The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 31 to 45.
Report on the 3rd Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18th May 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are enlisted below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "><span>Following the first two Privacy Round Tables in Delhi and Bangalore, this report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18</span><sup>th</sup><span> May 2013.</span></p>
<h2><span><span><b>Overview of DSCI´s paper on ´Strengthening Privacy Protection through Co-Regulation´</b></span></span></h2>
<h2 style="text-align: justify; "></h2>
<p style="text-align: justify; ">The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATRGID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.</p>
<p style="text-align: justify; ">The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals´ sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.</p>
<p style="text-align: justify; ">In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers´ data, especially since customers <i>choose </i>to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner with which they handle customers´ data. Another participant argued that a significant amount of data is collected without users´ consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that that individual should have the right to access his/her data and make possible corrections.</p>
<p style="text-align: justify; ">The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers´ data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals´ right to privacy and the market are protected.</p>
<p style="text-align: justify; ">The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals´ data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, the both the Privacy Commissioner and the individual in question would have to be informed and that this issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.</p>
<p style="text-align: justify; ">The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could enhance awareness to both other companies and individuals in terms of data protection, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.</p>
<p style="text-align: justify; ">Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, as any company could probably violate users´ data in some way down the line either way, self-regulation or co-regulation would probably not be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users´ data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.</p>
<p style="text-align: justify; ">Co-regulation was once again supported by the DSCI through the argument that customers <i>choose </i>to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of <i>incentives</i> companies have in order to comply with regulations and to protect users´ data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals´ privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.</p>
<h1 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h1>
<h2 style="text-align: justify; ">Discussion of definitions: Chapter II</h2>
<p style="text-align: justify; ">The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where the one would focus on data protection and the other on surveillance and interception. The split of a Bill on data protection to two consecutive Bills was also proposed, where the one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the sections mentioned above was seriously considered.</p>
<p style="text-align: justify; ">The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term ´sensitive personal data´ and it was recommended that the Indian draft Privacy (Protection) Bill complies with it. Other participants argued that a controversy lies in India on whether the government would conduct a caste census and if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition for ´sensitive personal data´ to safeguard individuals from potential abuse. Furthermore, the fact that the term ´sensitive personal data´ does not have a harmonious nature in the U.S. and in Europe was raised, especially since that would make it more difficult for India to comply to global privacy standards.</p>
<p style="text-align: justify; ">The broadness of the definition for ´sensitive personal data´ was raised as a potential problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated on whether financial information should be included in the definition of ´sensitive personal data´, but a consensus was not reached. Other participants argued that the terms ´data subject´ and ´data controller´ should be carefully defined, as well as that a generic definition for the term ´genetic data´ should be included in the Bill. Furthermore, it was argued that the word ´monitor´ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as a trade union membership, should also be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.</p>
<p style="text-align: justify; "><b>Discussion of “Protection of Personal Data”: Chapter III </b><b> </b></p>
<p style="text-align: justify; ">The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should comply with a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals´ personal data. It was also argued that when an individual is constantly under surveillance, that individual´s behaviour is more controlled and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable as to how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored in foreign servers. <b> </b></p>
<p style="text-align: justify; "><b>Issue of Consent</b></p>
<p style="text-align: justify; ">The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, conditions laid out in section 3 would have to be met, through which the individual would have to be informed prior to any data collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data withheld about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.</p>
<p style="text-align: justify; "><b>Outsourcing of Data</b></p>
<p style="text-align: justify; ">It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be able to be informed about which data is being collected, whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.</p>
<p style="text-align: justify; ">Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that its data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but the manner of its use is what really matters.</p>
<p style="text-align: justify; "><b>Data Retention</b></p>
<p style="text-align: justify; ">Acting on the powers given by POTA, it was argued that 50,000 arrests have been made. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.</p>
<p style="text-align: justify; ">It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change within time and that data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that is should not only apply to present data, but also to past data, such as archives.</p>
<p style="text-align: justify; "><b>Data Processing</b></p>
<p style="text-align: justify; ">The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.</p>
<p style="text-align: justify; "><b>Data Disclosure</b></p>
<p style="text-align: justify; ">The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties, who gain access to it through cooperation with Indian law enforcement agencies and cases of dual criminality in terms of the misuse of data abroad were raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.</p>
<p style="text-align: justify; ">According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be invested in the High Court in terms of data disclosure.</p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; ">The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p style="text-align: justify; ">The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting'>https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:35:22ZBlog EntryThe Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!
https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers
<b>Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out! </b>
<hr />
<p style="text-align: justify; ">This blog post has been <a class="external-link" href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">cross-posted</a> in Medianama on May 8, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">So yes, we live in an <a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">Internet Surveillance State</a>. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?</p>
<p style="text-align: justify; "><span>Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it</span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting"> lacks privacy legislation </a><span>which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.</span></p>
<p style="text-align: justify; "><span>The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?</span></p>
<h2><b>A glimpse of the surveillance industry in India</b></h2>
<p style="text-align: justify; "><span>In light of the </span><a href="http://uidai.gov.in/">UID scheme</a><span>, the </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National Intelligence Grid</a><span> (NATGRID), the </span><a href="http://ncrb.nic.in/cctns.htm">Crime and Criminal Tracking Network System</a><span> (CCTNS) and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a><span> (CMS), who supplies law enforcement agencies the technology to surveille us?</span></p>
<p style="text-align: justify; "><span>In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies </span><a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html">simultaneously produce internet monitoring software and encryption tools</a><span>! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.</span></p>
<p style="text-align: justify; ">Companies selling surveillance technology in India are listed in <a href="https://cis-india.org/internet-governance/blog/table-1.pdf" class="internal-link">Table 1</a>. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.</p>
<p style="text-align: justify; "><span><a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> shows the types of surveillance technology produced and sold by these 76 companies.</span></p>
<p style="text-align: justify; ">The graph below is based on <a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> and shows which types of surveillance are produced the most by the 76 companies.</p>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy_of_Surveillancetechgraph.png" alt="Surveillance Graph" class="image-inline" title="Surveillance Graph" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Graph on types of surveillance sold to law enforcement agencies by 76 companies in India</p>
<p style="text-align: justify; "><span>Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the </span><a href="http://www.economist.com/node/21542814">UID scheme</a><span> which is rapidly expanding across India. Only </span><a href="http://www.clear-trail.com/">one company</a><span> from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a><span>, especially since the project would have to monitor and mine Big Data.</span></p>
<p style="text-align: justify; "><span>On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since </span><a href="https://opennet.net/research/profiles/india">the majority of the population in India does not even have Internet access</a><span>. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while </span><a href="http://www.thehindu.com/news/national/half-of-indias-homes-have-cellphones-but-not-toilets/article2992061.ece">more than half the population owns mobile phones</a><span>. Seeing as companies, such as </span><a href="http://www.clear-trail.com/">ClearTrail Technologies</a><span> and </span><a href="http://www.shoghicom.com/">Shoghi Communications</a><span>, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.</span></p>
<h2>Did you Know:</h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/spywarepic.jpg" alt="Spyware" class="image-inline" title="Spyware" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>CARLOS62 on flickr </span></p>
<ol>
<li>WSS Security Solutions Pvt. Ltd. is <a href="http://www.wssgroup.in/aboutus.html">north India´s first CCTV zone</a></li>
<li>Speck Systems Limited was <a href="http://www.specksystems.com/sub-links/Strengths/core-strengths-UAV.htm">the first Indian company to design, manufacture and fly a micro UAV indigenously</a></li>
<li>Mobile Spy India (Retina-X Studios) has the following <a href="http://www.mobilespy.co.in/">mobile spying features</a>: </li>
</ol>
<ul>
<li><i>SniperSpy</i>: remotely monitors smartphones and computers from any location</li>
</ul>
<ul>
<li><i>Mobile Spy: </i>monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces</li>
</ul>
<p>4. Infoserve India Private Limited produces an<a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html"> Internet monitoring System</a> with the following features:</p>
<ul>
<li>Intelligence gathering for an entire state or a region</li>
<li>Builds a chain of suspects from a single start point</li>
<li>Data loss of less than 2%</li>
<li>2nd Generation Interception System</li>
<li>Advanced link analysis and pattern matching algorithms</li>
<li>Completely Automated System</li>
<li>Data Processing of up to 10 G/s</li>
<li>Automated alerts on the capture of suspicious data (usually based on keywords)</li>
</ul>
<p>5. ClearTrail Technologies<b> </b>deploys <a href="https://www.documentcloud.org/documents/409231-111-cleartrail.html#document/p3/a68269">spyware into a target´s machine</a><br />6. Spy Impex<b> </b>sells <a href="http://www.tradedir.in/s/coca-cola-tin-camera">Coca Cola Tin Cameras</a>!<br />7. Nice Deal<b> </b>also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and <a href="http://www.indiamart.com/nicedeal/spy-hidden-cameras.html">Lighter Video Cameras</a> to name a few...<br />8. Raviraj Technologies<b> </b>is an Indian company which supplies <a href="http://www.ravirajtech.com/index.html">RFID and biometric technology</a> to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?</p>
<ul>
<li style="text-align: justify; ">Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further <a href="http://www.rogerclarke.com/DV/Biometrics.html">oppression</a> within these countries </li>
</ul>
<ul>
<li style="text-align: justify; ">Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards</li>
</ul>
<h2><b>“I´m not a terrorist, I have nothing to hide!”</b></h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/surveillancetechpic.jpg" alt="Surveillance Tec" class="image-inline" title="Surveillance Tec" /></th>
</tr>
</tbody>
</table>
<p><span> </span><a href="http://www.flickr.com/photos/r1chard/">r1chardm</a> on flickr</p>
<p style="text-align: justify; ">It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:</p>
<blockquote class="italized"><i>“I´m not a terrorist, I have nothing to hide!”</i></blockquote>
<p style="text-align: justify; "><span>Indeed. You may not be a terrorist...and you may </span><i>think </i><span>you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?</span></p>
<p style="text-align: justify; "><span>Last year at the </span><a href="http://lcaunderthestars.org.au/programme/schedule">linux.conf.au</a><span>, </span><a href="http://www.youtube.com/watch?v=GMN2360LM_U">Jacob Appelbaum</a><span> stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. </span><a href="http://www.schneier.com/essay-155.html">Bruce Schneier</a><span> has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.</span></p>
<p style="text-align: justify; "><span>That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, </span><a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">we are all potentially suspects</a><span>. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called </span><a href="http://www.computerworld.com/s/article/9176265/Half_of_social_networkers_post_risky_information_study_finds_">´risky information´</a><span>. As long as our data is being surveilled, we are all suspects, which means that </span><a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239412">we can all potentially be arrested, interrogated and maybe even tortured</a><span>, just like any other criminal suspect.</span></p>
<p style="text-align: justify; "><span>But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The </span><a href="http://www.sourcesecurity.com/news/articles/co-1753-ga.4047.html">market appears to demand for surveillance technologies</a><span> because a pre-existing </span><a href="http://www.abc.net.au/tv/bigideas/stories/2012/04/16/3476847.htm">surveillance culture</a><span> has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as </span><a href="http://money.cnn.com/magazines/fortune/global500/2012/snapshots/284.html">3M</a><span>, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that </span><a href="http://www.sscqueens.org/davidlyon/">surveillance is being socially integrated</a><span>. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.</span></p>
<p style="text-align: justify; "><span>By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">NATGRID </a><span>and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><span> in India- or by handing over our data, </span><a href="http://www.schneier.com/essay-167.html"><i>we </i></a><a href="http://www.schneier.com/essay-167.html">are fuelling the surveillance state</a><span>. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution </span><i>and </i><span>of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.</span></p>
<p style="text-align: justify; "><span>Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because </span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting">India lacks privacy legislation </a><span>which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.</span></p>
<p style="text-align: justify; "><span>Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as </span><a href="http://www.ravirajtech.com/index.html">Raviraj Technologies</a><span>, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus </span><a href="https://www.privacyinternational.org/reports/our-response-to-eu-consultation-on-legality-of-exporting-surveillance-and-censorship-3">export controls</a><span> are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even </span><a href="http://edition.cnn.com/2013/03/15/world/asia/u-n-drone-objections">murdered</a><span> in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers'>https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers</a>
</p>
No publishermariasurveillance technologiesInternet GovernanceSAFEGUARDS2013-07-12T11:59:10ZBlog EntryReport on the 2nd Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table
<b>This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013. </b>
<hr />
<p>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are enlisted below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">Following the first Privacy Round Table in Delhi, this <a href="https://cis-india.org/internet-governance/blog/report-on-bangalore-privacy-meeting" class="internal-link">report</a> entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20<sup>th</sup> April 2013.</p>
<h2 style="text-align: justify; ">Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”</h2>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13<sup>th</sup> April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.</p>
<p style="text-align: justify; ">DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.</p>
<p style="text-align: justify; ">The discussion points brought forward by DSCI were:</p>
<ul style="text-align: justify; ">
<li>What role should government and industry respectively play in developing and enforcing a regulatory framework? </li>
<li>How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?</li>
<li>How can an organization be incentivized to follow the codes of practice under the SRO?</li>
<li>What should be the role of SROs in redressal of complaints?</li>
<li>What should be the business model for SROs?</li>
</ul>
<p style="text-align: justify; ">DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.</p>
<p style="text-align: justify; "> </p>
<h2 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h2>
<h3 style="text-align: justify; ">Discussion of definitions and preamble: Chapter I & II</h3>
<p style="text-align: justify; ">The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.</p>
<h3 style="text-align: justify; ">Sensitive Personal Data</h3>
<p style="text-align: justify; ">The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.</p>
<h3 style="text-align: justify; ">Information vs. Data</h3>
<p style="text-align: justify; ">During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.</p>
<h3 style="text-align: justify; ">Exemptions</h3>
<p style="text-align: justify; ">Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.</p>
<h2 style="text-align: justify; ">Discussion of “Protection of Personal Data”: Chapter III</h2>
<p style="text-align: justify; ">Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out and suggested that it be included in draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are been included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.</p>
<h3 style="text-align: justify; ">Data Collection</h3>
<p style="text-align: justify; ">In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the in Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.</p>
<h3 style="text-align: justify; ">Consent</h3>
<p style="text-align: justify; ">On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over certain cases, in other cases they <i>choose </i>to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this should too be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized upon the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.</p>
<p style="text-align: justify; ">Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.</p>
<h3 style="text-align: justify; ">Data Disclosure</h3>
<p style="text-align: justify; ">In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.</p>
<p style="text-align: justify; ">A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared, retained when it is not handled within India and several participants argued that this should be encountered within the Bill.</p>
<h3 style="text-align: justify; ">Data Destruction</h3>
<p style="text-align: justify; ">In terms of data destruction, a participant emphasized upon the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized upon the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.</p>
<h3 style="text-align: justify; ">Data Processing</h3>
<p style="text-align: justify; ">In terms of data processing, participants argued that privacy protection complications have arisen in light of the social media. In particular, they argued that social media develop and expand technologically constantly and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.</p>
<p style="text-align: justify; ">However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.</p>
<p style="text-align: justify; ">In brief, the following questions with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>Should consent be required prior to the collection of data?</li>
<li>Should consent be acquired prior and after the disclosure of data? </li>
<li>Should the purpose of data collection be the same as the purpose for the disclosure of data?</li>
<li>Should an executive order or a court order be required to disclose data?</li>
<li>At the background of national security, anyone´s data can be under the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data in the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?</li>
<li>An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?</li>
</ul>
<ul style="text-align: justify; ">
<li>Should companies notify individuals when they share their (individuals´) data with international third parties?</li>
</ul>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>The data subject has to be informed, unless there is a model contract. </li>
<li>The request for consent should depend on the type of data that is to be disclosed.</li>
<li>Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).</li>
<li>The shared data may be considered private data (need of a relevant regulatory framework).</li>
<li>An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.</li>
<li>If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country. </li>
<li>India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.</li>
<li>The problem with disclosure is when there is an exception for certain circumstances </li>
<li>Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability. </li>
