The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 81 to 87.
Privacy and Banking: Do Indian Banking Standards Provide Enough Privacy Protection?
https://cis-india.org/internet-governance/blog/privacy/privacy-banking
<b>Banking is one of the most risky sectors as far as privacy is concerned due to the highly sensitive and personal nature of information which is often exchanged, recorded and retained. Although India has RBI guidelines and legislations to protect data, this blog post looks at the extent of those protections, and what are the areas that still need to be addressed.</b>
<p><span class="Apple-style-span">
</span></p>
<h2>1. Introduction</h2>
<p>Banking is one of the most at risk sectors for privacy violations due to the sensitive, and highly personal nature of information that is exchanged, recorded, and retained. Individuals must trust banks with personal identifying information, their financial records, the access information to their accounts, and their credit history. Thus, privacy violations are not taken lightly and heavily impact the individual whose privacy was violated. Ways in which a violation of privacy can take place in the banking sector include: sharing personal information with third parties without consent for marketing purposes, stolen or lost banking number or card, sharing personal information or allowing access to third parties without informed consent, inadequate notification to an individual concerning what will be done with their data, collecting more personal data than is necessary, refusal to provide financial records upon request by client, incorrectly recording personal information, and loss of a clients personal data due to improper security measures. </p>
<h2>2. Examples of privacy violations in the banking sector: </h2>
<p>There have been many instances in which one of the above violations has occurred. The examples below demonstrate that a privacy violation of any nature is never as simple as “the disclosure of personal data” or “unauthorized access”. Each violation has a unique context that raises important questions that must be answered when forming a privacy legislation, while at the same time demonstrating the need for a certain level of privacy protection to be applied across the board in the financial sector.</p>
<h3>2.1 Bank of America: </h3>
<p>An example of very common privacy violation by Bank of America was reported by the Utility Consumers' Action Network. In the case Bank of America was charged for selling the personal information (social security numbers, bank account numbers etc) of 35 million customers to marketers and third parties without informing individuals. Bank of America is now settling for $14 million, and agreeing to change its privacy polices, its Web site, and its privacy procedures. Perhaps the most alarming element to this story is that Bank of America violated its own privacy policy <strong>[1]</strong>.</p>
<div>
<p> This example raises the question of who should be regulating the banking sector? If the banking sector should be subject to audits more frequently or more stringently? Under what circumstances should data transfer be permitted ie can financial institutions disclose encrypted account numbers to non-affiliated third parties as long as the access code is not provided? The example also demonstrates:</p>
<div>
<ul style="list-style-type: square;"><li>
<p>The need for a customers personal data to be distinguished between public and non-public information.</p>
</li><li>
<p>The need for opt out options for customers, so they can choose if personal information is shared with non-affiliated third parties.</p>
</li><li>
<p>The need for restrictions on re-disclosure and re-use of transferred or disclosed data </p>
</li></ul>
<h3>2.2 Punjab National Bank </h3>
<p>In 2008 in the case of the Punjab National Bank vs. Rupa Mahajan Pahwa a bank was charged of issuing a duplicate passbook of a joint saving bank account of a husband and wife being maintained with “operational instructions” of either or survivor, to an unauthorized person. The bank was held accountable for the disclosed information, and was charged a fine with the instructions to look into the conduct of the officials who were supplying information to the unauthorized individual. The fact that a bank employee permitted an unauthorized person access to personal information raises the question of whether a privacy legislation should require that employees in the financial sector go through training on privacy procedures <strong>[2]</strong>. </p>
<div>
<p>This example further demonstrates the need for: </p>
<ul><li>Specific guidelines to the instances in which each type of information can be disclosed.</li><li>Appropriate notice should be given to costumers for the disclosure of personal information. Notices of disclosure should include: initial privacy notices of the financial institutions policies and practices with respect to the disclosure and protection of personal information, annual notices. If there are exceptions to be made, these should be clearly established.</li></ul>
</div>
</div>
</div>
<h3>2.3 Canara Bank</h3>
<p>In the case of Canara Bank vs. DistRegistrar and Collector the district Registrar, entered onto Canara's banks premise and inspected its books and documents. After inspecting the documents they found an error, and seized the material. The bank argued that though the Registrar could inspect the documents, they did not have the authority to seize the documents without notice to the persons affected. The ruling of the case held that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted, and the way in which it is brought into play<strong>[3]</strong>. This case demonstrates that context is a crucial element of protecting privacy and defining the right to privacy, and raises the question of how a privacy legislation should define context for the financial sector. </p>
<h2>3. What are the current privacy standards for the banking sector in India? </h2>
<p>Below are questions pertaining to privacy concerns and the corresponding regulations that exist in the banking sector. </p>
<div>
<div>
<ul style="list-style-type: square;"><li>
<p>What are the rules and restrictions placed on banks that relate to confidentiality and secrecy?</p>
</li><li>
<p> What are the exceptions to the obligations of secrecy?</p>
<h3>3.1.<span class="Apple-tab-span"> </span>Customary/Statutory Banking Law</h3>
</li></ul>
</div>
</div>
<div>
<p>Both in banking customs as well as statutes, there is a standardized, recognized obligation of secrecy. The wording in the following section is reproduced identically in many banking related acts including: SBI Act, 1955 – Section 44, SBI (Acquisition and Transfer of Undertakings) 1980 – Section 13, Credit Information Companies Act 2005 -section 29, and The Public Financial Institutions Act, 1983 -section 3. The section is applicable to the respective Bank as a whole and its directors, local boards, auditors, advisers, officers or other employees of the State Bank, and creditors are required in addition to affirm an oath of secrecy as provided<strong> [4]</strong>. </p>
</div>
<p><em> Section 44. Obligation as to fidelity and secrecy: </em>Obligation as to fidelity and secrecy.(1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information. (2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.</p>
<p> In Shankarlal Agarwalla v. State Bank of India, AIR 1987 Cal 29, a customer owned 261 bank currency notes of Rs. l.000/-each. Following the demonitisation of high value currency notes in 1978, he tendered these notes to the bank along with the requisite declaration and instricted the bank to credit his Current Account with the amount. The bank made declaration made by the customer available to the Income-tax Department who issued a notice under Sec. 226(3) of the Income-tax Act, attaching the said sum. Later the sum was released. The Calcutta High Court observed that among the duties of the banker towards the customer was the duty of secrecy. Such duty is a legal one arising out of the contract and was not merely a moral one. Breach of it could, therefore, give a claim for nominal damages or for substantial damages if injury is resulted from the breach. It was, however, not an absolute duty. but was a qualified one subject to certain exceptions. The instances being (l)the duty to obey an order under the Bankers' Books Evidence Act. (2) cases where a higher duty than the private duty is involved, as where danger to the State or public duty may supersede the duty of the agent to his principal, (3) of a bank issuing a writ claiming payment of an overdraft, stating on the face the amount of overdraft, and (4) the familiar case where the customer authorises a reference to his banker. The learned Judge further observed that the State Bank of India was directed by the Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposit of bank notes to the Income-tax Department as soon as such notices were received. This instance had, therefore, come within the exceptions. The recent Payment and Settlement Systems Act , 2007 imposes privacy obligations on those who manage online payment and settlement systems such as RTGS/NEFT etc. Section 22 of the Act enjoins “system provider” not to disclose the existence or contents of any document or part of any information given to him by a system participant, except where disclosure is:</p>
