The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 61 to 75.
Presentation of the UID project by Ashok Dalwai – A Report
https://cis-india.org/internet-governance/blog/uid-dalwai-presentation
<b>On Tuesday, 7 September 2010, Ashok Dalwai, the Deputy Director General of the Unique Identification of India (UIDAI), gave a lecture at the Indian Institute for Science in Bangalore. Representing the UID Authority, his presentation explained the vision of the project and focused on the challenges involved in demographic and biometric identification, the technology adopted, and the enrolment process. Elonnai Hickok gives a report of his presentation in this blog post.</b>
No publisher | elonnai | Internet Governance | 2012-03-21T10:09:48Z | Blog Entry
Privacy Concerns in Whole Body Imaging: A Few Questions
https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions
<b>Security versus Privacy...it is a question that the world is facing today when it comes to using the Whole Body Imaging technology to screen a traveller visually in airports and other places. By giving real life examples from different parts of the world Elonnai Hickok points out that even if the Government of India eventually decides to advocate the tight security measures with some restrictions then such measures need to be balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.</b>
<p><strong>What is Whole Body Imaging? </strong></p>
<p>Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons. </p>
<h3>How are These Technologies Being Used - Two News Items to Ponder: <br /></h3>
<p><strong>News Item One </strong></p>
<p>In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.</p>
<p>Also, in response to the attempted attack on the U.S, the Mumbai Terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India issued a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one), but instead the authority will randomly select persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zooms in on parts of the image for a better look if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased. 
The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.</p>
<p>Despite this, the machines are controversial because they generate images of a passenger's entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security did a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough details for personal identification, the image is not retained, and the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.</p>
<p><strong>News Item Two</strong></p>
<p>In October this year, Fox News came out with a story on how x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see inside the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. In vans the technology used is the backscatter x-ray machine. The vans are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out for a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the car. Reactions to the vans have been mixed. Some worry about the invasion of privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right is given by an individual’s having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car. </p>
<h3>Questions at the Heart of the WBI Debate: <br /></h3>
<p>Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body — its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by the virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this particularly true given that airport scanning is of only a randomly-selected portion of travelers? Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? Or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead into a declared national emergency? 
Furthermore, how can legislation and policy, which has traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?</p>
<p><strong>How Have Other Countries Responded to Whole Body Imaging and How Should India Respond? <br /></strong></p>
<p>Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.</p>
<p>In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use. It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further. A Nigerian leader also pledged to use full-body scanners.</p>
<p>Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate the tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.</p>
<p>The variation in responses and the uneven uptake of the technology around the world show how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers. Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies. </p>
No publisher | elonnai | Privacy | 2012-03-21T10:09:02Z | Blog Entry
DSCI Information Security Summit 2010 – A Report
https://cis-india.org/internet-governance/blog/dsci-information-summit
<b>On 2 and 3 December 2010, the DSCI Information Security Summit 2010 took place in the Trident Hotel, Chennai. The two day summit included a broad spectrum of speakers/panels and topics, ranging from Securing Data & Systems to how to leverage the Cloud. The key speakers were Mr. Gulshan Rai, Director General, CERT-In, DIT, Mr. Rajeev Kapoor, Joint Secretary, DoPT, Govt. of India, Mr. Vakul Sharma, Advocate, Supreme Court of India and Dr. Kamlesh Bajaj, CEO, DSCI. Elonnai Hickok attended the summit.</b>
<p>Day one commenced with a keynote address given by Jeffery Carr, Principal, GreyLogic, US, who spoke about the gravity and risk that businesses and countries are facing in the digital age. A prominent theme in every presentation throughout the day was that India is facing both serious changes and challenges in light of evolving technology and global standards. A few specific challenges addressed were: encryption standards, the cloud, and securing business transactions. During the panel on encryption standards it was pointed out that India desperately needs a clear and comprehensive policy on encryption standards. Not only will this serve to facilitate transactions in India, but it will increase trade as foreign countries will have an enforced policy to assure them that India is a safe destination to export to. The panel addressing the cloud focused on the challenges that businesses are facing in terms of the cloud in the Indian context. The three main challenges to the Cloud are: </p>