<li>Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).</li>
<li>´Data ownership´ should be included in the definitions of the Bill. </li>
<li>What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.</li>
</ul>
<p> </p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for other purposes other than the original purpose, as well as that such information should not be shared with third parties.</p>
<p style="text-align: justify; ">Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner is mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.</p>
<h2 style="text-align: justify; ">Discussion on self-regulation and co-regulation</h2>
<p> </p>
<p style="text-align: justify; ">The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.</p>
<p style="text-align: justify; ">The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.</p>
<p style="text-align: justify; ">Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than what the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p> </p>
<p style="text-align: justify; ">The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table'>https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:54:28ZBlog EntryReport on the 1st Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are enlisted below:</span></p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li style="text-align: justify; ">New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p> </p>
<p>This <a href="https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf" class="internal-link">report </a>entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</p>
<p> </p>
<h2><b>Overview of Justice A P Shah Report: Purpose, Principles and Framework</b></h2>
<p style="text-align: justify; ">The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.</p>
<p style="text-align: justify; ">During the discussion on the report, a participant stated that, although a privacy legislation should be enacted in India to protect individuals´ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called upon the need for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and on online businesses. Thus, the participant emphasized upon the creation of “light-weight” privacy legislation, which would protect individual´s right to privacy, without infringing upon the interests of the private sector.</p>
<p style="text-align: justify; ">Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:</p>
<ul style="text-align: justify; ">
<li>The purpose of the collection of data</li>
<li>The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case</li>
<li>Data is shared with third parties and it is hard to control how long they retain the data for</li>
<li>Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data</li>
</ul>
<p style="text-align: justify; ">Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible to single access of both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follows the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation are approved by the Privacy Commissioner.</p>
<p style="text-align: justify; ">While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before being authorised access to information. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.</p>
<p style="text-align: justify; ">The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual´s personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies´ method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers´ data and that the sharing of customer data without the individual´s prior knowledge or consent could lead to data breaches and human rights violation.</p>
<p style="text-align: justify; ">The first hour of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers´ data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications is a widespread phenomenon in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.</p>
<h3 style="text-align: justify; ">Discussion Highlights:</h3>
<ul style="text-align: justify; ">
<li>The pros and cons of self-regulation and co-regulation</li>
<li>The national privacy principles – and how to build in insurance for technology</li>
<li>The role of the Privacy Commissioner</li>
<li>The definition of terms used in the draft Privacy (Protection) Bill 2013 </li>
</ul>
<p style="text-align: justify; "> </p>
<h2><b>Overview, explanation and discussion on the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen´s version of a privacy legislation for India. The Bill entails chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.</p>
<p style="text-align: justify; ">During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.</p>
<p style="text-align: justify; ">Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for very several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.</p>
<p style="text-align: justify; ">As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation coincides with other contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished by personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.</p>
<p style="text-align: justify; ">Many participants agreed that India´s proposed Privacy Law should meet <i>global standards </i>in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.</p>
<p style="text-align: justify; ">The issue of to whom privacy laws would apply to was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products by Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent on the use of data by customers of foreign countries, especially since different laws apply to each country.</p>
<p style="text-align: justify; ">The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.</p>
<p style="text-align: justify; ">The term ´sensitive personal data´ was analysed in the meeting and it was argued that it entails data such as sexual orientation, religion, caste and health records among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term ´sensitive personal data´ and that he/she not only ensures that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term ´sensitive personal data´, by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension and thus the necessity to strictly define the term is highly essential.</p>
<p style="text-align: justify; ">Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine ´public figures´ was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.</p>
<p style="text-align: justify; ">During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on <i>where </i>it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.</p>
<p style="text-align: justify; ">The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request for authorisation once the interception has already being conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. An assertive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.</p>
<p style="text-align: justify; ">The second session of the meeting concluded to the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals´ personal data.<span> </span></p>
<h3>Discussion Highlights:</h3>
<ul>
<li>If the draft Privacy (Protection) Bill 2013 should be split to two separate Bills</li>
<li><span>Definition for the term ´sensitive personal data´ (to include broader categories, such as health data)</span></li>
<li>If personal data should be distinguished in the private and public sector</li>
<li>If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards</li>
<li>The nuances of consumer consent</li>
<li>Various ways to define ´public figures´</li>
<li>Freedom of expression in the context of the draft Privacy (Protection) Bill 2013 </li>
<li>The distinction between exemptions and exceptions</li>
</ul>
<p> </p>
<h2><b>In depth explanation and discussions regarding the Privacy (Protection)</b></h2>
<h2><b> Bill 2013</b></h2>
<p style="text-align: justify; ">The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to ´specific purposes´, because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term ´necessary information´ is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.</p>
<p style="text-align: justify; ">The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill entails provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals´ right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals <i>choose</i> to disclose a large amount of information.</p>
<p style="text-align: justify; ">The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data to, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company´s competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers´ data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers´ data, they are not obliged to reveal the parties with whom they are sharing information with, as this would be highly inconvenient.</p>
<p style="text-align: justify; ">Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.</p>
<p style="text-align: justify; ">A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A participant responded to this argument by stating that companies only protect users´ data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized upon the futility of informing customers of the handling of their data, especially since the average customer would not understand the security setting of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.</p>
<p style="text-align: justify; ">In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.</p>
<p style="text-align: justify; ">In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers’ data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers´ data is not breached.</p>
<p style="text-align: justify; ">Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared with. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable in regards to how they handle data.</p>
<p style="text-align: justify; ">The fact that companies can use meta-data for research purposes was mentioned in the meeting, which called upon the need to redefine the term ´data´. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the ´Right to be Forgotten´ debate and stated that the deletion of data, in many cases, is not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding on how such data should be handled. Data should not be disclosed for the sake of being disclosed, but companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option and the example of Facebook was brought up. Participants argued that given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.</p>
<p style="text-align: justify; ">The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to ´sensitive personal data´. The need for the redefinition of the term ´sensitive personal data´ in the draft Privacy Bill was emphasized again, as well as participants´ concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should <i>not </i>be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may have not considered when granting initial consent.</p>
<p style="text-align: justify; ">The meeting proceeded to discuss the processing of data and several participants emphasized upon the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies. <span> </span></p>
<h3>Discussion Highlights:</h3>
<ul>
<li>The different instances of data collection and consumer consent</li>
<li>The nuances of data sharing </li>
<li>The issue of consumer consent and security assurances offered by companies</li>
<li>The pros and cons of having a data retention regulatory framework</li>
<li>How transparency is incorporated into the draft Privacy Protection Bill 2013 </li>
<li>What is needed in provisions that speak to data destruction</li>
</ul>
<h2>Meeting conclusion</h2>
<p style="text-align: justify; ">The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals´ right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.</p>
<p style="text-align: justify; ">Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the <a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="internal-link">Privacy Protection Bill, 2013</a> based on participants´ feedback, concerns, comments and ideas.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting'>https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-30T11:11:11ZBlog EntryComments on the Information Technology (Electronic Service Delivery) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Information Technology (Electronic Services Delivery) Rules, 2011. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; "><b>I <span><span>Preliminary</span></span></b></p>
<p style="text-align: justify; ">1.1 This submission presents comments from the Centre for Internet and Society (<b>“CIS”</b>) on the Information Technology (Electronic Service Delivery) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on 11 April 2011 (<b>“ESD Rules”</b> or <b>“Rules”</b>).</p>
<p style="text-align: justify; ">1.2 The ESD Rules were notified only eight months before the Electronic Delivery of Services Bill, 2011 was tabled in the Lok Sabha on 27 December 2011 (Bill 137 of 2011) (<b>“EDS Bill” </b>or<b> “Bill”</b>). Both the ESD Rules and the EDS Bill are concerned with enabling computer-based electronic delivery of government services to Indian citizens (<b>“electronic service delivery”</b>). Both the Rules and the Bill originate from the same government department: the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology. Since the EDS Bill seeks to enact a comprehensive legislative framework for mandating and enforcing electronic service delivery, the purpose of the ESD Rules are called into question.</p>
<p style="text-align: justify; "><b>II <span><span>Basic Issues Regarding Electronic Service Delivery</span></span></b></p>
<p style="text-align: justify; ">2.1 CIS believes that there are significant conceptual issues regarding electronic service delivery that demand attention. The Department-related Parliamentary Standing Committee on Information Technology of the Fifteenth Lok Sabha (<b>“Standing Committee”</b>) raised a few concerns when it submitted its 37th Report on the EDS Bill on 29 August 2012. There is a clear need for a national debate on the manner of effecting exclusive electronic service delivery to the exclusion of manual service delivery. Some of these issues are briefly summarised as follows:</p>
<p style="text-align: justify; ">(a) Mandatory exclusive electronic service delivery pre-supposes the ability of all Indian citizens to easily access such mechanisms. While there are no authoritative national statistics on familiarity with computer-related technologies, it is apparent that a large majority of Indians, most of whom are likely to be already marginalised and vulnerable, are totally unfamiliar with such technologies to endanger their ability to receive basic government services;</p>
<p style="text-align: justify; ">(b) Consequent upon mandatory exclusive electronic service delivery for basic government services, a large group of ‘middlemen’ will arise to facilitate access for that majority of Indians who cannot otherwise access these services. This group will control the interface between citizens and their government. As a result, citizens’ access to governance will deteriorate. This problem may be mitigated to a certain extent by creating a new class of public servants to solely facilitate access to electronic service delivery mechanisms;</p>
<p style="text-align: justify; ">(c) The issue of governmental incapacity at the citizen-government interface might be addressed by contracting private service providers to operate mandatory exclusive electronic service delivery mechanisms. However, it is difficult to see how commercialising access to essential government services serves the public interest, especially when public funds will be expended to meet the costs of private service providers. Permitting private service providers to charge a fee from the general public to allow access to essential government services is also ill advised;</p>
<p style="text-align: justify; ">(d) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must be accompanied by strong data protection measures to ensure the sanctity of sensitive personal information shared online with the state. At present, there are no specific laws that bind the state, or its agents, to the stringent requirements of privacy necessary to protect personal liberties. In the same vein, strong data security measures are necessary to prevent sensitive personal information from being compromised or lost;</p>
<p style="text-align: justify; ">(e) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must ensure ease and equality of accessibility. For this reason, electronic service delivery mechanisms should conform to the National Policy on Open Standards, 2010 (or the proposed National Electronic Access Policy which is currently awaiting adoption), the Interoperability Framework for E-Governance in India and the Website Guidelines of the National Informatics Centre;</p>
<p style="text-align: justify; ">(f) Electronic service delivery requires infrastructure which India does not currently have but can develop. Only 1.44 per cent of India’s population has access to a broadband internet connection<a href="#fn1" name="fr1">[1]</a> and current daily energy demand far exceeds supply. On the other hand, the number of broadband subscribers is increasing,<a href="#fn2" name="fr2">[2]</a> the annual installed capacity for electricity generation is growing<a href="#fn3" name="fr3">[3]</a> and the literacy rate is increasing.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">2.2 The ESD Rules do not address any of the issues raised in the preceding paragraph. As a result, they cannot be seen to represent the result of a national consensus on the crucial question of mandating exclusive electronic service delivery and the means of enforcing such a scheme. Further, very few of the provisions of the Rules are binding; instead, the Rules appear to be drafted to serve as a minimal model for electronic service delivery. <b>In this background, CIS believes that the Rules should be treated as an incomplete arrangement that prescribe the minimal standards necessary to bind private service providers before comprehensive and statutory electronic service delivery legislation is enacted, perhaps in the form of the EDS Bill or otherwise. </b>Therefore, without prejudice to the issues raised in the preceding paragraph, CIS offers the following comments on the provisions of the Rules while reserving the opportunity to make substantive submissions on electronic service delivery in general to an appropriate forum at a later date.</p>
<p style="text-align: justify; "><b>III <span>Improper Exercise of Subordinate Legislative Power</span></b></p>
<p style="text-align: justify; ">3.1 Rule 317 of the Rules of Procedure and Conduct of Business in the Lok Sabha (Fourteenth Edition, July 2010) (<b>“Rules of Procedure”</b>), which empowers the Committee on Subordinate Legislation to scrutinise exercises of statutory delegation of legislative powers for impropriety, states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>There shall be a Committee on Subordinate Legislation to scrutinize and report to the House whether the powers to make regulations, rules, subrules, bye-laws etc., conferred by the Constitution or delegated by Parliament are being properly exercised within such delegation.</i></p>
<p style="text-align: justify; ">Further, the Committee on Subordinate Legislation is specifically empowered by rule 320(vii) of the Rules of Procedure to examine any provision of the ESD Rules to consider “<i>whether it appears to make some unusual or unexpected use of the powers conferred by the Constitution or the Act pursuant to which it is made.</i>”</p>
<p style="text-align: justify; ">3.2 Accordingly, the attention of the Committee on Subordinate Legislation is called to an improper exercise of delegated power under rule 3(1) of the ESD Rules, which states:</p>
<p style="padding-left: 30px; "><i>The appropriate Government may on its own or through an agency authorised by it, deliver public services through electronically- enabled kiosks or any other electronic service delivery mechanism.</i></p>
<p style="text-align: justify; "><b>This sub-rule (1) empowers both the Central Government and State Governments to provide electronic service delivery on their own.</b></p>
<p style="text-align: justify; ">3.3 The ESD Rules are made in exercise of delegated powers conferred under section 87(2)(ca) read with section 6-A(2) of the Information Technology Act, 2000 (<b>“IT Act”</b>). Section 87(2)(ca) of the IT Act empowers the Central Government to make rules to provide for:</p>
<p style="padding-left: 30px; text-align: justify; "><i>the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A.</i></p>
<p>Section 6-A(2) of the IT Act states:</p>
<p style="padding-left: 30px; text-align: justify; "><i>The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.</i></p>
<p style="text-align: justify; "><i>Prima facie</i>, the delegated powers under section 87(2)(ca) read with section 6-A(2) of the IT Act, in exercise of which the ESD Rules are made, only permit delegated legislation to regulate private service providers, <span>they do not permit the executive to exercise these powers to empower itself to conduct electronic service delivery on its own</span>.<b> Therefore, to the extent that the ESD Rules authorise the Central Government and State Governments to provide electronic service delivery on their own, such authorisation constitutes an improper exercise of delegated power and is <i>ultra vires</i> the IT Act.</b> This may be resolved by deriving the delegated legislative competence of the ESD Rules from section 87(1) of the IT Act, instead of section 87(2)(ca) read with section 6-A(2).</p>
<p style="text-align: justify; "><b>IV <span>Clause-by-Clause Comments</span></b></p>
<p style="text-align: justify; "><span>Rule 2 - Definitions</span></p>
<p>4.1.1 Rule 2(c) of the ESD Rules states:</p>
<p style="text-align: justify; "><i>"authorised agent" means an agent of the appropriate Government or service provider and includes an operator of an electronically enabled kiosk who is permitted under these rules to deliver public services to the users with the help of a computer resource or any communication device, by following the procedure specified in the rules</i></p>
<p style="text-align: justify; ">In accordance with the argument regarding improper exercise of delegated power contained in paragraphs 3.1 – 3.3 of this submission, the appropriate Government cannot undertake electronic service delivery under these Rules. Consequently, the appropriate Government cannot appoint an agent to provide electronic service delivery on behalf, and under the control, of the appropriate Government since, as the principal, the appropriate Government would be responsible for the acts of its agents. Instead, private service providers may provide electronic service delivery as contractees of the appropriate Government who might enter into such contracts as a sovereign contractor. Therefore, only a private service provider may appoint an authorised agent under these Rules.</p>
<p style="text-align: justify; "><b>4.1.2 Therefore, it is proposed that rule 2(c) is amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">““authorised agent” means an agent of a service provider, and includes an operator of an electronically enabled kiosk, who is permitted under these rules to deliver public services with the help of a computer resource or any communication device, by following the procedure specified in these rules”</p>
<p style="text-align: justify; ">Rule 3 - <span>System of Electronic Service Delivery</span></p>
<p>4.2.1 Rule 3(3) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may determine the manner of encrypting sensitive electronic records requiring confidentiality, white they are electronically signed.</i></p>
<p style="text-align: justify; ">This sub-rule is supposed to prescribe stringent standards to maintain the security, confidentiality and privacy of all personal information used during electronic service delivery transactions. In the absence of transactional security, electronic service delivery will invite fraud, theft and other misuse to impugn its viability as a means of delivering public services. However, the use of the term “<i>may</i>” leaves the prescription of security standards up to the discretion of the appropriate Government. Further, the language of the sub-rule is unclear and imprecise.</p>
