The Centre for Internet and Society
https://cis-india.org
SCOSTA and UID Comparison not Valid, says Finance Committee
https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid
<b>The Standing Committee on Finance Branch, Lok Sabha Secretariat has responded to the suggestions offered by CIS on the National Identification Authority of India, Bill 2010 and has requested it to mail its views by 14 October 2011.</b>
<p>On January 6, 2011, CIS had sent an <a href="https://cis-india.org/internet-governance/blog/blog/privacy/letter-to-finance-committee" class="external-link">open letter to the Parliamentary Finance Committee</a> demonstrating how the Aadhaar biometric standard is weaker than the SCOSTA standard. The text of the reply is reproduced below.</p>
<p>Sir,</p>
<p>This is in response to one of the views/suggestions offered by CIS on the National Identification Authority of India Bill, 2010.</p>
<h3>CIS View/Suggestion:</h3>
<p>"Though the Aadhaar biometrics are useful for the de-duplication and identification of individuals, the Smart Card Operating System for Transport Application [(SCOSTA), developed by the National Informatics Centre in India)] standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Therefore, the Aadhaar biometric based authentication process should be replaced with a SCOSTA standard based authentication process."</p>
<p>In this regard, do you agree with the following view? If not, please justify.</p>
<p>"Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the unique id project.</p>
<p>The UID project follows a different approach and has multiple objectives — providing identity to residents of India, ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services, eliminating the fakes, duplicates and ghost identities prevalent in other databases and provide a platform for authentication in a cost effective and accessible manner.</p>
<p>UIDAI is not issuing cards or smart cards. Cards can be issued by agencies that are providing services. UID authentication does not exclude smart cards — service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."</p>
<p>You are requested to email your view by 14 October, 2011 positively.</p>
<p>Standing Committee on Finance Branch<br />Lok Sabha Secretariat</p>
No publisher | elonnai | Internet Governance | 2011-11-22T16:37:43Z | Blog Entry
Right to Privacy Bill 2010 — A Few Comments
https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010
<b>Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.</b>
<h2>Specific Recommendations</h2>
<p>The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged. </p>
<p>The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web by the media for the public to view. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses those of both the photographers and the journalists producing material for their journals. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory? </p>
<p>Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation. </p>
<h2>Specific Comments to the Bill</h2>
<h3>Misguiding Title</h3>
<p>The title of the Bill is "the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".</p>
<h3>Inappropriate Blanket Use of Privacy</h3>
<p>The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto." </p>
<p><strong>Comment</strong>: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest. </p>
<h3>Narrow Definition of Public Figures </h3>
<p>Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties.</p>
<p><strong>Comment</strong>: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, musicians, CEOs, and authors.</p>
<h3>Insufficient Limits to the Right to Privacy</h3>
<p>Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone: </p>
<p>Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.”</p>
<p><strong>Comment</strong>: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public be informed, and the individual’s right to privacy be limited? </p>
<h3>Limited Scope of Technology </h3>
<p>Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be." </p>
<p><strong>Comment</strong>: We recommend that this clause clarify whether only cellular phones, and not cameras, computers, or other devices with built-in cameras, are required to produce the sound of at least 65 decibels.</p>
<h3>Overly Complicated Clauses </h3>
<p>Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of: </p>
<div>
<p>Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned. </p>
<p>Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and</p>
<p>Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise. </p>
<p><strong>Comment</strong>: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overbroad, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.</p>
<p>Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.</p>
</div>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-22T06:26:14Z | Blog Entry
Rethinking Privacy Principles
https://cis-india.org/internet-governance/files/rethinking-privacy-principles
No publisher | elonnai | 2017-09-11T02:17:02Z | File
Rethinking DNA Profiling in India
https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india
<b>DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs to be included in the draft Human DNA Profiling Bill.</b>
<hr />
<p style="text-align: justify; ">Elonnai Hickok's article was <a class="external-link" href="http://www.epw.in/web-exclusives/rethinking-dna-profiling-india.html">published in Economic & Political Weekly</a>, Vol - XLVII No. 43, October 27, 2012</p>
<hr />
<p style="text-align: justify; ">DNA evidence was first accepted by the courts in India in 1985,<a href="#fn1" name="fr1">[1]</a> and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include</p>
<p class="callout" style="text-align: justify; ">"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.</p>
<p>The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.<a href="#fn3" name="fr3">[3]</a> The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,<a href="#fn5" name="fr5">[5]</a> along with a number of private labs<a href="#fn6" name="fr6">[6]</a> which analyse DNA samples for crime-related purposes.</p>
<p style="text-align: justify; ">In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of</p>
<p class="callout" style="text-align: justify; ">"enhancing protection of people in the society and the administration of justice."<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.<a href="#fn8" name="fr8">[8]</a> The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.</p>
<p>Concerns that have been raised with regard to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles<a href="#fn9" name="fr9">[9]</a> from DNA samples<a href="#fn10" name="fr10">[10]</a> only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles are added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).<a href="#fn11" name="fr11">[11]</a> This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.<a href="#fn12" name="fr12">[12]</a></p>
<p style="text-align: justify; ">The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: <i>crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board</i>.<a href="#fn13" name="fr13">[13]</a> How independent each of these indices is remains unclear. For example, the Bill does not specify, when a profile is searched for in the database, whether all indices are searched or only the relevant indices are searched, and the Bill requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.<a href="#fn14" name="fr14">[14]</a> The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected and used for the identification of the perpetrator, including unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.<a href="#fn15" name="fr15">[15]</a> Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offences will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.</p>
<p style="text-align: justify; ">Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.<a href="#fn16" name="fr16">[16]</a> Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,<a href="#fn17" name="fr17">[17]</a> but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,<a href="#fn18" name="fr18">[18]</a> it allows for DNA profiles/DNA samples and related information to be shared for “<i>creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms</i>.”<a href="#fn19" name="fr19">[19]</a></p>
<p style="text-align: justify; ">An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."<a href="#fn20" name="fr20">[20]</a> CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.<a href="#fn21" name="fr21">[21]</a> Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?</p>
<p style="text-align: justify; ">Similarly, in the Report of the Working Group for the Eleventh Five Year Plan, it lists the following as a possible use of DNA profiling technology:</p>
<p class="callout" style="text-align: justify; ">"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."<a href="#fn22" name="fr22">[22]</a></p>
<p style="text-align: justify; ">This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals, and identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Windward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.<a href="#fn24" name="fr24">[24]</a> In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,</p>
<p style="text-align: justify; ">"<i>In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals</i>."<a href="#fn25" name="fr25">[25]</a> Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.<a href="#fn26" name="fr26">[26]</a> And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.<a href="#fn27" name="fr27">[27]</a> These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.</p>
<p style="text-align: justify; ">The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, <i>"DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead with any doubt."</i><a href="#fn28" name="fr28">[28]</a></p>
<p style="text-align: justify; ">This statement ignores the possibility of false matches, cross-contamination, and laboratory error,<a href="#fn29" name="fr29">[29]</a> as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime;<a href="#fn30" name="fr30">[30]</a> in the French diplomat rape case, the DNA report came out with both negative and positive results;<a href="#fn31" name="fr31">[31]</a> and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.<a href="#fn32" name="fr32">[32]</a> Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.<a href="#fn33" name="fr33">[33]</a></p>
<p style="text-align: justify; ">The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:</p>
<p class="callout" style="text-align: justify; ">"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."<a href="#fn34" name="fr34">[34]</a></p>
<p style="text-align: justify; ">The claim that the DNA fingerprinting service has shown a dramatic increase in the conviction rate is not supported by evidence in this article. In addition, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.<a href="#fn35" name="fr35">[35]</a> This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.<a href="#fn36" name="fr36">[36]</a> From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.</p>
<p style="text-align: justify; ">Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hands of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.<a href="#fn37" name="fr37">[37]</a></p>
<p style="text-align: justify; ">Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.<a href="#fn38" name="fr38">[38]</a> The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.</p>
<p style="text-align: justify; ">The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.<a href="#fn39" name="fr39">[39]</a> These are significant gaps in the proposed legislation as it restricts the rights of the individual.</p>
<p style="text-align: justify; ">In conclusion, India could benefit from having a legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement from the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at:<span> <a href="http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf">http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr2" name="fn2">2</a>]. Section 53. The Criminal Code of Procedure, 1973. Available at: <span><a href="http://www.vakilno1.com/bareacts/crpc/s53.htm">http://www.vakilno1.com/bareacts/crpc/s53.htm</a></span>. Last accessed October 9th 2012.<br />[<a href="#fr3" name="fn3">3</a>]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: <span><a href="http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf">http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf</a></span>. Last Accessed October 9th 2012.<br />[<a href="#fr4" name="fn4">4</a>]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: <span><a href="http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0">http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr5" name="fn5">5</a>]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr6" name="fn6">6</a>]. 