<ul><li>data security and privacy</li><li>compliance requirements</li><li>legal and contractual requirements <br /></li></ul>
<p>It was pointed out that in particular the Indian legal environment is serving as an obstacle to businesses wishing to move to the cloud, because of policies such as 40-bit encryption, and the Indian Telecom licensing policy which do not permit data transfer outside the cloud. Also discussed were measures that organisations have adopted to address data protection challenges in the cloud, including: adding security & privacy clauses to the contractual agreement, making the Cloud service provider liable for a data breach, and auditing the services of Cloud service providers. Further information about the Cloud in the Indian context can be found in the DSCI report on <em>Data Protection Challenges in Cloud Computing: An Indian Perspective</em>. In the session on Securing Business Transactions, the challenge of protecting data and transactions was addressed. Many approaches were presented which explained how securing systems has moved away from using security-enabled software to security-embedded hardware. The first day concluded with a presentation of DSCI Study Reports, including their recent study on the State of Data Security and Privacy in the Indian BPO Industry, Service Provider Assessment Framework – A Study Report, and the DSCI Security Framework.</p>
<p>The second day included presentations and panel discussions on privacy, the economics of security, and security technologies. The presentation on privacy presented many different viewpoints, which ranged from the stance that India has been taking the right steps towards securing individuals’ privacy to, in contrast, the view that India has seen a dilution of privacy standards in recent years. Contributing to the panel on privacy, Vakul Sharma, Supreme Court Advocate, created a timeline of privacy in India, dispelling the popular belief that India does not have a history of privacy. Mr. Sharma closed his presentation with a challenge to those who believe that India does not have adequate privacy protections - to return to the clauses in the ITA, see if they are indeed being followed, and then assess if India does not have adequate privacy protection. The panel on the Economics of Security spoke about the rising costs of security in the wake of cyber crime, and the rising cost of not adequately protecting one’s business. In the session on Technology Challenges to Fight Data Breaches and Cyber Crimes a debate arose on current measures taken by industry and government to fight cyber crime, and steps that still need to be taken. Opening the session was a presentation by Mr. West, member of the National Cyber Forensics Training and Alliance. His presentation introduced a new approach taken by the States in which key stakeholders including students and local law enforcement were engaged when tracking down cyber criminals. Mr. West demonstrated the success of the program, and explained how such an approach could be easily adapted in India. From different comments made by the panel and audience it was clear from this session that there is a need for the Indian government to be more invested in funding and supporting smaller cybercrime initiatives. 
Closing the day was a panel on E-Security for the next five years including the application and enforcement of DSCI’s best practices for a Security and Privacy Framework. </p>
<p>The event was sponsored by: Trusted Computing Group, Computer Associates, McAfee, Verizon Business, Tata Consultancy Services, Deloitte, (ISC)2, BlackBerry, ACS, CSC, Microsoft, RSA, and Intel.</p>
No publisher | elonnai | Internet Governance | 2012-03-21T10:04:22Z | Blog Entry
C.I.S Responds to Privacy Approach Paper
https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper
<b>A group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject. Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy. The approach paper is now being circulated for seeking opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training for seeking public views on the subject. The Privacy India team at C.I.S responded to the approach paper and has called for the need for a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation. </b>
<h2>1. What is privacy? </h2>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>In the approach paper, the definition of privacy is not consistent and the meanings are used interchangeably. It is variously referred to as a right and an expectation. Also, we find that no real distinctions are being made between privacy, data protection, and security. As a result, the paper lays out an approach to a data protection legislation masquerading as a privacy legislation. Thus, we find that there is a need to define and make consistent in the document, the language used to define privacy. </p>
<p>b)<span class="Apple-tab-span"> </span>CIS, drawing upon the definition of privacy used in the European Union, understands privacy as the right of an individual to be free from unauthorised intrusion and the ability of that individual to control and disseminate information that identifies or characterizes the individual. We thus believe privacy is operative in these contexts: </p>
<p>1. Physical - physical space, body, home, car, etc. </p>
<p>2. Informational - Digital as well as Non-Digital (Information gathering, storage, retrieval, usage, transfer, disposal, etc). </p>