<p>4.2.2 <b>Therefore, it is proposed that rule 3(3) is amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“The appropriate Government shall, prior to any electronic service delivery, determine the manner of encrypting electronic records and shall prescribe standards for maintaining the safety, security, confidentiality and privacy of all information collected or used in the course of electronic service delivery.”</p>
<p>4.3.1 Rule 3(5) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may allow receipt of payments made by adopting the Electronic Service Delivery System to be a deemed receipt of payment effected in compliance with the financial code and treasury code of such Government.</i></p>
<p style="text-align: justify; "><span>Firstly</span>, if these Rules enable payments to be made electronically, they must also validate the receipt of these payments. Inviting citizens to make electronic payments for government services without recognising the receipt of those payments is farcical to attract abusive and corrupt practices. Therefore, it is imperative that these Rules compulsorily recognise receipt of payments, either by deeming their receipt to be valid receipts under existing law or by specially recognising their receipt by other means including the law of evidence. Either way, electronic receipts of electronic payments must be accorded the validity in law that manual/paper receipts have; and, copies of such electronic receipts must be capable of being adduced in evidence. <span>Secondly</span>, the use of the phrase “<i>financial code and treasury code</i>” is avoidable since these terms are undefined.</p>
<p><b>4.3.2 Therefore, it is proposed that rule 3(5) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“Any receipt of payment made by electronic service delivery shall be deemed to be a valid receipt of such payment under applicable law and shall be capable of being adduced as evidence of such payment.”</p>
<p>4.4.1 Rule 3(6) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may authorise service providers or their authorised agents to collect, retain and appropriate such service charges as may be specified by the appropriate Government for the purpose of providing such services from the person availing such services: </i></p>
<p><i> </i></p>
<p style="text-align: justify; padding-left: 30px; "><i>Provided that the apportioned service charges shall be clearly indicated on the receipt to be given to the person availing the services.</i></p>
<p style="text-align: justify; ">This sub-rule is an almost verbatim reproduction of the provisions of section 6-A(2) of the IT Act which reads as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.</i></p>
<p style="text-align: justify; ">Since the IT Act specifically delegates to the appropriate Governments the power to authorise service providers to levy charges, rule 3(6) of the ESD Rules that merely copies the provisions of the parent statute is meaningless. The purpose of delegated legislation is to give effect to the provisions of a statute by specifying the manner in which statutory provisions shall be implemented. Copying and pasting statutory provisions is a absurd misuse of delegated legislative powers.</p>
<p style="text-align: justify; "><b>4.4.2 Therefore, it is proposed that sub-rule (6) is deleted and the remaining sub-rules of rule 3 are renumbered.</b></p>
<p>4.5.1 Rule 3(7) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government shall by notification specify the scale of service charges which may be charged and collected by the service providers and their authorised agents for various kinds of services.</i></p>
<p>This is an almost verbatim reproduction of the provisions of section 6-A(4) of the IT Act which reads as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section.</i></p>
<p style="text-align: justify; ">As noted in paragraph 4.3.1 of this submission, the purpose of delegated legislation is not to copy the provisions of the parent statute, but to amplify the scope of the delegated power and the manner of effecting its implementation.</p>
<p style="text-align: justify; "><b>4.5.2 Therefore, it is proposed that sub-rule (7) is deleted and the remaining sub-rules of rule 3 are renumbered.</b></p>
<p>4.6.1 Rule 3(8) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may also determine the norms on service levels to be complied with by the Service Provider and the authorised agents.</i></p>
<p style="text-align: justify; ">There is no quarrel with the power of the government to determine norms for, or directly prescribe, service levels to regulate service providers. However, without a scheme of statutory or sub-statutory penalties for contravention of the prescribed service levels, a sub-delegated service level cannot enforce any penalties. Simply put, <span>the state cannot enforce penalties unless authorised by law</span>. Unfortunately, rule 3(8) contains no such authorisation. Service levels for service providers without a regime of penalties for non-compliance is meaningless, especially since service providers will be engaged in providing access to essential government services.</p>
<p><b>4.6.2 Therefore, it is proposed that rule 3(8) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“The appropriate Government shall prescribe service levels to be complied with by all service providers and their authorised agents which shall include penalties for failure to comply with such service levels.”</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Thirty-Seventh Report of the Standing Committee on Information Technology (2011-12) on the Electronic Delivery of Services Bill, 2011 (New Delhi: Lok Sabha Secretariat, 29 August 2012) at pp. 13, 17 and 34. See also, <i>Telecom Sector in India: A Decadal Profile</i> (New Delhi: Telecom Regulatory Authority of India, 8 June 2012).</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Annual Report (2011-12) of the Department of Telecommunications, Ministry of Communications and Information Technology, Government of India (New Delhi: Department of Telecommunications, 2012) at pp. 5 and 1-3.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Report of the Working Group on Power of the Twelfth Plan (New Delhi: Planning Commission, Government of India, January 2012).</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. Provisional Report of the Census of India 2011 (New Delhi: Registrar General and Census Commissioner, 2011) from p. 124.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2013-07-12T12:12:16ZBlog EntryComments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Sensitive Personal Data Rules. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p><b>I <span><span>Preliminary</span></span></b></p>
<p style="text-align: justify; ">1.1 The Centre for Internet and Society (<b>“CIS”</b>) is pleased to present this submission on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011 (<b>“Sensitive Personal Data Rules” or “Rules”</b>) to the Committee on Subordinate Legislation of the Fifteenth Lok Sabha.</p>
<p style="text-align: justify; ">1.2 The protection of personal information lies at the heart of the right to privacy; and, for this reason, it is an imperative legislative and policy concern in liberal democracies around the world. In India, although remedies for invasions of privacy exist in tort law and despite the Supreme Court of India according limited constitutional recognition to the right to privacy<a href="#fn1" name="fr1">[1]</a>, there have never been codified provisions protecting the privacy of individuals and their personal information.</p>
<p style="text-align: justify; ">The Sensitive Personal Data Rules represent India’s first legislative attempt to recognise that all persons have a right to protect the privacy of their personal information. However, the Rules suffer from numerous conceptual, substantive and procedural weaknesses, including drafting defects, which demand scrutiny and rectification. The interpretation and applicability of the Rules was further confused when, on 24 August 2011, the Department of Information Technology of the Ministry of Communications attempted to reinterpret the Rules through a press release oblivious to the universally accepted basic proposition that law cannot be made or reinterpreted via press releases.<a href="#fn2" name="fr2">[2]</a> Therefore, the attention of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha is called to the following submissions:</p>
<p style="text-align: justify; "><b>II <span>Principles to Facilitate Appraisal</span></b><br />2.1 The Sensitive Personal Data Rules are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities. The Rules are to be welcomed in principle. However, at present, the Rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">This not only harms the personal liberties of Indian citizens, it also affects the ability of Indian companies to conduct commerce in foreign countries. More importantly, the Rules offer no protection against the state.</p>
<p>2.2 To enact a comprehensive personal information protection regime, CIS believes that the Rules should proceed on the basis of the following broad principles:</p>
<p>(a) <span>Principle of Notice / Prior Knowledge</span></p>
<p style="text-align: justify; ">All persons from whom personal information is collected have a right to know, before the personal information is collected and, where applicable, at any point thereafter: (i) of an impending collection of personal information; (ii) the content and nature of the personal information being collected; (iii) the purpose for which the personal information is being collected; (iv) the broad identities of all natural and juristic persons who will have access to the collected personal information; (v) the manner in which the collected personal information will be used; (vi) the duration for which the collected personal information will be stored; (vii) whether the collected personal information will be disclosed to third parties including the police and other law enforcement agencies; (viii) of the manner in which they may access, check, modify or withdraw their collected personal information; (ix) the security practices and safeguards that will govern the sanctity of the collected personal information; (x) of all privacy policies and other policies in relation to the collected personal information; (xi) of any breaches in the security, safety, privacy and sanctity of the collected personal information; and, (xii) the procedure for recourse, including identities and contact details of ombudsmen and grievance redress officers, in relation to any misuse of the collected personal information.</p>
<p>(b) <span>Principle of Consent</span></p>
<p style="text-align: justify; ">Personal information must only be collected once the person to whom it pertains has consented to its collection. Such consent must be informed, explicit and freely given. Informed consent is conditional upon the fulfilment of the principle of notice/prior knowledge set out in the preceding paragraph. Consent must be expressly given: the person to whom the personal information to be collected pertains must grant explicit and affirmative permission to collect personal information; and, he must know, or be made aware, of any action of his that will constitute such consent. Consent that is obtained using threats or coercion, such as a threat of refusal to provide services, does not constitute valid consent. Any person whose personal information has been consensually collected may, at any time, withdraw such consent for any or no reason and, consequently, his personal information, including his identity, must be destroyed. When consent is withdrawn in this manner, the person who withdrew consent may be denied any service that requires the use of the personal information for which consent was withdrawn.</p>
<p>(c) <span>Principle of Necessity / Collection Limitation</span></p>
<p style="text-align: justify; ">Personal information must only be collected when, where and to the extent necessary. Necessity cannot be established in general; there must be a specific nexus connecting the content of the personal information to the purpose of its collection. Only the minimal amount of personal information necessary to achieve the purpose should be collected. If a purpose exists that warrants a temporally specific, or an event-dependent, collection of personal information, such a collection must only take place when that specific time is reached or that event occurs. If the purpose of personal information is dependent upon, or specific to, a geographical area or location, that personal information must only be collected from that geographical area or location.</p>
<p>(d) <span>Right to be Forgotten / Principle of Purpose Limitation</span></p>
<p style="text-align: justify; ">Once collected, personal information must be processed, used, stored or otherwise only for the purpose for which it was collected. If the purpose for which personal information was collected is achieved, the collected personal information must be destroyed and the person to whom that personal information pertained must be ‘forgotten.’ Similarly, collected personal information must be destroyed and the person to whom it pertained ‘forgotten’ if the purpose for which it was collected expires or ceases to exist. Personal information collected for a certain purpose cannot be used or stored for another purpose nor even used or stored for a similar purpose to arise in the future without the express and informed consent of the person from whom it was collected in accordance with the principles of notice/prior knowledge and consent.</p>
<p>(e) <span>Right of Access</span></p>
<p style="text-align: justify; ">All persons from whom personal information is collected have a right to access that personal information at any point following its collection to check its accuracy, make corrections or modifications and have destroyed that which is inaccurate. Where personal information of more than one person is held in an aggregated form such that affording one person access to it may endanger the right to privacy of another person, the entity holding the aggregated personal information must, to the best of its ability, identify the portion of the personal information that pertains to the person seeking access and make it available to him. All persons from whom personal information is collected must be given copies of their personal information upon request.</p>
<p>(f) <span>Principle regarding Disclosure</span></p>
<p style="text-align: justify; ">Personal information, once collected, must never be disclosed. However, if the person to whom certain personal information pertains consents to its disclosure in accordance with the principle of consent after he has been made aware of the proposed disclosee and other details related to the personal information in accordance with the principle of notice/prior knowledge, the personal information may be disclosed. Consent to a disclosure of this nature may be obtained even during collection of the personal information if the person to whom it pertains expressly consents to its future disclosure. Notwithstanding the rule against disclosure and the consent exception to the rule, personal information may be disclosed to the police or other law enforcement agencies on certain absolute conditions. Since the protection of personal information is a policy imperative, the conditions permitting its disclosure must be founded on a clear and serious law enforcement need that overrides the right to privacy; and, in addition, the disclosure conditions must be strict, construed narrowly and, in the event of ambiguity, interpreted to favour the individual right to privacy. Therefore, (i) there must be a demonstrable need to access personal information in connection with a criminal offence; (ii) only that amount of personal information that is sufficient to satisfy the need must be disclosed; and, (iii), since such a disclosure is non-consensual, it must follow a minimal due process regime that at least immediately notifies the person concerned and affords him the right to protest the disclosure.</p>
<p>(g) <span>Principle of Security</span></p>
<p style="text-align: justify; ">All personal information must be protected to absolutely maintain its sanctity, confidentiality and privacy by implementing safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure and other risks. Such a level of protection must include physical, administrative and technical safeguards that are constantly and consistently audited. Protection measures must be revised to incorporate stronger measures and mechanisms as and when they arise.</p>
<p>(h) <span>Principle of Transparency / ‘Open-ness’</span></p>
<p>All practices, procedures and policies governing personal information must be made available to the person to whom that personal information pertains in a simple and easy-to-understand manner. This includes policies relating to the privacy, security and disclosure of that personal information. If an entity that seeks to collect personal information does not have these policies, it must immediately draft, publish and display such policies in addition to making them available to the person from whom it seeks to collect personal information before the collection can begin.</p>
<p>(i) <span>Principle of Accountability</span></p>
<p style="text-align: justify; ">Liability attaches to the possession of personal information of another person. Since rights and duties, such as those in relation to privacy of personal information, are predicated on accountability, this principle binds all entities that seek to possess personal information of another person. As a result, an entity seeking to collect, use, process, store or disclose personal information of another person is accountable to that person for complying with all these principles as well as the provisions of any law. The misuse of personal information causes harm to the person to whom it pertains to attract and civil and criminal penalties.</p>
<p style="text-align: justify; ">2.3 These principles are reflective of internationally accepted best practices to form the basis upon which Indian legislation to protect personal information should be drafted. The Sensitive Personal Data Rules, in their current form, fall far short of the achieving the substantive intent of these principles. <b>CIS submits that either (i) the Sensitive Personal Data Rules should be replaced with new and comprehensive legislation that speaks to the objectives and purpose of these principles, or (ii) the Sensitive Personal Data Rules are radically modified by amendment to bring Indian law to par with world standards.</b> Nevertheless, without prejudice to the preceding submission, CIS offers the following clause-by-clause comments on the Sensitive Personal Data Rules:</p>
<p style="text-align: justify; "><b>III <span><span>Clause-by-Clause Analysis and Comments</span></span></b></p>
<p style="text-align: justify; "><b><span>Rule 2 - Definitions</span></b></p>
<p>3.1.1 Rule 2(1)(b) of the Sensitive Personal Data Rules defines “biometrics” as follows:</p>
<p style="text-align: justify; "><i>"Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', "facial patterns', 'hand measurements' and 'DNA' for authentication purposes.</i></p>
<p style="text-align: justify; ">3.1.2 <span>Firstly</span>, the Sensitive Personal Data Rules do not use the term “biometrics.” Instead, rule 3(vi), which defines sensitive personal data, uses the term “biometric information.” It is unclear why rule 2(1)(b) provides a definition of the technologies by which information is obtained instead of clearly identify the information that constitutes sensitive personal data. This is one of several examples of poor drafting of the Sensitive Personal Data Rules. <span>Secondly</span>, biometric information is not used only for authentication; there are many other reasons for collecting and using biometric information. For instance, DNA is widely collected and used for medical research. Restricting the application of the definition to only that biometric information that is used for authentication is illogical to deprive the Rules of meaning.</p>
<p><b>3.1.3 Therefore, it is proposed that rule 2(1)(b) be re-drafted to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">““Biometric information” means any information relating to the physical, physiological or behavioural characteristics of an individual which enable their unique identification including, but not limited to, fingerprints, retinas, irises, voice patterns, facial patterns, Deoxyribonucleic acid (DNA) and genetic information.”</p>
<p style="text-align: justify; ">3.2.1 Rule 2(1)(c) of the Sensitive Personal Data Rules defines “body corporate” in accordance with the definition provided in clause (i) of the Explanation to section 43A of the Information Technology Act, 2000 (<b>“IT Act”</b>) as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.</i></p>
<p style="text-align: justify; ">3.2.2 <span>Firstly</span>, this definition of a body corporate is poorly drafted to extend beyond incorporated entities to bring within its ambit even unincorporated professional organisations such as societies and associations which, by their very nature, are not bodies corporate.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">This is an arbitrary reinterpretation of the fundamental principles of company law. As it presently stands, this peculiar definition will extend to public and private limited companies, including incorporated public sector undertakings, ordinary and limited liability partnerships, firms, sole proprietorships, societies and associations; but, <span><span>will exclude public and private trusts</span></span><a href="#fn5" name="fr5">[5]</a> <span>and unincorporated public authorities</span>. Hence, whereas non-governmental organisations that are organised as societies will fall within the definition of “body corporate,” those that are organised as trusts will not. Similarly, incorporated public authorities such as Delhi Transport Corporation and even municipal corporations such as the Municipal Corporation of Delhi will fall within the definition of “body corporate” but unincorporated public authorities such as the New Delhi Municipal Council and the Delhi Development Authority will not. This is a <i>prima facie</i> violation of the fundamental right of all persons to be treated equally under the law guaranteed by Article 14 of the Constitution of India.</p>
<p style="text-align: justify; ">3.2.3 <span>Secondly</span>, whereas state entities and public authorities often collect and use sensitive personal data, with the exception of state corporations the Sensitive Personal Data Rules do not apply to the state. This means that the procedural safeguards offered by the Rules do not bind the police and other law enforcement agencies allowing them a virtually unfettered right to collect and use, even misuse, sensitive personal data without consequence. Further, state entities such as the Unique Identification Authority of India or the various State Housing Boards which collect, handle, process, use and store sensitive personal data are not covered by the Rules and remain unregulated. It is not possible to include these unincorporated entities within the definition of a body corporate; but, in pursuance of the principles set out in paragraph 2.2 of this submission, the Rules should be expanded to all state entities, whether incorporated or not.</p>
<p><b>3.2.4 Therefore, it is proposed that rule 2(1)(c) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">““body corporate” means the body corporate defined in sub-section (7) of section 2 read with section 3 of the Companies Act, 1956 (1 of 1956) and includes those entities which the Central Government may, by notification in the Official Gazette, specify in this behalf but shall not include societies registered under the Societies Registration Act, 1860 (21 of 1860), trusts created under the Indian Trusts Act, 1882 (2 of 1882) or any other association of individuals that is not a legal entity apart from the members constituting it and which does not enjoy perpetual succession.”</p>
<p style="text-align: justify; "><b>Further, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to societies registered under the Societies Registration Act, 1860 and trusts created under the Indian Trusts Act, 1882 in a manner reflective of their distinctiveness from bodies corporate</b>.</p>