For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.<br />[<a href="#fr7" name="fn7">7</a>]. Draft Human DNA Profiling Bill 2012. Introduction.<br />[<a href="#fr8" name="fn8">8</a>]. Id. section 12(a-z)<br />[<a href="#fr9" name="fn9">9</a>]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.<br />[<a href="#fr10" name="fn10">10</a>]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct CAN analysis, collected in such manner as specified in Part II of the Schedule.<br />[<a href="#fr11" name="fn11">11</a>]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.<br />[<a href="#fr12" name="fn12">12</a>]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html">http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr13" name="fn13">13</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))<br />[<a href="#fr14" name="fn14">14</a>]. Id. Section 35<br />[<a href="#fr15" name="fn15">15</a>]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.<br />[<a href="#fr16" name="fn16">16</a>]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.<br />[<a href="#fr17" name="fn17">17</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (5)-
(6)(a)-(b)
. Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.<br />[<a href="#fr18" name="fn18">18</a>]. Id. Section 39<br />[<a href="#fr19" name="fn19">19</a>]. Id. Section 40(c)<br />[<a href="#fr20" name="fn20">20</a>]. CDFD. Annual Report 2010-2011. Pg19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr21" name="fn21">21</a>]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: <a href="http://www.cdfd.org.in/servicespages/dnafingerprinting.html" title="http://www.cdfd.org.in/servicespages/dnafingerprinting.html">http://www.cdfd.org.in/servicespages/dnafingerprinting.html</a><br />[<a href="#fr22" name="fn22">22</a>]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: <span><a href="http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf">http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr23" name="fn23">23</a>]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html">http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr24" name="fn24">24</a>]. Narayan, P. 
A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: <span><a href="http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms">http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr25" name="fn25">25</a>]. BioAxis DNA Research Centre (P) Limited. Website Available at: <span><a href="http://www.dnares.in/dna-databank-database-of-india.php">http://www.dnares.in/dna-databank-database-of-india.php</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr26" name="fn26">26</a>]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at:<span><a href="http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank">http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr27" name="fn27">27</a>]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.<br />[<a href="#fr28" name="fn28">28</a>]. Draft DNA Human Profiling Bill 2012. Introduction<br />[<a href="#fr29" name="fn29">29</a>]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr30" name="fn30">30</a>]. DNA. Aarushi case: Expert forgets samples collected from murder spot. 
August 28th 2012. Available at: <span><a href="http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957">http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr31" name="fn31">31</a>]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: <span><a href="http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html">http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr32" name="fn32">32</a>]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: <span><a href="http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests">http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr33" name="fn33">33</a>]. Draft Human DNA Profiling Bill 2012. Section 18-27.<br />[<a href="#fr34" name="fn34">34</a>]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: <span><a href="http://dbtindia.nic.in/uniquepage.asp?id_pk=124">http://dbtindia.nic.in/uniquepage.asp?id_pk=124</a></span>. Last accessed: October 10 2012.<br />[<a href="#fr35" name="fn35">35</a>]. CDFD Annual Report 2010 – 2011.Pg.19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr36" name="fn36">36</a>]. CDFD Annual Report 2006-2007.Pg. 13. 
Available at: <span><a href="http://www.cdfd.org.in/images/AR_2006_07.pdf">http://www.cdfd.org.in/images/AR_2006_07.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr37" name="fn37">37</a>]. Draft Human DNA Profiling Bill 2012. Section 35<br />[<a href="#fr38" name="fn38">38</a>]. Id. Section 41.<br />[<a href="#fr39" name="fn39">39</a>].Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9 Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india'>https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india</a>
</p>
No publisher | elonnai | Internet Governance; Privacy | 2012-10-29T08:00:01Z | Blog Entry
Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill
https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill
<b>Following our previous post comparing the leaked 2014 Privacy Bill with the leaked 2011 Privacy Bill, this post will compare the recommendations provided in the Report of the Group of Experts on Privacy by the Justice AP Shah Committee to the text of the leaked 2014 Privacy Bill. Below is an analysis of recommendations from the Report that are incorporated in the text of the Bill, and recommendations in the Report that are not incorporated in the text of the Bill. </b>
<h2>Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill</h2>
<h3>Constitutional Right to Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.</p>
<h3 style="text-align: justify; ">Nine National Privacy Principles</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data. An analysis of the principles as compared in the Report and the Bill is below:</p>
<ul>
<li style="text-align: justify; "><b>Notice</b>: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill. According to the notice principle in the Report, a data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information; Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects. <br /><br />In contrast, the 2014 Privacy Bill requires that all data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected. 
If the purpose for the use of the personal data changes, data controllers must provide data subjects with a further notice that would include: the use to which the personal data shall be put; whether or not the personal data will be disclosed to a third person and, if so, the identity of such person; if the personal data being collected is intended to be transferred outside India, the reasons for doing so, how such transfer helps in achieving the legitimate purpose, and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data, and the procedure relating thereto; and the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place, data controllers must inform the affected data subject that the data was lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; or processed, re-identified or disclosed in an unauthorized manner.<br /><br />Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Choice and Consent</b>: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on Privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subjects will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex, the 2014 Privacy Bill also contains provisions that address mandatory collection of information, which require, as recommended by the Report of the Group of Experts, that the information is anonymized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data. <br /><br />Unlike the principle recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exceptional cases, when it is not possible to provide a service with choice and consent, choice and consent will not be required.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Collection Limitation:</b> The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and consent taken. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Purpose Limitation</b>: Though the principles of Purpose Limitation are similar in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill, as they both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which it is processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data. </li>
</ul>
<ul>
<li><b>Access and Correction</b>: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Disclosure of Information: </b>The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim). As recommended, this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound to adhere to all relevant and applicable privacy principles.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Security:</b> The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Openness:</b> The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity of the data they collect. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Accountability:</b> The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts, as both require that the data controller be accountable for compliance with the National Privacy Principles. </li>
</ul>
<p style="text-align: justify; "><b>Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material</b>: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).</p>
<p style="text-align: justify; ">With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. Note that the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. <br /><br />With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised. <br /><br />With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.</p>
<h3 style="text-align: justify; ">Additional Protection for Sensitive Personal Data</h3>
<p style="text-align: justify; ">The <b>Report of the Group of Experts on Privacy</b> broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The <b>2014 Privacy Bill</b> incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions; password, banking credit and financial data; narco analysis or polygraph test data; and sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances in which this authorization would not be required, including: collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected and processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic material is processed and collected by law enforcement agencies; such data regarding credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual; such data is collected or processed by the government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India; or the Authority has, by a general or specified order, permitted the processing of such data for a specific purpose, and the processing is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.</p>
<h3 style="text-align: justify; ">Privacy Officers</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.</p>
<h3 style="text-align: justify; ">Co-regulatory Framework</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry-level self-regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry-level self-regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.</p>
<h2 style="text-align: justify; ">Recommendations in the Report that are not in the Bill</h2>
<h3>Scope</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India. The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.</p>
<h3 style="text-align: justify; ">Exceptions</h3>
<p>The Report of the Group of Experts recommends the following as exceptions to the right to privacy:</p>
<ol>
<li>National security</li>
<li>Public order</li>
<li>Disclosure in the public interest </li>
<li>Prevention, detection, investigation, and prosecution of criminal offenses </li>
<li>Protection of the individual and rights and freedoms of others </li>
</ol>
<p>The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessity in a democratic state.</p>
<p style="text-align: justify; ">The Privacy Bill 2014 reflects only the exception of “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:</p>
<ol>
<li>Sovereignty, integrity or security of India; or</li>
<li>Strategic, scientific or economic interest of India; or</li>
<li>Preventing incitement to the commission of any offence; or</li>
<li>Prevention of public disorder; or</li>
<li>The investigation of any crime; or</li>
<li>Protection of rights and freedoms of others; or</li>
<li>Friendly relations with foreign states; or</li>
<li>Any other legitimate purpose mentioned in this Act.</li>
</ol>
<p style="text-align: justify; ">Instead of qualifying these exceptions with the principles of proportionality, legality, and necessity in a democratic state, as recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.</p>
<h3 style="text-align: justify; ">Constitution of Infringement of Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast, the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to Information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.</p>
<h3 style="text-align: justify; ">The Data Protection Authority</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The Privacy Commissioner should have the power to receive and investigate class action complaints, and the investigative powers of the Commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo motu, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio & video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry-level SROs.</p>
<p style="text-align: justify; ">Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.</p>
