to lodge complaints and provides for an appellate authority. ^{^[124]} Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.^{^[125]}

5. Purpose of Collection and usage of information: Yes

a. Rationale: In its' Privacy Policy, TTL describes the way in which collected information is used. ^{^[126]} The TTL FAQs further clarify the use of cookies by the company, the use of provided information for advertising purposes, ^{^[127]} and the use of aggregate and anonymized data.^{^[128]}

6. Disclosure of Information: Yes

a. Rationale: In the Privacy Policy and the FAQs page, TTL is transparent about the circumstances on which they will share/disclose personal information with third parties^{^[129]}, with law enforcement/governmental agencies^{^[130]}, and with other TTL companies. ^{^[131]} Interestingly, the TTL FAQ's clarify to the customer that their personal information might be processed in different jurisdictions, and thus would be accessible by law enforcement in that jurisdiction. ^{^[132]}

7. Reasonable Security practices and procedures: Partial

a. Rationale: TTL's Privacy Policy broadly references that security practices are in place to protect user information, but the policy does not make reference to a specific security standard, or provide detail as to what these practices and procedures are. ^{^[133]} Although TTL's Privacy Policy does not make mention of any specific security standard, Tata Teleservices (Maharashtra) Limited claims to have been awarded with ISO 27001 ISMS (Information Security Management Systems) Certification in May 2011, and completed its first Surveillance Audit in June 2012^{^[134]}. Information on IT security standards adopted by other circles could not be found on the internet.

2. Vodafone

1. Clear and Accessible statements of its practices and policies: Yes

Rationale: Vodafone's Privacy Policy^{^[135]} is easily accessible from its website from a link at the bottom, directly from the home page and from all other pages of the website. ^{^[136]}

2. Collection of personal or sensitive personal data/information: No

Rationale: Type -

a. Personal Information - The amount of details given by the Privacy Policy with regards to the personal information being collected is insufficient, as it does not include a number of relevant facts, and uses is vague language - such as 'amongst other things', implying that information other than that which is notified is being collected.^{^[137]}

b. Sensitive Personal Data or Information - The Privacy Policy does not mention the categories or types of SPD/I, as defined under Rule 3, being collected by the service provider explicitly, only gives a general overview of the information that is collected.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The privacy policy does not mention the consent of data subject anywhere, nor does it mention his or her right to withdraw it at any point of time. It also does not mention whether or not the provision of services by Vodafone is contingent on the provision of such information.

4. Existence of Grievance Officer: Yes

a. Rationale: The Privacy Policy explicitly mentions and gives the email address of a grievance redressal officer, though further details about the other offices are given in a separate section of the website.^{^[138]}

5. Purpose of Collection and usage of information: Partial

a. Rationale:

The Privacy Policy gives an exhaustive list of purposes for which the collected information can be used by Vodafone, ^{^[139]} but at the same time the framing of the opening sentence and the usage of the term 'may include' could imply that it can be used for other purposes as well.

6. Disclosure of Information: Yes

a. Rationale:

The Privacy Policy mentions that Vodafone might share the collected information with certain third parties and the terms and conditions which would apply to such a third party.^{^[140]} The phrasing does not imply that there are other conditions that have not been mentioned in the policy, under which the information would be shared with a third party. At the same time, the Privacy Policy does not explicitly say that the third party will necessarily follow the privacy and data security procedures and rules laid down in the Privacy Policy.

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Privacy Policy mentions in reasonably clear detail the security practices and procedures followed by Vodafone, and also mentions the circumstances in which the data subject should take care to protect his or her own information, wherein Vodafone will not be liable. ^{^[141]} Although Vodafone India's Privacy Policy does not specify what their IT Security standard is, its 2012/2013 Sustainability Report available through its international website ^{^[142]} states that it follows industry practices in line with the ISO 27001 standard and its core data centre in India follows this standard^{^[143]}.

3. Aircel

1. Clear and Accessible statements of its practices and policies: Yes

Rationale:

The Privacy Policy is accessible from every page of the Aircel website, with a link at the bottom of each page after the specific circle has been chosen. It is reasonably free of legalese and is intelligible.^{^[144]}

2. Type of personal or sensitive personal data/information collected: Partial

Rationale: Type -

a. Personal Information

In the Privacy Policy, the repeated usage of the term 'may' creates some doubt about the actual extent of the data collected, and leaves the Privacy Policy quite unclear in this regard. At the same time, the Privacy Policy does include a fairly comprehensive list of personal information that could be collected. ^{^[145]} The wording in the Privacy Policy thus requires further clarification and specification in order to make a determination on whether or not it provides complete details on the personal information that will be collected.

a. Sensitive Personal Data or Information

The Privacy Policy does not mention SPDI explicitly, which adds to the lack of concrete details as noted earlier.

3. Option to not provide information and withdrawal of consent - Yes

Rationale : The Privacy Policy mentions that users do have the right to refuse to provide or the withdrawal of consent to collect personal information. In such cases, Aircel can respectively refuse or discontinue the provision of its services. ^{^[146]}

4. Existence of Grievance Officer: Yes

a. Rationale:

Though not directly mentioned in the Privacy Policy, a separate, easily noticeable link at the bottom of each webpage links to the Customer Grievance section. There are different officers in charge of each node, called the Nodal Officers. ^{^[147]}

5. Purpose of Collection and usage of information: Partial

a. Rationale: The usage of the term 'may' in the section of the Privacy Policy regarding the purpose of collection and usage of information again leaves it ambiguous in this regard, implying that it can just as easily be used for purposes that have not been notified to the data subject.^{^[148]}

6. Disclosure of Information: Yes

a. Rationale: Though the Privacy Policy does not specify all the circumstances under which Aircel would share the collected information with a third party, it specifies the terms and conditions that would apply in the cases that it does. ^{^[149]}

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Policy gives a reasonable amount of detail about the steps taken by Aircel to ensure the security of the information collected by it, but leaves certain holes uncovered.^{^[150]}

4. Atria Convergence Technologies Private Limited (ACT)

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: The Policy is intelligible, and is easily accessible from all the webpages of the company's website from a link at the bottom of all pages.^{^[151]}

2. Type of personal or sensitive personal data/information collected: Partial

a. Rationale:

Type -

a. Personal Information - Yes -

The Policy mentions the different types of Personal Information which will be collected by ACT if the customer registers with the Company. ^{^[152]}

a. Sensitive Personal Data or Information -

The categories of SPD/I collected by ACT are not specifically mentioned in the policy, though they are mentioned as part of the general declarations.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The option of the data subject not providing or withdrawing consent has not been mentioned in the Policy.

4. Existence of Grievance Officer: No

a. Rationale: No Grievance Officer has been mentioned in the Privacy Policy or on the ACT website, nor has any other grievance redressal process been specified.^{^[153]}

5. Purpose of Collection and usage of information: Yes

a. Rationale: The Policy mentions the various ways ACT might use the information it collects, though the use of the term 'general' is a cause for concern.^{^[154]} The list of purposes for collection given in the Privacy Policy is a very general list.

6. Disclosure of Information: Yes

a. Rationale: The Policy mentions the circumstances in which ACT might share the collected information with a third party, and also mentions that such parties will either be subject to confidentiality agreements, or that the data subject will be notified before his or her information becomes subject to a different privacy policy. It also mentions the exception to above, that being when the information is shared for investigative purposes.^{^[155]} At the same time, the intended recipients of the information are not mentioned, and the name and address of agency/agencies collecting and retaining information is not mentioned.

7. Reasonable Security practices and procedures: No

a. Rationale: - The security practices and procedures followed by ACT to protect the information of its customers are not mentioned in the Policy, which is a critical weak point, keeping in mind the requirements of the Rules. ^{^[156]}

[1] . Telecom Regulatory Authority of India, Press Release 143/2012,(< http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf >)

[2] . The Indian Telecom Service Performance Indicators, January-March 2013, Telecom Regulatory Authority of India,. (< http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf >)

[3] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece >

[4] . In addition, the Unified Access License Framework which allows for a single license for multiple services such as telecom, the internet and television, provides certain security guidelines. As per the model UIL Agreements, privacy of communications is to be maintained and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. For internet services, the Agreement stipulates the keeping an Internet Protocol Detail Record (IPDR) and copies of packets from customer premises equipment (CPE). Accessed at < http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf>

[5] . See >> http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf >>

[6] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece > Accessed..