<p style="text-align: justify; "><b>Furthermore, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to public authorities and the state as defined in Article 12 of the Constitution of India</b>.</p>
<p>3.3.1 Rule 2(1)(d) of the Sensitive Personal Data Rules defines “cyber incidents” as follows:</p>
<p style="padding-left: 30px; text-align: justify; "><i>"Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.</i></p>
<p style="text-align: justify; ">3.3.2 Before examining the provisions of this clause, CIS questions the need for this definition. The term “<i>cyber incidents</i>” is used only once in these rules: the proviso to rule 6(1) which specifies the conditions upon which personal information or sensitive personal data may be disclosed to the police or other law enforcement authorities without the prior consent of the person to whom the information pertains. An analysis of rule 6(1) is contained at paragraphs 3.11.1 – 3.11.4 of this submission. <span>Firstly</span>, personal information and sensitive personal data should only be disclosed in connection with the prevention, investigation and prosecution of an existing offence. Offences cannot be created in the definitions clause of sub-statutory rules, they can only be created by a parent statute or another statute. <span>Secondly</span>, the scope and content of “cyber incidents” are already covered by section 43 of the IT Act. When read with section 66 of IT Act, an offence is created that is larger than the scope of the term “cyber incidents” to render this definition redundant.</p>
<p style="text-align: justify; "><b>3.3.3 Therefore, it is proposed that the definition of “cyber incidents” in rule 2(1)(d) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; ">3.4.1 Rule 2(1)(g) of the Sensitive Personal Data Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. However, the term “intermediary” is not used anywhere in the Sensitive Personal Data Rules and so its definition is redundant. This is another instance of careless drafting of the Sensitive Personal Data Rules.</p>
<p style="text-align: justify; "><b>3.4.2 Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 3 - Sensitive Personal Data</span><b> </b></p>
<p>3.5.1 Rule 3 of the Sensitive Personal Data Rules provides an aggregated definition of sensitive personal data as follows:</p>
<p style="text-align: justify; "><i>Sensitive personal data or information of a person means such personal information which consists of information relating to – </i></p>
<p><i>(i) password; </i></p>
<p style="text-align: justify; "><i>(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; </i></p>
<p style="text-align: justify; "><i>(iii) physical, physiological and mental health condition; </i></p>
<p><i>(iv) sexual orientation; </i></p>
<p><i>(v) medical records and history; </i></p>
<p><i>(vi) Biometric information; </i></p>
<p style="text-align: justify; "><i>(vii) any detail relating to the above clauses as provided to body corporate for providing service; and </i></p>
<p style="text-align: justify; "><i>(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: </i></p>
<p><i> </i></p>
<p style="text-align: justify; "><i>provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.</i></p>
<p style="text-align: justify; ">3.5.2 In accordance with the principle that certain kinds of personal information are particularly sensitive, due to the intimate nature of their content in relation to the right to privacy, to invite privileged protective measures regarding the collection, handling, processing, use and storage of such sensitive personal data, it is surprising that rule 3 does not protect electronic communication records of individuals. Emails and chat logs as well as records of internet activity such as online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection.</p>
<p><b>3.5.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:</b></p>
<p>“Sensitive personal data or information of a person means personal information as to that person’s –</p>
<p>(i) passwords and encryption keys;</p>
<p>(ii) financial information including, but not limited to, information relating to his bank accounts, credit cards, debit cards, negotiable instruments, debt and other payment details;</p>
<p>(iii) physical, physiological and mental condition;</p>
<p>(iv) sexual activity and sexual orientation;</p>
<p>(v) medical records and history;</p>
<p>(vi) biometric information; and</p>
<p>(vii) electronic communication records including, but not limited to, emails, chat logs and other communications made using a computer;</p>
<p>and shall include any data or information related to the sensitive personal data or information set out in this rule that is provided to, or received by, a body corporate.</p>
<p style="text-align: justify; ">Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”</p>
<p style="text-align: justify; "><span>Rule 4 - Privacy and Disclosure Policy</span></p>
<p>3.6.1 Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:</p>
<p style="text-align: justify; "><b><i>Body corporate to provide policy for privacy and disclosure of information. – </i></b><i>(1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –</i></p>
<p><i>(i) Clear and easily accessible statements of its practices and policies; </i></p>
<p><i>(ii) type of personal or sensitive personal data or information collected under rule 3; </i></p>
<p><i>(iii) purpose of collection and usage of such information; </i></p>
<p><i>(iv) disclosure of information including sensitive personal data or information as provided in rule 6; </i></p>
<p><i>(v) reasonable security practices and procedures as provided under rule 8. </i></p>
<p style="text-align: justify; ">3.6.2 This rule is very badly drafted, contains several discrepancies and is legally imprecise. <span>Firstly</span>, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data. The application of this provision should turn on the reception and use of personal information, which includes sensitive personal data, and not simply information. <span>Secondly</span>, although this rule only applies when a provider of information provides information, the term “provider of information” is undefined. It may mean any single individual who gives his personal information to a body corporate, or it may even mean another entity that outsources or subcontracts work that involves the handling of personal information. This lack of clarity compromises the enforceability of this rule. The government’s press release of 24 August 2011 acknowledged this error but since it is impossible, not to mention unconstitutional, for a statutory instrument like these Rules to be amended, modified, interpreted or clarified by a press release, CIS is inclined to ignore the press release altogether. It is illogical that privacy policies not be required when personal information is directly given by a single individual. This rule should bind all bodies corporate that receive and use personal information irrespective of the source of the personal information. <span>Thirdly</span>, it is unclear whether separate privacy policies are required for personal information and for sensitive personal data. There is a distinction between personal information and sensitive personal data and since these Sensitive Personal Data Rules deal with the protection of sensitive personal data, this rule 4 should unambiguously mandate the publishing of privacy policies in relation to sensitive personal data. Any additional requirement for personal information must be set out to clearly mark its difference from sensitive personal data. <span>Fourthly</span>, because of sloppy drafting, the publishing duties of the body corporate in respect of any sensitive personal data are unclear. For example, the phrase “<i>personal or sensitive personal data or information</i>” used in clause (ii) is meaningless since “personal information” and “sensitive personal data or information” are defined terms.</p>
<p><b>3.6.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:</b></p>
<p style="text-align: justify; ">“<b>Duty to publish certain policies. – </b>(1) Any body corporate that collects, receives, possesses, stores, deals with or handles personal information or sensitive personal data from any source whatsoever shall, prior to collecting, receiving, possessing, storing, dealing with or handling such personal information or sensitive personal data, publish and prominently display the policies listed in sub-rule (2) in relation to such personal information and sensitive personal data.</p>
<p>(2) In accordance with sub-rule (1) of this rule, all bodies corporate shall publish separate policies for personal information and sensitive personal data that clearly state –</p>
<p style="text-align: justify; ">(i) the meanings of personal information and sensitive personal data in accordance with these rules;</p>
<p style="text-align: justify; ">(ii) the practices and policies of that body corporate in relation to personal information and sensitive personal data;</p>
<p style="text-align: justify; ">(iii) descriptive details of the nature and type of personal information and sensitive personal data collected, received, possessed, stored or handled by that body corporate;</p>
<p style="text-align: justify; ">(iv) the purpose for which such personal information and sensitive personal data is collected, received, possessed, stored or handled by that body corporate;</p>
<p style="text-align: justify; ">(v) the manner and conditions upon which such personal information and sensitive personal data may be disclosed in accordance with rule 6 of these rules; and</p>
<p style="text-align: justify; ">(vi) the reasonable security practices and procedures governing such personal information and sensitive personal data in accordance with rule 8 of these rules.”</p>
<p style="text-align: justify; "><span>Rule 5 - Collection of Information</span></p>
<p>3.7.1 Rule 5(1) of the Sensitive Personal Data Rules lays down the requirement of consent before personal information can be collected as follows:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.</i></p>
<p style="text-align: justify; ">3.7.2 <span>Firstly</span>, the principle and requirement of consent is of overriding importance when collecting personal information, which includes sensitive personal data. Pursuant to the principles laid down in paragraph 2.2 of this submission, consent must be informed, explicit and freely given. Since sub-rule (3) of rule 5 attempts to secure the informed consent of persons giving personal information, this sub-rule must establish that all personal information can only be collected upon explicit consent that is freely given, irrespective of the medium and manner in which it is given. <span>Secondly</span>, it may be noted that sub-rule (1) only applies to sensitive personal data and not to other personal information that is not sensitive personal data. This is ill advised. <span>Thirdly</span>, this sub-rule relating to actual collection of personal information should follow a provision establishing the principle of necessity before collection can begin. The principle of necessity is currently laid down in sub-rule (2) of rule 5 which should be re-numbered to precede this sub-rule relating to collection.</p>
<p><b>3.7.3 Therefore, it is proposed that rule 5(1) be re-numbered to sub-rule (2) of rule 5 and re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to collecting that personal information or sensitive personal data, obtain the express and informed consent of that person in any manner, and through any medium, that may be convenient but shall not obtain such consent through threat, duress or coercion.”</p>
<p>3.8.1 Rule 5(2) of the Sensitive Personal Data Rules sets out the principle of necessity governing the collection of personal information as follows:</p>
<p><i>Body corporate or any person on its behalf shall not collect sensitive personal data or information unless — </i></p>
<p style="text-align: justify; "><i>(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and </i></p>
<p style="text-align: justify; "><i>(b) the collection of the sensitive personal data or information is considered necessary for that purpose.</i></p>
<p style="text-align: justify; ">3.8.2 <span>Firstly</span>, before allowing a body corporate to collect personal information, which includes sensitive personal data, the law should strictly ensure that the collection of such personal information is necessary. Necessity cannot be established in general, there must be a nexus connecting the personal information to the purpose for which the personal information is sought to be collected. This important sub-rule sets out the principles upon which personal information can be collected; and, should therefore be the first sub-rule of rule 5. <span>Secondly</span>, this sub-rule only applies to sensitive personal data instead of all personal information. It is in the public interest that the principle of necessity applies to all personal information, including sensitive personal data.</p>
<p style="text-align: justify; ">3.8.3 <b>Therefore, it is proposed that rule 5(2) be re-numbered to sub-rule (1) of rule 5 and re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall collect any personal information or sensitive personal data of a person unless it clearly establishes that –</p>
<p style="padding-left: 30px; text-align: justify; ">(a) the personal information or sensitive personal data is collected for a lawful purpose that is directly connected to a function or activity of the body corporate; and</p>
<p style="padding-left: 30px; text-align: justify; ">(b) the collection of the personal information or sensitive personal data is necessary to achieve that lawful purpose.”</p>
<p style="text-align: justify; ">3.9.1 Rule 5(3) of the Sensitive Personal Data Rules attempts to create an informed consent regime for the collection of personal information as follows:</p>
<p style="text-align: justify; "><i>While collecting information directly from the person concerned, the body corporate or any person on its behalf snail take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of — </i></p>
<p><i>(a) the fact that the information is being collected; </i></p>
<p><i>(b) the purpose for which the information is being collected; </i></p>
<p><i>(c) the intended recipients of the information; and </i></p>
<p><i>(d) the name and address of — </i></p>
<p><i>(i) the agency that is collecting the information; and </i></p>
<p><i>(ii) the agency that will retain the information.</i></p>
<p style="text-align: justify; ">3.9.2 <span>Firstly</span>, this sub-rule (3) betrays the carelessness of its drafters by bringing within its application any and all information collected by a body corporate from a person instead of only personal information or sensitive personal data. <span>Secondly</span>, this provision is crucial to establishing a regime of informed consent before personal information is given by a person to a body corporate. For consent to be informed, the person giving consent must be made aware of not only the collection of that personal information or sensitive personal data, but also the purpose for which it is being collected, the manner in which it will be used, the intended recipients to whom it will be sent or made accessible, the duration for which it will be stored, the conditions upon which it may be disclosed, the conditions upon which it may be destroyed as well as the identities of all persons who will collect, receive, possess, store, deal with or handle that personal information or sensitive personal data. <span>Thirdly</span>, the use of the phrase “<i>take such steps as are, in the circumstances, reasonable</i>” dilutes the purpose of this provision and compromises the establishment of an informed consent regime. Instead, the use of the term “reasonable efforts”, which has an understood meaning in law, will suffice to protect individuals while giving bodies corporate sufficient latitude to conduct their business.</p>
<p><b>3.9.3 Therefore, it is proposed that rule 5(3) be re-drafted to read as follows:</b></p>
<p>“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to such collection, make reasonable efforts to inform that person of the following details in respect of his personal information or sensitive personal data –</p>
<p>(a) the fact that it is being collected;</p>
<p>(b) the purpose for which it is being collected;</p>
<p>(c) the manner in which it will be used;</p>
<p>(d) the intended recipients to whom it will be sent or made available;</p>
<p>(e) the duration for which it will be stored;</p>
<p>(f) the conditions upon which it may be disclosed;</p>
<p>(g) the conditions upon which it may be destroyed; and</p>
<p>(h) the identities of all persons and bodies corporate who will collect, receive, possess, store, deal with or handle it.”</p>
<p style="text-align: justify; ">3.10.1 Rule 5(4) of the Sensitive Personal Data Rules lays down temporal restrictions to the retention of personal information:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.</i></p>
<p style="text-align: justify; ">3.10.2 Since this sub-rule (4) only applies to sensitive personal data instead of all personal information, bodies corporate are permitted to hold personal information of persons that is not sensitive personal data for as long as they like even after the necessity that informed the collection of that personal information expires and the purpose for which it was collected ends. This is a dangerous provision that deprives the owners of personal information of the ability to control its possession to jeopardise their right to privacy. The Sensitive Personal Data Rules should prescribe a temporal limit to the storage of all personal information by bodies corporate.</p>
<p><b>3.10.3 Therefore, it is proposed that rule 5(4) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall store, retain or hold personal information or sensitive personal data for a period longer than is required to achieve the purpose for which that personal information or sensitive personal data was collected.”</p>
<p style="text-align: justify; "><span>Rule 6 - Disclosure of Information</span></p>
<p style="text-align: justify; ">3.11.1 Rule 6(1) of the Sensitive Personal Data Rules, which deals with the crucial issue of disclosure of personal information, states:</p>
<p style="text-align: justify; "><i>Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation: </i></p>
<p><i> </i></p>
<p style="text-align: justify; "><i>Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.</i></p>
<p style="text-align: justify; ">3.11.2 In addition to errors and discrepancies in drafting, this sub-rule contains wide and vague conditions of disclosure of sensitive personal data to gravely impair the privacy rights and personal liberties of persons to whom such sensitive personal data pertains. A summary of drafting errors and discrepancies follows: <span>Firstly</span>, this sub-rule only applies to sensitive personal data instead of all personal information. The protection of personal information that is not sensitive personal data is an essential element of the right to privacy; hence, prohibiting bodies corporate from disclosing personal information at will is an important public interest prerogative. <span>Secondly</span>, the use of the phrase “<i>any third party</i>” lends vagueness to this provision since the term “third party” has not been defined. <span>Thirdly</span>, the repeated use of the undefined phrase “<i>provider of information</i>” throughout these Rules and in this sub-rule is confusing since, as pointed out in paragraph 3.6.2 of this submission, it could mean either or both of the single individual who consents to the collection of his personal information or another entity that transfers personal information to the body corporate.</p>
<p style="text-align: justify; ">3.11.3 Further, the conditions upon which bodies corporate may disclose personal information and sensitive personal data without the consent of the person to whom it pertains are dangerously wide. <span>Firstly</span>, the disclosure of personal information and sensitive personal data when it is “<i>necessary for compliance of a legal obligation</i>” is an extremely low protection standard. The law must intelligently specify the exact conditions upon which disclosure sans consent is possible; since the protection of personal information is a public interest priority, the conditions upon which it may be disclosed must outweigh this priority to be significant and serious enough to imperil the nation or endanger public interest. The disclosure of personal information and sensitive personal data for mere compliance of a legal obligation, such as failure to pay an electricity bill, is farcical. <span>Secondly</span>, the proviso sets out the conditions upon which the state, through its law enforcement agencies, may access personal information and sensitive personal data without the consent of the person to whom it pertains. Empowering the police with access to personal information can serve a public good if, and only if, it results in the prevention or resolution of crime; if not, this provision will give the police carte blanche to misuse and abuse this privilege. Hence, personal information should only be disclosed for the prevention, investigation and prosecution of an existing criminal offence. <span>Thirdly</span>, the definition and use of the term “<i>cyber incidents</i>” is unnecessary because section 43 of the IT Act already lists all such incidents. In addition, when read with section 66 of the IT Act, there emerges a clear list of offences to empower the police to seek non-consensual disclosure of personal information to obviate the need for any further new terminology. <span>In sum</span>, with regard to the non-consensual disclosure of personal information for the purposes of law enforcement: a demonstrable need to access personal information to prevent, investigate or prosecute crime must exist; only that amount of personal information sufficient to satisfy the need must be disclosed; and, finally, no disclosure may be permitted without clearly laid down procedural safeguards that fulfil the requirements of a minimal due process regime.</p>
<p><b>3.11.4 Therefore, it is proposed that rule 6(1) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall disclose any personal information or sensitive personal data to anyone whosoever without the prior express consent of the person to whom the personal information or sensitive personal data to be disclosed pertains.</p>
<p style="padding-left: 30px; text-align: justify; ">Provided that if the personal information or sensitive personal data was collected pursuant to an agreement that expressly authorises the body corporate to disclose such personal information or sensitive personal data, and if the person to whom the personal information or sensitive personal data pertains was aware of this authorisation prior to such collection, the body corporate may disclose the personal information or sensitive personal data without obtaining the consent of the person to whom it pertains in the form and manner specified in such agreement.</p>
<p style="padding-left: 30px; text-align: justify; ">Provided further that if a reasonable threat to national security, defence or public order exists, or if the disclosure of personal information or sensitive personal data is necessary to prevent, investigate or prosecute a criminal offence, the body corporate shall, upon receiving a written request from the police or other law enforcement authority containing the particulars and details of the personal information or sensitive personal data to be disclosed, disclose such personal information or sensitive personal data to such police or other law enforcement authority without the prior consent of the person to whom it pertains.”</p>
<p>3.12.1 Rule 6(2) of the Sensitive Personal Data Rules creates an additional disclosure mechanism:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.</i></p>