<p style="text-align: justify; ">The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs, to receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, and to conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate any complaint received, and adjudicate on a dispute arising between data controllers or between data subjects and data controllers. Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.</p>
<h3 style="text-align: justify; ">Tribunal and System of Complaints</h3>
<p style="text-align: justify; ">Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization. The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.</p>
<h3 style="text-align: justify; ">Penalties and Offenses</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.</p>
<p style="text-align: justify; ">In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.</p>
<hr />
<p><b>References</b></p>
<ol>
<li><a href="https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011/" class="external-link">Leaked Privacy Bill: 2014 vs. 2011 </a></li>
<li><a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of the Group of Experts on Privacy</a></li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill'>https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill</a>
</p>
No publisher | elonnai | Featured | Internet Governance | Privacy | 2014-04-14T06:10:20Z | Blog Entry
Q&A to the Report of the Group of Experts on Privacy
https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy
<b>In January 2012 Justice A.P. Shah formed a committee consisting of a group of experts to contribute to and create a report of recommendations for a privacy legislation in India. The committee met a total of seven times from January to September 2012. The Centre for Internet and Society (CIS) was a member of the committee creating the report. This blog post is CIS’s attempt to answer questions that have arisen from media coverage on the report, based on our understanding. </b>
<h2>Executive Summary</h2>
<p style="text-align: justify; ">The executive summary explains how the need for a horizontal privacy legislation that recognizes the right to privacy has come about in India in light of projects and practices such as the UID, NATGRID, and the changing nature of business and technology. The executive summary highlights the committee’s recommendations of what should be considered by legislatures while enacting a privacy legislation in India.</p>
<p><b>Q: What are the salient features of the committee’s recommendations? </b></p>
<p><b>A:</b> In its report the committee recommended that any privacy legislation passed should:</p>
<ul>
<li style="text-align: justify; "> Be technologically neutral and interoperable with international standards to ensure that the regulation can adapt to changing technology, and that business will be promoted. </li>
<li style="text-align: justify; ">Recognize the multiple dimensions of privacy including physical and informational privacy. </li>
<li style="text-align: justify; ">Apply to all data controllers both in the private sector and the public sector to ensure that businesses and governments are held accountable to protecting privacy. </li>
<li style="text-align: justify; ">Establish a set of privacy principles that can be applicable to different practices, policies, projects, departments, and businesses to create a uniform level of privacy protection across all sectors. </li>
<li style="text-align: justify; ">Create an enforcement regime of co-regulation, where industry has the choice of developing privacy principles and ensuring compliance at the sectoral level with regular oversight by the Privacy Commissioners. </li>
</ul>
<h2>Chapter 1: Constitutional Basis for Privacy</h2>
<p>This chapter summarizes a number of decisions from the Indian Judiciary that demonstrate how the right to privacy in India has been defined on a case-by-case basis and has been defined as either a fundamental right or a common law right.</p>
<p><b>Q: What are the contexts of the cases covered? </b></p>
<p><b>A:</b> This chapter covers cases that speak to the:</p>
<ul>
<li>Right to privacy in the context of surveillance by the State </li>
<li>Balancing the ‘right to privacy’ against the ‘right to free speech’ </li>
<li>The ‘right to privacy’ of HIV patients </li>
<li>Prior judicial sanctions for tapping telephones </li>
<li>The ‘search and seizure’ powers of revenue authorities </li>
</ul>
<h2>Chapter 2: International Privacy Principles</h2>
<p>This chapter summarizes recent developments in privacy laws, international privacy principles, and privacy principles developed by specific countries. This review aided the Committee in forming its recommendations for the report.</p>
<p><b>Q: Privacy principles from which countries were reviewed by the Committee?</b></p>
<p><b>A:</b> The Committee reviewed privacy principles from the following countries and international organizations.</p>
<ul>
<li>EU Regulations of January 2012 </li>
<li>US Consumer Privacy Bill of Rights </li>
<li>OECD Privacy Principles </li>
<li>APEC Privacy Framework </li>
<li>Australia </li>
<li>Canada </li>
</ul>
<h2>Chapter 3: National Privacy Principles, Rationales, and Emerging Issues</h2>
<p style="text-align: justify; ">This chapter lays out the nine national privacy principles and describes the rationale for each principle along with emerging issues around each principle.</p>
<p><b>Q: What could the principles apply to? </b></p>
<p style="text-align: justify; "><b>A:</b> The principles apply to the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information by data controllers. The national privacy principles can also be applied to legislation, projects, practices, and policies to ensure that provisions and requirements are in compliance with the national privacy principles.</p>
<p><b>Q: Who could be brought under the scope of the principles?</b></p>
<p style="text-align: justify; "><b>A:</b> The principles are applicable to every data controller in the private sector and the public sector. For example organizations and government departments that determine the purposes and means of processing personal information will be brought under the scope of the principles and will be responsible for carrying out the processing of data in accordance with sectoral privacy standards or the national privacy principles.</p>
<p><b>Q: How could the National Privacy Principles impact individuals? </b></p>
<p style="text-align: justify; "><b>A:</b> The principles provide individuals with the right to:</p>
<ol>
<li style="text-align: justify; ">Receive notice before giving consent stating what personal information is being collected, the purposes for which personal information is being collected, the uses of collected personal information, whether or not personal information will be disclosed to third persons, security safeguards established by the data controller, processes available to data subjects to access and correct personal information, and contact details of privacy officers. </li>
<li>Opt in and out of providing personal information. </li>
<li>Withdraw given consent at any point of time. </li>
<li>Access and correct any personal information held by data controllers. </li>
<li>Issue a complaint with the respective ombudsman, privacy commissioner, or court. </li>
</ol>
<p><b>Q: Would the National Privacy Principles be binding for every data controller? </b></p>
<p><b>A:</b> Yes, but Self Regulating Organizations at the industry level have the option of developing principles for that specific sector. These principles must be approved by the privacy commissioner and be in compliance with the National Privacy Principles.</p>
<h2>Chapter 4: Analysis of Relevant Legislation, Bills, and Interests from a Privacy Perspective</h2>
<p style="text-align: justify; ">This chapter examines relevant legislation, bills, and interests from a privacy perspective. In doing so the chapter clarifies how the right to privacy should intersect with the right to information and the freedom of expression, and analyzes current and upcoming legislation to demonstrate what existing provisions in the legislation uphold the privacy principles, what existing provisions are in conflict with the principles, and what provisions are missing to ensure that the legislation is compliant to the extent possible with the principles.</p>
<p><b>Q: How does the report understand the relationship between the Right to Information and the Right to Privacy?</b></p>
<p style="text-align: justify; "><b>A:</b> When applied the Privacy Act should not circumscribe the Right to Information Act. Furthermore, RTI recipients should not be considered data controllers and thus should not be brought under the ambit of the privacy principles.</p>
<p><b>Q: How does the report understand the relationship between the freedom of expression and privacy? </b></p>
<p style="text-align: justify; "><b>A:</b> Questions about how to balance the right to privacy with the freedom of expression can arise in many circumstances including: the right to be forgotten and data portability, journalistic expression, state secrecy and whistle blowers, and national security. Most often, public interest is the test used to determine if the right to privacy should supersede the freedom of expression or vice versa.</p>
<h2>Chapter 5: The Regulatory Framework</h2>
<p style="text-align: justify; ">This chapter outlines the committee’s recommendations for a regulatory framework for the Privacy Act.</p>
<p><b>Q: Who are the main actors in the regulatory framework?</b></p>
<p style="text-align: justify; "><b>A:</b> The report recommends that a regulatory framework be comprised of one privacy commissioner at the central level and four commissioners at the regional level, self regulating organizations (SRO’s) at the industry level, data controllers and privacy officers at the organization level, and courts.</p>
<p><b>Q: What are the salient features of the regulatory framework? </b></p>
<p style="text-align: justify; "><b>A:</b> The salient features of the regulatory framework include 1. A framework of co-regulation 2. Complaints 3. Exceptions to the Privacy Act 4. Offenses under the Act</p>
<p><b>Q: What are exceptions to the right to privacy? Are these blanket exceptions?</b></p>
<p style="text-align: justify; "><b>A:</b> National security; public order; disclosure of information in public interest; prevention, detection, investigation and prosecution of criminal offences; and protection of the individual or of the rights and freedoms of others are suggested exceptions to the right to privacy. The committee has qualified these exceptions with the statement that before an exception can be made for the following circumstances, the proportionality, legality, and necessity in a democratic state should be used to measure if the exception applies and the extent of the exception. Thus, they are not blanket exceptions to the right to privacy.</p>
<p style="text-align: justify; ">Historical and scientific research and journalistic purposes were also recommended as additional exceptions to the right to privacy that may be considered. These exceptions will not be subjected to the principles of proportionality, legality, and necessity in a democratic state.</p>
<p><b>Q: What are the powers and responsibilities of the privacy commissioners? </b></p>
<p><b>A:</b> The powers and responsibilities of the Privacy Commissioners are the following:</p>
<p><b>Responsibilities:</b></p>
<ol>
<li>Enforcement of the Act </li>
<li style="text-align: justify; ">Broadly oversee interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material. </li>
<li>Evaluate and approve privacy principles developed by SRO’s </li>
<li style="text-align: justify; ">Collaborate with stakeholders to ensure effective regulation, promote awareness of the Act, and sensitize citizens to privacy considerations </li>
</ol>
<p><b>Powers: </b></p>
<ol>
<li>Order privacy impact assessments on organisations </li>
<li>Investigate complaints suo motu or based on complaints from data subjects (summon documents, call and examine witnesses, and take a case to court if necessary) </li>
<li>Fine non-compliant data controllers </li>
</ol>
<p><b>Q: How does Co-regulation work? </b></p>
<p style="text-align: justify; "><b>A:</b> The purpose of establishing a regulatory framework of co-regulation is to ensure that appropriate policies and principles are articulated and enforced for all sectors. If a sector wishes to develop its own privacy standards, the industry level self regulating organization will submit to the privacy commissioner a sub set of self regulatory norms. If these norms are approved by the privacy commissioner the SRO will be responsible for enforcing those norms, but the privacy commissioner will have the power to sanction member data controllers for violating the norms. If a sector does not have an SRO or does not wish to develop its own set of standards, the National Privacy Principles will be binding.</p>
<p><b>Q: What are data controllers? What are privacy officers? What are ombudsmen? </b></p>
<p style="text-align: justify; "><b>A:</b> A data controller is any entity that handles or processes data. Privacy officers receive and handle complaints at the organizational level and may be appointed as part of a SRO’s privacy requirements for a sector. Ombudsmen are appointed at the SRO level and are also responsible for receiving and handling complaints. The objective of having ombudsmen and privacy officers is to reduce the burden of handling complaints on the commissioner and the courts.</p>