<div>
<p>(a) required under the provisions of this Act </p>
<p>(b) made with the express or implied consent of the system participant concerned </p>
<p>(c) in obedience to the orders passed by a court of competent jurisdiction </p>
<p>(d) in obedience of a statutory authority in exercise of the powers conferred by a statute.</p>
</div>
<h3> 3.2 Reserve Bank of India regulations </h3>
<p>The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. Thus, the Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’. The provisions inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring Banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”. </p>
<p>In 2006, the Reserve Bank of India along with several banks of the Indian Banks Association (IBA) established a body called the Banking Codes and Standards Board of India to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI including the “Code of Bank's Commitment to Customers” which most banks in India adhere to. Enforcement is through a seriece of internal Grievance redressal mechanisms within each bank including a designated “Code Compliance Officer” and an Ombudsman.</p>
<p>Though these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement allows the standards to be applied per institution and per-contract and enforcement is not guaranteed through parliamentary sanctions.</p>
<h3>3.3<span class="Apple-style-span"><strong> </strong></span>What legislation applies to data protection in the banking sector?</h3>
<p>Banks are governed by the Information Technology Act 2000 as amended in 2008. The latter amendments contain provisions that enjoin inter alia, banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorised disclosure of information by the banks for gain.</p>
<h2>4. International Regulation of Privacy in Banks: </h2>
<p><em>The EU: </em>The EU Data Protection Directive is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes,specifically as it relates to processing, using, or exchanging such data <strong>[5]</strong><span class="Apple-style-span">.</span> The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. For example in the UK the financial sector is regulated by the Banking Act of 2009<span class="Apple-style-span">, </span>but financial data, along with other data is monitored by the UK data regulator.</p>
<p class="MsoBodyText"> <em>The US: </em>Though the United States has many acts regulating the financial sector, the main legislation though is the Gramm-Leach-Bliley Act<strong> [6]</strong>. The GLBA imposes obligations and restrictions on financial institutions. The act defines:</p>
<ul><li> The entities covered in the act</li><li> Classifications of data and restrictions based on type of data</li><li> Acceptable and non-acceptable forms of disclosure</li><li> Opt out requirements protocols and procedures</li><li> Notice requirements</li><li> Acceptable and non-acceptable marketing activities</li><li> Measures that should be taken to safeguard information</li><li> Methods of enforcement.</li></ul>
<h2> Questions to Consider:</h2>
<ul><li>Should financial information be separated into categories based on level of privacy risk?</li><li>Should financial information be treated to a greater level of security?</li><li>Should organizations who commit data breaches in the financial sector receive more severe sanctions?</li><li>Should a privacy legislation create a standardized privacy policy for the financial sector?</li><li>Should a privacy legislation require specific internal and external audits and monitoring of the financial sector? </li></ul>
<p class="MsoBodyText"> </p>
<h2>Bibliography</h2>
<p class="MsoBodyText">1. <a href="http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices">http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices</a></p>
<p class="MsoBodyText">2.<a href="http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm">http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm</a></p>
<p class="MsoBodyText">3.(2005) 1 SCC 496: AIR 2005 SC 186</p>
<p class="MsoBodyText">4. <span class="Apple-style-span">One of the landmark cases on banking customs related to secrecy is the Court of Appeal case of Tournier v. National Provincial and Union Bank of England decided in 1924. The court upheld the general duty of secrecy arising out of a contract between the banker and the customer and held that the breach of it may give rise to a claim for substantial damages if injury has resulted from the breach. It is, however, not an absolute duty but qualified and is subject to certain reasonable exceptions. These exceptions have been incorporated into Indian law (see the Shankarlal Agarwalla case below)</span></p>
<p class="MsoBodyText"><span class="Apple-style-span">5.</span>Westby, Jody. International Guide to Privacy: American Bar Associaton 2004 pg.89-102</p>
<p class="MsoBodyText">6.Westby, Jody. International Guide to Privacy: American Bar Associaton 2004 pg.18</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-banking'>https://cis-india.org/internet-governance/blog/privacy/privacy-banking</a>
</p>
No publisherelonnai2012-03-21T10:07:08ZBlog EntryC.I.S Responds to Privacy Approach Paper
https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper
<b>A group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject. Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy. The approach paper is now being circulated for seeking opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training for seeking public views on the subject. The Privacy India team at C.I.S responded to the approach paper and has called for the need for a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation. </b>
<h2>1. What is privacy? </h2>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>In the approach paper, the definition of privacy is not consistent and the meanings are used interchangably. It is variously referred to as a right and an expectation. Also, we find that no real distinctions are being made between privacy, data protection, and security. As a result, the paper lays out an approach to a data protection legislation masquerading as a privacy legislation. Thus, we find that there is a need to define and make consistent in the document, the language used to define privacy. </p>
<p>b)<span class="Apple-tab-span"> </span>CIS, drawing upon the definition of privacy used in the European Union, understands privacy as the right of an individual to be free from unauthorised intrusion and the ability of that individual to control and disseminate information that identifies or characterizes the individual. We thus believe privacy is operative in these contexts: </p>
<p>1. Physical - physical space, body, home, car, etc. </p>
<p>2. Informational - Digital as well as Non-Digital (Information gathering, storage, retrieval, usage, transfer, disposal, etc). </p>
<p>3. Intellectual - Right to make decisions pertaining to oneself, to enjoy one's perspective and ideas. A violation in any of these contexts should be construed as a breach of privacy.</p>
</div>
<h2>2. Is there a need for privacy protection? </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that there is a pressing need for privacy protection in the context of the enhanced technological opportunities that have arisen in the past two decades for the exploitation of personal data. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>As the approach paper rightly concludes, these threats to privacy are magnified by initiatives that interlink databases – such as the UID project. </p>
<p>c)<span class="Apple-tab-span"> </span>However, we believe that privacy is not limited to data protection and would invite the Committee to consider ways in which it may broaden the ambit of its investigation. </p>
</div>