[7] . Starting with Kharak Singh v. State of UP 1963 AIR SC 1295, the right to privacy has been further confirmed and commented on in other cases, like Govind v.State of M.P (1975) 2 SCC 148: 1975 SCC (Cri) 468. A full history of the development of the Right to Privacy can be found in B.D. Agarwala, Right to Privacy: A Case-By-Case Development, (1996) 3 SCC (Jour) 9, available at http://www.ebc-india.com/lawyer/articles/96v3a2.htm.

[8] . White Paper on EU Adequacy Assessment of India, 3, ("Based on an overall

analysis against the identifiable principles under Article 25, the 2010 Report concludes that India does not at present provide adequate protection to personal data in relation to any sector or to the whole of its private sector or to the whole of its public sector. ") available at < https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf >

[9] . Planning Commission, Report of the Group of Experts on Privacy, 2012, (< http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>)

[10] . Though a company's Privacy Policy was the main document analysed for this research, when applicable a company's Terms of Service wavas also reviewed.

[11] . BSNL and MTNL are government companies as defined under section 617, Indian Companies Act, 1956, incorporated under the Indian Companies Act, 1956. Under section 43 A (i) of the Act, a 'body corporate' has been broadly defined as "any company…sole proprietorship or other association of individuals engaged in commercial or professional activities". Therefore, for the purpose of this survey, BSNL and MTNL are recognized as bodies corporate.

[12] . Documents Reviewed: http://portal.bsnl.in/portal/privacypolicy.html

[13] . A full list of its services are available here: < http://bsnl.co.in/opencms/bsnl/BSNL/services/>

[14] . The MTNL website does not provide access to a privacy policy

[15] . A full list of its services are available here <<http://mtnldelhi.in>>

[16] . Documents Reviewed: http://www.airtel.in/forme/privacy-policy , http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp, http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp , http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office

[17] . A full list of services provided by Bharti Airtel is available here: <www.airtel.in>

[18] . http://submarinenetworks.com/stations/asia/india/chennai-bharti

[19] . Documents Reviewed: http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker , http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html

[20] . See < http://historyofbusiness.blogspot.in/2013/11/history-of-vodafone.html. >

[21] . Vodafone International Holdings v Union of India, WP 1325/2010, Bombay High Court

[22] . 'Vodafone to Buy Additional Essar India Stake for $5 Billion',(Bloomberg, March 31, 2011) < http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html >Accessed 26 May 2014

[23] . See <https://www.vodafone.in/pages/aboutus.aspx?cid=ker.>

[24] . Vodafone, supra note 13.

[25] . Documents Reviewed:http://www.tatadocomo.com/downloads/data-privacy-policy.pdf, http://www.tatateleservices.com/t-customercare.aspx, http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf

[26] . 'Japan's Docomo acquires 26% stake in Tata Tele'(The Hindu Business Line, November 13 2008) < http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm .>

[27] . Further details are available at: < http://www.tatateleservices.com/t-aboutus-ttsl-organization.aspx>

[28] . Documents Reviewed

http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 , http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_consumergrievance_page , http://www.aircel.com/AircelWar/ShowProperty/UCMRepository/Contribution%20Folders/Global/PDF/Manual_Customer_Grievan.pdf

[29] . See < http://www.aircel.com/AircelWar/appmanager/aircel/ap?_nfpb=true&_pageLabel=aboutus_book. >

[30] . Documents Reviewed: http://www.acttv.in/index.php/privacy-policy

[31] . https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker

[32] . http://www.tatadocomo.com/downloads/data-privacy-policy.pdf

[33] . http://www.airtel.in/forme/privacy-policy

[34] .http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061

[35] . http://www.acttv.in/index.php/privacy-policy

[36] . In 2012, the Minister of State for Communications & Information Technology informed the Rajya Sabha that " (a)ny change in the privacy policy is not within the purview of amended Information Technology Act, 2000",, while discussing changes to Google's privacy policy. Even though the Minister noted that the EU has reported its dissatisfaction with the changed policy, finding that the policy " makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service ", he argued that the Act and Rules therein merely stipulate the publication of a privacy policy which provide " information to the end users as to how their personal information is collected, for which it is collected, processed and secure". Further, when asked how changes to privacy policy affect end users the Minister shifted the responsibility on end users, stating that " (t)he end users… need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services ".( < http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22 >).

[37] . Available at http://portal.bsnl.in/portal/privacypolicy.htm, the privacy policy was found through a search engine and not through a link from the website. An RTI request was submitted to BSNL for a copy of its privacy policy as applicable to all its products, services and websites. BSNL responded by submitting a copy of this privacy policy even though the text of the policy does not clarify the scope.

[38] . See, <http://www.acttv.in/index.php/privacy-policy>

[39] . See <http://www.airtel.in/forme/privacy-policy>

[40] . See <www.tataindicom.com/Download/data-privacy-policy.pdf>

[41] . See <<www.aircel.com/AircelWar/appmanager/aircel/delhi?_nfpb=true&_pageLabel=P26400194591312373872061>>

[42] . See <https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar>

[43] . See<< http://portal.bsnl.in/portal/privacypolicy.htm>>

[44] . See <http://www.acttv.in/index.php/privacy-policy>

[45] . See <https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar>

[46] . See <http://www.tataindicom.com/Download/data-privacy-policy.pdf>

[47] . Ibid

[48] . The complaint center details are available here: < http://www.tccms.gov.in/Queries.aspx?cid=1>

[49] . Rules 5 and 6

[50] . Principle 2, Principle 3, Personal Information Protection and Electronic Documents Act 2000. Available at: << http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html>>

[51] . Rule 5(7),

[52] . Principle 2

[53] . P. 21

[54] . Telecom Regulatory Policy CRTC 2009-657, Review of the Internet traffic management practices of Internet service providers << www.crtc.gc.ca/eng/archive/2009/2009-657.htm>>

[55] . Alex Cameron,CRTC Imposes Super-PIPEDA Privacy Protections for Personal Information Collected by ISPs, Privacy and Information Protection Bulletin, Fasken Martineau, << http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf . >> Accessed 21 May 2014

[56] . Bram D. Abramson, Grant Buchanan, Hank Intven, CRTC Shapes Canadian "Net Neutrality" Rules, McCarthy Tetrault. < http://www.mccarthy.ca/article_detail.aspx?id=4720 > Accessed 21 May 2014

[57] . The Privacy Act, 1988, Part III, available at << http://www.comlaw.gov.au/Series/C2004A03712.>>

[58] . Id, note 28, Schedule 3, 1.

[59] . Id, schedule 3, 2.

[60] . Id, schedule 3, 3.

[61] . Id, schedule 3, 4.

[62] . Id, schedule 3, 5.

[63] . Id, schedule 3, 6.

[64] . Id, schedule 3, 7.

[65] . Id, schedule 3, 8.

[66] . Id, schedule 3, 9.

[67] . Id, schedule 3, 10.

[68] . Telecommunications Act, Part 13 (Information or a document protected under Part 13 could relate to many forms of communications, including fixed and mobile telephone services, internet browsing, email and voice over internet telephone services. For telephone-based communications, this would include subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet-based applications, the information protected under Part 13 would include the Internet Protocol (IP) address used for the session, and the start and finish time of each session.)

[69] . Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

[70] . Id, article 3.

[71] . Id, article 8.

[72] . Id, article 2, (d). (" (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; ")

[73] . European Commission-IP-12/46, 25 January 2012, < http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.>

[74] . Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[75] . Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

[76] . Rule 2 (h)

[77] . Rule 3 (ii)

[78] . Rule 3 (vii) and (viii)

[79] . Rule 2 (i)

[80] . Rule 4(iii), (iv)

[81] . Section 2(v) of the Act defines 'information'

[82] . Rule 4 (1).

[83] . Rule 5 (5)

[84] . Defined by Venkatarama Aiyar, J as: "The rule of construction is well settled that when there are in an enactment two provisions which cannot be reconciled with each other, they should be so interpreted that, if possible, effect could be given to both" in Venkataramana Devaru v. State of Mysore, AIR 1958 SC 255, p. 268: G. P. Singh, Principles of Statutory Interpretation, 1th ed. 2010, Lexisnexis Butterworths Wadhwa Nagpur. The principle was applied to interpret statutory Rules in A. N. Sehgal v. Raje Ram Sheoram, AIR 1991 SC 1406.