<p><b>Q: When can an individual issue a complaint? Which body should individuals issue complaints to? </b></p>
<p style="text-align: justify; "><b>A:</b> An individual can issue a complaint at any point of time when they feel that their personal information has not been handled by a data controller according to the principles, or that a data controller is not in compliance with the Act. When applicable complaints are encouraged to be issued first to the organization. If the complaint is not resolved, the individual can take the complaint to the SRO or privacy commissioner. The individual also has the option of taking a complaint straight to the courts. When a complaint is received by the commissioner, the commissioner may fine the data controller if it is found to be non-compliant. Data controllers cannot appeal fines issued by the commissioner, but they can appeal the initial decision of non-compliance.</p>
<p><b>Q: Can an individual receive compensation for a violation of privacy? </b></p>
<p style="text-align: justify; "><b>A:</b> Yes. Individuals who suffer damages caused by non-compliance with the principles or any obligation under the Act can receive compensation, but the compensation must be issued by the courts and cannot be issued by a privacy commissioner. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.</p>
<p><b>Q: What offences does the report recommend?</b></p>
<p><b>A:</b> The following constitute offences under the Act:</p>
<ul>
<li>Non-compliance with the privacy principles </li>
<li>Unlawful collection, processing, sharing/disclosure, access, and use of personal data </li>
<li>Obstruction of commissioner </li>
<li>Failure to comply with notification issued by commissioner
<ul>
<li> Processing data after receiving a notification </li>
<li> Failure to appear before commissioner </li>
<li>Failure to produce documents requested by commissioner </li>
<li> Sending report to commissioner with false or misleading information</li>
</ul>
</li>
</ul>
<h2>Chapter 6: The Multiple Dimensions of Privacy</h2>
<p style="text-align: justify; ">This chapter gives examples of practices that impact privacy in India which the national privacy principles could be applied to. These include interception/access, the use of electronic recording devices, the use of personal identifiers, and the use of bodily and genetic material. The current state of each practice in India is described, and the inconsistencies and gaps in the regimes are highlighted. Each section also provides recommendations of which privacy principles need to be addressed and strengthened in each practice, and how the privacy principles would be affected by each practice.<b> </b></p>
<p><b>Q: Does the report give specific recommendations as to how each practice should be amended to incorporate the National Privacy Principles?</b></p>
<p><b>A:</b> No. Each section explains the current state of the practice in India, gaps and inconsistencies with the current practice, and recommends broadly what principles need to be addressed and strengthened in the regime, and how the National Privacy Principles may be affected by the practice.</p>
<h3>Summary of Recommendations</h3>
<p>This chapter consolidates and clarifies all of the Committee’s recommendations for a Privacy Act in India.</p>
<p><b>Q: Are the recommendations in this chapter different from chapters above?</b></p>
<p style="text-align: justify; "><b>A:</b> No. The recommendations in this chapter reflect the recommendations made earlier. This chapter does clarify the recommended scope and objectives of the Privacy Act including:</p>
<ol>
<li style="text-align: justify; ">The Act should define and harmonize with existing laws in force. </li>
<li style="text-align: justify; ">The Act should extend the right of privacy to all individuals in India and all data processed by any company or equipment located in India, and all data that originated in India. </li>
<li style="text-align: justify; ">The Act should clarify that the publication of personal data for artistic and journalistic purposes in public interest, the use of personal information for household purposes, and the disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy. </li>
<li style="text-align: justify; ">The Act should not require a ‘reasonable expectation’ of privacy to be present for the right to be invoked. </li>
<li style="text-align: justify; ">If any other legislation provides more extensive protections than those set out by the Privacy Act, then the more extensive protections should apply. </li>
</ol>
<hr />
<p><a href="https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf" class="internal-link">Report of the Group of Experts on Privacy</a> [PDF, 1270 Kb]</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy'>https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2012-11-09T10:20:48Z | Blog Entry
Public Statement to Final Draft of UID Bill
https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID
<b>The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become law in India. The following note contains Civil Society's response to the final draft of the Bill. </b>
<p>On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year, in June 2010, the Authority issued a draft UID Bill to the public for comment and review. Civil Society responded with a detailed summary and a high-level summary of points that amended the draft or were missing in the draft Bill. We are disappointed that none of the concerns raised by Civil Society, including those listed below, were addressed.</p>
<ul><li>
<p><strong>Architecture</strong></p>
</li></ul>
<p>The centralized architecture of the UID project is unnecessary. A federated and decentralized structure to the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.</p>
<ul><li>
<p><strong>Scope</strong></p>
</li></ul>
<p>The scope of the Bill is overbroad. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms creates a threat that data will be collected and used beyond delivery of benefits.</p>
<ul><li>
<p><strong>Voluntary and not Mandatory</strong></p>
</li></ul>
<p>The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number, provided that an individual furnishes equivalent ID, thus ensuring that the <em>Aadhaar</em> number is truly voluntary. </p>
<ul><li>
<p><strong>Inadequate Privacy Safeguards</strong></p>
</li></ul>
<p>The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about data collection, transfer, retention, security, and dissemination.</p>
<ul><li>
<p><strong>Unwarranted Data Retention</strong></p>
</li></ul>
<p>The Bill does not provide adequate privacy protection for transaction data. In particular section 32(2) empowers the Authority to determine the duration that data is to be retained for.</p>
<ul><li>
<p><strong>Lack of accountability for all Actors</strong></p>
</li></ul>
<p>The Bill holds only the Authority accountable for violations. Rather the Bill needs to hold enrolling agencies, registrars, and other service providers accountable. Furthermore, the Bill does not provide adequate regulations or accountability for the data that are outsourced. </p>
<ul><li>
<p><strong>Lack of Exceptions</strong></p>
</li></ul>
<p>The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of <em>Aadhaar</em> numbers or authentication of transactions. </p>
<ul><li>
<p><strong>Lack of Anonymity</strong></p>
</li></ul>
<p>The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an <em>Aadhaar</em> number should not be requested.</p>
<ul><li>
<p><strong>Inadequacy of Penalties</strong></p>
</li></ul>
<p>The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.</p>
<ul><li>
<p><strong>Unaffordability of Fees</strong></p>
</li></ul>
<p> It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated. </p>
<ul><li>
<p><strong>Lack of Rollback and Ombudsman Office</strong></p>
</li></ul>
<p>The Bill does not provide adequate redress for system/transaction errors and fraud. </p>
<ul><li>
<p><strong>Inappropriate Structure and Governance</strong></p>
</li></ul>
<p>The Bill does not provide appropriate judicial and parliamentary oversight.</p>
<p> Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant: </p>
<ul><li><strong>Definition of Resident</strong></li></ul>
<p>Section 2 (q): “‘resident’ means an individual usually residing in a
village or rural area or town or ward or demarcated area (demarcated by
the Registrar General of Citizen Registration) within ward in a town
or urban area”</p>
<p><em>Comment</em>: This section clarifies the definition of
‘resident’ from the draft Bill, which defined resident as an “individual
usually residing within the territory of India”. By specifying that
individuals in demarcated areas will not receive UID numbers, the
definition of resident is brought into line with the scope of the Bill
as laid out in the preamble. We see this change as a positive revision.</p>
<ul><li><strong>Prohibition of Dissemination of Information</strong></li></ul>
<p>Section 30 (3): “Notwithstanding anything contained in
any other law and save as otherwise provided in this Act, the Authority
or any of its officer or other employee or any agency who maintains the
Central Identities Data Repository shall not, whether during his service
as such or thereafter, reveal any information stored in the Central
Identities Data Repository to any person”</p>
<p><em>Comment</em>: This
section prohibits the dissemination of any information that is stored in
the Central Identities Data Repository. This prohibition extends to
anyone or any entity that handles information, and supersedes other laws
that might permit dissemination of information. We see this change as a
positive revision.</p>
<ul><li><strong>Disclosure of Information in the Case of National Security</strong></li></ul>
<p>Section 33 (b): “Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”</p>
<p><em>Comment</em>: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency", which already has a considerable volume of judicial reasoning that has elaborated what it means. E.g., in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID'>https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2012-03-22T05:48:00Z | Blog Entry
Privacy, Free/Open Source, and the Cloud
https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing
<b>A look into the questions that arise in concern to privacy and cloud computing, and how open source plays into the picture. </b>
<h3>Introduction</h3>
<p>Cloud computing, in basic terms, is internet-based computing where shared resources and services are taken from the primary infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems/service-oriented architectures, and create the potential for the entire I.T. infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model, because it is made up of services delivered through common centers and built on servers which act as a point of access for the computing needs of consumers. The access points facilitate the tailoring and delivering of targeted applications and services to consumers. Details are taken from the users, who no longer need to have an understanding of, or control over the technology infrastructure in the cloud that supports their desired application.</p>
<p>There are both corporate and consumer implications for such a system. For example, cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in based on information he or she has already “consumed.” Thus, for example: Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display – and consumption of those reinforces the pattern.</p>
<h3>Privacy Concerns:</h3>
<p>Though cloud computing can be a useful tool for consumers, corporations, and countries, cloud computing poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that high levels of encryption can be (and are) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary sources that gain access to information may not protect it as well as the initial source. Moreover, even strong protection measures are vulnerable to hackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individual's information protected?</p>
<p>These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud, which are the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September, including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If international law, who can access the tribunals, and which tribunals have this jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides on a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for a limited amount of time for purposes of law enforcement, but other countries may allow retention of data for shorter or longer periods of time.</p>
<h3>How are privacy, free/open source, and the cloud related?</h3>