<h2>3. Is there a need for such legislation? </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>We reject the “hybrid” approach being offered here. Previous experiences with Self Regulatory Organisations (SROs) in India (for eg. AMFI, MFIN) leaves us with little cause for optimism that they will be an effective guarantor of as sensitive a right as privacy. Curiously, the approach paper itself does not mention this “hybrid” aspect anywhere else in the document. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We endorse the attempt to arrive through statute, at a minimal, though robust, horizontal guarantee of privacy that operates across sectors. Just as the parameters of the right to life and liberty are broad guidelines on one hand but have specific and intentional meanings, so should the right to privacy. </p>
</div>
</div>
<h2>4. Legislative Competence: </h2>
<p>We agree.</p>
</div>
<h2>5. Is there a constitutional right to privacy? </h2>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that the Supreme Court has derived a constitutional right to privacy from Article 21 of the Constitution. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>However, the approach paper is factual incorrect in its assertion that “all available cases have been decided in the context of government action”. There is by now a sizeable amount of consumer case law which deals with the issue of privacy between private individuals/entities. </p>
<p>c)<span class="Apple-tab-span"> </span>Most frequently, this issue has arisen the context of hospital/patient relationships and the courts have held the right to privacy as one that is not unqualified. </p>
<p>d)<span class="Apple-tab-span"> </span>Other common “non-government” arenas where courts have elaborated on the right to privacy include banking and telephony services. </p>
<p>e)<span class="Apple-tab-span"> </span>We feel that the Committee ought to inform itself more thoroughly about the developing jurisprudence on the right to privacy in India – both in the context of government and non-government actions.</p>
</div>
</div>
</div>
<h2>6. Existing legislation: </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>In addition to the IT Act, there are several statutes and subordinate legislation which safeguard an individual’s privacy in specified sectors such as banking, insurance, telephony etc. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>By neglecting them wholesale, we feel that the approach paper deprives itself of valuable contextual elaborations of the right to privacy in India. The case for a horizontal right to privacy in India can be derived not merely from the inadequacies of the IT Act, but from the cumulative failings of all these numerous dispersed provisions. </p>
<p>c)<span class="Apple-tab-span"> </span>We agree that ITA does not provide sufficient protection to privacy, and that there is a need for specific legislation that addresses all aspects of privacy, but we would go much further than the current proposal. </p>
<p>d)<span class="Apple-tab-span"> </span>We suggest that in addition to the requirements listed for data security, a full-fledged privacy legislation needs to include specific regulations on: gathering, retention, access, transfer, security, data quality, and individuals’ consent. </p>
<p>e)<span class="Apple-tab-span"> </span>Furthermore, the data protection component of the privacy legislation needs to include redress for breaches of data, and the individual must be informed when a data breach takes place and given access to sufficient information to identify who breached the privacy and how – as well as information about what data were compromised and ways to limit or undo the improper disclosure.. </p>
<p>f)<span class="Apple-tab-span"> </span>Generally speaking, a privacy regime should work towards: 1. Increasing the protection of tangible and intangible possessions as well as personal data; 2. Increasing knowledge of privacy and empowering people to make informed choices; 3. Making organizations more accountable for protecting privacy; 4. Compelling (through audits, sanctions, etc) organisations to improve security standards; 5. Increasing individuals’ confidence in privacy laws and the organisations protecting privacy. </p>
</div>
<h2>7. Potential Conflicts between Data Protection Legislation and other Laws: </h2>
<div>
<p> We find that it would be useful if the laws that conflict with the data protection legislation are referenced in each section.</p>
</div>
<h3> 7.1 Data Protection and the Right to Information</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>The argument that a privacy legislation would conflict with the RTI is somewhat overstated. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Where the government has collected data from individual citizens, that information needs to be exempt from RTI disclosure unless an overriding public interest is demonstrated – which is the current position under the RTI Act. </p>
<p>c)<span class="Apple-tab-span"> </span>We believe, on the other hand, that public officials ought to be subject to scrutiny by virtue of the public office they hold and that they should be subject to transparency about certain aspects of their life which would not be applicable to the common man. Information about tax filings, credit history, and financial records can help root out corruption, for example. </p>
<p>d)<span class="Apple-tab-span"> </span>The kinds of personal data that are broadcast in the transparency bulletins should be limited with specifics shared if need be on a case by case basis. </p>
<p>e)<span class="Apple-tab-span"> </span>As the approach paper itself mentions, the RTI Act is extremely sensitive to the issue of privacy and privacy is one of the most frequent grounds of refusal of data by public bodies. </p>
<p>f)<span class="Apple-tab-span"> </span>Rulings by various information appellate bodies under the RTI Act have done an admirable job of balancing issues of privacy against the public interest and the proposed privacy legislation ought not to disturb this careful balance. </p>
<p>g)<span class="Apple-tab-span"> </span>We recommend that the proposed privacy legislation contain a non-obstante clause that subordinates it to the provisions of the RTI Act. </p>
</div>
</div>
<h3>7.2 Data Protection and Credit Verification</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree with the statement but believe the privacy issues that would come up are not limited to just credit verification. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>All aspects of data collection and handling for the financial sector should be looked into and statutes developed to deal with the sensitive nature of the data. </p>
<p>c)<span class="Apple-tab-span"> </span>This may include limitations on marketing efforts and disclosure to third-parties. </p>
</div>
<h3>7.3 Data Protection and Private Investigative Agencies</h3>
</div>
<p>a)<span class="Apple-tab-span"> </span>We believe that the private investigators should undergo licensure, and that the PI agencies should be regulated so that any kind of surveillance must comply with privacy protection laws. </p>
<div>
<div>
<p>b)<span class="Apple-tab-span"> </span>Judicial oversight should be required in order to take certain kinds of action (access to records, surveillance, monitoring, etc) by these agencies. </p>
</div>
<h3>7.4 Data Protection and National Security</h3>
</div>
<p>a)<span class="Apple-tab-span"> </span>We understand the conflict between the need for a government to ensure the security of its population with the need to protect privacy. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We find the most effective resolution is for judicial oversight for some activities (monitoring, surveillance, access to personal records by law enforcement, etc) to be required. </p>
</div>
</div>
<h3>7.5 Data Protection vs. Transparency in Government</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We feel that this section engages very sloppily with the issue of transparency/corruption in India. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>It completely ignores the history of the various struggles for transparency in government fought across India, that were aimed precisely at prodding the government out of its secretive shell. </p>
<p>c)<span class="Apple-tab-span"> </span>In doing so the approach paper risks retarding, at one stroke, all the advances made by these several movements over the past fifty years. </p>
<p>d)<span class="Apple-tab-span"> </span>The publication of lists of recipients/beneficiaries of schemes has been one of the most hard won, and potent tools that has been used to mobilize collective action by locals against corrupt officials. </p>
<p>e)<span class="Apple-tab-span"> </span>We empathise with the approach paper’s aspiration that the government “rethink its approach to transparency”, but are skeptical that a new privacy law would, of all things, prompt such a transformative rethinking. We advise caution and certainly greater sensitivity in handling this issue. </p>