[85] . Rule 6

[86] . Rule 8

[87] . 52^nd Report, Standing Committee on Information Technology, 24, available at < http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf. >

[88] . Panel Of Information Security Auditing Organisations, CERT-IN < http://www.cert-in.org.in/PDF/background.pdf>

[89] . Section 1, Guidelines for applying to CERT-In for Empanelment of IT Security Audition Organisation, < http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf>

[90] . Section 2.0, Guidelines for auditee organizations, Version 2.0, IT Security

Auditing Assignment, http://www.cert-in.org.in/PDF/guideline_auditee.pdf

[91] . See <http://www.cert-in.org.in/PDF/Empanel_org.pdf>

[92] . Rule 4

[93] . Rule 4

[94] . Rule 5 (7)

[95] . See << http://www.airtel.in/forme/privacy-policy>>

[96] . 'Information that can be used by itself to uniquely identify, contact or locate a person, or can be used with information available from other sources to uniquely identify an individual. For the purpose of this policy, sensitive personal data or information has been considered as a part of personal information.' Accessed at << http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >>

[97] . Subscriber's name, father's name, mother's name, spouse's name, date of birth, current and previous addresses, telephone number, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Information related to your utilization of our services which may include your call details, your browsing history on our website, location details and additional information provided by you while using our services. We may keep a log of the activities performed by you on our network and websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

[98] . Password, Financial information -details of Bank account, credit card, debit card, or other payment instrument detail s, Physical, physiological and mental health condition.

[99] . Airtel states that if a customer does not provide information or consent for usage of personal information or subsequently withdraws consent, Airtel reserves the right to not provide the services or to withdraw the services for which the said information was sought, Avaliable at: < http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >

[100] . See <www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp>

[101] . See << http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp >

[102] . See << http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office>>

[103] . Stakeholders are defined as: employee, associate, strategic partner, vendor

[104] . See << http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072331247805566Bharti_Airtel_CC_AA-23072013.pdf >>

[105] . Verification of customer's identity; Complete transactions effectively and bill for products and service; Respond to customer requests for service or assistance; Perform market analysis, market research, business and operational analysis; Provide, maintain and improve Airtel products and services; Anticipate and resolve issues and concerns with Airtel products and services; Promote and market Airtel products and services which it may consider of interest and benefit to customers; and, Ensure adherence to legal and regulatory requirements for prevention and detection of frauds and crimes.

[106] . See << http://www.airtel.in/forme/privacy-policy/disclosure+and+transfer?contentIDR=745792ad-d6af-4684-85d4-d85773e77356&useDefaultText=0&useDefaultDesc=0 >>

[107] . "Airtel may obtain a customer's consent for sharing personal information in several ways, such as in writing, online, through "click-through" agreements; orally, including through interactive voice response; or when a customer's consent is part of the terms and conditions pursuant to which Airtel provides a service."

[108] . Airtel and its employees may utilize some or all available personal information for internal assessments, measures, operations and related activities…"

[109] . Airtel may at its discretion employ, contract or include third parties external to itself for strategic, tactical and operational purposes. Such agencies though external to Airtel, will always be entities which are covered by contractual agreements. These agreements in turn include Airtel's guidelines to the management, treatment and secrecy of personal information

[110] . Airtel may transfer subscriber's personal information or other information collected, stored, processed by it to any other entity or organization located in India or outside India only in case it is necessary for providing services to a subscriber or if the subscriber has consented (at the time of collection of information) to the same. This may also include sharing of aggregated information with them in order for them to understand Airtel's environment and consequently, provide the subscriber with better services. While sharing personal information with third parties, adequate measures shall be taken to ensure that reasonable security practices are followed at the third party."

[111] . Airtel may share subscribers' personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences.

[112] . See<< http://www.airtel.in/forme/privacy-policy/security+practices+and+procedures?contentIDR=9346516c-c1a1-4bd7-bce0-6945236dceaa&useDefaultText=0&useDefaultDesc=0 >>

[113] . Airtel adopts reasonable security practices and procedures, in line with international standard IS/ISO/IEC 27001, to include, technical, operational, managerial and physical security controls in order to protect a customer's personal information from unauthorized access, or disclosure while it is under our control.

[114] . Airtel's security practices and procedures limit access to personal information on need-only basis. Further, its employees are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal information.

[115] . Airtel takes adequate steps to ensure that its third parties adopt reasonable level of security practices and procedures to ensure security of personal information.

[116] . Airtel may retain a subscriber's personal information for as long as required to provide him/her with services or if otherwise required under any law.

[117] . When Airtel disposes of its customers' personal information, it uses reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media)."

[118] . Airtel maintains the security of its internet connections, however for reasons outside of its control, security risks may still arise. Any personal information transmitted to Airtel or from its online products or services will therefore be at a customer's own risk. It observes reasonable security measures to protect a customer's personal information against hacking and virus dissemination.

[119] . See <<http://www.tatadocomo.com/downloads/data-privacy-policy.pdf

[120] . Information that customers provide to non-TTL companies is not covered by TTL's Policy. For example: When customers download applications or make an online purchase from a non-TTL company while using TTL's Internet or wireless services, the information collected by the non-TTL company is not subject to this Policy. When you navigate to a non-TTL company from TTL websites or applications (by clicking on a link or an advertisement, for example), information collected by the non-TTL company is governed by its privacy policy and not TTL's Privacy Policy. If one uses public forums - such as social networking services, Internet bulletin boards, chat rooms, or blogs on TTL or non-TTL websites, any Personal Information disclosed publicly can be read, collected, or used by others. Once one chooses to reveal Personal Information on such a site, the information is publicly available, and TTL cannot prevent distribution and use of that information by other parties. Information on a wireless Customer 's location, usage and numbers dialed, which is roaming on the network of a non-TTL company will be subject to the privacy policy of the non-TTL company, and not TTL's Policy.

[121] . "Personal Information" is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

[122] . Personal Information - Some general examples -TTL may collect Confidential Data in different forms such as Personal and other Information based on a customer's use of its products and services. Some examples include, Contact Information that allows us to communicate with you -- including your name, address, telephone number, and e-mail address; Billing information-- including payment data, credit history, credit card number, security codes, and service history.Equipment, Performance, TTL Website Usage, Viewing and other Technical Information about use of TTL's network, services, products or websites.

Technical & Usage Information is clarified in the FAQ's as information related to the services provided, use of TTL's network, services, products or websites. Examples of the Technical & Usage Information collected include: Equipment Information that identifies the equipment used on TTL's network, such as equipment type, IDs, serial numbers, settings, configuration, and software. Performance Information about the operation of the equipment, services and applications used on TTL's network, such as IP addresses, URLs, data transmission rates and latencies, location information, security characteristics, and information about the amount of bandwidth and other network resources used in connection with uploading, downloading or streaming data to and from the Internet. TTL Website Usage Information about the use of TTL websites, including the pages visited, the length of time spent, the links or advertisements followed and the search terms entered on TTL sites, and the websites visited immediately before and immediately after visiting one of TTL's sites.TTL also may collect similar information about a customer's use of its applications on wireless devices. Viewing Information about the programs watched and recorded and similar choices under Value added TTL services and products.

[123] . Ways in which TTL collects information: On the purchase or interaction about a TTL product or service provided; Automatically collected when one visits TTL's websites or use its products and services; Other sources, such as credit agencies.

[124] . See <http://www.tatateleservices.com/t-customercare.aspx>

[125] .See< http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341218463621Tata_CC_AA_1-23072013.pdf >

[126] . To provide the best customer experience possible; Provide the services a customer purchases, respond to customer questions; Communicate with customers regarding service updates, offers, and promotions; Deliver customized content and advertising that may be of interest to customers; Address network integrity and security issues; Investigate, prevent or take action regarding illegal activities, violations of TTL's Terms of Service or Acceptable Use Policies

[127] . Site functionality -Cookies and other tracking tools are used to help TTL analyze, manage and improve websites and storing customer preferences. Advertising TTL and its advertising partners, including Yahoo! and other advertising networks, use anonymous information gathered through cookies and other similar technologies, as well as other information TTL or its advertising networks may have, to help tailor the ads a customer sees on its sites.