<p style="text-align: justify; ">3.12.2 This sub-rule is overbroad to enable anyone’s sensitive personal data to be disclosed to any other person without the application of any standards of necessity, proportionality or due process and without the person to whom the sensitive personal data pertains having any recourse or remedy. Such provisions are the hallmarks of authoritarian and police states and have no place in a liberal democracy. For instance, the invocation of this sub-rule will enable a police constable in Delhi to exercise unfettered power to access the biometric information or credit card details of a politician in Kerala since an order of a policeman constitutes “<i>an order under the law</i>”. Pursuant to our submission in paragraph 3.11.4, adequate measures exist to secure the disclosure of personal information or sensitive public data in the public interest. The balance of convenience between privacy and public order has already been struck. This sub-rule should be removed.</p>
<p style="text-align: justify; "><b>3.12.3 Therefore, it is proposed that rule 6(2) be deleted and the remaining sub-rules in rule 6 be accordingly renumbered.</b></p>
<p>3.13.1 Rule 6(4) of the Sensitive Personal Data Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.</i></p>
<p style="text-align: justify; ">3.13.2 <span>Firstly</span>, as mentioned elsewhere in this submission, the phrase “<i>third party</i>” has not been defined. This is a drafting discrepancy that must be rectified. <span>Secondly</span>, this sub-rule only encompasses sensitive personal data and not other personal information that is not sensitive personal data. <span>Thirdly</span>, it may be necessary, in the interests of business or otherwise, for personal information or sensitive personal data that has been lawfully disclosed to a third person to be disclosed further if the person to whom that personal information consents to it.</p>
<p><b>3.13.3 Therefore, it is proposed that rule 6(4) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“Personal information and sensitive personal data that has been lawfully disclosed by a body corporate to a person who is not the person to whom such personal information or sensitive personal data pertains in accordance with the provisions of these rules may be disclosed further upon obtaining the prior and express consent of the person to whom it pertains.”</p>
<p style="text-align: justify; "><span>Rule 7 - Transfer of Information</span></p>
<p style="text-align: justify; ">3.14.1 Rule 7 of the Sensitive Personal Data Rules sets out the conditions upon which bodies corporate may transfer personal information or sensitive personal data to other bodies corporate in pursuance of a business arrangement:</p>
<p style="padding-left: 30px; text-align: justify; "><i>A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</i></p>
<p style="text-align: justify; ">3.14.2 This provision allows personal information and sensitive personal data to be transferred across international borders to other bodies corporate in pursuance of a business agreement. The transfer of such information is a common feature of international commerce in which Indian information technology companies participate with significant success. Within India too, personal information and sensitive personal data is routinely transferred between companies in furtherance of an outsourced business model. Besides affecting ease of business, the sub-rule also affects the ability of persons to control their personal information and sensitive personal data. However, the sub-rule has been poorly drafted: <span>firstly</span>, the simultaneous use of the phrases “<i>provider of information</i>” and “<i>such person</i>” is imprecise and misleading; <span>secondly</span>, the person to whom any personal information or sensitive personal data pertains must pre-consent to the transfer of such information.</p>
<p><b>3.14.3 Therefore, it is proposed that rule 7 be re-drafted to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“A body corporate may transfer any personal information or sensitive personal data in its possession to another body corporate, whether located in India or otherwise, if the transfer is pursuant to an agreement that binds the other body corporate to same, similar or stronger measures of privacy, protection, storage, use and disclosure of personal information and sensitive personal data as are contained in these rules, and if the express and informed consent of the person to whom the personal information or sensitive personal data pertains is obtained prior to the transfer.”</p>
<p style="text-align: justify; "><span>Rule 8 - Reasonable Security Practices</span></p>
<p style="text-align: justify; ">3.15.1 Following rule 8(1) of the Sensitive Personal Data Rules that prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1):</p>
<p style="padding-left: 30px; "><i>The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).</i></p>
<p style="text-align: justify; ">3.15.2 ISO/IEC 27001 is an information security management system standard that is prescribed by the International Organisation for Standardisation and the International Electrotechnical Commission. CIS raises no objection to the content or quality of the ISO/IEC 27001 standard. However, to achieve ISO/IEC 27001 compliance and certification, one must first purchase a copy of the standard. A copy of the ISO/IEC 27001 standard costs approximately Rs. _____/-. The cost of putting in place the protective measures required by the ISO/IEC 27001 standard are higher: these include the cost of literature and training, the cost of external assistance, the cost of technology, the cost of employees’ time and the cost of certification.</p>
<p style="text-align: justify; "><b>3.15.3 Therefore, to bring these standards within the reach of small and medium-sized Indian bodies corporate, an appropriate Indian authority, such as the Bureau of Indian Standards, should re-issue affordable standards that are equivalent to ISO/IEC 27001. </b></p>
<p style="text-align: justify; "><b>IV <span>The Press Release of 24 August 2011</span></b></p>
<p style="text-align: justify; ">4.1 The shoddy drafting of the Sensitive Personal Data Rules resulted in national and international confusion about its interpretation. However, instead of promptly correcting the embarrassingly numerous errors in the Rules, the Department of Information Technology of the Ministry of Communications and Information Technology chose to issue a press release on 24 August 2011 that was published on the website of the Press Information Bureau. The content of that press release is brought to the attention of the Committee of Subordinate Legislation as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000.</i></p>
<p style="text-align: justify; padding-left: 30px; "><i>Press Note</i></p>
<p style="padding-left: 30px; text-align: justify; "><i>The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).</i></p>
<p><i> </i></p>
<p style="padding-left: 30px; text-align: justify; "><i>These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.</i></p>
<p><i> </i></p>
<p style="padding-left: 30px; text-align: justify; "><i>Ministry of Communications & Information Technology (Dept. of Information Technology) </i></p>
<p style="padding-left: 30px; text-align: justify; "><i>Press Information Bureau, Government of India, Bhadra 2, 1933, August 24, 2011</i></p>
<p><i> </i></p>
<p style="padding-left: 30px; "><i>SP/ska <br /> (Release ID :74990)</i></p>
<p style="text-align: justify; ">4.2 It is apparent from a plain reading of the text that this press release seeks to re-interpret the application of rules 5 and 6 of the Sensitive Personal Data Rules insofar as they apply to Indian bodies corporate receiving personal information collected by another company outside India. Also, it seeks to define the term “providers of information” to address the confusion created by the repeated use this term in the Rules. Further, it re-interprets the scope and application of rule 4 relating to duty of bodies corporate to publish certain policies. Furthermore, it seeks to amend the provisions of rule 5(1) relating to manner and medium of obtaining consent prior to collecting personal information.</p>
<p style="text-align: justify; ">4.3 At the outset, it must be understood that a press release is not valid law. According to Article 13(3) of the Constitution of India,</p>
<p style="padding-left: 30px; text-align: justify; ">...<i>law</i> <i>includes any Ordinance, order, bye law, rule, regulation, notification, custom or usages having in the territory of India the force of law.</i></p>
<p style="text-align: justify; ">Law includes orders made in exercise of a statutory power as also orders and notifications made in exercise of a power conferred by statutory rules.</p>
<p style="padding-left: 30px; text-align: justify; ">[See, <i>Edward Mills</i> AIR 1955 SC 25 at pr. 12, <i>Babaji Kondaji Garad</i> 1984 (1) SCR 767 at pp. 779-780 and <i>Indramani Pyarelal Gupta</i> 1963 (1) SCR 721 at pp. 73-744]</p>
<p>Sub-delegated orders, made in exercise of a power conferred by statutory rules, cannot modify the rules.</p>
<p></p>
<p style="padding-left: 30px; "> <span>[See, <i>Raj Narain Singh</i> AIR 1954 SC 569 and <i>Re Delhi Laws Act</i> AIR 1951 SC 332]</span></p>
<p style="text-align: justify; "></p>
<p style="text-align: justify; "> <span>Therefore, press releases, which are not made or issued in exercise of a delegated or sub-delegated power are not “law” and cannot modify statutory rules.</span></p>
<p style="text-align: justify; "><span><b>V <span>Summary</span></b></span></p>
<p style="text-align: justify; "> </p>
<p class="MsoNormal"><span>5.1<span> </span>CIS submits that the following provisions of the Sensitive Personal Data Rules be amended or annulled</span></p>
<ul>
<li><span> </span><span>Rule 2(1)(b);</span><span><span> </span></span></li>
<li><span>Rule 2(1)(c);</span><span><span> </span></span></li>
<li><span>Rule 2(1)(d);</span><span><span> </span></span></li>
<li><span>Rule 2(1)(g);</span><span><span> </span></span></li>
<li><span>Rule 3;</span><span><span> </span></span></li>
<li><span>Rule 4(1);</span><span> </span></li>
<li><span>Rule 5(1);</span><span><span> </span></span></li>
<li><span>Rule 5(2);</span><span><span> </span></span></li>
<li><span>Rule 5(3);</span><span><span> </span></span></li>
<li><span>Rule 5(4);</span><span><span> </span></span></li>
<li><span>Rule 6(1);</span><span><span> </span></span></li>
<li><span>Rule 6(1) Proviso;</span><span><span> </span></span></li>
<li><span>Rule 6(2);</span><span><span> </span></span></li>
<li><span>Rule 6(4);</span><span><span> </span></span></li>
<li><span>Rule 7; and</span><span><span> </span></span></li>
<li><span>Rule 8.</span></li>
</ul>
<p style="text-align: justify; ">5.2 CIS submits that the Committee on Subordinate Legislation <span>should take a serious view of the press release issued by the </span><span>Department of Information Technology of the Ministry of Communications and Information Technology on 24 August 2011.</span></p>
<p style="text-align: justify; "><span>5.3 CIS submits </span><span>that in exercise of the powers granted to the Committee on Subordinate Legislation under Rules 317 and 320 of the Lok Sabha Rules of Procedure, the provisions of the Sensitive Personal Data Rules listed in the preceding paragraph 5.1 should be annulled; and, the Committee may be pleased to consider and recommend as an alternative the amendments proposed by CIS in this submission.</span></p>
<p style="text-align: justify; "><span>5.4 CIS thanks the Committee on Subordinate Legislation for the opportunity to present this submission and reiterates its commitment to supporting the Committee with any clarification, question or other requirement it may have.</span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. See generally, <i>Kharak Singh</i> AIR 1963 SC 1295, <i>Gobind</i> (1975) 2 SCC 148, <i>R. Rajagopal</i> (1994) 6 SCC 632, <i>People’s Union for Civil Liberties</i> (1997) 1 SCC 301 and <i>Canara Bank</i> (2005) 1 SCC 496.</p>
<p>[<a href="#fr2" name="fn2">2</a>]. See <i>infra</i> pr. 4.3.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. See, for comparison, Directive 95/46/EC of 24 October 1995 of the European Parliament and Council, the Data Protection Act, 1998 of the United Kingdom and the Proposed EU Regulation on on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).</p>
<p class="MsoFootnoteText">[<a href="#fr4" name="fn4">4</a>].<span>See generally, <i>Board of Trustees of Ayurvedic College</i> AIR 1962 SC 458 and <i>S. P. Mittal</i> AIR 1983 SC 1.</span></p>
<p style="text-align: justify; "> </p>
<p>[<a href="#fr5" name="fn5">5</a>]. <span>See </span><span>generally, <i>W. O. Holdsworth</i> AIR 1957 SC 887 and <i>Duli Chand</i> AIR 1984 Del 145.</span></p>
<div id="_mcePaste"> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2013-07-12T12:13:53ZBlog EntryComments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society submitted the following comments on the Information Technology (Guidelines for Cyber Cafe Rules), 2011.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p><b>I <span>Preliminary</span></b></p>
<p style="text-align: justify; ">1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“<b>CIS</b>”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“<b>Cyber Café Rules</b>”).</p>
<p style="text-align: justify; ">1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21<sup>st</sup> Report, the Committee on Subordinate Legislation presciently noted that:</p>
<p style="text-align: justify; padding-left: 30px; ">“…<i>statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.</i>” [See the 21<sup>st</sup> Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]</p>
<p style="text-align: justify; ">Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:</p>
<p><b>II <span>Validity of the Cyber Cafe Rules</span></b></p>
<p style="text-align: justify; ">2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (<b>“IT Act”</b>). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:</p>
<p>“<i>the guidelines to be observed by the intermediaries under sub-section (2) of section 79</i>”</p>
<p>Sections 79 (1) and (2) state:</p>
<p>“<b><i>79. Exemption from liability of intermediary in certain cases. –</i></b><i> (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for <span>any third party information, data, or communication link made available or hosted by him</span>. </i></p>
<p><i>(2) The provisions of sub-section (1) shall apply if— </i></p>
<p><i>(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or</i></p>
<p><i>(b) the intermediary does not— </i></p>
<p><i>(i) initiate the transmission, </i></p>
<p><i>(ii) select the receiver of the transmission, and </i></p>
<p><i>(iii) select or modify the information contained in the transmission; </i></p>
<p><i>(c) the intermediary observes due diligence while discharging his duties under this Act and also observes <span>such other guidelines as the Central Government may prescribe in this behalf</span>.</i>”</p>
<p style="text-align: justify; ">2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “<i>any third party information, data, or communication link made available or hosted</i>” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. <b>To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are <i>ultra vires</i> the IT Act.</b></p>
<p style="text-align: justify; "><b>III Clause-by-Clause Analysis and Comments</b><span> </span></p>
<p style="text-align: justify; "><span>Rule 2 - Definitions</span><b> </b></p>
<p style="text-align: justify; ">3.1 Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:</p>
<p style="text-align: justify; ">“<i>“cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public</i>”</p>
<p style="text-align: justify; ">This definition of a cyber cafe is overbroad to bring within its ambit any establishment that offers internet access in the course of its business such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and, Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to only relate to commercial establishments that primarily offer internet access to the general public for a fee.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”</p>
<p style="text-align: justify; ">3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.</p>
<p><b>Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; ">3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.</p>
<p><b>Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p><span>Rule 3 - Agency for Registration of Cyber Cafes</span></p>
<p>4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, as follows:</p>
<p style="text-align: justify; ">“<b><i>3. Agency for registration of cyber cafe. –</i></b><i> (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include: </i></p>
<p><i>(i) name of establishment; </i></p>
<p><i>(ii) address with contact details including email address; </i></p>
<p><i>(iii) whether individual or partnership or sole properitership or society or company; </i></p>
<p><i>(iv) date of incorporation; </i></p>
<p><i>(v) name of owner/partner/proprietor/director; </i></p>
<p><i>(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and </i></p>
<p><i>(vii) type of service to be provided from cyber cafe </i></p>
<p style="text-align: justify; "><i>Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency. </i></p>
<p style="text-align: justify; "><i>(2) The details of registration of cyber cafe shall be published on the website of the registration agency. </i></p>
<p style="text-align: justify; "><i>(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line. </i></p>
<p style="text-align: justify; "><i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">CIS raises two unrelated and substantial objections to this provision: <span>firstly</span>, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, <span>secondly</span>, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.</p>
<p style="text-align: justify; ">4.2 At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.</p>
<p style="text-align: justify; ">Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicle for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:</p>
<p style="text-align: justify; ">“<b><i>5. Registration of establishment. –</i></b><i> (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing </i></p>
<p><i>(a) the name of the employer and the manager, if any; </i></p>
<p><i>(b) the postal address of the establishment; </i></p>
<p><i>(c) the name, if any, of the establishment, </i></p>
<p style="text-align: justify; "><i>(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment; </i></p>
<p><i>(e) the number of employees working about the business of the establishment; and </i></p>
<p><i>(f) such other particulars as may be prescribed. </i></p>
<p style="text-align: justify; "><i>(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier. </i></p>
<p style="text-align: justify; "><i>(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect. </i></p>
<p style="text-align: justify; "><i>(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act. </i></p>
<p style="text-align: justify; "><i>(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).</i>”</p>
<p style="text-align: justify; ">Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.</p>
<p style="text-align: justify; ">4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, <span>all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts</span> as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.</p>
<p style="text-align: justify; ">In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.</p>
<p style="text-align: justify; ">4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules are very poorly drafted and do not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises to hinder economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.</p>
<p style="text-align: justify; ">4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:</p>
<p style="text-align: justify; ">“<i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, <i>prima facie</i> violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 4 - Identification of User</span><b> </b></p>
<p style="text-align: justify; ">5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:</p>
<p>“<i>(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identify by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:</i></p>
<p><i>(i) Identity card issued by any School or College; or </i></p>
<p><i>(ii) Photo Credit Card or debit card issued by a Bank or Post Office; or </i></p>
<p><i>(iii) Passport; or </i></p>
<p><i>(iv) Voter Identity Card; or </i></p>
<p><i>(v) Permanent Account Number (PAN) card issued by Income-Tax Authority; or </i></p>
<p><i>(vi) Photo Identity Card issued by the employer or any Government Agency; or </i></p>
<p><i>(vi) Driving License issued by the Appropriate Government; or </i></p>
<p><i>(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).</i>”</p>
<p style="text-align: justify; ">The use of credits cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.</b></p>
<p class="DefaultCxSpFirst">5.2 Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:</p>
<p>“<i>The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.</i>”</p>
<p style="text-align: justify; ">While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
<p><b>Therefore, it is proposed that rule 4(2) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”</p>
<p>5.3 Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:</p>
<p style="text-align: justify; ">“<i>(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.</i>”</p>
<p style="text-align: justify; ">Since the identity documents listed in rule 4(1) all contain a photograph of their owner, the need for further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users – their photographic identity documents in addition to individual photographs, and invades the individual privacy rights of users who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.4 Sub-rue (4) of rule 4 reads as follows:</p>
<p>“<i>(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).</i>”</p>
<p style="text-align: justify; ">Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.</p>
<p><b>Therefore, it is proposed that rule 4(4) be amended to read as follows:</b></p>
<p style="text-align: justify; ">“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”</p>
<p style="text-align: justify; ">5.5 Rule 4(5) of the Cyber Cafe Rules states that a user “<i>shall be allowed to enter the cyber cafe after he has established his identity</i>.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “<i>allow[ing] any user to use its computer resource without the identity of the user of the user being established</i>,” this rule 4(5) is redundant.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.6 Rule 4(6) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.</i>”</p>
<p style="text-align: justify; ">This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.</p>
<p><b>Therefore, it is proposed that rule 4(6) be deleted.</b></p>
<p><span>Rule 5 - Log Register</span></p>
<p>6.1 Rule 5(3) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(3) Cyber Cafe shall prepare a monthly report of the log register showing date- wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.</i>”</p>
<p style="text-align: justify; ">This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 7<b> - </b>Inspection of Cyber Cafe</span></p>
<p>7.1 Rule 7 of the Cyber Cafe Rules provides for an inspection regime:</p>
<p style="text-align: justify; ">“<i>An officer autnorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.</i>”</p>
<p style="text-align: justify; ">The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.</p>
<p><b>Therefore, it is proposed that rule 7 be deleted.</b></p>
<p><b>IV <span>Summary</span></b></p>
<p>8.1 In sum:</p>
<p style="text-align: justify; ">(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are <i>ultra vires</i> the parent statute;</p>
<p style="text-align: justify; ">(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:</p>
<ul>
<li>Rule 2(1)(c);</li>
<li>Rule 2(1)(e);</li>
<li>Rule 2(1)(g);</li>
<li>Rule 3(1);</li>
<li>Rule 3(4);</li>
<li>Rule 4(1);</li>
<li>Rule 4(2);</li>
<li>Rule 4(3);</li>
<li>Rule 4(4);</li>
<li>Rule 4(5);</li>
<li>Rule 4(6);</li>
<li>Rule 5(3); and</li>
<li>Rule 7.</li>
</ul>
<p style="text-align: justify; ">(c) The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.</p>
<p style="text-align: justify; ">8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011</a>
</p>
No publisherbhairavInternet GovernanceSAFEGUARDS2013-07-12T12:15:30ZBlog EntryIndia's Biometric Identification Programs and Privacy Concerns
https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns
<b>The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.