</div>
<h3>8.0 Privacy legislation in other countries:</h3>
<p>a)<span class="Apple-tab-span"> </span>We agree with the recommendations, but would include notification of breach: how, when, what and who. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We believe that the auditing of companies is an important security and transparency mechanism that needs to be included, along with the ability to sanction offenders and methods of redressal for aggrieved parties. </p>
</div>
</div>
</div>
<h3>9.0 Proposed Framework for Privacy Legislation: </h3>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>Although India lacks a horizontal law of privacy, various sectoral laws currently function to provide a degree of protection. For instance, sectoral regulatory agencies such has TRAI, RBI and SEBI have periodically issued guidelines on privacy which are enforceable through tribunals and ombudsmen under the respective enactments. Professional bodies like the Medical Council and the Bar Council prescribe privacy and confidentiality norms which members of these bodies must adhere to. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>In this context, the approach paper’s suggestion of a “framework” followed by sectoral guidelines would appear to be no more than a duplication through statute of the extant state of affairs. </p>
<p>c)<span class="Apple-tab-span"> </span>We would recommend instead, the provision in the act of a robust, general “right to privacy” which would provide a threshold level of protection to the individual. Sectoral guidelines on privacy could then be framed to operate in addition to existing sectoral norms, thereby raising the bar of privacy in that particular sector. </p>
<p>d)<span class="Apple-tab-span"> </span>We also find the framework primarily targeted toward digital data protection alone, and it needs to address all forms of information and include personal and intellectual contexts.</p>
</div>
</div>
<h3>9.1 Applicability</h3>
<div>
<p>We endorse the approach paper’s recommendation that the proposed legislation apply both to private and public entities. However, we feel that this does not exhaust the issue of ‘applicability’. Specifically we invite the Committee’s attention to the following issues:</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>We believe that the data and the private information that are already in the possession of the government and public/private companies should come under the ambit of the legislation. I.e. it should be applicable to all data collected by any entity, regardless of the fact that such data is otherwise publicly obtainable.</p>
<p>b)<span class="Apple-tab-span"> </span>We invite the Committee’s consideration on whether it would be wise to limit the applicability of the act to regulating the organized, systematic collection of large amounts of personal data by entities, however incorporated. This would, as the approach paper suggests, exempt from the purview of this Act, private and domestic collection of information. In addition it would exempt marginal collectors such as hobbyist website designers, academic researchers etc from the scope of this act. Remedies against these users would still remain, as they have thus far in Tort law. </p>
</div>
<h3>9.2 Data</h3>
<div>
<p>While we acknowledge that certain kinds of information may be more sensitive than others, we feel that the approach paper has not adequately made use of this distinction in its later segments. Specifically we believe:</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>The distinction is useful to prescribe enahanced security precautions during the stage of data collection. For example, the collection of genetic data or HIV status of a person can be made subject to very stringent conditions compared to say, the collection of more mundane details like name, age. </p>
<p>b)<span class="Apple-tab-span"> </span>However, we believe the distinction is not useful if is used, say, to provide differentiated access/data security standards for the two types of information. Eg. If the law stipulated a lesser penalty for the exposure of personal data as opposed to sensitive data. Or if the law prescribed a lesser security standard for personal data compared to personal sensitive data. The threat posed by information depends heavily on the context in which it is used, and in the tragic aftermath of Godhra, even a list of names (which the approach paper has not regarded as ‘sensitive’) could be used to lethal purposes.</p>
</div>
</div>
</div>
<h3> 9.3 Personal Data</h3>
<div>
<p>We endorse the need expressed by the approach paper for a multilateral definition of the way in which information may identify a person</p>
</div>
</div>
<h3>9.4 Personal Sensitive Data </h3>
<p> See comments at 9.2 above </p>
<div>
<div><span class="Apple-style-span"></span></div>
</div>
<h3>9.5 Data Collection</h3>
<div>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>We feel that while informed consent ought to be mandatory in all situations the mandatory requirement of informed ‘written’ consent could be confined only to collection of sensitive information and any information that is likely to be stored for longer durations than say, a week. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>This would exempt benign uses such as by academic researchers or hobbyist website designers or photographers who inadvertently collect small quantities of ‘personal data’. </p>
<p>c)<span class="Apple-tab-span"> </span>Simultaneously, more ‘industrial’ collectors of personal information such as telephone and insurance companies would be required to obtained written consent. Note that this would not exempt them from the requirement of observing standards of data security, but only free them of the obligation of having obtained written consent. </p>
<p>d)<span class="Apple-tab-span"> </span>It is important that this requirement would be in addition to but not diminish consent requirements under existing law. For instance, various judicial decisions and the NHRC have stipulated guidelines governing the administration of the polygraph test to an accused. These include the provision of legal assistance and the requirement that consent be recorded before a judge. The simple requirement of “Informed written consent” under the privacy act should not override more other rigorous judicial guidelines. </p>
<p>e)<span class="Apple-tab-span"> </span>As a overriding safeguard, we think that where “balancing interests” come into play, such interest must first seek and obtain judicial approbation.</p>
</div>
</div>
<h3> 9.6 Data Processing</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree with the need to fix primary responsibility for data security on the data controller, however, </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>it may be in the interest of the citizen/victim to stipulate that in the event of a breach by the data processor, she may prefer her remedy against either the data processor or the data controller. </p>
<p>c)<span class="Apple-tab-span"> </span>We reject the approach paper’s view that concessions need to be made “considering the population of India”. After all, considering this population, the very necessity of a privacy legislation itself may also have to “be considered”. </p>
</div>
</div>
</div>
<h3>9.7 Data Storage</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We concur that data should be stored only until the time the purpose for which it was collected is achieved. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Further, the Committee could consider introducing a presumption that in all cases, unless demonstrated otherwise, the purpose of data collection would be deemed to have been served within, say, 6 months from the date of collection. </p>
<p>c)<span class="Apple-tab-span"> </span>We believe that this could be strengthened by placing the onus on the data controller, in the event of any dispute, to prove that the stated purpose has not yet been achieved. Any data that are required for national security or for archival, etc should come under the scrutiny of the judiciary. </p>
<p>d)<span class="Apple-tab-span"> </span>We endorse the approach paper’s conservative stance on linking of databases. </p>
</div>
</div>
<h3>9.8 Data Security</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We invite the Committee to explore the possibility of gradated data security standards depending on the size of the data collection and the sensitivity of the information held. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>This would ensure that different security standards would apply to, on the one hand, academic researchers and hobbyist website designers who collect marginal data in small ephemeral collections, and on the other hand large insurance companies which maintain large perpetual data warehouses of personal information. </p>