[128] . TTL collects some Information on an anonymous basis. TTL also may anonymize the Personal Information it collects about customers. It may obtain aggregate data by combining anonymous data that meet certain criteria into groups.

[129] . In Other Circumstances: TTL may provide Personal Information to non-TTL companies or other third parties for purposes such as: To assist with identity verification, and to prevent fraud and identity theft; Enforcing its agreements and property rights; Obtaining payment for products and services that appear on customers' TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; and to comply to legal and regulatory requirements. TTL shares customer Personal Information only with non-TTL companies that perform services on its behalf, and only as necessary for them to perform those services. TTL requires those non-TTL companies to protect any Personal Information they may receive in a manner consistent with this policy. TTL does not provide Personal Information to non-TTL companies for the marketing of their own products and services without a customer's consent. TTL may share aggregate or anonymous Information in various formats with trusted non-TTL entities, and may work with those entities to do research and provide products and services.

[130] . TTL provides Personal Information to non-TTL companies or other third parties (for example, to government agencies, credit bureaus and collection agencies) without consent for certain purposes, such as: To comply with court orders, subpoenas, lawful discovery requests and other legal or regulatory requirements, and to enforce our legal rights or defend against legal claims, To obtain payment for products and services that appear on customer TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; To enforce its agreements, and protect our rights or property; To assist with identity verification, and to prevent fraud and identity theft; To prevent unlawful use of TTL's services and to assist in repairing network outages; To provide information regarding the caller's location to a public safety entity when a call is made to police/investigation agencies, and to notify the public of wide-spread emergencies; To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay; To display name and telephone number on a Caller ID device;

[131] . Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI), the TTL companies may share your Personal Information with each other to make sure your experience is as seamless as possible, and you have the benefit of what TTL has to offer.

[132] . Customers and Users should be aware that TTL affiliates and non-TTL companies that perform services on behalf of TTL may be located outside the country where customers access TTL's services. As a result, when customer Personal Information is shared with or processed by such entities, it may be accessible to government authorities according to the laws of those jurisdictions.

[133] . TTL has implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL. It has established electronic and administrative safeguards designed to secure the information it collects, to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately. Some examples of those safeguards include: All TTL employees are subject to the internal Code of Business Conduct. The TTL Code requires all employees to follow the laws, rules, regulations, court and/or commission orders that apply to TTL's business such as legal requirements and company policies on the privacy of communications and the security and privacy of Customer records. Employees who fail to meet the standards embodied in the Code of Business Conduct are subject to disciplinary action, up to and including dismissal. TTL has implemented technology and security features and strict policy guidelines to safeguard the privacy of customer Personal Information. TTL has implemented encryption or other appropriate security controls to protect Personal Information when stored or transmitted by it; TTL limits access to Personal Information to those employees, contractors, and agents who need access to such information to operate, develop, or improve its services and products; TTL requires caller/online authentication before providing Account Information so that only the customer or someone who knows the customer's account Information will be able to access or change the information.

[134] . See << http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf >>

[135] . See << https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker >>

[136] . "We have created this Privacy Policy to help you understand how we collect, use and protect your information when you visit our web and WAP sites and use our products and services."

[137] . Vodafone may hold information relating to customers that have been provided (such as on an application or registration form) or that it may has obtained from another source (such as its suppliers or from marketing organisations and credit agencies).

This information may include, amongst other things, a customer's name, address, telephone numbers, information on how a customer uses Vodafone's products and services (such as the type, date, time, location and duration of calls or messages, the numbers called and how much a customer spends, and information on his/her browsing activity when visiting one of Vodafone's group companies' websites), the location of a customer's mobile phone from time to time, lifestyle information and any other information collected in relation to his/her use of Vodafone's products and services ("information").

It may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts with its website, and web-related products and services.

It may use a persistent cookie to record details such as a unique user identity and general registration details on your PC. Vodafone states that most browser technology (such as Internet Explorer, Netscape etc) allows one to choose whether to accept cookies or not - a customer can either refuse all cookies or set their browser to alert them each time that a website tries to set a cookie.

[138] . In case of any concerns the privacy officer can be contacted at privacyofficer@vodafone.com. Additionally details of the Grievance Redressal Officers is provided via the TRAI website. (TRAI website: http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf _

[139] . The information that Vodafone collects from customers is held in accordance with applicable laws and regulations in India. It may be used by us for a number of purposes connected with its business operations and functions, which include:

2.1 Processing customer orders or applications;

2.2 Carrying out credit checking and scoring (unless Vodafone have agreed otherwise);

2.3 Providing the customer with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering his/her account;

2.4 Billing

2.5 Settling accounts with those who provide related services to Vodafone;

2.6 Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes;

2.7 Carrying out market and product analysis and marketing Vodafone and its group companies' products and services generally;

2.8 Contacting a customer (including by post, email, fax, short text message (SMS), pager or telephone) about Vodafone and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to customers (unless a customer asks us in writing not to). Electronic marketing messages may not include a marketing facility.

2.9 Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that a customer may have in respect of our and our group companies' schemes.

2.10 inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party (subject to any objection or preference a customer may have indicated to us in writing);

2.11 carrying out any activity in connection with a legal, governmental or regulatory requirement on Vodafone or in connection with legal proceedings, crime or fraud prevention, detection or prosecution;

2.12 carrying out activities connected with the running of Vodafone's business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Vodafone's business with respect to a customer or a potential customer.

[140] . In the need for disclosure to third parties, the personal information will only be disclosed to the third parties below:

3.1 Vodafone's group companies who may in India use and disclose your information for the same purposes as us;

3.2 those who provide to Vodafone or its group companies products or services that support the services that we provide, such as our dealers and suppliers;

3.3 credit reference agencies (unless Vodafone has agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Vodafone makes against a customer's name;

3.4 if someone else pays a customer's bill, such as a customer's employer, that person;

3.5 those providing telephone and similar directories or directory enquiry services

3.6 anyone Vodafone transfers business to in respect of which a person is a customer or a potential customer;

3.7 anyone who assists Vodafone in protecting the operation of the Vodafone India networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;

3.8 persons to whom Vodafone may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services;

3.9 any person or organisation as authorised by laws and regulations applicable in India.

If a customer has opted in to receiving marketing material from Vodafone, it may also provide customer's personal information to carefully selected third parties who we reasonably believe provide products or services that may be of interest to customers and who have contracted with Vodafone India to keep the information confidential, or who are subject to obligations to protect your personal information.

To opt-out of receiving Vodafone marketing materials,customers can send a 'Do Not Disturb' message to Vodafone. If a customer wishes to use Vodafone products or services abroad, his/her information may be transferred outside India to that country. Vodafone's websites and those of its group companies may also be based on servers located outside of India.

[141] . Vodafone takes reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorized access, modification or disclosure.

Vodafone makes every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to it or from its online products or services will be at a customer's own risk, however, it will use its best efforts to ensure that any such information remains secure. Vodafone cannot protect any information that a customer makes available to the general public - for example, on message boards or in chat rooms.

Vodafone may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts.

[142] . See <http://www.vodafone.com>

[143] . See < http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html >

[144] . http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 (Scope - This Privacy Policy has been created to help customer's understand how Aircel collects, uses and protects customer information when one visits its web and WAP sites and use its products and services.)

[145] . This information may include, amongst other things, customer's name, father's name, mother's name, spouse's name, date of birth, address, telephone numbers, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Aircel may also hold information related to utilization of its services. This may include customer call records, browsing history while surfing Aircel's website, location details and additional information provided by customer while using our services.

Aircel may keep a log of the activities performed by a customer on its websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with Aircel's website, and web-related products and services

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on customer's Personal Computers.

[146] . In case a customer does not provide information or consent for usage of personal information or later on withdraw consent for usage of the personal information so collected, Aircel reserves the right to discontinue the services for which the said information was sought.

[147] . In case of any feedback or concern regarding protection of personal information, customers can contact Aircel's Circle Care ID. Alternatively, one may also direct your privacy-related feedback or concerns to the Circle Nodal Officer. (e.g. - Delhi Circle Nodal details are as mentioned below):

1. Name: Moushumi De

Contact Number: 9716199209

E-mail: nodalofficer.delhi@aircel.co.in

Further it provides for a general customer grievance redressal mechanism

Additionally details of the Grievance Redressal Officers is provided via the TRAI website.