<p>3. Intellectual - Right to make decisions pertaining to oneself, to enjoy one's perspective and ideas. A violation in any of these contexts should be construed as a breach of privacy.</p>
</div>
<h2>2. Is there a need for privacy protection? </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that there is a pressing need for privacy protection in the context of the enhanced technological opportunities that have arisen in the past two decades for the exploitation of personal data. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>As the approach paper rightly concludes, these threats to privacy are magnified by initiatives that interlink databases – such as the UID project. </p>
<p>c)<span class="Apple-tab-span"> </span>However, we believe that privacy is not limited to data protection and would invite the Committee to consider ways in which it may broaden the ambit of its investigation. </p>
</div>
<h2>3. Is there a need for such legislation? </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>We reject the “hybrid” approach being offered here. Previous experiences with Self Regulatory Organisations (SROs) in India (e.g. AMFI, MFIN) leave us with little cause for optimism that they will be an effective guarantor of as sensitive a right as privacy. Curiously, the approach paper itself does not mention this “hybrid” aspect anywhere else in the document. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We endorse the attempt to arrive through statute, at a minimal, though robust, horizontal guarantee of privacy that operates across sectors. Just as the parameters of the right to life and liberty are broad guidelines on one hand but have specific and intentional meanings, so should the right to privacy. </p>
</div>
</div>
<h2>4. Legislative Competence: </h2>
<p>We agree.</p>
</div>
<h2>5. Is there a constitutional right to privacy? </h2>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that the Supreme Court has derived a constitutional right to privacy from Article 21 of the Constitution. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>However, the approach paper is factually incorrect in its assertion that “all available cases have been decided in the context of government action”. There is by now a sizeable amount of consumer case law which deals with the issue of privacy between private individuals/entities. </p>
<p>c)<span class="Apple-tab-span"> </span>Most frequently, this issue has arisen in the context of hospital/patient relationships and the courts have held the right to privacy as one that is not unqualified. </p>
<p>d)<span class="Apple-tab-span"> </span>Other common “non-government” arenas where courts have elaborated on the right to privacy include banking and telephony services. </p>
<p>e)<span class="Apple-tab-span"> </span>We feel that the Committee ought to inform itself more thoroughly about the developing jurisprudence on the right to privacy in India – both in the context of government and non-government actions.</p>
</div>
</div>
</div>
<h2>6. Existing legislation: </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>In addition to the IT Act, there are several statutes and subordinate legislation which safeguard an individual’s privacy in specified sectors such as banking, insurance, telephony etc. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>By neglecting them wholesale, we feel that the approach paper deprives itself of valuable contextual elaborations of the right to privacy in India. The case for a horizontal right to privacy in India can be derived not merely from the inadequacies of the IT Act, but from the cumulative failings of all these numerous dispersed provisions. </p>
<p>c)<span class="Apple-tab-span"> </span>We agree that ITA does not provide sufficient protection to privacy, and that there is a need for specific legislation that addresses all aspects of privacy, but we would go much further than the current proposal. </p>
<p>d)<span class="Apple-tab-span"> </span>We suggest that in addition to the requirements listed for data security, a full-fledged privacy legislation needs to include specific regulations on: gathering, retention, access, transfer, security, data quality, and individuals’ consent. </p>
<p>e)<span class="Apple-tab-span"> </span>Furthermore, the data protection component of the privacy legislation needs to include redress for breaches of data, and the individual must be informed when a data breach takes place and given access to sufficient information to identify who breached the privacy and how – as well as information about what data were compromised and ways to limit or undo the improper disclosure. </p>
<p>f)<span class="Apple-tab-span"> </span>Generally speaking, a privacy regime should work towards: 1. Increasing the protection of tangible and intangible possessions as well as personal data; 2. Increasing knowledge of privacy and empowering people to make informed choices; 3. Making organizations more accountable for protecting privacy; 4. Compelling (through audits, sanctions, etc) organisations to improve security standards; 5. Increasing individuals’ confidence in privacy laws and the organisations protecting privacy. </p>
</div>
<h2>7. Potential Conflicts between Data Protection Legislation and other Laws: </h2>
<div>
<p> We find that it would be useful if the laws that conflict with the data protection legislation are referenced in each section.</p>
</div>
<h3> 7.1 Data Protection and the Right to Information</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>The argument that a privacy legislation would conflict with the RTI is somewhat overstated. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Where the government has collected data from individual citizens, that information needs to be exempt from RTI disclosure unless an overriding public interest is demonstrated – which is the current position under the RTI Act. </p>