</div>
</div>
<h3>9.9 Data Access</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that data subjects ought to have a ‘moral right’ that guarantees the integrity of data collected and maintained about them. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We believe that the proposed legislation should provide a clear and speedy mechanism to activate this right. </p>
</div>
</div>
<h3>9.10 Cross Border Applicability and Transfer</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We would argue that India does need comprehensive legislation and strong enforcement. Population size is not a reason for loose legislation. To the contrary, it buttresses the argument for urgent action to be taken, since the stakes are exponentially greater in a country where a billion people stand to lose their privacy compared to countries with populations numbering in the trifling millions. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Furthermore, the benefits to international trade should be taken into consideration when determining the stringency of a data protection regime, and this should inform the terms of the statutes that are enacted. </p>
</div>
</div>
<h3>9.11 Exemptions</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We believe that exemptions to the legislation should be carefully worded and where possible, permitted only through judicial oversight. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Care must be taken to see that exemptions under the proposed legislation do not end up widening the scope of intrusion than allowable under existent law. eg. An exemption in the Privacy act on grounds of ‘national security’ should not permit wiretapping agencies to circumvent the due procedure requirements under the Telegraph Act or to violate principles of natural justice.</p>
</div>
</div>
<h3>9.12 Automated Decision Making</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree but we think that there is a present need for automated decision related laws since the technology is already in use in India and other countries. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>In particular, we would endorse the incorporation of provisions which would compel disclosure of the fact that automated decision making algorithms are being employed along with a synopsis of the logic of such algorithms. </p>
</div>
</div>
<h3>9.13 Regulatory Set Up</h3>
<div>
<p>We believe that effective regulation and inexpensive, speedy redress are critical for the success of the proposed right to privacy legislation. We believe the approach paper, while admirable in the scope of the subject it covers, deals with this issue rather inadequately under the overbroad heading of “Regulatory Set up” .</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>At the outset we believe that standards-setting functions could be and ought to be separated from adjudicatory functions. This is a model that has proven successful in various other domains in India in the recent past (eg. TRAI/TDSAT and SEBI/SAT. ) and could be usefully imported in the present context </p>
<p>b)<span class="Apple-tab-span"> </span>Secondly, we we believe that the approach paper is not clear enough on whether civil or criminal penalties are intended. We believe that a judicious mix of both would be necessary in order to minimize the risk of individuals being needlessly harassed by enforcement agencies, whilst simultaneously dealing firmly with corporations and other entities whose violations of privacy threaten the greatest harm. We believe that the proposed legislation could be modeled along the lines of the Workmen’s Compensation Act, the Motor Vehicles Act and similar legislations which provide a minimum assured relief immediately upon the establishment of a claim. </p>
<p>c)<span class="Apple-tab-span"> </span>Lastly, we firmly reject the approach paper’s proposal to merge the functions of the data regulator under the Privacy legislation with those of the Information Commissioners under the Right to Information Act. We believe that the Right to Information Act is a landmark legislation which has, in a short while, become a critical tool of empowerment in the hands of the citizens and civil service organizations. One of the most frequently cited reasons by which government departments refuse access to information under the RTI is on grounds of ‘privacy’. In most cases these turn out to be delaying tactics to shield the actions of a few corrupt officials from public scrutiny. The success of the RTI Act hinges on its interpretation and promulgation by officers who believe in the peremptory importance of openness of information in the public interest. The right to privacy demands an opposite orientation and the merging of the two in one officer would lead to an unsatisfactory implementation of both. We believe, as indicated above, that privacy claims that conflict with a citizen’s exercise of her right to information are being resolved satisfactory by the information commissioners under the RTI Act at present and the proposed Privacy legislation should not disturb this. </p>
</div>
</div>
<h2>Conclusion</h2>
<div>
<p>We commend the drafters of the approach paper for their having skillfully woven together the best international practices related to privacy, with an eye to specifics of the Indian situation. However we also feel that the Committee could have been better served by a more detailed study of statutory enforcement models and mechanisms that have succeeded in expanding the reach of remedies to Indians eg. the Consumer Protection Act, Motor Vehicles Act etc.</p>
<div>
<div> </div>
</div>
<div><a href="https://cis-india.org/internet-governance/blog/privacyapproachpaper" class="internal-link" title="Privacy Approach Paper">Approach Paper: 121KB</a></div>
<p> </p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper'>https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper</a>
</p>
No publisherelonnai2012-03-21T10:08:10ZBlog EntryAmerican Bar Association Online Privacy Conference: A Report
https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference
<b>On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panalists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to take. </b>
<h3>Introduction</h3>
<p>On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:</p>
<ul><li>Lisa Sotto, a private practitioner in the US</li><li>Billy Hawkes, Commissioner of Data Protection, Ireland</li><li>Bojana Bellamy, Director of Data Privacy, London, UK</li><li>Hugh Stevenson, Deputy Director of the Federal Trade Commission, US</li><li> Jennifer Stoddart, Privacy Commissioner, Canada.</li></ul>
<p>The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy. The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that, as India moves forward with a privacy legislation, should be considered and given thought about.</p>
<h3>Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross- border Data Transfer</h3>
<p>When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer – the panel was in agreement that privacy policies need to move beyond paper to practice. They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. Specifically addressing cloud computing internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally, if there is a breach in data, the onus at the end of the day falls on the company that was in possession of the data the data breach. Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility - creating a system analogous to the “do not call registry” for websites – something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on a websites, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice, was the emerging trend of “privacy by design". “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies where companies will assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard. If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy - allowing consumers to easily and quickly recognize what products are more privacy risky than others, and easily find reliable and secure data processors. The ability of the privacy seal to be applied to all services and sectors, would be particularly useful in a sectoral system like the US, where companies that collect data, but are not apart of the regulated sectors (financial, health, etc) do not come within the purview of the privacy protecting laws.</p>
<h3>Privacy Seals Globally? Privacy Seals in India?</h3>