To resolve all concerns, Aircel has established a 2-tier complaint handling mechanism. Level I: Our Customer Touch Points As an Aircel customer you have the convenience to contact at Customer Interface Points via email, post or telephone. Level II - Appellate AuthorityDespite the best efforts put by Aircel's executive, if a customer is still not satisfied with the resolution provided then he/she may submit his/her concern to the Appellate Authority of the circle. Comments - However this information contradicts the mechanism provided under Aircel's Manual of Practice for handling Consumer Complaints which provides for a 3-tier complaint handling mechanism.

[According to the DoT - The earlier three-tier complaint redressal mechanism - Call center, Nodal Center and Appellate Authority, has been replaced by a two-tier one by doing away with the level of Nodal Officer. This is because the Complaint Centres are essentially registration and response centres and do not deal with the resolution of complaints. They only facilitate registration of consumer complaint and the level at which a problem is resolved within a company depends upon the complexity of the issue involved.]

[148] . It may be used by us for a number of purposes connected with our business operations and functions, which include:

1. Processing customer orders or applications.

2. Carrying out credit checking and scoring (unless agreed otherwise).

3. Providing customers with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering a customer's account.

4. Billing (unless there exists another agreed method).

5. Settling accounts with those who provide related services to Aircel.

6. Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes.

7. Carrying out market and product analysis and marketing our and our group companies' products and services generally.

8. Contacting customers (including by post, email, fax, short text message (SMS), pager or telephone) about Aircel and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to a customer (unless a customer says 'no' in writing). Electronic messages need not have an unsubscribe facility.

9. Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that customers may have in respect of Aircel and its group companies' loyalty or reward programmes and other similar schemes.

10. Inclusion in any telephone or similar directory or directory enquiry service provided or operated by Aircel or by a third party (subject to any objection or preference a customer may have indicated in writing).

11. Carrying out any activity in connection with a legal, governmental or regulatory requirement on Aircel or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.

12. Carrying out activities connected with the running of business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Aircel's business with respect to a customer or potential customer. Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with our website, and web-related products and services, to:

● Understand what a customer likes and uses about Aircel's website.

● Provide a more enjoyable, customised service and experience

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on your Personal Computer.

[149] . Where Aircel needs to disclose your information to third parties, such third parties will be:

1. Group companies who may use and disclose your information for the same purposes as us.

2. Those who provide to Aircel or its group companies products or services that support the services that we provide, such as our dealers and suppliers.

3. Credit reference agencies (unless we have agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Aircel make against your name.

4. If someone else pays a customer's bill, such as an employer.

5. Those providing telephone and similar directories or directory enquiry services.

6. Anyone Aircel transfers its business to in respect of which you are a customer or a potential customer.

7. Anyone who assists Aircel in protecting the operation of the Aircel networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities.

8. Persons to whom Aircel may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services. If a customer has opted in to receiving marketing material from Aircel, it may also provide personal information to carefully selected third parties who it reasonably believes to provide products or services that may be of interest to customers and who have contracted with Aircel to keep the information confidential, or who are subject to obligations to protect customer personal information.

[150] . We adopt reasonable security practices and procedures to include, technical, operational, managerial and physical security control measures in order to protect your personal information from unauthorized access, or disclosure while it is under our control.Our security practices and procedures limit access to personal information on need to know basis. Further, our employees, to the extent they may have limited access to your personal information on need to know basis, are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal informationWe take adequate steps to ensure that our third parties adopt reasonable level of security practices and procedures to ensure security of personal information

We may retain your personal information for as long as required to provide you with services or if otherwise required under any law. We, however assure you that Aircel does not disclose your personal information to unaffiliated third parties (parties outside Aircel corporate network and its Strategic and Business Partners) which could lead to invasion of your privacy

When we dispose off your personal information, we use reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media).

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification or disclosure. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information you provide on computer systems with limited access, which are located in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Secure Socket Layer (SSL) protocol. If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving a site or service to protect access to your information from subsequent users.

We make every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk, however we will use our best efforts to ensure that any such information remains secure.

[151] . http://www.acttv.in/index.php/privacy-policy

[152] . "When you register, we ask for information such as your name, email address, birth date, gender, zip code, occupation, industry, and personal interests.

The Company collects information about your transactions with us and with some of our business partners, including information about your use of products and services that we offer."

[153] . Not provided for on the TRAI website as ACT is not a telecom.

[154] . The Company can use information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.

The Company collects personal information when you register with the Company, when you use the Company products or services, when you visit the Company pages or the pages of certain partners of the Company. The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you.

[155] . Aircel provide the information to trusted partners who work on behalf of or with the Company under confidentiality agreements. These companies may use customer personal information to help the Company communicate about offers from the Company and marketing partners.

Aircel believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Company's terms of use, or as otherwise required by law.

Aircel transfer information about a customer if the Company is acquired by or merged with another company under a different management. In this event, the Company will notify a customer before information about a customer is transferred and becomes subject to a different privacy policy.

The Company plans to display targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click on targeted ads meet the targeting criteria - for example, women ages 18-24 from a particular geographic area.

The Company will not provide any personal information to the advertiser when customers interact with or view a targeted ad. However, by interacting with or viewing an ad a customer consents to the possibility that the advertiser will make the assumption that he/she meets the targeting criteria used to display the ad.

[156] . Rule 8.

For more details visit https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules

Get an Aadhaar card if you don't have one

praskrishna — 2017-04-04T15:39:05Z

The Aadhaar number has been made compulsory for filing tax return. With both the government and private parties insisting on it for various activities despite the Supreme Court's assertion that is not mandatory, you need to get one at the earliest.

The article by Priya Nair and Sanjay Kumar Singh was published in the Business Standard on March 27, 2017. Udbhav Tiwari was quoted.

Until now the need for an Aadhaar card arose if someone wanted to avail of the LPG subsidy, or if senior citizens wanted to enjoy a concession on train tickets. This 12-digit number, which is a proof of identity, is largely used by the government to distribute cash benefits and other subsidies under its welfare schemes. Since submitting the Aadhaar card at the time of opening a bank account, investing in a mutual fund, etc is optional (you can submit another proof of identity), many people have still not bothered to get one. That ambivalent attitude will now have to change.

This year onwards all those filing income tax returns will have to furnish their Aadhaar number. There is a field in the income tax return form for Aadhaar number. Don’t forget to fill it this year. If you do not have an Aadhaar number, you will have to submit the enrolment number of your application for Aadhaar. "In case of failure to intimate the Aadhaar number, the PAN allotted to the person shall be deemed invalid and the other provisions of the Income Tax Act shall apply, as if the person has not applied for allotment of PAN," says Amarpal Chadha, tax partner, people advisory services, EY India.

Experts say that this step has been taken to deal with the problem of duplicate permanent account numbers (PAN) and to control black money. Says Kuldip Kumar, partner and leader-personal tax at PwC India: “Many people have more than one PAN, even though there is a penalty under the Income Tax Act for doing so. The government is linking PAN to Aadhaar to deal with this problem. This step will also help control black money. Whether you invest in stocks, shares, or do any other high-value transaction, over a period of time the tax department will be able to see all this information at the click of a button." Other experts also agree that this step will create an audit trail for various transactions. “Linking of Aadhaar and PAN will throw up any discrepancies in reported transactions and provide a ready database to the revenue authorities for necessary action,” says Vikas Vasal, partner, Grant Thornton India.

Interim problems
This measure is expected to create a slew of problems for people. Many individuals may still not have an Aadhaar card. They should apply for one post-haste. Everyone needs to check if their Aadhaar and PAN details match. If there are discrepancies between the two, get either your Aadhaar or PAN details updated so that you do not face problems at the time of filing returns. Details on how to update the Aadhaar and PAN are available on the web sites of UID and the IT department respectively (see box).

Non-Resident Indians (NRI) and foreign nationals may also need to obtain an Aadhaar number now. Many NRIs have an income (before claiming any deduction) that exceeds the basic exemption limit of Rs 2.5 lakh, and hence file a tax return in India. Foreign nationals who have spent time in India and earned an income also need to file a tax return. Indian residents who have been sent by their companies to work abroad will also have to scramble for the card. "March is about to end and tax returns will have to be filed by the end of July. Persons who have to file a tax return but are abroad will face a challenge getting the Aadhaar card made in time since you have to be physically present in India for this purpose,’’ says Kumar. The government may possibly grant some leeway to such people.