</b>
<p> </p>
<hr />
<p style="text-align: justify;">Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. <em>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</em>.</p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify;">Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.</p>
<h3 style="text-align: justify;">‘Big Data’ and Privacy Issues</h3>
<p style="text-align: justify;">Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,<a name="fr1" href="#fn1">[1]</a> the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.<a name="fr2" href="#fn2">[2]</a> The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.</p>
<h3 style="text-align: justify;">Biometric ID and Theft of Private Data</h3>
<p style="text-align: justify;">The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.</p>
<h3 style="text-align: justify;">Biometric data and Potential Misuse</h3>
<p style="text-align: justify;">Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.<a name="fr4" href="#fn4">[4]</a> The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]</p>
<p style="text-align: justify;">A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.<a name="fr5" href="#fn5">[5]</a> Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.<a name="fr6" href="#fn6">[6]</a> With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.<a name="fr7" href="#fn7">[7]</a></p>
<p style="text-align: justify;">With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.<a name="fr8" href="#fn8">[8]</a> Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]</p>
<p style="text-align: justify;">Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.</p>
<hr />
<p>[<a name="fn1" href="#fr1">1</a>]. <a href="http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections">http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections</a>.</p>
<p>[<a name="fn2" href="#fr2">2</a>]. <a href="http://www.wired.com/threatlevel/2008/03/hackers-publish">http://www.wired.com/threatlevel/2008/03/hackers-publish</a>.</p>
<p>[<a name="fn3" href="#fr3">3</a>].<a href="https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions">https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions</a>.</p>
<p>[<a name="fn4" href="#fr4">4</a>]. <a href="http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001">http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001</a>.</p>
<p>[<a name="fn5" href="#fr5">5</a>]. <a href="http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece">http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece</a>.</p>
<p>[<a name="fn6" href="#fr6">6</a>]. <a href="http://news.bbc.co.uk/2/hi/8691753.stm">http://news.bbc.co.uk/2/hi/8691753.stm</a></p>
<p>[<a name="fn7" href="#fr7">7</a>]. Supra note 1.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns'>https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns</a>
</p>
No publisherdivijSAFEGUARDSInternet GovernancePrivacy2016-07-21T10:51:42ZBlog EntryMicrosoft releases its first report on data requests by law enforcement agencies around the world
https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies
<b>In this post, the Centre for Internet and Society presents Microsoft´s report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Last week, Microsoft released its first report with data on the number of requests received from law enforcement agencies around the world relating to Microsoft online and cloud services. Microsoft´s newly released <a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">2012 Law Enforcement Requests Report </a>depicts the company's willingness to join the ranks of Google, Twitter and other Web businesses that publish transparency reports.</p>
<p style="text-align: justify; "><span>As of 30 June 2012, </span><a href="http://www.internetworldstats.com/asia.htm#in">137 million</a><span> Indians are regular Internet users, many of which use Microsoft services including Skype, Hotmail, Outlook.com, SkyDrive and Xbox Live. Yet, until recently, it was unclear whether Indian law enforcement agencies were requesting data from our Skype calls, emails and other Microsoft services. Thus, Microsoft's release of a report on law enforcement requests is a decisive step in improving transparency in regards to how many requests for data are made by law enforcement agencies and how many requests are granted by companies. Brad Smith, an executive vice president and Microsoft´s general counsel, wrote in his </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">blog post</a><span>:</span></p>
<blockquote class="italized"><i>“As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”</i></blockquote>
<h2><b>Microsoft 2012 Law Enforcement Requests</b></h2>
<p style="text-align: justify; "><span>Democratic countries requested the most data during 2012, according to </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Microsoft´s report</a><span>. The law enforcement agencies in the United States, the United Kingdom, Germany, France and Turkey accounted for 69 percent of the 70, 665 requests Microsoft (excluding Skype) received last year. Although India did not join the rank of the countries which made the fewest requests from Microsoft, it did not join the</span><a href="http://www.itpro.co.uk/data-protection/19488/microsoft-opens-collaboration-law-enforcement-agencies"> top-five league</a><span> which accounted for the most requests, despite the country having </span><a href="https://opennet.net/research/profiles/india">one of the world´s highest number of Internet users</a><span>.</span></p>
<p style="text-align: justify; "><span>Out of the</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 70,665 requests</a><span> to Microsoft by law enforcement agencies around the world, only about 0.6 percent of the requests were made by Indian law enforcement agencies. These 418 requests specified 594 accounts and users, which is significantly low in comparison to the top-five and other countries, such as Taiwan, Spain, Mexico, Italy, Brazil and Australia. Indian law enforcement requests accounted for about 0.5 percent of the total 122, 015 accounts and user data that was requested by law enforcement agencies around the world.</span></p>
<p style="text-align: justify; "><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Content data</a><span> is defined by Microsoft as what customers create, communicate and store on or through their services, such as words in an e-mail or photographs and documents stored on SkyDrive or other cloud offerings. </span><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?_r=1&">Non-content data</a><span>, on the other hand, refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration. According to Microsoft´s 2012 report, the company did not disclose any content data to Indian law enforcement agencies. In fact, only </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">2.2 percent </a><span>of requests from law enforcement agencies around the world resulted in the disclosure of content data, </span><a href="http://www.engadget.com/2013/03/21/microsoft-posts-its-first-law-enforcement-requests-report/">99 percent of which were in response to warrants from courts in the United States</a><span>. Microsoft may have not disclosed any of our content data, but</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 370 requests</a><span> from Indian law enforcement agencies resulted in the disclosure of our non-content data. In other words, 88.5 percent of the requests by India resulted in the disclosure of e-mail addresses, IP addresses, names, locations and other subscriber information.</span></p>
<p style="text-align: justify; "><span>Out of the 418 requests made to Microsoft by Indian law enforcement agencies, </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">only 4 were rejected </a><span>(1 percent) and no data was found for 44 requests (10.5 percent). In total, Microsoft rejected the disclosure of 1.2 percent of the requests made by law enforcement agencies around the world, while data was not found for 16.8 percent of the international requests. Thus, the outcome of the data shows that the majority of the requests by Indian law enforcement agencies resulted in the disclosure of non-content data, while very few requests were rejected by Microsoft (excluding Skype). The following table summarizes the requests by Indian law enforcement agencies and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total number of requests</p>
</td>
<td>
<p>418 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/Users specified in requests</p>
</td>
<td>
<p>594 (0.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of non-content data</p>
</td>
<td>
<p>370 (88.5%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>44 (10.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests rejected</p>
</td>
<td>
<p>4 (1%)</p>
</td>
</tr>
</tbody>
</table>
<h2><span>Skype 2012 Law Enforcement Requests</span></h2>
<p style="text-align: justify; "><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">Microsoft acquired Skype</a> towards the end of 2011 and the integration of the two companies advanced considerably over the course of 2012. According to the<a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> Microsoft 2012 report</a>, Indian law enforcement agencies made 53 requests for Skype user data and 101 requests for specified accounts on Skype. In other words, out of the total 4,715 requests for Skype user data by law enforcement agencies around the world, the requests by Indian law enforcement accounted for about 0.1 percent. 15,409 international requests were made for specified accounts on Skype, but Indian law enforcement requests only accounted for about 0.6 percent of those.</p>
<p style="text-align: justify; "><span>The</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> report </a><span>appears to be extremely reassuring, as it states that Skype did</span><i> not </i><span>disclose any content data to any law enforcement agencies around the world. That essentially means that, according to the report, that all the content we created and communicated through Skype during 2012 was kept private from law enforcement. Although Microsoft claims to not have disclosed any of our content data, it did </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">disclose </a><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx"><i>non-content data</i></a><span>, such as SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number. However, Microsoft did not report how many requests the company received for non-content data, nor how much data was disclosed and to which countries.</span></p>
<p style="text-align: justify; "><span>Microsoft </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">reported </a><span>that data was not found for 47 of India´s law enforcement requests, which represents 88.6 percent of the requests. In total, Microsoft reported that data was not found for about half the requests made by law enforcement agencies on an international level. Out of the 53 requests, Microsoft provided guidance to Indian law enforcement agencies for 10 requests. In particular, such guidance was provided either in response to a rejected request or general questions about the process for obtaining Skype user data. Yet, the amount of rejected requests for Skype user data was not included in the report and the guidance provided remains vague. The following table summarizes the requests by Indian law enforcement agencies for Skype user data and their outcome:</span><span> </span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total of requests</p>
</td>
<td>
<p>53 (0.1%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/identifiers specified in requests</p>
</td>
<td>
<p>101 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests resulting in disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>47 (88.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Provided guidance to law enforcement</p>
</td>
<td>
<p>10 (18.8%)</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The Centre for Internet and Society (CIS) supports the publication of </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">Microsoft´s 2012 Law Enforcement Requests Report</a><span> and encourages Microsoft (including Skype) to continue releasing such reports which can provide an insight on how much user data is being shared with law enforcement agencies around the world. In order to ensure that such reports adequately provide transparency, they should be broadened in the future to include more data, such as the amount of non-content data requests disclosed by Skype, the type of guidance provided to law enforcement agencies and the amount of requests rejected by Skype. Nonetheless, this report is a decisive first step in increasing transparency and further, more detailed reports are strongly encouraged.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies'>https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies</a>
</p>
No publishermariaInternet GovernanceSAFEGUARDS2013-07-12T12:19:31ZBlog EntryDriving in the Surveillance Society: Cameras, RFID tags and Black Boxes...
https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes
<b>In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have <a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">already adopted measures</a> to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, <a href="http://arstechnica.com/tech-policy/2012/09/your-car-tracked-the-rapid-rise-of-license-plate-readers/2/">privacy concerns</a> have arisen as it remains unclear how data collected will be used.<span> </span></p>
<h2><b>Red light cameras</b></h2>
<p style="text-align: justify; "><span>Last week, the Chennai police announced that it plans</span><a href="http://articles.timesofindia.indiatimes.com/2011-05-12/chennai/29535601_1_red-light-camera-system-red-light-cameras-traffic-signals"> to install traffic enforcement cameras</a><span>, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since </span><a href="http://www.traffictechnologytoday.com/news.php?NewsID=2767">early 2008</a><span> and a</span><a href="http://ibnlive.in.com/news/study-finds-red-light-cameras-cuts-crashes/142065-57-132.html"> study</a><span> indicates that they have reduced the traffic violation rates. A </span><a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">2003 report by the National Cooperative Highway Research Programme (NCHRP)</a><span> examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.</span></p>
<p style="text-align: justify; "><span></span><span>However, how are traffic violation rates even measured? According to </span><a href="http://blogs.wsj.com/numbersguy/seeing-red-1208/">Barbara Langland Orban</a><span>, an associate professor of health policy and management at the University of South Florida:</span></p>
<blockquote class="italized"><i>“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”</i></blockquote>
<p style="text-align: justify; "><span>Last year, the Bombay state government informed the High Court that the </span><a href="http://www.indianexpress.com/news/cctvs-not-fit-to-detect-traffic-violations-state-to-hc/910392">100 CCTV cameras</a><span> installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s </span><a href="http://www.thehindu.com/opinion/op-ed/of-constitutional-due-process/article436586.ece">due-process rights</a><span>?</span></p>
<h2 style="text-align: justify; "><b>RFID tags and Black Boxes</b></h2>
<p style="text-align: justify; "><span>A communication revolution is upon us, as Maharashtra state transport department is currently including radio </span><a href="http://www.dnaindia.com/mumbai/report_maharashtra-rto-spy-to-breathe-down-drivers-neck_1625521">frequency identification (RFID) tags on each and every number plate of vehicles</a><span>. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the </span><a href="http://www.hsrpdelhi.com/Rule50.pdf">2001 amendment of Rule 50 of the Central Motor Vehicles Rules</a><span>, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.</span></p>
<p style="text-align: justify; "><span>RFID technology has also been launched at Maharashtra´s </span><a href="http://articles.timesofindia.indiatimes.com/2012-08-18/mumbai/33261046_1_rfid-stickers-border-check-posts">state border check-posts</a><span>. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.</span></p>
<p style="text-align: justify; "><span>By </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">31 March 2014</a><span>, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to </span><a href="http://netindian.in/news/2013/03/05/00023379/electronic-toll-collection-all-national-highways-march-2014-joshi">Dr. Joshi</a><span>, the Union Minister for Road Transport and Highways:</span></p>
<blockquote class="italized" style="text-align: justify; "><i>“</i><i>The RFID technology</i><i> shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”</i></blockquote>
<p style="text-align: justify; "><span>Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">uniquely identifies each vehicle</a><span>, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.</span></p>
<p style="text-align: justify; "><span>The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an </span><a href="http://www.thehindu.com/news/national/article3636417.ece">Event Data Recorder (EDR)</a><span>, otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.</span></p>
<p style="text-align: justify; "><span>Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it </span><a href="http://www.thehindu.com/news/national/article3636417.ece">mandatory for cars</a><span> to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.</span></p>
<h2><b>Are monitored cars safer?</b></h2>
<p style="text-align: justify; "><span>The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a </span><a href="http://www.fhwa.dot.gov/publications/research/safety/05049/05049.pdf">2005 Federal Highway Administration study</a><span>, although it shows a decrease in front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other</span><a href="http://www.techdirt.com/articles/20091218/1100537428.shtml"> studies</a><span> of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.</span></p>
<p style="text-align: justify; "><span>Furthermore, there have been </span><a href="http://www.usatoday.com/story/news/nation/2013/03/08/speed-camera-ruling/1974369/">claims</a><span> that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.</span></p>
<p style="text-align: justify; "><span>Companies which manufacture </span><a href="http://dir.indiamart.com/impcat/vehicle-tracking-systems.html">vehicle tracking systems</a><span> are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?</span></p>
<p style="text-align: justify; "><span>And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope,</span><a href="http://www.farnish.plus.com/amatterofscale/mirrors/omni/surveillance.htm"> but us</a><span>. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored,</span><a href="http://www.samharris.org/blog/item/the-trouble-with-profiling"> we are all suspects</a><span> and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.</span></p>
<h2><b>Maneuvering our monitoring</b></h2>
<p style="text-align: justify; "><span>Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.</span></p>
<p style="text-align: justify; "><span>Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as</span><a href="http://d2dtl5nnlpfr0r.cloudfront.net/tti.tamu.edu/documents/0-4196-2.pdf"> increasing the duration of the yellow light</a><span> between the green and the red, </span><a href="http://www.motorists.org/red-light-cameras/alternatives">re-timing lights</a><span> so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.</span></p>
<p style="text-align: justify; "><span>Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:</span></p>
<blockquote class="quoted"><i>Should we be monitored at all?</i></blockquote>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes'>https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:26:33ZBlog EntryThe Privacy (Protection) Bill 2013: A Citizen's Draft
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft
<b>The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness around privacy, completing in depth research, and driving a privacy legislation in India. As part of this work, Bhairav Acharya has drafted the Privacy (Protection) Bill 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">The Privacy (Protection) Bill 2013 contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of a possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf" class="internal-link">Click</a> to download a full draft of the Privacy (Protection) Bill, 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:50:20ZBlog EntryWorkshop on the Unique Identity Number (UID), the National Population Register (NPR) and Governance: What will happen to our data?