<p>If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently – the Indian consumer. Even though India does not have a privacy legislation, nor a heightened concern over personal privacy, the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal". Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially a privacy seal could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.</p>
<h3>Accountability:</h3>
<p>In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to Bojana Bellamy – the EU Data Privacy Director, is increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an“accountability principle” to the directive. The directive is defining accountability as: showing how responsibility is exercised and making this verifiable -or in simpler terms – compliance with principles in the data protection field. The accountability principle that is being proposed would be comprised of two requirements. One requirement would obligate the data controllers to implement appropriate and effective measures that made sure the principles and obligations of the Directive were being put into effect by organizations. The second would be to require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment,monitoring,sanctions, and internal and external audits The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems. This would also mean that the data controllers would need to strengthen their internal arrangements. Further accountability measures considered by the Directive working party include: Establishment of internal procedures prior to the creation of new personal data processing operations, setting up written and binding data protection policies to be considered and applied to new data processing operations, mapping of procedures to endure proper identification of all data processing operations and maintenance of an inventory of data processing operations, appointment of data protection officer, offering adequate data protection, training, and education to staff members.</p>
<h3>Data Breaches:</h3>
<p>The panel next discussed data breaches. From the example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database – clearly date breaches are a continual, often very serious problem. Few people though, realize the extent to which data breaches happen (on their own personal data) and the actual consequences of the breaches, because countries do not have a well defined data breach policies set in place. There are a handful of European countries, like France and Germany, and some American states, like California, that have included data breach requirements into their laws. Also, Despite this, there are no broad statutes for data breach notification in the US or the EU. Also in 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported.. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media. If a data breach occurs, through bad press, the media causes the social and monetary costs to increase, so that companies will want to prevent data breaches. The privacy commission of Canada works to help companies remedy the breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and question that self regulation face are:</p>
<p>Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?</p>
<ul><li>How will the balance between over-reporting breaches with under-reporting breaches be maintained?</li><li>Even if there is a social incentive to provide notification of breach, is it adequate enough to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breach?</li><li>If bad media is the main form of penalty for companies – is this enough penalty, and is it able to take into consideration the context of each privacy breach?</li></ul>
<p>These questions along with the growing number of breaches that are occurring have pushed the EU and other countries to consider integrating data breach statutes into broad legislation. </p>
<h3> E-Privacy Directive Breach Notification:</h3>
<p>Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two tiered system – a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier is if the breach impacts the subscriber or individual, than the individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach. If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions. In the UK, data breach notification must include:</p>
<p>1. The type of information and compromised number of records</p>
<p>2. The circumstances of the loss, release, or corruption</p>
<p>3. Actions taken to minimize or mitigate the effect on individuals involved including whether they have been informed</p>
<p>4. details of how the breach is being investigated,</p>
<p>5. whether any other regulatory bodies have been informed and, if so, their responses</p>
<p>6. remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment. </p>
<h3>Accountability, breach notification: What material should India think about for a legal privacy structure?</h3>
<p>Lawrence Friedman once explained that legal systems are living organisms – Bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legal legislation it is important to look at what purpose that legislation is going to serve, and if that purpose reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations for responding to cultural and economic changes against a backdrop of widely-dispersed population groups with deeply-engrained traditions of government and management. This has led to incongruities, for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action. There are laws to protect certain rights, but the average person who takes action will never be afforded redress. Thus, India faces both similar and different challenges that the EU and Western countries are face in concern with privacy. One of the greatest privacy challenges in India today, despite having adopted technology, habits, and practices that put privacy at risk, is the common perception that India does not have any privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming a privacy legislation, a few broad questions that India needs to consider are:</p>
<p>· Does it want a broad legislation, one that could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislations, which risk being too tailored and difficult to harmonize?</p>
<p>· If India wants a broad privacy framework how will this be set up?</p>
<p>· What will be the tools used for civil education?</p>
<p>· How will enforcement take place ? </p>
<p>· Is self regulated accountability or statuary accountability better?</p>
<p>· Will there be a privacy tribunal?</p>
<p>· How will data be categorized? </p>
<p>· Will breaches be notified?</p>
<p>· Will standardized privacy policies be created?</p>
<p> As Hugh Stevenson, the commissioner from the FTC, described - one of the greatest benefits of breach notification was the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work and how their information is processed, and what risks are involved and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced - is whether a comprehensive legislation could be implemented? And should India be looking to enact such a comprehensive and detailed legislation when there is no existing privacy legislation to build off of, and no deep culture of privacy? To these concerns I can only speculate that there is always a balance between being overly ambitious in a legislation, and too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference'>https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference</a>
</p>
No publisherelonnaiPrivacy2012-03-21T10:08:36ZBlog EntryPrivacy Concerns in Whole Body Imaging: A Few Questions
https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions
<b>Security versus Privacy...it is a question that the world is facing today when it comes to using the Whole Body Imaging technology to screen a traveller visually in airports and other places. By giving real life examples from different parts of the world Elonnai Hickok points out that even if the Government of India eventually decides to advocate the tight security measures with some restrictions then such measures need to balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.</b>
<p><strong>What is Whole Body Imaging? </strong></p>
<p>Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons. </p>
<h3>How are These Technologies Being Used - Two News Items to Ponder: <br /></h3>
<p><strong>News Item One </strong></p>
<p>In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.</p>
<p>Also, in response to the attempted attack on the U.S, the Mumbai Terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India issued a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one), but instead the authority will randomly select persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zoomed over parts of the image for a better look, if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased. The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.</p>