Even though the Supreme Court has said that Aadhaar is not mandatory, there are several instances where the authorities are insisting on it. Those applying for domicile proof and those who want to get their property registered are being asked to provide this number. Some telecom providers also insist on it before giving a connection. Schools are asking for it from students. You need it to appear for competitive exams like IIT JEE. Online providers of financial products insist on Aadhaar since it makes KYC easier. With the government moving strongly towards making Aadhaar compulsory, one can't escape complying with this regulation.

Risks of an Aadhaar-centric system
There are several risks associated with Aadhaar, whose basic purpose is authentication and authorisation. The first problem arises from the fact that it is easily accessible to miscreants. Aadhaar numbers of thousands of people have been uploaded on the Internet. "Since the Aadhaar number has to be given at so many places, it can be misused to pull information about people from the centralised database. In the case of credit and debit cards, we are told not to shares these numbers publicly as the number is the first thing required for carrying out a transaction. That is not the case with Aadhaar. UID's position is that you should treat your Aadhaar number carefully. But the fact is that the Aadhaar number is not used carefully either by consumers or businesses. It is a fairly public number. With Aadhaar too much power is being vested in a number that is quite public,’’ says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru.

Second, Aadhaar has a centralised database, and all centralised databases are vulnerable to hacking. Third, biometrics are not a very secure form of authentication. "Fingerprints are easy to forge. The UID says that the device (used to check the fingerprint) should not remember the biometrics but should only transfer it to UID which will verify the information. But miscreants could use a device that captures your biometrics," says Tiwari.

Other documents used for identification like PAN and passport are not easy to duplicate because of their security features. PAN, for instance, has a hologram. The power of the passport lies not in the passport number but in the document. Without the passport one cannot travel internationally. But in case of Aadhaar one can go on the Internet and print a new Aadhaar card. “If somebody has managed to capture my fingerprint and has my Aadhaar number, he can use it wherever Aadhaar is required,’’ says Tiwari.

For more details visit https://cis-india.org/internet-governance/news/business-standard-march-27-2017-priya-nair-and-sanjay-kumar-singh-get-an-aadhaar-card-if-you-dont-have-one

Right to be Forgotten: A Tale of Two Judgements

amber — 2017-04-07T02:27:03Z

In the last few months, there have been contrasting judgments from two Indian high courts, Karnataka and Gujarat, on matters relating to the right to be forgotten. The two high courts heard pleas on issues to do the right of individuals to have either personal information redacted from the text of judgments available online or removal of such judgment from publically available sources.

While one High Court (Karnataka) ordered the removal of personal details from the judgment,^[1] the other (Gujarat) dismissed the plea^[2]. In this post, we try to understand the global jurisprudence on the right to be forgotten, and how the contrasting judgments in India may be located within it.

Background

The ‘right to be forgotten’ has gained prominence since a matter was referred to the Court of Justice of European Union (CJEU) in 2014 by a Spanish court.^[3] In this case, Mario Costeja González had disputed the Google search of his name continuing to show results leading to an auction notice of his reposed home. The fact that Google continued to make available in its search results, an event in his past, which had long been resolved, was claimed by González as a breach of his privacy. He filed a complaint with the Spanish Data Protection Agency (AEPD in its Spanish acronym), to have the online newspaper reports about him as well as related search results appearing on Google deleted or altered. While AEPD did not agree to his demand to have newspaper reports altered, it ordered Google Spain and Google, Inc. to remove the links in question from their search results. The case was brought in appeal before the Spanish High Court, which referred the matter to CJEU. In a judgement having far reaching implications, CJEU held that where the information is ‘inaccurate, inadequate, irrelevant or excessive,’ individuals have the right to ask search engines to remove links with personal information about them. The court also ruled that even if the physical servers of the search engine provider are located outside the jurisdiction of the relevant Member State of EU, these rules would apply if they have branch office or subsidiary in the Member State.

The ‘right to be forgotten’ is a misnomer, and essentially when we speak of it in the context of the proposed laws in EU, we refer to the rights of individuals to seek erasure of certain data that concerns them. The basis of what has now evolved into this right is contained in the 1995 EU Data Protection Directive, with Article 12 of the Directive allowing a person to seek deletion of personal data once it is no longer required.

Critical to our understanding of the rationale for how the ‘right to be forgotten’ is being framed in the EU, is an appreciation of how European laws perceive privacy of individuals. Unlike the United States (US), where privacy may be seen as a corollary of personal liberty protecting against unreasonable state intrusions, European laws view privacy as an aspect of personal dignity, and are more concerned with protection from third parties, particularly the media. The most important way in which this manifests itself is in where the burden to protect privacy rights lie. In Europe, privacy policy often dictates intervention from the state, whereas in the US, in many cases it is up to the individuals to protect their privacy.^[4]

Since the advent of the Internet, both the nature and quantity of information existing about individuals has changed dramatically. This personal information is no longer limited to newspaper reports and official or government records either. Our use of social media, micro-discussions on Twitter, photographs and videos uploaded by us or others tagging us, every page or event we like, favourite or share—all contribute to our digital footprint. Add to this the information created not by us but about us by both public and private bodies storing data about individuals in databases, our digital shadows begin to far exceed the data we create ourselves. It is abundantly clear that we exist in a world of Big Data, which relies on algorithms tracking repeated behaviour by our digital selves. It is in this context that a mechanism which enables the purging of some of this digital shadow makes sense.

Further, it is not only the nature and quantity of information that has changed, but also the means through which this information can be accessed. In the pre-internet era, access to records was often made difficult by procedural hurdles. Permissions or valid justifications were required to access certain kinds of data. Even for the information available in the public domain, often the process of gaining access were far too cumbersome. Now digital information not only continues to exist indefinitely, but can also be easily accessed readily through search engines. It is in this context that in a 2007 paper, Viktor Mayer-Schöenberger pioneered the idea of memory and forgetting for the digital age.^[5] He proposed that all forms of personal data should have an additional meta data of expiration date to switch the default from information existing endlessly to having a temporal limit after which it is deleted. While this may be a radical suggestion, we have since seen proposals to allow individuals some control over information about them.

In 2016, the EU released the final version of the General Data Protection Regulation. The regulation provides for a right to erasure under Article 17, which would enable a data-subject to seek deletion of data.^[6] Notably, except in the heading of the provision, Article 17 makes no reference to the word ‘forgetting.’ Rather the right made available in this regulation is in the form of making possible ‘erasure’ and ‘abstention from further dissemination.’ This is significant because what the proposed regulations provide for is not an overarching framework to enable or allow ‘forgetting’ but a limited right which may be used to delete certain data or search results. Providing a true right to be forgotten would pose issues of interpretation as to what ‘forgetting’ might mean in different contexts and the extent of measures that data controllers would have to employ to ensure it. The proposed regulation attempts to provide a specific remedy which can be exercised in the defined circumstances without having to engage with the question of ‘forgetting’.

The primary arguments made against the ‘right to be forgotten’ have come from its conflict with the right to freedom of speech. Jonathan Zittrain has argued against the rationale that the right to be forgotten merely alters results on search engines without deleting the actual source, thus, not curtailing the freedom of expression.^[7] He has compared this altering of search results to letting a book remain in the library but making the catalogue unavailable. According to Zittrain, a better approach would be to allow data subjects to provide their side of the story and more context to the information about them, rather than allowing any kind of erasure. Unlike in the US, the European approach is to balance free speech against other concerns. So while one of the exceptions in sub-clause (3) of Article 17 provides that information may not be deleted where it is necessary to exercise the right to free speech, free speech does not completely trump privacy as the value that must be protected. On the other hand, US constitutional law would tend to give more credence to the First Amendment rights and allow them to be compromised in very limited circumstances. As per the position of the US Supreme Court in Florida Star v. B.J.F., lawfully obtained information may be restricted from publication only in cases involving a ‘state interest of the highest order’. This position would allow any potential right to be forgotten to be exercised in the most limited of circumstances and privacy and reputational harm would not satisfy the standard. For these reasons the rights to be forgotten as it exists in Article 17 may be unworkable in the US.