https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr
<b>On March 2nd, 2013, the Centre for Internet and Society and the Say No to UID campaign organized a workshop to discuss the present state of the UID and NPR schemes. Some of the questions which were addressed included ´How do the UID and NPR impact citizenship´, ´Why and how is national security linked to UID/NPR´, and ´What is the relationship between UID and Big Data´. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p class="italized" style="text-align: justify; "><i>“The UIDAI will own our data...When we hand over information, we hand over the ownership of that data...”</i>, stated Usha Ramanathan, legal researcher and human rights activist.She also pointed out that, although the UID has been set up by an executive order, there is no statute which legally backs up the UID. In other words, the collection of our data through the UID scheme is currently illegal in India, hinging only on an executive order. However, Usha Ramanathan stated that if the UID scheme is going to be carried out, it is highly significant that a statute for the UID is enacted to prevent potential abuse of human rights, especially since the UIDAI is currently collecting, sharing, using and storing our data on untested grounds.</p>
<blockquote class="italized"><i>´What is alarming is that the Indian government has not even attempted to legalize the UID! When a government does not even care about legalizing its actions, then we have much bigger problems...” </i></blockquote>
<p style="text-align: justify; "><span>The NPR is legally grounded in the provisions of the Citizenship Act 1955 and in the Citizenship Rules 2003 and it is mandatory for every usual resident in India to register with the NPR. Even though the collection of biometrics is not accounted for in the statute or rules, the NPR is currently collecting photographs, iris prints and fingerprints. Concerns regarding the use of biometrics in the UID and NPR schemes were raised during the workshop; biometrics are not infallible and can be spoofed, an individual´s biometrics can change in response to a number of factors (including age, environment and stress), the accuracy of a biometric match depends on the accuracy of the technology used and the larger the population is, the higher the probability of an error. Thus, individuals are required to re-enrol every two to three years, to ensure that the biometric data collected is accurate; but the accuracy of the data is not the only problem. The Indian government is illegally collecting biometrics and as of yet has not amended the 2003 Citizenship Rules to include the collection of biometrics! As Usha Ramanathan stated:</span></p>
<blockquote class="italized" style="text-align: justify; "><span> </span><i>“It´s not really about the UID and the NPR per se...it´s more about the idea of profiling citizens and the technologies which enable this...”</i></blockquote>
<p style="text-align: justify; "><span>In his presentation, Anant Maringanti, from the Hyderabad Urban Labs and Right to the City Foundation, stated that even though seventy seven lakh duplicates have been found, no action has been taken, other than discarding one of them. Despite the fact that enrolment with the UID is considered to be voluntary, children in India are forced to get a unique identification number as a prerequisite of going to school. Anant emphasized that the UID scheme supposedly provides some form of identity to the poor and marginalised groups in India, but it actually targets some of the most vulnerable groups of people, such as HIV patients and sex workers. Furthermore, though Indians living below the poverty line (BPL) are eligible for direct cash transfer programmes, apparently registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BLP category. This is problematic as individuals who have not enrolled in the UID or do not want to enroll in the UID could risk being denied benefits because they did not enroll and thus were not classified in the BPL category. Anant also pointed out that, linking biometric data to a bank account through the UID scheme is basically exposing personal data to fraud. Anant Maringanti characteristically stated: </span></p>
<blockquote class="italized"><span> </span><i>“I wish the 100 people applying the UID scheme had UIDs so that we could track them...!”</i></blockquote>
<p style="text-align: justify; "><span>Following the end of the workshop on the UID and NPR schemes, CIS interviewed Usha Ramanathan and Anant Maringanti: <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/P1CdCkdKtcU" width="250"></iframe> </span></p>
<p style="text-align: justify; "><span>The workshop can be viewed in two parts: <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/o7X1Af5Jw3s" width="250"></iframe> <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/rSFYOfvtOr8" width="250"></iframe> </span></p>
<p style="text-align: justify; "><span><br /></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr'>https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:28:50ZBlog EntryHacking without borders: The future of artificial intelligence and surveillance
https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance
<b>In this post, Maria Xynou looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p class="Normal1">Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.</p>
<h2><b>Combat Zones That See (CTS)</b></h2>
<p><b><img src="http://farm5.staticflickr.com/4137/4749564682_9ab88cb4d1.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/swanksalot/">swanksalot</a> on flickr</p>
<p class="Normal1">Ten years ago DARPA started funding the<a href="http://www.freerepublic.com/focus/f-news/939608/posts"> Combat Zones That See (CTS)</a> project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.</p>
<p class="Normal1">Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that<span> <a class="external-link" href="http://www.wired.com/politics/law/news/2003/07/59471">40 million surveillance cameras were already in use around the </a></span><a class="external-link" href="http://www.wired.com/politics/law/news/2003/07/59471">world </a>by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. <a href="http://www.wired.com/politics/law/news/2003/07/59471">Police</a> in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.</p>
<p class="Normal1">However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.</p>
<h2><b>Mind´s Eye</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8425/7775805386_8260b7836c.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/58687716@N05/">watchingfrogsboil</a> on flickr</p>
<p class="Normal1">A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">thinking camera</a>. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">´visual intelligence´</a>. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to <a href="http://phys.org/news/2012-10-surveillance-tech-carnegie-mellon.html">predict future human activities and situations</a>.</p>
<p class="Normal1">Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">General</a><a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/"> </a><a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">James Cartwright</a>, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">operationally significant activity</a> and predicting outcomes.</p>
<p class="Normal1">Mounting these <a href="http://www.dailygalaxy.com/my_weblog/2011/01/minds-eye-darpas-new-thinking-camera-will-transform-the-world-of-surveillance.html">smart cameras on drones</a> is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?</p>
<h2><b>SyNAPSE</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8230/8384110298_da510e0347.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/healthblog/">A Health Blog</a> on flickr</p>
<p class="Normal1">The <i>Terminator </i>could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the <a href="http://www.artificialbrains.com/darpa-synapse-program">Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE)</a> programme. Is DARPA funding the creation of the <i>Terminator</i>? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.</p>
<p class="Normal1">SyNAPSE is a programme which aims to develop <a href="http://celest.bu.edu/outreach-and-impacts/the-synapse-project">electronic neuromorphic machine technology</a> which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received<a href="http://www.artificialbrains.com/darpa-synapse-program"> $102.6 million</a> in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create <a href="http://www.darpa.mil/Our_Work/DSO/Programs/Systems_of_Neuromorphic_Adaptive_Plastic_Scalable_Electronics_(SYNAPSE).aspx">biological neural systems </a>which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">cognitive computers</a> would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.</p>
<p class="Normal1">Although this original type of computational device could be beneficial to <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">predict natural disasters</a> and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.</p>
<p class="Normal1">Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.</p>
<h2><b>Brain-Computer Interface (BCI)</b></h2>
<p><b><br /></b></p>
<p><iframe frameborder="0" height="360" src="http://www.youtube.com/embed/qCSSBEXBCbY?feature=player_embedded" width="640"></iframe></p>
<p class="Normal1">Remember Orwell's ´<i>Thought Police</i>´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in <i>1984</i>. Unlike the ´<i>Thought Police</i>´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can <i>literally </i>read our thoughts.</p>
<p class="Normal1">Once again, DARPA appears to be funding one of the world´s most innovative projects: the <a href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/">Brain-Computer Interface (BCI)</a>. The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph -<a href="http://www.extremetech.com/wp-content/uploads/2012/08/brain-hacking-accuracy-chart.jpg"> an EEG</a>) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely <i>thinking </i>of the action.</p>
<p class="Normal1">Ten years ago it was reported that the brains of <a href="http://www.newscientist.com/article/dn2237">rats</a> and <a href="http://news.bbc.co.uk/2/hi/health/3186850.stm">monkeys</a> could control robot arms through the use of such technologies. A few years later<a href="http://www.newscientist.com/article/dn4540"> brainstem implants</a> were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as<a href="http://www.cyborgdb.org/mckeever.htm"> to control robotic limbs with their thoughts</a>. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally <i>thinking </i>about them, while using a BCI.</p>
<p class="Normal1">Brain-controlled robotic limbs could change the lives of disabled persons, but<a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience"> ethical concerns</a> have arisen in regards to the BCI´s mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out <a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data">sensitive data</a>, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the <i>P300 response</i>, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to <a href="http://www.digitaltrends.com/cool-tech/this-is-your-brain-on-silicon/">DARPA</a>:</p>
<blockquote class="italized"><i>´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´</i></blockquote>
<p class="Normal1">This constitutes the human brain as<a class="external-link" href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/"> a <span>new warfighting </span>domain</a> of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.</p>
<p class="Normal1">Security expert, Barnaby Jack, of IOActive demonstrated the <a href="http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt">vulnerability of biotechnological systems</a>, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.</p>
<p class="Normal1">Will BCI be used in the future to<a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience"> interrogate terrorists and suspects</a>? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our <i>thoughts</i> - can potentially be hacked? Human rights are essential because they protect us from those in power; but the <i>privacy of our thoughts</i> is even more important, because without it, we can have no human rights, no individuality.</p>
<p class="Normal1">Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.</p>
<p class="Normal1">Apparently, anyone can<a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data"> buy Emotiv or Neurosky BCI online</a> to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance'>https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:30:27ZBlog EntryA Comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012
https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills
<b>In this post, Maria Xynou gives us a comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p>Last April, the most recent version of the DNA Profiling Bill was leaked in India. The draft 2007 DNA Profiling Bill failed to adequately regulate the collection, use, sharing, analysis and retention of DNA samples, profiles and data, whilst its various loopholes created a potential for abuse. However, its 2012 amended version is not much of an improvement. On the contrary, it excessively empowers the DNA Profiling Board, while remaining vague in terms of collection, use, analysis, sharing and storage of DNA samples, profiles and data. Due to its ambiguity and lack of adequate safeguards, the draft April 2012 Human DNA Profiling Bill can potentially enable the infringement of the right to privacy and other human rights.</p>
<h2><b>Draft 2007 DNA Profiling Bill <i>vs.</i> Draft 2012 Human DNA Profiling Bill</b></h2>
<h3><b> </b><b>1. </b><b>Composition of the DNA Profiling Board</b></h3>
<p><b>Amendment:</b> The Draft 2007 DNA Profiling Bill listed the members which would be appointed by the Central Government to comprise the DNA Profiling Board. A social scientist of national eminence, as stated in section 4(q) of Chapter 3, was included. However, the specific section has been deleted from the Draft 2012 Human DNA Profiling Bill and no other social scientist has been added to the list of members to comprise the DNA Profiling Board. Despite the amendments to the section on the composition of the Board, no privacy or human rights expert has been included.</p>
<p><b>Analysis:</b> The lack of human rights experts on the board can potentially be problematic as a lack of expertise on privacy laws and other human rights laws can lead to the regulation of DNA databases without taking privacy and other civil liberties into consideration.</p>
<ul>
<li><b>DNA 2007 Bill (Section 4): </b><i>“The DNA Profiling Board shall consist of the following members appointed by the Central Government from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics , social sciences, law and criminal justice or any other discipline which would, in the opinion of the Central Government, be useful to DNA Profiling , namely: (a) a Renowned Molecular Biologist to be appointed by the Central Government Chairperson, (b) Secretary, Ministry of Law and Justice, or his nominee ex-officio Member; (c) Chairman, Bar Council of India, New Delhi or his nominee ex-officio Member; (d) Vice Chancellor, NALSAR University of Law, Hyderabad ex-officio Member; (e) Director, Central Bureau of Investigation or his nominee ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, New Delhi ex-officio Member; (g) Director, National Crime Records Bureau, New Delhi ex-officio Member; (h) Director, National Institute of Criminology and Forensic Sciences, New Delhi ex-officio Member; (i) a Forensic DNA Expert to be nominated by Secretary, Ministry of Home Affairs, New Delhi, Government of India Member; (j) a DNA Expert from All India Institute of Medical Sciences, New Delhi to be nominated by its Director, Member; (k) a Population Geneticist to be nominated by the President, Indian National Science Academy, New Delhi Member; (l) an Expert to be nominated by the Director, Indian Institute of Science, Bangalore Member; (m) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi ex-officio Member; (n) Director, Centre for Cellular and Molecular Biology, Hyderabad ex-officio Member; (o) Representative of the Department of Bio-technology, Government of India, New Delhi to be nominated by Secretary, DBT, Ministry of S&T, Government of India Member; (p) The Chairman, National Bioethics Committee of Department of Biotechnology, Government of India, New Delhi ex-officio Member; (q) a Social Scientist of National Eminence to be nominated by Secretary, MHRD, Government of India Member; (r) four Directors General of Police representing different regions of the country to be nominated by MHA Members; (s) two expert Members to be nominated by the Chairperson Members (t) Manager, National DNA Data Bank ex-officio Member; (u) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad ex-officio Member Secretary”</i><b> </b></li>
</ul>
<p><b> </b></p>
<ul>
<li><b>DNA April 2012 Bill (Section 4):</b><i>“The Board shall consist of the following Members appointed from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics, social sciences, law and criminal justice or any other discipline which would be useful to DNA profiling, namely:- (a) A renowned molecular biologist to be appointed by the Central Government- Chairperson; (b) Vice Chancellor of a National Law University established under an Act of Legislature to be nominated by the Chairperson- ex-officio Member; (c) Director, Central Bureau of Investigation or his nominee (not below the rank of Joint Director)- ex-officio Member; (d) Director, National Institute of Criminology and Forensic Sciences, New Delhi- ex-officio Member;(e) Director General of Police of a State to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member</i><b> </b><i>(g) Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (h) Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (i) Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member; (j) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- exofficio Member; (k) Financial Adviser, Department of Biotechnology, Government of India or his nominee- ex-officio Member; (l) Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members; (m) A population geneticist to be nominated by the President, Indian National Science Academy, New Delhi- Member; (n) A representative of the Department of Biotechnology, Government of India to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Member; (o) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad- ex-officio Member- Secretary” </i></li>
</ul>
<p><i><br /></i></p>
<h3><b>2. </b><b>Powers and functions of the Chief Executive Officer</b></h3>
<p><b>Amendment:</b> Although the Chief Executive Officer´s (CEO) powers and functions are set out in the 2007 Draft DNA Bill, these have been deleted from the amended 2012 Draft Bill. The Draft 2012 Bill merely states how the CEO will be appointed, the CEO´s status and that the CEO should report to the Member Secretary of the Board. As for the powers and functions of the CEO, the 2012 Bill states that they will be specified by the Board, without any reference to what type of duties the CEO would be eligible for. Furthermore, section 10(3) has been added which determines that the CEO will be ´a scientist with understanding of genetics and molecular biology´.</p>
<p><b>Analysis:</b> The lack of legal guidelines which would determine the scope of such regulations indicates that the CEO´s power is subject to the Board. This could create a potential for abuse, as the CEO´s power and the criteria for the creation of the regulations by the Board are not legally specified. Although an understanding of genetics and molecular biology is a necessary prerequisite for the specific CEO, an official understanding of privacy and human rights laws should also be a prerequisite to ensure that tasks are carried out adequately in regards to privacy and data protection.</p>
<ul>
<li><b>DNA 2007 Bill (Section 11):</b><i>“(1) The DNA Profiling Board shall have a Chief Executive Officer who shall be appointed by the Selection Committee consisting of Chairperson and four other members nominated by the DNA Profiling Board. (2) The Chief Executive Officer shall be of the rank of Joint Secretary to the Govt. of India and report to the Member Secretary of the DNA Profiling Board. (3)The Chief Executive Officer appointed under sub-section (1)shall exercise powers of general superintendence over the affairs of the DNA Profiling Board and its day-to-day management under the direction and control of the Member Secretary. (4) The Chief Executive Officer shall be responsible for the furnishing of all returns, reports and statements required to be furnished, under this Act and any other law for the time being in force, to the Central Government. (5) It shall be the duty of the Chief Executive Officer to place before the DNA Profiling Board for its consideration and decision any matter of financial importance if the Financial Adviser suggests to him in writing that such matter be placed before the DNA Profiling Board.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 10): </b><i>“(1) There shall be a Chief Executive Officer of the Board who shall be appointed by a selection committee consisting of the Chairperson and four other Members nominated by the Board. (2) The Chief Executive Officer shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The Chief Executive Officer shall be a scientist with understanding of genetics and molecular biology. (4) The Chief Executive Officer appointed under subsection (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>3. </b><b>Functions of the Board</b></h3>
<p><b>Amendment:</b> The section on the functions of the DNA Profiling Board of the 2007 Draft DNA Profiling Bill has been amended. In particular, sub-section 12(j) of the Draft 2012 Human DNA Profiling Bill states that the Board would ´authorise procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies´. The equivalent sub-section in the 2007 Draft DNA Bill restricted the Board´s authorisation to crime investigation by law enforcement agencies, and did not include civil proceedings and other agencies.</p>
<p><b>Analysis:</b> This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ are not defined and remain vague. The broad use of the terms ´other agencies´ and ´civil proceedings´ could create a potential for abuse, as it is unclear which parties would be authorised to use DNA profiles and under what conditions, nor is it clear what ´civil proceedings´ entail.</p>
<p><b>DNA 2007 Bill (Section 13(x)): </b><i>The DNA Profiling Board constituted under section 3 of this Act shall exercise and discharge the following powers and functions, namely: “authorize communication of DNA profile for crime investigation by</i><b> </b><i>law enforcement agencies;” </i><b> </b></p>
<p><b>DNA April 2012 Bill (Section 12(j)): </b><i>The Board shall exercise and discharge the following functions for the purposes of this Act, namely: “authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies;”</i></p>
<h3><i> </i><b>4. </b><b>Regional DNA Data Banks</b></h3>
<p><b>Amendment:</b> Section 33(1) of the 2007 Draft DNA Profiling Bill has been amended and its 2012 version (section 32(1)) states that the Central Government will establish a National DNA Data Bank and ´as many Regional DNA Data Banks thereunder, for every state or group of States, as necessary´.</p>
<p><b>Analysis:</b> This amendment enables the potential establishment of infinite regional DNA Data Banks without setting out the conditions for their function, how they would use data, how long they would retain it for or who they would share it with. The establishment of such regional data banks could potentially enable the access to, analysis, sharing and retention of huge volumes of DNA data without adequate regulatory frameworks restricting their function.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(1)): </b><i>“The Central Government shall, by a notification published in the</i><b> </b><i>Gazette of India, establish a National DNA Data Bank.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(1)): </b><i>“The Central Government shall, by notification, establish a National DNA Data Bank and as many Regional DNA Data Banks thereunder for every State or a group of States, as necessary.</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>5. </b><b>Data sharing</b></h3>
<p>Section 33(2) of the 2007 Draft DNA Profiling Bill has been amended and section 32(2) of the 2012 draft Human DNA Profiling Bill includes that every state government should establish a State DNA Data Bank which should share the information with the National DNA Data Bank.</p>
<p>This sharing of DNA data between state and national DNA Data Banks could potentially increase the probability of data being accessed, shared, analysed and retained by unauthorised third parties. Furthermore, specific details, such as which information should be shared, how often and under what conditions, have not been specified.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(2)): </b><i>“A State Government may, by notification in the Official Gazette, establish a State DNA Data Bank.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(2)):</b><i>“Every State Government may, by notification, establish a State DNA Data Bank which shall share the information with the National DNA Data Bank.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>6. </b><b>Data retention</b></h3>
<p><b>Amendment:</b> Section 32(3) of the 2012 draft DNA Bill has been amended from its original 2007 form to include that regulations on the retention of DNA data would be drafted by the DNA Profiling Board.</p>
<p><b>Analysis:</b> This amendment does not set out the DNA data retention period, nor who would have the authority to access such data and under what conditions. Furthermore, regulations on the retention of such data would be drafted by the DNA Profiling Board, which could increase their probability of being subject to bias and lack of transparency.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(3)): </b><i>“The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA Profiles received from different</i><b> </b><i>laboratories in the format as may be specified by regulations.”</i> <b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(3)): </b><i>“The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA profiles received from different laboratories in the format as may be specified by the regulations made by the Board.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>7. </b><b>Data Bank Manager</b></h3>