<p>Despite this, the machines are controversial because they generate images of a passengers' entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security did a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough details for personal identification, the image is not retained, and the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.</p>
<p><strong>News Item Two</strong></p>
<p>In October this year, Fox News came out with a story that told how the use of x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see into the inside of the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. In vans the technology used is the backscatter x-ray machine. The cars are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out for a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the car. Reactions to the vans have been mixed. Some worry about the invasion to privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right is given by an individual‘s having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car. </p>
<h3>Questions at the Heart of the WBI Debate: <br /></h3>
<p>Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body — its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by the virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this particularly true given that airport scanning is of only a randomly-selected portion of travelers? Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead into a declared national emergency. Furthermore, how can legislation and policy, which has traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?</p>
<p><strong>How Have Other Countries Responded to Whole Body Imaging and How Should India Respond? <br /></strong></p>
<p>Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.</p>
<p>In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use. It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further. A Nigerian leader also pledged to use full-body scanners.</p>
<p>Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate the tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners, was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.</p>
<p>The variation in responses and the uneven uptake of the technology around the world shows how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers. Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions'>https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions</a>
</p>
No publisherelonnaiPrivacy2012-03-21T10:09:02ZBlog EntryPrivacy, Free/Open Source, and the Cloud
https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing
<b>A look into the questions that arise in concern to privacy and cloud computing, and how open source plays into the picture. </b>
<h3>Introduction</h3>
<p>Cloud computing, in basic terms, is internet-based computing where shared resources and services are taken from the primary infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems/service- oriented architectures, and create the potential for the entire I.T. infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model, because it is made up of services delivered through common centers and built on servers which act as a point of access for the computing needs of consumers. The access points facilitate the tailoring and delivering of targeted applications and services to consumers. Details are taken from the users, who no longer need to have an understanding of, or control over the technology infrastructure in the cloud that supports their desired application.</p>
<p>There are both corporate and consumer implications for such a system. For example, according cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in based on information he or she has already “consumed.” Thus, for example: Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display – and consumption of those reinforces the pattern.</p>
<h3>Privacy Concerns:</h3>
<p> Though cloud computing can be a useful tool for consumers, corporations, and countries, cloud computing poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that high levels of encryption can be (and are) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary sources that gain access to information may not protect it as well as the initial source. Moreover, even strong protection measures are vulnerable to hackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individuals information protected?</p>
<p>These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud, which are the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If international law, who can access the tribunals, and which tribunals have this jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides on a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for limited amount of time for purposes for law enforcement, but other countries may allow retention of data for shorter or longer periods of time.</p>
<h3>How are privacy, free/open source, and the cloud related ?</h3>
<p>Eben Moglen, a professor from Columbia law school, and founder and chairman of the Software Freedom Law Center who spoke on cloud computing, privacy, and free/open software at the Indian Institute for science on Thursday September 25, had another solution to the privacy concerns that arise out of the cloud. His lecture explains how the internet has moved from a tool that once promoted equality between people – no servants and no masters – to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and communication facilitated between the computer and the individual. Professor Moglen describes how initially, when computers were first introduced to the public, humans spoke directly to computers, and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a server-client computing relationship. By removing the language between humans and computers, these corporations dis-empowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of self, such as decisional, informational, and locational. In having the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of an individual, and, among other protections, the individuals could build up their desired levels of privacy.</p>
<h3>Is free/open software the solution?</h3>
<p> Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals. Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how a program uses personal information, and thus the person would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code. But even putting that presumption aside, is the ability to write code enough to protect data (will help you protect data better – add more security)? Perhaps if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards. According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, they must set up their own infrastructure.</p>
<h3>Conclusion</h3>
<p> Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them. Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base. For the ideology of free/open source to work, access to code is just a key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it, and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries, free/open source did not just enter into American society and immediately fix issues of privacy by bringing freedom, as it seems Professor Moglen is suggesting free/open source will do in India. Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology. Free/open source, if not equally accessed or misapplied, protects neither freedom nor privacy. As noted above, even if a person has access to code, he can protect data only to a certain extent. Thus, he might think that he has created a privacy wall around information that actually is readily accessible. In other words, free/open source cannot be the only answer to freedom, but instead a piece to a collective answer.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing'>https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing</a>
</p>
No publisherelonnaiOpennessInternet GovernancePrivacy2012-03-22T05:50:10ZBlog EntryPresentation of the UID project by Ashok Dalwai – A Report
https://cis-india.org/internet-governance/blog/uid-dalwai-presentation
<b>On Tuesday, 7 September 2010, Ashok Dalwai, the Deputy Director General of the Unique Identification of India (UIDAI), gave a lecture at the Indian Institute for Science in Bangalore. Representing the UID Authority, his presentation explained the vision of the project and focused on the challenges involved in demographic and biometric identification, the technology adopted, and the enrolment process. Elonnai Hickok gives a report of his presentation in this blog post.</b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-dalwai-presentation'>https://cis-india.org/internet-governance/blog/uid-dalwai-presentation</a>