Issues in application

Significant technical challenges remain in the effective and consistent application of Article 17 of the EU Directive. One key issue is concerned with how ‘personal data’ is defined and understood, and how its interpretation will impact this right in different contexts. According to Article 17 of the EU directive, the term ‘personal data’ includes any information relating to an individual. Some ambiguity remains about whether information which may not uniquely identify a person, but as a part of small group, could be considered within the scope of personal data. This becomes relevant, for instance, where one seeks the erasure of information which, without referring to an individual, points fingers towards a family. At the same time, often the piece of information sought to be erased by a person may contain personal information about more than one individual. There is no clarity over whether a consensus of all the individuals concerned should be required, and if not, on what parameters should the wishes of one individual prevail over the others. Another important question, which is as yet unanswered, is whether the same standards for removal of content should apply to most individuals and those in public life.

The issue of what is personal data and can therefore be erased gets further complicated in cases of derived data about individuals used in statistics and other forms of aggregated content. While, it would be difficult to argue that the right to be forgotten needs to be extended to such forms of information, not erasing such derived content poses the risk of the primary information being inferred from it. In addition, Article 17(1)(a) provides for deletion in cases where the data is no longer necessary for the purposes for which they were collected or used. The standards for circumstances which satisfy this criteria are, as yet, unclear and may only be fully understood through a consistent application of this law.

Finally, once there are reasonable grounds to seek erasure of information, it is not clear how this erasure will be enforced practically. It may not be prudent to require that all copies of the impugned data are deleted such that they may not be recovered, to the extent technologically possible. A more reasonable solution might be to permit the data to continue to remain available in encrypted forms, much like certain records are sealed and subject to the strictest confidentiality obligations. In most cases, it may be sufficient to ensure that the records of the impugned data is removed from search results and database reports without actually tampering with information as it may exist. These are some of the challenges which the practical application of this right will face, and it is necessary to take them into account in enforcing the proposed regulations.

The two Indian judgments

In the first case, (before the Gujarat High Court), the petitioner entered a plea for “permanent restraint [on] free public exhibition of the judgment and order.” The judgment in question concerned proceeding against the petitioner for a number of offences, including culpable homicide amounting to murder. The petitioner was acquitted, both by the Sessions court and the High Court before which he was pleading. The petitioner’s primary contention was that despite the judgment being classified as ‘unreportable’, it was published by an online repository of judgments and was also indexed by Google search. The decision of the High Court to dismiss the petition, rest of the following factors: a) failure on the part of the petitioner to show any provisions in law which are attracted, or threat to the constitutional right to life and liberty, b) publication on a website does not amount to ‘reporting’, as reporting only refers to that by law reports.

While the second point of reasoning made by the courts is problematic in terms of the function of precedent served by the reported judgments, and the basis for reducing the scope of ‘reporting’ to only law reports, the first point is of direct relevance to our current discussion. The lack of available legal provisions points to the absence of data protection legislation in India. Had there been a privacy legislation which addressed the issues of how personal information may be dealt with, it is possible that it may have had instructive provisions to address situation like these. In the absence of such law, the only recourse that an individual has is to seek constitutional protection under one of the fundamental rights, most notably Article 21, which over the years, has emerged as the infinite repository of unenumerated rights. However, typically rights under Article 21 are of a vertical nature, i.e., available only against the state. Their application in cases where a private party is involved remains questionable, at best.

In contrast, in the second case, the Karnataka High Court ruled in favor of the petitioner. In this case, the petitioner’s daughter instituted both criminal and civil proceedings against a person. However, later they arrived at a compromise and one of the conditions was quashing all the proceedings which had been initiated. The petitioner had raised concerns about the appearance of his daughter’s name in the cause title and was easily searchable. The court, while making vague references to “trend in the Western countries where they follow this as a matter of rule “Right to be forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned, held in the petitioner’s favor, and order that the name be redacted from the cause title and the body of the order before releasing to any service provider. The second judgment is all the more problematic for while it makes a reference to jurisprudence in other countries, yet it does not base it on the fundamental right to privacy, but to the idea of modesty and reputation of women, which has no clear legal basis on either Indian or comparative jurisprudence.

Conclusion

The above two cases demonstrate the problem of lack of a clear legal basis being employed by the judiciary in interpreting the right to be forgotten. Not only were no clear legal provisions in Indian law were taken refuge of while ruling on the existence of this right, the court also do not engage in any analysis of comparative jurisprudence such as the GDPR or the Costeja judgment. Such ad-hoc jurisprudence underlines the need for a data protection legislation, as in its absence, it is likely that divergent views are taken upon this issue, without a clear legal direction. It is likely that most matters concerning the right to erasure concern private parties as data controllers. In such cases, the existing jurisprudence on the right to privacy as interpreted under Article 21 may also be of limited value. Further, as has been pointed out above, the right to be forgotten needs to be a right qualified by conditions very clearly, and its conflict with the right to freedom of expression under Article 19. Therefore, it is imperative that a comprehensive data protection law addresses these issues.

^[1] Sri Vasunathan vs The Registrar, available at http://www.iltb.net/2017/02/karnataka-hc-on-the-right-to-be-forgotten/

^[2] Dharmraj Bhanushankar Dave v. State of Gujarat, available at https://drive.google.com/file/d/0BzXilfcxe7yueXFJWG5mZ1pKaTQ/view.

^[3] Google Spain et al v. Mario Costeja González, available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=152065.

^[4] http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf

^[5] Mayer-Schoenberger, Viktor, Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing (April 2007). KSG Working Paper No. RWP07-022. Available at SSRN: https://ssrn.com/abstract=976541 or http://dx.doi.org/10.2139/ssrn.976541.

^[6] Article 17 (1) states: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

^[7] Zittrain, Jonathan, “Don’t Force Google to ‘Forget’”, The New York Times, May 14, 2014. Available at https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html.

For more details visit https://cis-india.org/internet-governance/blog/right-to-be-forgotten-a-tale-of-two-judgments

India’s National ID Program May Be Turning The Country Into A Surveillance State

praskrishna — 2017-04-07T12:49:30Z

For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones.

The blog post by Pranav Dixit was published by BuzzFeedNews on April 4, 2017. Sunil Abraham was quoted.

An abridged version of the blog post containing Sunil Abraham's quotes are reproduced below:

“You can’t change your fingerprints”

Sunil Abraham, the CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.

“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is far from stellar. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.

Abraham’s concerns are not without global precedent. In 2012, Ecuadorian police jailed blogger Paul Moreno for breaking into the country’s online national identity database and registering himself as Ecuadorian President Rafael Correa. In April 2016, hackers posted a database containing names, national IDs, addresses, and birth dates of more than 50 million Turkish citizens, including Turkish President Recep Tayyip Erdogan; later that month, Mexico’s entire voter database — over 87 million national IDs, addresses, and more — was leaked onto Amazon’s cloud servers by as-yet-untraced sources; and in the Philippines, more than 55 million voters had their private information — including fingerprints — released on the Dark Web.

“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data.”

“What is the price that we pay as a nation if our database of over a billion people — complete with all 10 fingerprints and iris scans — leaks?” Abraham asked. The consequences, he said, will be permanent. Unlike a password, which you can reset at any time, your biometrics, if compromised, are the ultimate privacy breach. “You can’t change your fingerprints.”

The UIDAI claims that the Aadhaar database is protected using the “highest available public key cryptography encryption (PKI-2048 and AES-256)” and would take “billions of years” to crack.

“Encryption like this doesn’t typically get broken, it gets circumvented,” security researcher Troy Hunt told BuzzFeed News. “For example, the web application that sits in front of it is compromised and data is retrieved after decryption.” Or alternatively, he said, the encryption key itself is compromised. “Naturally, governments will offer all sorts of assurances on these things, but the simple, immutable fact is that once large volumes are centralized like this, there is a heightened risk of security incidents and of the data consequently being lost or exposed,” he added.

Cryptographer and cybersecurity expert Bruce Schneier echoed Hunt’s assessment. “When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” he said. “They will go around the encryption.”

Nilekani — who did not respond to BuzzFeed News’ requests for comment — recently dismissed concerns around the project’s privacy implications as “hand-waving.” In an interview with the Economic Times, he repeatedly stressed how secure Aadhaar’s “advanced encryption technology” was. “I can categorically say that it’s the most secure system in India and among the most secure systems in the world,” he said.