<p><b>Amendment:</b> Section 33 has been added to the 2012 draft Human DNA Profiling Bill and establishes a DNA Data Bank Manager, who would carry out ´all operations of and concerning the National DNA Data Bank´.</p>
<p><b>Analysis:</b> All such operations are not clearly specified and could create a potential for abuse. The DNA Data Manager would have the same type of status as the Chief Executive Officer, but he/she would be required to have an understanding of computer applications and statistics, possibly to support data mining efforts. However, the powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.</p>
<ul>
<li><b>DNA 2012 Bill (Section 33):</b><i>“(1) All operations of and concerning the National DNA Data Bank shall be carried out under the supervision of a DNA Data Bank Manager who shall be appointed by a selection committee consisting of Chairperson and four other Members nominated by the Board.(2) The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board.(3) The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics. (4) The DNA Data Bank Manager appointed under sub-section (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>8. </b><b>Communication of DNA profiles to foreign agencies</b></h3>
<p><b>Amendment:</b> The 2007 Draft DNA Profiling Bill has been amended and sub-sections 35(2, 3) have been excluded from the 2012 Draft Human DNA Profiling Bill. These sub-clauses prohibited the use of DNA profiles for purposes other than the administration of the Act, as well as the communication of DNA profiles. Furthermore, sub-section 36(1) has been added to the 2012 Bill, which authorises the communication of DNA profiles to international agencies for the purposes of crime investigation.</p>
<p><b>Analysis:</b> The exclusion of sub-sections 35(2, 3) from the 2012 Bill indicates that the use and communication of DNA profiles without prior authorisation may be legally permitted, which raises major privacy concerns. Sub-section 36(1) does not define a ´crime investigation´, which indicates that DNA profiles could be shared with international agencies for loosely defined ´criminal investigations´ or even for civil proceedings. The lack of a strict definition to the term ´crime investigation´, as well as the broad reference to foreign states and international agencies raises concerns, as it remains unclear who will have access to information, for how long, under what conditions and whether that data will be retained.</p>
<ul>
<li><b>DNA 2007 Bill (Sections 35(2,3)): </b><i>“(2) No person who receives the DNA profile for entry in the DNA Data Bank shall use it or allow it to be used for purposes other than for the administration of this Act. (3) No person shall, except in accordance with the provisions hereinabove, communicate or authorize communication, or allow to be communicated a DNA profile that is contained in the DNA Data Bank or information that is referred to in sub-section (1) of Section 34”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 36(1)): </b><i>“On receipt of a DNA profile from the government of a foreign state, an international organisation established by the governments of states or an institution of any such government or international organization, the National DNA Data Bank Manager may compare the DNA profile with those in the DNA Data Bank in order to determine whether it is already contained in the Data Bank and may then communicate through Central Bureau of Investigation or any other appropriate agency of the Central Government and with the prior approval of the Central Government information referred to in subsection (1) of section 35 to that government, international organisation or institution.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>9. </b><b>Data destruction</b></h3>
<p><b>Amendment:</b> Section 37 of the 2007 draft DNA Profiling Bill states that the DNA Data Bank Manager shall expunge the DNA analysis of a person from the DNA index once the court has certified that the conviction of a person has been set aside. The 2007 Bill had no particular reference to data retention. The equivalent clause (37) of the 2012 draft DNA Bill, however, not only states that individuals´ DNA data will be kept on a ´permanent basis´, but also that the DNA Data Bank Manager shall expunge a DNA profile under the same conditions under the 2007 Bill.</p>
<p><b>Analysis:</b> This amendment indicates that Indians´ DNA data will be kept indefinitely and that it will be deleted only once the court has cleared an individual from conviction. This raises major concerns, as it does not clarify under what conditions individuals can have access to data during its retention, nor does it give ´non-convicts´ the opportunity to have their data deleted from the data bank.</p>
<ul>
<li><b>DNA 2007 Bill (Section 37): </b><i>“The Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person included in the DNA data bank has been set aside, expunge forthwith the DNA analysis of such person from the DNA index. Explanation:- For the purposes of this section, a court order is not ‘final’ till the expiry of the period of limitation for filing an appeal, or revision application, or review if permissible under the law, with respect to the order setting aside the conviction.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 37):</b><i>“(1) Subject to sub-sections (2) and (3), the information in the offenders’ index pertaining to a convict shall be kept on a permanent basis. (2) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the person in respect of whom the information is included in the offenders’ index has been acquitted of the charge against him, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed. (3) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person in respect of whom the information is included in the offenders’ index has been set aside, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>10. </b><b>Use of DNA profiles and DNA samples and records</b></h3>
<p><b>Amendment</b>: Section 39 of the 2007 draft DNA Profiling Bill has been amended and the equivalent section of the 2012 DNA Bill (section 39) states that DNA profiles, samples and records can be used for purposes related to ´other civil matters´ and ´other purposes´, as specified by the regulations made by the DNA Profiling Board.</p>
<p><b>Analysis:</b> The vague use of the terms ´other civil matters´ and ´other purposes´ can create a potential for abuse, especially since the Board will not be comprised by an adequate amount of members with legal expertise on civil matters. This section enables the use of DNA data for potentially any purpose, as long as it is enabled by the Board. Furthermore, the section does not specify <i>who </i>can be authorised to use DNA data under such conditions, which raises further concerns.</p>
<ul>
<li><b>DNA 2007 Bill (Section 39):</b> <i>“(1)All DNA profiles, samples and records shall solely be used for the purpose of facilitating identification of the perpetrator(s) of a specified</i><b> </b><i>offence: Provided that such records or samples may be used to identify victims of</i><b> </b><i>accidents, disasters or missing persons or for such other purposes.</i><b> </b><i>(2) Information stored on the DNA data base system may be accessed by the authorized persons for the purposes of: (i) forensic comparison permitted under this Act; (ii) administering the DNA data base system; (iii) accessing any information contained in the DNA database system</i><b> </b><i>by law enforcement officers or any other persons, as may be</i><b> </b><i>prescribed, in accordance with provisions of any law for the time</i><b> </b><i>being in force; (iv) inquest or inquiry; (v) any other purpose as may be prescribed: Provided that nothing contained in this section shall apply to information</i><b> </b><i>which may be used to determine the identity of any person.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 39): </b><i>“All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule: Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part I of the Schedule or for other purposes as may be specified by the regulations made by the Board.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>11. </b><b>Availability of DNA profiles and DNA samples</b></h3>
<p><b>Amendment:</b> Section 40 of the 2007 draft DNA Bill has been amended and an extra paragraph has been included to the equivalent 2012 Bill. In particular, section 40 enables the availability of DNA profiles and samples in criminal cases, judicial proceedings and for defence purposes among others.</p>
<p><b>Analysis:</b> ´Criminal cases´ are loosely defined and could enable the availability of DNA data on low profile cases.</p>
<ul>
<li><b>DNA 2007 Bill (Section 40):</b><i>“The information on DNA profiles, samples and DNA identification records</i><b> </b><i>shall be made available only : (i) to law enforcement agencies for identification purposes in a criminal</i><b> </b><i>case; (ii) in judicial proceedings, in accordance with the rules of</i><b> </b><i>admissibility of evidence; (iii) for facilitating decisions in cases of criminal prosecution; (iv) for defense purposes, to a victim or the accused to the extent relevant and in connection with the case in which such accused is charged; (v) for population statistics data base, identification, research and</i><b> </b><i>protocol development, or for quality control provided that it does not</i><b> </b><i>contain any personally identifiable information and does not violate ethical norms, as specified by rules. (vi) for any other purposes as specified by rules.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 40):</b><i>“Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely:- (a) for identification purposes in criminal cases, to law enforcement agencies; (b) in judicial proceedings, in accordance with the rules of admissibility of evidence; (c) for facilitating decisions in cases of criminal prosecution; (d) for defence purposes, to the accused to the extent relevant and in connection with the case in which such accused is charged; (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms; or (f) in the case of investigations related to civil dispute and other civil matter listed in Part I of the Schedule, to the concerned parties to the said civil dispute or civil matter and to the concerned judicial officer or authority; or (g) for any other purposes, as may be prescribed.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>12. </b><b>Restriction on access to information in DNA Data Banks</b></h3>
<p><b>Amendment:</b> Section 43 has been added to the 2012 draft Human DNA Profiling Bill which states that access to information shall be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect.</p>
<p><b>Analysis:</b> This section implies that everyone who does not belong in these two categories has his/her data exposed to (unauthorised) access by third parties.</p>
<ul>
<li><b>DNA April 2012 Bill (Section 43): </b><i>“Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from- (a) a victim of an offence which forms or formed the object of the relevant investigation, or (b) a person who has been excluded as a suspect in the relevant investigation.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>13. </b><b>Board exemption from tax on wealth and income, profits and gains</b></h3>
<p><b>Amendment:</b> Section 53 of the 2007 draft DNA Bill on “Returns and Reports” on behalf of the Board has been deleted and section 62 on the Board exemption from tax on wealth and income, profits and gains, has been added to the 2012 DNA Bill.</p>
<p><b>Analysis:</b> Although the 2007 DNA Bill stated that the Central Government was authorised to issue directions, this has been replaced by section 64 of the 2012 DNA Bill, which authorises the DNA Profiling Board to issue directions.</p>
<ul>
<li><b>DNA 2007 Bill (Section 53):</b><i>“(1) The DNA Profiling Board shall furnish to the Central Government at</i><b> </b><i>such time and in such form and manner as may be specified by rules or </i><b> </b><i>as the Central Government may direct, such returns and statements as</i><b> </b><i>the Central Government may, from time to time, require. (2) Without prejudice to the provisions of sub-section (1), the DNA Profiling</i><b> </b><i>Board shall, within ninety days after the end of each financial</i><b> </b><i>year, submit to the Central Government a report in such form, as may be</i><b> </b><i>prescribed, giving a true and full account of its activities, policy and</i><b> </b><i>programmes during the previous financial year. (3) A copy of the report received under sub-section (2) shall be laid, as soon may be after it is received, before each House of Parliament.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 62): “</b><i>Notwithstanding anything contained in- (a) the Wealth-tax Act, 1957; (b) the Income-tax Act, 1961; or (c) any other enactment for the time being in force relating to tax, including tax on wealth, income, profits or gains or the provision of services,- the Board shall not be liable to pay wealth-tax, income-tax or any other tax in respect of its wealth, income, profits or gains derived.”</i><b> </b></li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills'>https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:32:08ZBlog EntrySummary of the CIS workshop on the Draft Human DNA Profiling Bill 2012
https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012
<b>On March 1st, 2013, the Centre for Internet and Society organized a workshop which analysed the April 2012 draft Human DNA Profiling Bill and its potential implications on human rights in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p>Think you control who has access to your DNA data? That might just be a myth of the past. Today, clearly things have changed, as draft Bills with the objective of creating state, regional, and national DNA databases in India have been leaked over the last years. Plans of profiling certain residents in India are being unravelled as, apparently, the new policy when collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!<span> </span></p>
<p>Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn1">[1]</a>, with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked which was created by the Department of Biotechnology. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn2">[2]</a>. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.</p>
<p>However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and although regulations should be enacted to prevent data breaches, the current Bill raises major concerns in regards to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not only be restricted to criminals…</p>
<h2><b>DNA databases...and Justice for All?</b></h2>
<p><img src="http://farm8.staticflickr.com/7197/6959954129_fefd0f928a.jpg" /></p>
<p class="italized">Source: <span> </span><a href="http://www.flickr.com/photos/libertasacademica/">Libertas Academica</a> on flickr</p>
<p class="italized"><a class="external-link" href="http://dnaphenomena.blogspot.in/2011/05/dna-profiling.html"></a>Du<span>ring the workshop </span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn3">[3]</a><span>on the 2012 draft Human DNA Profiling Bill, DNA</span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn4">[4]</a><span> was defined as a material that determines a persons´ hereditary traits, whilst DNA profiling</span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn5">[5]</a><span> was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear and the implications that could potentially occur through its profiling could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but to also be extremely vague in terms of protecting data, whilst very deterministic in regards to the DNA Profiling Board´s power. A central question in the meeting was:</span></p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<p><i> </i></p>
<p>The following concerns were raised and discussed during the workshop:</p>
<h3>● The myth of the infallibility of DNA evidence</h3>
<p>The Innocence Project<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn6">[6]</a>, which was presented at the workshop, appears to provide an appeal towards the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States, as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments towards the necessity and utility of the creation of DNA databases in India appear to be weak, especially since DNA evidence is <i>not </i>infallible<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn7">[7]</a>.</p>
<p>False matches can occur based on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicate the weakness of DNA evidence being used. DNA data only provides<i> probabilities</i> of potential matches between DNA profiles and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn8">[8]</a>.</p>
<h3>● <b>The non-criteria of DNA data collection</b></h3>
<p>How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that <i>all</i> offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under <i>´any other law as may be specified by the regulations made by the Board´</i>. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.</p>
<h3>● <b>The DNA Profiling Board´s power</b></h3>
<p>The DNA Profiling Board has ´absolute´ power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board´s functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn9">[9]</a>. The Board is also required to advise on all ethical and human rights issues, as well as to take ´necessary steps´ to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.</p>
<p><b>No human rights experts</b></p>
<p><b> </b></p>
<p>Despite the various amendments<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn10">[10]</a> to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be comprised of many molecular biologists and other scientists, while human rights experts have not been included to the list. This can potentially be problematic as a lack of expertise on privacy and human rights laws can lead to the regulation of DNA databases without taking civil liberties into consideration.</p>
<p><b>Vague authorisation for communication of DNA profiles</b></p>
<p><b> </b></p>
<p>The Bill also empowers the Board to ´authorise procedures for communication of DNA profiles for<i> civil proceedings</i> and for crime investigation by law enforcement and <i>other agencies</i>´<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn11">[11]</a>. Although the 2007 Bill <a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn12">[12]</a>restricted the Boards´ authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to ´civil proceedings´ which can also be carried out by so-called ´other agencies´.<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn13">[13]</a> This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ remain vague.</p>
<p><b>Protecting the public</b></p>
<p><b> </b></p>
<p>The Board is also authorised to ´assist law enforcement agencies in using DNA techniques to protect the public´<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn14">[14]</a>. Over the last years, laws are being enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of ´public security´, and the 2012 draft Bill is no exception. Many security measures have been applied to ´protect the public´, such as CCTV cameras and other technologies, but their actual contribution to public safety still remains a controversial debate<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn15">[15]</a>. DNA techniques which would effectively protect the public have not been adequately proven, thus it remains unclear how the Board would assist law enforcement agencies.</p>
<p><b>Sharing data with international agencies…and regulating DNA laboratories</b></p>
<p>In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn16">[16]</a>. This would potentially enable the sharing of DNA data between third parties and would enhance the probability of data being leaked to unauthorised third parties.</p>
<p>The Board would <i>also </i>be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn17">[17]</a>. The draft 2012 Bill ultimately gives <i>monopolistic control</i> to the DNA Profiling Board over<i> all</i> the procedures related to the handling of DNA data!</p>
<h3>● <b>The DNA Data Bank Manager</b></h3>
<p>According to the 2012 draft Human DNA Profiling Bill<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn18">[18]</a>, it is the DNA Data Bank Manager who would carry out ´all operations of and concerning the National DNA Data Bank´. All such operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.</p>
<p>The Bill also empowers the Manager to determine appropriate instances for the communication of information<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn19">[19]</a>. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager, without prior authorisation. The DNA Data Bank Manager is empowered to decide the requested data.</p>
<p><span> </span></p>
<ul>
<li><span>DNA access restrictions</span></li>
</ul>
<p> </p>
<p><span> </span><span>Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill </span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn20">[20]</a><span>states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.</span></p>
<h3>● Availability of DNA profiles and DNA samples</h3>
<p>According to the amended draft 2012 Bill<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn21">[21]</a>, DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, ´criminal cases´ are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the ´creation and maintenance of a<i> population statistics database</i>´. This is controversial because it remains unclear how such a database would be used.</p>
<h3>● Data destruction</h3>
<p>According to an amendment to section 37, DNA data will be kept on a ´permanent basis´ and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.</p>
<h2>Workshop conclusions</h2>
<p><img src="http://farm4.staticflickr.com/3235/3080247531_bf04a5cbe5.jpg" /></p>
<p>Source: <span> </span><a href="http://www.flickr.com/photos/micahb37/">micahb37</a> on flickr</p>
<p>The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.<span> </span></p>
<p>During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals´ right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases in regards to human rights was recommended. In addition to all the above, the Ministry of Law and Justice was recommended to pilot the draft DNA Profiling Bill to ensure better provisions in regards to privacy and data protection.</p>
<p>A debate on the use of DNA data in civil cases versus criminal cases was largely discussed in the workshop, with concerns raised in regards to DNA sampling being enabled in civil cases. The fact that the terms ´civil cases´ and ´criminal cases´ remain broad, vague and not legally-specified, raised huge concerns in the workshop as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.</p>
<p>However, even if separate Bills were created, who is to say that when implemented DNA in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:</p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<p><br clear="all" /></p>
<hr align="left" size="1" width="33%" />
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref1">[1]</a> Draft DNA Profiling Bill 2007, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref2">[2]</a> Human DNA Profiling Bill 2012: Working draft versión – 29th April 2012,</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref3">[3]</a> Centre for Internet and Society, <i>Analyzing the Draft Human DNA Profiling Bill 2012, </i>25 February 2013, <a href="https://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill">http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref4">[4]</a> Genetics Home Reference: Your Guide to Understanding Genetic Conditions, <i>What is DNA?, </i><a href="http://ghr.nlm.nih.gov/handbook/basics/dna"><i>http://ghr.nlm.nih.gov/handbook/basics/dna</i></a><i> </i></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref5">[5]</a> Shanna Freeman, <i>How DNA profiling Works, </i><a href="http://science.howstuffworks.com/dna-profiling.htm"><i>http://science.howstuffworks.com/dna-profiling.htm</i></a><i> </i></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref6">[6]</a> Innocence Project, <i>DNA exoneree case profiles, </i><a href="http://www.innocenceproject.org/know/"><i>http://www.innocenceproject.org/know/</i></a><i> </i></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref7">[7]</a> Australian Law Reform Commission (ALRC), <i>Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96), </i>´Criminal Proceedings: Reliability of DNA evidence´, Chapter 44, <a href="http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence">http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref8">[8]</a> Ibid.</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref9">[9]</a> Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref10">[10]</a> Ibid: Section 4(q)</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref11">[11]</a> Ibid: Section 12(j)</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref12">[12]</a> Draft DNA Profiling Bill 2007, Section 13, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref13">[13]</a> : Human DNA Profiling Bill 2012: Working draft version – 29<sup>th</sup> April 2012, Sections 12(j), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref14">[14]</a> Ibid: Section 12(l)</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref15">[15]</a> Schneier, B.(2008), <i>Schneier on Security, </i>´CCTV cameras´, <a href="http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html">http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref16">[16]</a> Human DNA Profiling Bill 2012: Working draft version – 29<sup>th</sup> April 2012, Sections 12(u) and 12(v), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref17">[17]</a> Ibid: Section on the ´Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories´</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref18">[18]</a> Ibid: Section 33</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref19">[19]</a> Ibid: Section 35</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref20">[20]</a> Ibid: Section 43</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref21">[21]</a> Ibid: Section 40</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012'>https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012</a>
</p>
No publishermariaWorkshopInternet GovernanceSAFEGUARDS2013-07-12T15:33:25ZBlog Entry