<p>Eben Moglen, a professor from Columbia Law School, and founder and chairman of the Software Freedom Law Center who spoke on cloud computing, privacy, and free/open software at the Indian Institute of Science on Thursday September 25, had another solution to the privacy concerns that arise out of the cloud. His lecture explains how the internet has moved from a tool that once promoted equality between people – no servants and no masters – to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and communication facilitated between the computer and the individual. Professor Moglen describes how initially, when computers were first introduced to the public, humans spoke directly to computers, and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a server-client computing relationship. By removing the language between humans and computers, these corporations dis-empowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of self, such as decisional, informational, and locational. In having the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of an individual, and, among other protections, the individuals could build up their desired levels of privacy.</p>
<h3>Is free/open software the solution?</h3>
<p>Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals. Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how a program uses personal information, and thus the person would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code. But even putting that presumption aside, is the ability to write code enough to protect data (or to help protect it better by adding more security)? Perhaps if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards. According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, they must set up their own infrastructure.</p>
<h3>Conclusion</h3>
<p> Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them. Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base. For the ideology of free/open source to work, access to code is just a key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it, and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries, free/open source did not just enter into American society and immediately fix issues of privacy by bringing freedom, as it seems Professor Moglen is suggesting free/open source will do in India. Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology. Free/open source, if not equally accessed or misapplied, protects neither freedom nor privacy. As noted above, even if a person has access to code, he can protect data only to a certain extent. Thus, he might think that he has created a privacy wall around information that actually is readily accessible. In other words, free/open source cannot be the only answer to freedom, but instead a piece to a collective answer.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing'>https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing</a>
</p>
No publisher | elonnai | Openness, Internet Governance, Privacy | 2012-03-22T05:50:10Z | Blog Entry
Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback
<b>In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.</p>
<p style="text-align: center; "><b><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="internal-link">Click to download the Privacy Protection Bill, 2013 with latest amendments</a></b> (PDF, 196 Kb).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback</a>
</p>
No publisher | elonnai | Featured, SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T10:50:22Z | Blog Entry
Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy
https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy
<b>CCTVs are increasingly being employed by private organizations and the government in India as a way to increase security and prevent/deter crime from taking place. When the government mandates the use of CCTVs for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained.</b>
<p style="text-align: justify; ">The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space – and does not distinguish between private and public and primarily captures information where it is directed to, give rise to privacy concerns and raise fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.</p>
<p style="text-align: justify; ">An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.<a href="#fn1" name="fr1">[1]</a> This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.</p>
<p style="text-align: justify; ">To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.</p>
<h2 style="text-align: justify; ">Current Status of the Shack Policy</h2>
<p style="text-align: justify; ">This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1<sup>st</sup> through May 31<sup>st</sup>, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.<a href="#fn2" name="fr2">[2]</a> Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.</p>
<h2 style="text-align: justify; ">Inside the policy:</h2>
<h3>Application Requirements</h3>
<p style="text-align: justify; ">To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by a residence certificate in original issued by Village Panchayat Municipality, attested copy of ration card, four copies of a recent colored passport photo with name written on the back, attested copy of birth certificate/passport copy/Pan Card and any other information that the applicant desires to furnish, and affidavit. In addition, individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wish to provide.<a href="#fn3" name="fr3">[3]</a> These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish could be used to convey meaningful information or extraneous information to the government.</p>
<h3 style="text-align: justify; ">Operational Requirements</h3>
<p style="text-align: justify; ">The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack<a href="#fn4" name="fr4">[4]</a> and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim,<a href="#fn6" name="fr6">[6]</a> shacks must also be made out of eco friendly material as much as possible and the use of cement is banned,<a href="#fn7" name="fr7">[7]</a> and the proper disposal of trash and waste water will be the responsibility of the shack owner.<a href="#fn8" name="fr8">[8]</a> Furthermore, foreigners working in the shacks must have a work visa,<a href="#fn9" name="fr9">[9]</a> and loud music is not allowed to be played after 10:30 p.m.<a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; ">As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form. <a href="#fn11" name="fr11">[11]</a> But I got to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.</p>
<p style="text-align: justify; ">Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPC. This requirement only came into effect on October 1st 2012.<a href="#fn12" name="fr12">[12]</a> Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.</p>
<h3 style="text-align: justify; ">Enforcement</h3>
<p style="text-align: justify; ">The policy uses a number of measures to ensure enforcement. For example, successful applicants must place a security deposit of 10,000 with the Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.<a href="#fn13" name="fr13">[13]</a> The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with a minimum term of imprisonment of three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000 or both. All offenses under the Act are cognizable and non-refundable.<a href="#fn14" name="fr14">[14]</a> If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.<a href="#fn15" name="fr15">[15]</a> Shack owners will also be penalized if they are caught discriminating against who can and cannot enter into the shack.<a href="#fn16" name="fr16">[16]</a></p>
<p style="text-align: justify; ">Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.</p>
<h2 style="text-align: justify; ">Other practices around security and identification in Goa</h2>
<p style="text-align: justify; ">In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.<a href="#fn17" name="fr17">[17]</a></p>
<p>The form requires twenty six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period. In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.</p>
<h2 style="text-align: justify; ">Will the 2012 – 2013 Beach Shack Policy have new implications?</h2>
<p style="text-align: justify; ">In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seem to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.</p>
<p style="text-align: justify; ">The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners' discomfort in using the technology, and perhaps the government’s recognition that a certain level of ground work needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the ground work will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.</p>
<p style="text-align: justify; ">At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to be part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.</p>
<p style="text-align: justify; ">For example, Goa is not the only city to consider mandatory installation of CCTVs. In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment, hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.<a href="#fn18" name="fr18">[18]</a> Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.<a href="#fn19" name="fr19">[19]</a></p>
<p style="text-align: justify; ">The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTVs, was recently highlighted in the Report of the Group of Experts on Privacy headed by Justice A.P Shah.<a href="#fn20" name="fr20">[20]</a> The report noted that the use of CCTV cameras and more broadly the use of electronic recording devices in India is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.<a href="#fn21" name="fr21">[21]</a></p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective – any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring crime is clear. On the other hand when CCTVs are employed without safeguards and regulations it could result in infractions of privacy and rights or could simply move the crime away from the surveilled area to an unsurveilled area.</p>
<p style="text-align: justify; ">Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sector's ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance – but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly, any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.</p>
<hr />
<p style="text-align: justify; "><b>Notes</b><br />[<a href="#fr1" name="fn1">1</a>].Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: <a class="external-link" href="http://bit.ly/Xk18NH">http://bit.ly/Xk18NH</a>. Last accessed: October 24th 2012.<br />[<a href="#fr2" name="fn2">2</a>]. Id. Section 2.<br />[<a href="#fr3" name="fn3">3</a>]. Id. Application Requirements 1-8. Pg 1&2.<br />[<a href="#fr4" name="fn4">4</a>]. Section 33.<br />[<a href="#fr5" name="fn5">5</a>].A part of the affidavit<br />[<a href="#fr6" name="fn6">6</a>].Id. Section 4.<br />[<a href="#fr7" name="fn7">7</a>]. Id. Section 17.<br />[<a href="#fr8" name="fn8">8</a>].Id. Section 28.<br />[<a href="#fr9" name="fn9">9</a>]. Id. Section 35.<br />[<a href="#fr10" name="fn10">10</a>].Id. Section 37.<br />[<a href="#fr11" name="fn11">11</a>]. Id. Section 38.<br />[<a href="#fr12" name="fn12">12</a>]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: <a class="external-link" href="http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf">http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf</a><br />[<a href="#fr13" name="fn13">13</a>]. Beach Shack Policy 2012 - 2013, Section 16.<br />[<a href="#fr14" name="fn14">14</a>]. Id. Section 18.<br />[<a href="#fr15" name="fn15">15</a>]. Id. Section 22.<br />[<a href="#fr16" name="fn16">16</a>]. Id. Section 32.<br />[<a href="#fr17" name="fn17">17</a>]. Arrival Report of Foreigner in Hotel.”Form C” . Available at: <a class="external-link" href="http://bit.ly/TbUO4S">http://bit.ly/TbUO4S</a><br />[<a href="#fr19" name="fn18">18</a>]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28<sup>th</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/RXtgBg">http://bit.ly/RXtgBg</a>. Last Accessed: October 24th 2012.<br />[<a href="#fr19" name="fn19">19</a>]. 
Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20<sup>th</sup> 2011. Available at: <a class="external-link" href="http://bit.ly/VHwCz">http://bit.ly/VHwCz</a>d. Last accessed: October 24th 2012.<br />[<a href="#fr20" name="fn20">20</a>]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a>. <span> </span>Last accessed: October 24th 2012.<span> </span><br />[<a href="#fr21" name="fn21">21</a>]. Id. pg. 61-62.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy'>https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-10-25T10:23:50Z | Blog Entry
Privacy Concerns in Whole Body Imaging: A Few Questions
https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions
<b>Security versus Privacy...it is a question that the world is facing today when it comes to using the Whole Body Imaging technology to screen a traveller visually in airports and other places. By giving real life examples from different parts of the world, Elonnai Hickok points out that even if the Government of India eventually decides to advocate the tight security measures with some restrictions, such measures need to be balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.</b>
<p><strong>What is Whole Body Imaging? </strong></p>
<p>Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons. </p>
<h3>How are These Technologies Being Used - Two News Items to Ponder:</h3>
<p><strong>News Item One </strong></p>
<p>In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.</p>
<p>Also, in response to the attempted attack on the U.S, the Mumbai Terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India issued a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one), but instead the authority will randomly select persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zooms over parts of the image for a better look, if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased.