Abraham is unconvinced by such assurances. He believes Aadhaar fundamentally changes the equation between a citizen and a state. “There’s a big difference between you identifying yourself to the government, and the government identifying who you are,” he said.

Aadhaar’s opponents say the program’s implementation has left India’s poorest people with no choice but to use it. “If you link people’s food subsidies, wages, bank accounts, and other crucial things to Aadhaar, you hit them where it hurts the most,” Ramanathan argued. “You leave them with no choice but to sign up.”

“Can you imagine if the United States passed a law that said that every person who wished to get food stamps would need their fingerprints registered in a government-owned database?” a journalist turned Aadhaar activist who did not wished to be named told BuzzFeed News. “Imagine what a scandal that would be.”

For Nilekani, such criticism is just overstatement and drama. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he said during a recent interview with Indian business news channel ET Now. “The reality is that a billion people are using Aadhaar. A lot of the accusations are just delusional. Aadhaar is not a system for surveillance. [The critics] live in a bubble and are not connected to reality.”

Abraham laughed off Nilekani’s comments. “The Unique Identification Authority of India will become the monopoly provider of identification and authentication services in India,” he said. “That sounds like a centrally planned communist state to me. I don’t know which left liberal elites he’s talking about.”

For more details visit https://cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state

Privacy in the Age of Big Data

amber — 2017-04-11T14:43:59Z

Personal data is freely accessible, shared and even sold, and those to whom this information belongs have little control over its flow.

The article was published in the Asian Age on April 10, 2017.

In 2011 it was estimated that the quantity of data produced globally surpassed 1.8 zettabyte. By 2013, it had increased to 4 zettabytes. This is a result of digital services which involve constant data trails left behind by human activity. This expansion in the volume, velocity, and variety of data available, together with the development of innovative forms of statistical analytics on the data collected, is generally referred to as “Big Data”. Despite significant (though largely unrealised) promises about Big Data, which range from improved decision-making, increased efficiency and productivity to greater personalisation of services, concerns remain about the impact of such datafication of all human activity on an individual’s privacy. Privacy has evolved into a sweeping concept, including within its scope matters pertaining to control over one’s body, physical space in one’s home, protection from surveillance, and from search and seizure, protection of one’s reputation as well as one’s thoughts. This generalised and vague conception of privacy not only comes with great judicial discretion, it also thwarts a fair understanding of the subject. Robert Post called privacy a concept so complex and “entangled in competing and contradictory dimensions, so engorged with various and distinct meanings”, that he sometimes “despairs whether it can be usefully addressed at all”.

This also leaves the idea of privacy vulnerable to considerable suspicion and ridicule. However, while there is a lack of clarity over the exact contours of what constitutes privacy, there is general agreement over its fundamental importance to our ability to lead whole lives. In order to understand the impact of datafied societies on privacy, it is important to first delve into the manner in which we exercise our privacy. The ideas of privacy and data management that are prevalent can be traced to the Fair Information Practice Principles (FIPP). These principles are the forerunners of most privacy regimes internationally, such as the OECD Privacy Guidelines, APEC Framework, or the nine National Privacy Principles articulated by the Justice A.P. Shah Committee Report. All of these frameworks have rights to notice, consent and correction, and how the data may be used, as their fundamental principles. It makes the data subject to the decision-making agent about where and when her/his personal data may be used, by whom, and in what way. The individual needs to be notified and his consent obtained before his personal data is used. If the scope of usage extends beyond what he has agreed to, his consent will be required for the increased scope.

In theory, this system sounds fair. Privacy is a value tied to the personal liberty and dignity of an individual. It is only appropriate that the individual should be the one holding the reins and taking the large decisions about the use of his personal data. This makes the individual empowered and allows him to weigh his own interests in exercising his consent. The allure of this paradigm is that in one elegant stroke, it seeks to ensure that consent is informed and free and also to implement an acceptable trade-off between privacy and competing concerns. This approach worked well when the number of data collectors were less and the uses of data was narrower and more defined. Today’s infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most people have no understanding of what happens to their data.

The quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, “creating countless new digital puddles, lakes, tributaries and oceans of information”. The inadequacy of the regulatory approaches and the absence of a comprehensive data protection regulation is exacerbated by the emergence of data-driven business models in the private sector and the adoption of data-driven governance approach by the government. The Aadhaar project, with over a billion registrants, is intended to act as a platform for a number of digital services, all of which produce enormous troves of data. The original press release by the Central Government reporting the approval by the Cabinet of Ministers of the Digital India programme, speaks of “cradle to grave” digital identity as one of its vision areas.

While the very idea of the government wanting to track its citizens’ lives from cradle to grave is creepy enough in itself, let us examine for a minute what this form of datafied surveillance will entail. A host of schemes under Digital India shall collect and store information through the life cycle of an individual. The result, as we can see, is building databases on individuals, which when combined, will provide a 360 degree view into the lives of individuals. Alongside the emergence of India Stack, a set of APIs built on top of the Aadhaar, conceptualised by iSPIRT, a consortium of select IT companies from India, to be deployed and managed by several agencies, including the National Payments Corporation of India, promises to provide a platform over which different private players can build their applications.

The sum of these interconnected parts will lead to a complete loss of anonymity, greater surveillance and impact free speech and individual choice. The move towards a cashless economy — with sharp nudges from the government — could lead to lack of financial agencies in case of technological failures as has been the case in experiments with digital payments in Africa. Lack of regulation in emerging data driven sectors such as Fintech can enable predatory practices where right to remotely deny financial services can be granted to private sector companies. An architecture such as IndiaStack enables datafication of financial transactions in a way that enables linked and structured data that allows continued use of the transaction data collected. It is important to recognise that at the stage of giving consent, there are too many unknowns for us to make informed decisions about the future uses of our personal data. Despite blanket approvals allowing any kind of use granted contractually through terms of use and privacy policies, there should be legal obligations overriding this consent for certain kinds of uses that may require renewed consent.

Biometrics-based identification in UK: In 2005, researchers from London School of Economics and Political Science came out with a detailed report on the UK Identity Cards Bill (‘UK Bill’) — the proposed legislation for a national identification system based on biometrics. The project also envisaged a centralised database (like India) that would store personal information along with the entire transaction history of every individual. The report pointed strongly against the centralising storage of information and suggested other alternatives such as a system based on smartcards (where biometrics are stored on the card itself) or offline biometric-reader terminals.

As per the report, the alternatives would also have been cheaper as neither required real-time online connectivity. In India, online authentication is a far greater challenge. According to Network Readiness Index, 2016, India ranks 91, whereas UK is placed eight. Poor Internet connectivity can raise a lot of problems in the future including paralysis of transactions. The UK identification project was subsequently discarded as a result of the privacy and cost considerations raised in this report.

Aadhaar: Privacy concerns

Once the data is collected through National Information Utilities, it will be privatised and controlled by private utilities.
Once an individual’s data is entered in the system, it cannot be deleted. That individual will have no control over it.
Aadhaar Data (Demographic details along with photographs) are shared/transferred with the private entities including telecom companies as per the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Act, 2016 with the consent of Aadhaar number holder to fulfil their e-KYC requirements. The data is shared in encrypted form through secured channel.
Aadhaar Enabled Payment System (AEPS) on which 119 banks are live.
More than 33.87 crore transactions have taken place through AEPS, which was only 46 lakhs in May 2014.
As on 30-9-2016, 78 government schemes were linked to Aadhaar.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, provides that no core-biometric information (fingerprints, iris scan) shall be shared with anyone for any reason whatsoever (Sec 29) and that the biometric information shall not be used for any purpose other than generation of Aadhaar and authentication.
Access to the data repository of UIDAI, called the Central Identities Data Repository(CIDR), is provided to third parties or private companies.

Central Monitoring System (CMS) is already live in Delhi, New Delhi and Mumbai. Union minister Ravi Shankar Prasad revealed this in one of his replies in the Lok Sabha last year. CMS has been set up to automate the process of Lawful Interception & Monitoring of telecommunications.

Lawful Intercept and Monitoring (LIM) systems are used by the Indian Government to intercept records of voice, SMSes, GPRS data, details of a subscriber’s application and recharge history and call detail record (CDR) and monitor Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users.

For more details visit https://cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data