</p>
No publisherelonnaiInternet Governance2012-03-21T10:09:48ZBlog EntryFeedback to the NIA Bill
https://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill
<b>Malavika Jayaram and Elonnai Hickok introduce the formal submission of CIS to the proposed National Identification Authority of India (NIA) Bill, 2010, which would give every resident a unique identity. The submissions contain the detailed comments on the draft bill and the high level summary of concerns with the NIA Bill submitted to the UIDAI on 13 July, 2010.</b>
<p>The UID draft bill is a proposed legislation that authorizes the creation of a centralized database of unique identification numbers that will be issued to every resident of India. The purpose of such a database is characterized as ensuring that every resident is provided services and benefits. The UID project was first set up and introduced to the public in February 2009 by the planning committee. In June 2010, a draft bill was proposed which attracted public debates and opinions for over two weeks. Currently the bill is being considered by Parliament in the winter session (July-August 2010). If the Parliament of India approves the bill, it may be enacted during Winter 2010.</p>
<p>CIS has closely followed the UID project and reviewed the bill right from the time when it was first issued. and has worked to initiate and contribute to a public debate including attending of workshops in Delhi on 6 May, 2010 and in Bangalore on 16 May, 2010.</p>
<p>We respect the fact that civil society has many voices. That said, in our criticisms, suggestions, and analysis of the UID draft bill, we are asking for a simple, well-defined document, the language and structure of which expressly precludes abuse of a centralized identification database. The document should provide solely for its stated purpose of enabling the provision of benefits to the poor. Along with this mandate we believe the document should give clear rights of choice, control, and privacy to the <em>Aadhaar</em> number holder. Below is a summary of our general comments with citations to specific sections of the draft bill. A <a href="https://cis-india.org/internet-governance/letter-to-uid-authority" class="internal-link" title="Feedback on the NIA Bill 2010">detailed</a> section by section critique is attached along with our <a href="https://cis-india.org/internet-governance/high-level-summary" class="internal-link" title="High Level Summary">high level summary</a> of concerns. The compilation and synthesis of detailed critiques was done by Malavika Jayaram.</p>
<h2>Summary of High Concerns </h2>
<h3>Clarity of Definition and Purpose</h3>
<p>Most importantly we find that in order to adhere to the stated purpose of the bill there is a need to limit and better define language in the relevant sections of the bill. This includes the powers and purpose of the Authority and the overarching scheme of the bill. We are concerned that the over-breadth and generality of the language will open up the opportunity for more information to be collected than originally stated. Further, definition will act to prevent uncontrolled or unwanted change in the project’s scope, and will clearly limit the usage of the <em>Aadhaar</em> numbers to the facilitation of the delivery of social welfare programs.<br /><br />For the bill to be in line with its original purpose of reaching out to the poor, we also believe the issue of fees must be addressed. We find that there is an inadequate definition in the bill of what fees shall be applied for authentication of <em>Aadhaar</em> numbers. Also we find that it is incompatible with the bill’s stated purpose to require an individual to pay to be authenticated. The bill should provide that no charges will be levied for authentication by registrars and other service providers for certain categories of <em>Aadhaar</em> number holders (BPL, disabled, etc.), and that charges will be limited/capped in other cases. This will bring the bill in line with the statement in Chapter II 3 (1) “Every resident shall be entitled to obtain an <em>Aadhaar</em> number on providing his demographic information and biometric information to the Authority in such a manner as may be specified by regulations” and Chapter 3 (10 ) “The Authority shall take special measures to issue <em>Aadhaar</em> numbers to women, children, senior citizens, persons with disability, migrant unskilled and unorganized workers, nomadic tribes or such other persons who do not have any permanent dwelling house and such other categories of individuals as may be specified by regulations. If a fee must be permitted, a cap/safeguard should be put in place to ensure that the fee does not become a mechanism of abuse.</p>
<h3>Protection of the Citizen</h3>
<p>The bill should ensure the protection of citizens’ rights to privacy and freedom of choice. To do this it is important that the bill is voluntary, allows for the protection of anonymity, and is clear on how data will be collected, stored and deleted. Measures should be taken towards ensuring that the <em>Aadhaar</em> number is truly voluntary. Accordingly, a prohibition against the denial of goods, services, entitlements and benefits (private or public) for lack of a UID number – provided that an individual furnishes equivalent ID is necessary. The bill should also spell out the situations in which anonymity will be preserved and/or an <em>Aadhaar</em> number should not be requested such as a person’s sexuality/sexual orientation and marital status/history. Furthermore, the bill should require the Authority, registrars, enrolling agencies and service providers to delete/anonymize/obfuscate transaction data according to defined principles after appropriate periods of time in order to protect the privacy of citizens.</p>
<h3>Motivations of the UID Bill</h3>
<p>Since the submission of the high level summary, we note that a list of 221 agencies empanelled by the UIDAI has been uploaded onto the website (by a memo dated 15 July, 2010). A swift reading reveals that most of the agencies who are going to help enroll people into the UIDAI system are not NGOs, CSOs or other welfare oriented not-for-profit entities; rather, they are largely IT companies and commercial enterprises. This begs the question as to whether the UID scheme/<em>Aadhaar</em> is truly geared towards delivery of benefits and inclusivity of the poor and marginalized. Already concerns have been voiced that the “ecosystem” of registrars and enrolling agencies contemplated by the scheme, to the extent that it envisages a public-private partnership, could firstly, be “hijacked” or “captured” by commercial motives and result in sharing of data, security breaches, compromised identities, loss of privacy, data mining and customer profiling, and secondly, end up neglecting the very sections of society that the scheme allegedly most wants to help. The list of empanelled companies makes this even more likely and imminent a concern. Without casting aspersions on any of those entities, we would like to highlight that this sort of delegated structure raises several concerns.</p>
<p>Additionally, we find the speed and efficiency with which the UIDAI juggernaut is signing MoUs with states, banks and government agencies on the one hand, and issuing tenders, RFPs, RFQs and otherwise seeking proposals and awarding contracts to private entities – in the absence of any Parliament-sanctioned law (the bill is still a draft, and yet to even be placed before the Parliament) to be alarming. Along with news of the increasing costs of the project and doubts about how foolproof the technology will be, it is staggering to imagine that something that raises so many concerns is being pushed through without a more serious debate. The lack of formal procedures and open debates makes one wonder how democratic the actual process is.</p>
<h2>Conclusion</h2>
<p>To conclude, CIS believes that the UID bill threatens the rights of citizens in India, and appeals to the citizen to think critically of its implications and consequences.</p>
<p>1. <a href="https://cis-india.org/internet-governance/letter-to-uid-authority" class="internal-link" title="Feedback on the NIA Bill 2010">Detailed Summary pdf (159kb)</a></p>
<p><a href="https://cis-india.org/internet-governance/high-level-summary" class="internal-link" title="High Level Summary">2. High Level Summary (77kb)<br /></a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill'>https://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill</a>
</p>
No publisherelonnaiSubmissionsInternet Governance2012-03-21T10:14:27ZBlog Entry