The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.</p>
<p>Despite this, the machines are controversial because they generate images of a passenger's entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security did a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough details for personal identification, the image is not retained, and the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.</p>
<p><strong>News Item Two</strong></p>
<p>In October this year, Fox News ran a story reporting that x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see inside the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. The technology used in the vans is the backscatter x-ray machine. The vans are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out in favour of a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the van. Reactions to the vans have been mixed. Some worry about the invasion of privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right is given by an individual’s having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car.</p>
<h3>Questions at the Heart of the WBI Debate: <br /></h3>
<p>Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body — its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by the virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this particularly true given that airport scanning is of only a randomly-selected portion of travelers? Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? Or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead into a declared national emergency?
Furthermore, how can legislation and policy, which has traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?</p>
<p><strong>How Have Other Countries Responded to Whole Body Imaging and How Should India Respond? <br /></strong></p>
<p>Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.</p>
<p>In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use. It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further. A Nigerian leader also pledged to use full-body scanners.</p>
<p>Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.</p>
<p>The variation in responses and the uneven uptake of the technology around the world shows how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers. Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions'>https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions</a>
</p>
No publisher, elonnai, Privacy, 2012-03-21T10:09:02Z, Blog Entry
Privacy and Telecommunications: Do We Have the Safeguards?
https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications
<b>All of you often come across unsolicited and annoying telemarketing calls/SMSes, prank calls, pestering calls for payment, etc. Do we have any safeguards against them? This blog post takes a look at the various rules and regulations under Indian law to guard our privacy and confidentiality.</b>
<h2>1 Introduction <br /></h2>
<p>With a subscriber base that stands at just over 700 million (TRAI, August 2010) the telecom industry has enjoyed spectacular success at absorbing Indians into its fold. Tele-density which, even as recently as in 2002 was stagnant in the low single-digits, today stands at a proud 59%. However far one could go today, it would seem one would never be too distant from a mobile phone.</p>
<p>While this extensive penetration has heralded an era of unprecedented access – truly a ‘communications revolution’ whose full effects it may still be too early to grasp – it has also led to the exposure of individuals to risks on a magnitude never before witnessed. Firstly, in the ordinary course of their business, telecom companies accumulate vast volumes of personal information about their customers, including photocopies of identity documents, biographical information etc., which could potentially be misused.</p>
<p>Secondly, the fact that a vast amount of our communication now occurs with the involvement of electronic media has rendered us more susceptible to invasive surveillance, whether lawful or not.</p>
<p>Thirdly, much of our communication is now not merely ephemeral, but is stored in digital form for indefinite periods in corporate ‘data centers’.</p>
<p> Lastly, owning a mobile phone not only enables us to communicate with our business partners and loved ones, but also forces us to engage with an incessant stream of ‘noise’ – telemarketing calls and SMSes, prank/hoax calls, calls pestering us for the payment of bills and offensive/threatening calls.</p>
<p>This note examines the kinds of safeguards that currently exist under Indian law to protect the privacy of telecom users. Broadly there are three streams of such protection:</p>
<p>1) The Telegraph Act and Rules, which contain provisions that prohibit and penalize unlawful interception of communication. Furthermore, licenses issued to telecom service providers (TSPs) under this Act require TSPs to take measures to safeguard the privacy of their customers and confidentiality of communications.</p>
<p>2) The Telecom Regulatory Authority of India has issued various guidelines to TSPs many of which pertain to privacy. </p>
<p>3) The Consumer Protection Act provides customers with an avenue of redress in case of violation of their privacy. </p>
<p>The first two are described in greater detail in the paragraphs that follow. This is followed by a brief analysis of certain international norms.</p>
<h2>2 Indian Regulatory Regime</h2>
<div> </div>
<h3>2.1 The Indian Telegraph Act and Rules</h3>
<p>First enacted in 1885, the Telegraph Act remains today on the statute books as the umbrella legislation governing most forms of electronic communications in India including telephones, faxes, the internet etc. The Act contains several provisions which regulate and prohibit the unauthorized interception or tampering with messages sent over ‘telegraphs’<sup>i</sup>. The following sections apply:</p>
<p><em>1) Section 5 empowers the Government to take possession of licensed telegraphs and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence”.<sup>ii</sup></em></p>
<p><em>2) Section 23 imposes a fine of Rs. 500 on anyone who enters a telegraph office without proper authorization.</em></p>
<p><em>3) Section 24 makes it a criminal offence for a person to enter a telegraph office “with the intent of unlawfully learning the contents of any message”. Such a person may be punished with imprisonment for a term of up to a year.</em></p>
<p><em>4) Section 25 further imposes a criminal penalty on anyone who damages or tampers with any telegraph with the intent to prevent the transmission of messages or to acquaint himself with the contents of any message or to commit mischief. Punishment in this case could extend to 3 years imprisonment or a fine or both.</em></p>
<p><em>5) Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message. This is also punishable with up to 3 years imprisonment or a fine or both.</em></p>
<p><em>6) Section 30 criminalizes the fraudulent retention or willful detention of a message which is intended for someone else. Punishment extends to 2 years imprisonment or fine or both.</em></p>
<h3>2.2 License Agreements</h3>
<p>Although the statute itself governs the actions of telecom operators in a general way, more detailed guidelines regulating their behavior are contained in the terms of the licenses issued to the telecoms which permit them to conduct business<sup>iii</sup>. Frequently, these licenses contain clauses requiring telecom operators to safeguard the privacy of their consumers. A few examples include:</p>
<p><em>1) Clause 21 of the National Long Distance License<sup>iv</sup> comprehensively covers various aspects of privacy including:</em></p>
<p><em>a. Licensees to be responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place.</em></p>
<p><em>b. Licensees to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavors to secure that :</em></p>
<p><em>i. No person acting on behalf of the Licensees or the Licensees themselves divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and</em></p>
<p><em>ii. No such person seeks such information other than is necessary for the purpose of providing service to the Third Party.</em></p>
<p><em>c. The above safeguard however does not apply where </em></p>
<p><em>i. The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or </em></p>
<p><em>ii. The information is already open to the public and otherwise known.</em></p>
<p><em>d. The Licensees shall take necessary steps to ensure that they and any person(s) acting on their behalf observe confidentiality of customer information.</em></p>
<p><em>2) Clause 39.2 of the Unified Access Service License and clause 42.2 of the Cellular Mobile Telephone Service licence enjoin the licensee to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party, and its business to whom it provides the service. The Licensee is required to use its best endeavors to secure that no person acting on behalf of the licensee or the licensee divulges or uses any such information - except as may be necessary in the course of providing such service to the third party.</em></p>
<p><em>3) The Internet Services License Agreement (which authorizes ISPs to function in India) similarly contains provisions touching on privacy:</em></p>
<p><em>a) Part VI of the License Agreement gives the Government the right to inspect/monitor the TSPs systems. The TSP is responsible for making facilities available for such interception. </em></p>
<p><em>b) Clause 32 under Part VI contains provisions mandating the confidentiality of information. </em>These provisions are identical to those described in Clause 21 of the NLD License agreement (see above).</p>
<p><em>c) Clause 33.4 makes it the responsibility of the TSP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.</em></p>
<p><em>d) Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers.</em> These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.</p>
<p><em>e) Clause 34.12 and 34.13 requires the Licensee to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities. </em></p>
<p><em>f) Clause 34.16 requires the Licensee to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.</em></p>
<p><em>g) Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”. </em></p>
<p><em>h) Clause 34.23 mandates that the Licensee maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor”. </em></p>
<p><em>i) Clause 34.28 (viii) forbids the licensee from transferring the following information to any person/place outside India:</em></p>
<p><em>i. Any accounting information relating to subscriber (except for international roaming/billing) (</em>Note: it does not restrict a statutorily required disclosure of financial nature)<em>; and</em></p>
<p><em>ii. User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).</em></p>
<p><em>j) Clause 34.28(ix) and (x) require the TSP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.</em></p>
<p><em>k) Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”.</em> (It is unclear whether this is to operate as an overriding provision governing all other clauses as well.)</p>
<h3>2.3 TRAI Regulations and Directions</h3>
<p>The Telecom Regulatory Authority of India was established by statute in 1997 to safeguard interests of consumers while simultaneously nurturing conditions for growth of telecommunications in the country. The Authority has issued several regulations on various subjects which are binding on TSPs. The following regulations touch on the subject of privacy:</p>
<h3>2.4 Unsolicited Commercial Communications Regulation</h3>
<p>In 2007, the Authority introduced the Telecom Unsolicited Commercial Communications Regulations which were aimed at creating a mechanism for registering requests of subscribers who did not wish to receive unsolicited commercial communications. </p>
<p>* The regulations define “unsolicited commercial communication” as any message, through telecommunications service, which is transmitted for the purpose of informing about, or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive.</p>
<p>* The following categories of message are excluded:</p>
<p> (i) any message under a specific contract between the parties to such contract; or </p>
<p> (ii) any messages relating to charities, national campaigns or natural calamities transmitted on the directions of the Government or agencies authorized by it for the said purpose; </p>
<p> (iii) any message transmitted, on the directions of the Government or any authority or agency authorized by it, in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality;</p>
<p>* The regulations specified a procedure for initiation of complaints by consumers and for their adjudication and disposal. </p>
<p>* Telemarketers who initiate unsolicited commercial communication with a person who has opted not to receive such communications face a fine of Rs. 500 per call/SMS as well as disconnection of their telephone services. </p>
<p>* The regulations require the TSPs to maintain confidentiality of all information submitted by the subscribers for the purposes of the ‘Do not Call Registry’.</p>
<h3>2.5 Privacy and Confidentiality Direction </h3>
<p>In February 2010, the TRAI issued a direction seeking to implement the privacy and confidentiality related clauses in the service providers’ licenses (see previous sections). Accordingly by this direction, the TRAI ordered all service providers to “put in place an appropriate mechanisms, so as to prevent the breach of confidentiality on information belonging to the subscribers and privacy of communication”. All service providers were required by this regulation to submit a report to the TRAI giving details of measures so adopted. </p>
<h2>3 International Norms</h2>
<h3>3.1 Telecommunications in the EU </h3>
<p>In 2006, the European Union adopted Directive 2006/24/EC which mandated member states to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. The directive permits police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A request to access the information would only be granted through a court order. In 2002 the EU adopted the Privacy and Electronic Communications Directive. The ECD regulates the electronic communications sector and addresses issues such as: the retention of data, the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.</p>
<p>Art 10(1) of the German Constitution holds “The secrecy of letters, as well as of the post and telecommunications, is inviolable”. However, in 1968 an amendment was introduced which permitted (1) surveillance to occur without the affected person ever being informed of it; and (2) surveillance without judicial review, but through “a review of the case by bodies and auxiliary bodies appointed by Parliament.” These measures could only be invoked in order to protect “the free democratic basic order or the existence or security of the Federation or a state.”</p>
<h3>3.2 Telecommunication in the United States </h3>
<p>In the United States telecommunications are regulated by the Federal Communications Commission. Specifically the FCC regulates how telecommunications carriers and providers of cable television use customer personal information, cable subscriber information, and telemarketing and junk fax activities. Every company that participates in telemarketing must comply with the FCC's rules. The main legislation used to regulate telecommunication carriers is the Federal Communication Act. The Act applies to how carriers may use and disclose “Customer Proprietary Network Information” which includes billing information, type of telecommunications service used, and the types of calls customers tend to make. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing. The FCC does, though, provide an exception to these rules, known as the “total service approach”, that allows carriers to use CPNI to market to existing customers. Also, under the Act, cable providers are required to provide to their subscribers detailed notice about the collection and use of information, and gather consent before collecting, distributing, or disclosing information. Additionally, customers are granted access to their information, and information must be destroyed after it has served the purpose for which it is collected.</p>
<p>The Telephone Consumer Protection Act applies to U.S. companies that tele-market to consumers for commercial purposes. Under the rules, phone calls are not permitted before 8:00 am or after 9:00 pm, the company must keep an internal record of consumers who ask not to be called again, and the company must refrain from sending commercial faxes without the recipient's consent. Telephone monitoring and recording are regulated in each state. Many states follow a system known as “one-party consent”, which permits a party to record a telephone conversation without the other party's consent. Only eleven states require consent of all parties before a telephone conversation is recorded (ibid Westby, International Guide to Privacy, 2004).</p>
<h2>4 Discussion</h2>
<p>The Indian Constitution does not, as in certain other countries (e.g. Germany), contain express language upholding the right to privacy in telecommunications. This absence has not however hindered the Supreme Court from reading the right to privacy into the Fundamental Right to Life. Various judicial decisions as well as statutes affirm this right to privacy in telecommunications. In conclusion, we would like to provide a quick FAQ on privacy in telecommunications that draws on the foregoing analysis of Indian Law.<sup>v</sup></p>
<p>(1) To what extent is there legal protection for customer information (such as one’s name, address, telephone number, or non-dynamic IP address)?</p>
<p>As mentioned above, it is fairly easy for enforcement agencies to obtain this data. ISPs are required to make available much of this data on a website for the government to access at all times. Such access may be gained without judicial scrutiny and without even any showing of suspicion.</p>
<p>(2) The extent of legal protection for connection data (such as the telephone numbers called; time and length of connection; one’s dynamic IP address) and the content of telecommunications </p>
<p>Targeted surveillance or wiretapping is only possible following the procedure laid out in the Telegraph Rules which specify the manner in which such an order may be made, the review procedure and the maximum permissible duration of surveillance. </p>
<p>(3) The legal requirements placed on telecommunications providers for data retention or data erasure</p>
<p>The ISP License agreement requires the ISP to maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny”. No definition is provided of what these commercial records would include or exclude. There is no information on the extent to which ISPs in India currently comply with this requirement and whether they follow any data erasure procedures.</p>
<h2>Questions: </h2>
<p>Will a privacy legislation address data retention for the Telecom sector? </p>
<p>Will a privacy legislation regulate the monitoring and tapping of phones? </p>
<h3>End Notes </h3>
<p><sup>i</sup> ‘Telegraph’ is defined widely in the Act to include any “apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature” thus covering most known mediums of communication.</p>
<p><sup>ii</sup> In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.</p>
<p><sup>iii</sup> Section 4 of the Telegraph Act forbids the establishment of any telegraph service (including, as mentioned earlier, all telephony, internet etc) without obtaining a license from the Central Government.</p>
<p><sup>iv</sup> Issued to TSPs who offer long distance telephony in India.</p>
<p><sup>v</sup> These questions are drawn from a template provided in Schwartz, Paul M. “German and U.S. Telecommunications Privacy Law: Legal Regulation of Domestic Law Enforcement Surveillance.” Hastings Law Journal 54 (August 25, 2003): 751.</p>
<div> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications'>https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications</a>
</p>
No publisher, elonnai, 2012-03-21T10:06:48Z, Blog Entry
Privacy and Governmental Databases
https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases
<b>In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of privacy problems and recommendations concerning government databases.</b>
<h2>Government Databases and recommendations for privacy practices</h2>
<ol><li>
<p><strong>Citizen-State relationships and privacy standards</strong><br />Government databases foster different types of relationships between the state and its citizenry, for instance: user databases, service-providing databases, and information-providing databases. Each one of these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.</p>
</li><li>
<p><strong>Specific privacy policy </strong></p>
<p>Each government database should have a specific privacy policy that is tailored to the information that it holds. Each policy should cover the following areas:</p>
<ul><li>data collection</li><li>digitization</li><li>usage</li><li>storage</li><li>security</li><li>disclosure</li><li>retrieval</li><li>access (inter departmental and public)</li><li>anonymization, obfuscation and deletion.</li></ul>
</li><li>
<p><strong>Personal vs. personal sensitive and public vs. non-public data categories </strong></p>
<p>Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct categories for security levels over data and permissibility of public disclosure. Examples of personal information: name, address, telephone number, religion. Examples of non-personal data: gender, age. This could work to avoid situations such as the census, where a person’s name, address, age, etc., were all printed for the public eye.</p>
</li><li>
<p><strong>Standardization of Privacy Policies and Access Control </strong></p>
<p>Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect privacy in interoperable systems, restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance". This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.</p>
</li><li>
<p><strong>Record of breach notification </strong></p>
<p>If a data breach occurs in a government database, the breach should be recorded and the appropriate individuals notified.</p>
</li><li>
<p><strong>Anonymization/obfuscation and deletion policies </strong></p>
<p>Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.</p>
</li><li>
<p><strong>Accountability for accuracy of data </strong></p>
<p>Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.</p>
</li><li>
<p><strong>Appropriate uses of government databases </strong></p>
<p>Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their use of government databases must be guided by policies that define "appropriate usage."</p>
</li><li>
<p><strong>Access, updation and control of personal information </strong></p>
<p>Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.</p>
</li></ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases'>https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases</a>
</p>
No publisher, elonnai, Internet Governance, Privacy, 2012-03-22T05:41:38Z, Blog Entry
Privacy and Banking: Do Indian Banking Standards Provide Enough Privacy Protection?
https://cis-india.org/internet-governance/blog/privacy/privacy-banking
<b>Banking is one of the most risky sectors as far as privacy is concerned due to the highly sensitive and personal nature of information which is often exchanged, recorded and retained. Although India has RBI guidelines and legislations to protect data, this blog post looks at the extent of those protections, and what are the areas that still need to be addressed.</b>
<h2>1. Introduction</h2>
<p>Banking is one of the most at-risk sectors for privacy violations due to the sensitive and highly personal nature of information that is exchanged, recorded, and retained. Individuals must trust banks with personal identifying information, their financial records, the access information to their accounts, and their credit history. Thus, privacy violations are not taken lightly and heavily impact the individual whose privacy was violated. Ways in which a violation of privacy can take place in the banking sector include: sharing personal information with third parties without consent for marketing purposes, stolen or lost banking number or card, sharing personal information or allowing access to third parties without informed consent, inadequate notification to an individual concerning what will be done with their data, collecting more personal data than is necessary, refusal to provide financial records upon request by a client, incorrectly recording personal information, and loss of a client's personal data due to improper security measures.</p>
<h2>2. Examples of privacy violations in the banking sector: </h2>
<p>There have been many instances in which one of the above violations has occurred. The examples below demonstrate that a privacy violation of any nature is never as simple as “the disclosure of personal data” or “unauthorized access”. Each violation has a unique context that raises important questions that must be answered when forming a privacy legislation, while at the same time demonstrating the need for a certain level of privacy protection to be applied across the board in the financial sector.</p>
<h3>2.1 Bank of America: </h3>
<p>An example of a very common privacy violation by Bank of America was reported by the Utility Consumers' Action Network. In the case, Bank of America was charged with selling the personal information (social security numbers, bank account numbers etc.) of 35 million customers to marketers and third parties without informing individuals. Bank of America is now settling for $14 million, and agreeing to change its privacy policies, its Web site, and its privacy procedures. Perhaps the most alarming element of this story is that Bank of America violated its own privacy policy <strong>[1]</strong>.</p>
<div>
<p>This example raises several questions. Who should be regulating the banking sector? Should the banking sector be subject to audits more frequently or more stringently? Under what circumstances should data transfer be permitted, i.e., can financial institutions disclose encrypted account numbers to non-affiliated third parties as long as the access code is not provided? The example also demonstrates:</p>
<div>
<ul style="list-style-type: square;"><li>
<p>The need for a customer's personal data to be distinguished between public and non-public information.</p>
</li><li>
<p>The need for opt out options for customers, so they can choose if personal information is shared with non-affiliated third parties.</p>
</li><li>
<p>The need for restrictions on re-disclosure and re-use of transferred or disclosed data </p>
</li></ul>
<h3>2.2 Punjab National Bank </h3>
<p>In 2008, in the case of Punjab National Bank vs. Rupa Mahajan Pahwa, a bank was charged with issuing a duplicate passbook of a joint savings bank account of a husband and wife, maintained with “operational instructions” of either or survivor, to an unauthorized person. The bank was held accountable for the disclosed information, and was charged a fine with the instructions to look into the conduct of the officials who were supplying information to the unauthorized individual. The fact that a bank employee permitted an unauthorized person access to personal information raises the question of whether a privacy legislation should require that employees in the financial sector go through training on privacy procedures <strong>[2]</strong>.</p>
<div>
<p>This example further demonstrates the need for: </p>
<ul><li>Specific guidelines on the instances in which each type of information can be disclosed.</li><li>Appropriate notice to be given to customers for the disclosure of personal information. Notices of disclosure should include: initial privacy notices of the financial institution's policies and practices with respect to the disclosure and protection of personal information, and annual notices. If there are exceptions to be made, these should be clearly established.</li></ul>
</div>
</div>
</div>
<h3>2.3 Canara Bank</h3>
<p>In the case of Canara Bank vs. Dist. Registrar and Collector, the District Registrar entered Canara Bank's premises and inspected its books and documents. After inspecting the documents they found an error, and seized the material. The bank argued that though the Registrar could inspect the documents, they did not have the authority to seize the documents without notice to the persons affected. The ruling of the case held that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted, and the way in which it is brought into play <strong>[3]</strong>. This case demonstrates that context is a crucial element of protecting privacy and defining the right to privacy, and raises the question of how a privacy legislation should define context for the financial sector.</p>
<h2>3. What are the current privacy standards for the banking sector in India? </h2>
<p>Below are questions pertaining to privacy concerns and the corresponding regulations that exist in the banking sector. </p>
<div>
<div>
<ul style="list-style-type: square;"><li>
<p>What are the rules and restrictions placed on banks that relate to confidentiality and secrecy?</p>
</li><li>
<p>What are the exceptions to the obligations of secrecy?</p>
</li></ul>
<h3>3.1 Customary/Statutory Banking Law</h3>
</div>
</div>
<div>
<p>Both in banking customs as well as statutes, there is a standardized, recognized obligation of secrecy. The wording in the following section is reproduced identically in many banking related acts including: SBI Act, 1955 – Section 44, SBI (Acquisition and Transfer of Undertakings) 1980 – Section 13, Credit Information Companies Act 2005 -section 29, and The Public Financial Institutions Act, 1983 -section 3. The section is applicable to the respective Bank as a whole and its directors, local boards, auditors, advisers, officers or other employees of the State Bank, and creditors are required in addition to affirm an oath of secrecy as provided<strong> [4]</strong>. </p>
</div>
<p><em>Section 44. Obligation as to fidelity and secrecy: </em>(1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information. (2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.</p>
<p>In Shankarlal Agarwalla v. State Bank of India, AIR 1987 Cal 29, a customer owned 261 bank currency notes of Rs. 1,000/- each. Following the demonetisation of high value currency notes in 1978, he tendered these notes to the bank along with the requisite declaration and instructed the bank to credit his Current Account with the amount. The bank made the declaration made by the customer available to the Income-tax Department, who issued a notice under Sec. 226(3) of the Income-tax Act, attaching the said sum. Later the sum was released. The Calcutta High Court observed that among the duties of the banker towards the customer was the duty of secrecy. Such duty is a legal one arising out of the contract and was not merely a moral one. Breach of it could, therefore, give a claim for nominal damages or for substantial damages if injury is resulted from the breach. It was, however, not an absolute duty, but was a qualified one subject to certain exceptions. The instances being (1) the duty to obey an order under the Bankers' Books Evidence Act, (2) cases where a higher duty than the private duty is involved, as where danger to the State or public duty may supersede the duty of the agent to his principal, (3) of a bank issuing a writ claiming payment of an overdraft, stating on the face the amount of overdraft, and (4) the familiar case where the customer authorises a reference to his banker. The learned Judge further observed that the State Bank of India was directed by the Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposit of bank notes to the Income-tax Department as soon as such notices were received. This instance had, therefore, come within the exceptions.</p>
<p>The recent Payment and Settlement Systems Act, 2007 imposes privacy obligations on those who manage online payment and settlement systems such as RTGS/NEFT etc. Section 22 of the Act enjoins a “system provider” not to disclose the existence or contents of any document or part of any information given to him by a system participant, except where disclosure is:</p>
<div>
<p>(a) required under the provisions of this Act </p>
<p>(b) made with the express or implied consent of the system participant concerned </p>
<p>(c) in obedience to the orders passed by a court of competent jurisdiction </p>
<p>(d) in obedience of a statutory authority in exercise of the powers conferred by a statute.</p>
</div>
<h3> 3.2 Reserve Bank of India regulations </h3>
<p>The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. Thus, the Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’. The provisions inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring Banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”. </p>
<p>In 2006, the Reserve Bank of India along with several banks of the Indian Banks Association (IBA) established a body called the Banking Codes and Standards Board of India to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI including the “Code of Bank's Commitment to Customers” which most banks in India adhere to. Enforcement is through a series of internal grievance redressal mechanisms within each bank including a designated “Code Compliance Officer” and an Ombudsman.</p>
<p>Though these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement allows the standards to be applied per institution and per-contract and enforcement is not guaranteed through parliamentary sanctions.</p>
<h3>3.3 What legislation applies to data protection in the banking sector?</h3>
<p>Banks are governed by the Information Technology Act 2000 as amended in 2008. The latter amendments contain provisions that enjoin inter alia, banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorised disclosure of information by the banks for gain.</p>
<h2>4. International Regulation of Privacy in Banks: </h2>
<p><em>The EU: </em>The EU Data Protection Directive is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data <strong>[5]</strong>. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. For example, in the UK the financial sector is regulated by the Banking Act of 2009, but financial data, along with other data, is monitored by the UK data regulator.</p>
<p class="MsoBodyText"><em>The US: </em>Though the United States has many acts regulating the financial sector, the main legislation is the Gramm-Leach-Bliley Act <strong>[6]</strong>. The GLBA imposes obligations and restrictions on financial institutions. The act defines:</p>
<ul><li> The entities covered in the act</li><li> Classifications of data and restrictions based on type of data</li><li> Acceptable and non-acceptable forms of disclosure</li><li> Opt out requirements protocols and procedures</li><li> Notice requirements</li><li> Acceptable and non-acceptable marketing activities</li><li> Measures that should be taken to safeguard information</li><li> Methods of enforcement.</li></ul>
<h2> Questions to Consider:</h2>
<ul><li>Should financial information be separated into categories based on level of privacy risk?</li><li>Should financial information be treated to a greater level of security?</li><li>Should organizations who commit data breaches in the financial sector receive more severe sanctions?</li><li>Should a privacy legislation create a standardized privacy policy for the financial sector?</li><li>Should a privacy legislation require specific internal and external audits and monitoring of the financial sector? </li></ul>
<h2>Bibliography</h2>
<p class="MsoBodyText">1. <a href="http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices">http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices</a></p>
<p class="MsoBodyText">2. <a href="http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm">http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm</a></p>
<p class="MsoBodyText">3. (2005) 1 SCC 496: AIR 2005 SC 186</p>
<p class="MsoBodyText">4. One of the landmark cases on banking customs related to secrecy is the Court of Appeal case of Tournier v. National Provincial and Union Bank of England decided in 1924. The court upheld the general duty of secrecy arising out of a contract between the banker and the customer and held that the breach of it may give rise to a claim for substantial damages if injury has resulted from the breach. It is, however, not an absolute duty but qualified and is subject to certain reasonable exceptions. These exceptions have been incorporated into Indian law (see the Shankarlal Agarwalla case below).</p>
<p class="MsoBodyText">5. Westby, Jody. International Guide to Privacy: American Bar Association 2004 pg. 89-102</p>
<p class="MsoBodyText">6. Westby, Jody. International Guide to Privacy: American Bar Association 2004 pg. 18</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-banking'>https://cis-india.org/internet-governance/blog/privacy/privacy-banking</a>
</p>
No publisher, elonnai, 2012-03-21T10:07:08Z, Blog Entry
Presentation of the UID project by Ashok Dalwai – A Report
https://cis-india.org/internet-governance/blog/uid-dalwai-presentation
<b>On Tuesday, 7 September 2010, Ashok Dalwai, the Deputy Director General of the Unique Identification of India (UIDAI), gave a lecture at the Indian Institute for Science in Bangalore. Representing the UID Authority, his presentation explained the vision of the project and focused on the challenges involved in demographic and biometric identification, the technology adopted, and the enrolment process. Elonnai Hickok gives a report of his presentation in this blog post.</b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-dalwai-presentation'>https://cis-india.org/internet-governance/blog/uid-dalwai-presentation</a>
</p>
No publisher, elonnai, Internet Governance, 2012-03-21T10:09:48Z, Blog Entry