<p>c)<span class="Apple-tab-span"> </span>We believe, on the other hand, that public officials ought to be subject to scrutiny by virtue of the public office they hold and that they should be subject to transparency about certain aspects of their life which would not be applicable to the common man. Information about tax filings, credit history, and financial records can help root out corruption, for example. </p>
<p>d)<span class="Apple-tab-span"> </span>The kinds of personal data that are broadcast in the transparency bulletins should be limited with specifics shared if need be on a case by case basis. </p>
<p>e)<span class="Apple-tab-span"> </span>As the approach paper itself mentions, the RTI Act is extremely sensitive to the issue of privacy and privacy is one of the most frequent grounds of refusal of data by public bodies. </p>
<p>f)<span class="Apple-tab-span"> </span>Rulings by various information appellate bodies under the RTI Act have done an admirable job of balancing issues of privacy against the public interest and the proposed privacy legislation ought not to disturb this careful balance. </p>
<p>g)<span class="Apple-tab-span"> </span>We recommend that the proposed privacy legislation contain a non-obstante clause that subordinates it to the provisions of the RTI Act. </p>
</div>
</div>
<h3>7.2 Data Protection and Credit Verification</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree with the statement but believe the privacy issues that would come up are not limited to just credit verification. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>All aspects of data collection and handling for the financial sector should be looked into and statutes developed to deal with the sensitive nature of the data. </p>
<p>c)<span class="Apple-tab-span"> </span>This may include limitations on marketing efforts and disclosure to third-parties. </p>
</div>
<h3>7.3 Data Protection and Private Investigative Agencies</h3>
</div>
<p>a)<span class="Apple-tab-span"> </span>We believe that the private investigators should undergo licensure, and that the PI agencies should be regulated so that any kind of surveillance must comply with privacy protection laws. </p>
<div>
<div>
<p>b)<span class="Apple-tab-span"> </span>Judicial oversight should be required in order to take certain kinds of action (access to records, surveillance, monitoring, etc) by these agencies. </p>
</div>
<h3>7.4 Data Protection and National Security</h3>
</div>
<p>a)<span class="Apple-tab-span"> </span>We understand the conflict between the need for a government to ensure the security of its population and the need to protect privacy. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We find the most effective resolution is for judicial oversight for some activities (monitoring, surveillance, access to personal records by law enforcement, etc) to be required. </p>
</div>
</div>
<h3>7.5 Data Protection vs. Transparency in Government</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We feel that this section engages very sloppily with the issue of transparency/corruption in India. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>It completely ignores the history of the various struggles for transparency in government fought across India, that were aimed precisely at prodding the government out of its secretive shell. </p>
<p>c)<span class="Apple-tab-span"> </span>In doing so the approach paper risks retarding, at one stroke, all the advances made by these several movements over the past fifty years. </p>
<p>d)<span class="Apple-tab-span"> </span>The publication of lists of recipients/beneficiaries of schemes has been one of the most hard won, and potent tools that has been used to mobilize collective action by locals against corrupt officials. </p>
<p>e)<span class="Apple-tab-span"> </span>We empathise with the approach paper’s aspiration that the government “rethink its approach to transparency”, but are skeptical that a new privacy law would, of all things, prompt such a transformative rethinking. We advise caution and certainly greater sensitivity in handling this issue. </p>
</div>
<h3>8.0 Privacy legislation in other countries:</h3>
<p>a)<span class="Apple-tab-span"> </span>We agree with the recommendations, but would include notification of breach: how, when, what and who. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We believe that the auditing of companies is an important security and transparency mechanism that needs to be included, along with the ability to sanction offenders and methods of redressal for aggrieved parties. </p>
</div>
</div>
</div>
<h3>9.0 Proposed Framework for Privacy Legislation: </h3>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>Although India lacks a horizontal law of privacy, various sectoral laws currently function to provide a degree of protection. For instance, sectoral regulatory agencies such as TRAI, RBI and SEBI have periodically issued guidelines on privacy which are enforceable through tribunals and ombudsmen under the respective enactments. Professional bodies like the Medical Council and the Bar Council prescribe privacy and confidentiality norms which members of these bodies must adhere to. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>In this context, the approach paper’s suggestion of a “framework” followed by sectoral guidelines would appear to be no more than a duplication through statute of the extant state of affairs. </p>
<p>c)<span class="Apple-tab-span"> </span>We would recommend instead, the provision in the act of a robust, general “right to privacy” which would provide a threshold level of protection to the individual. Sectoral guidelines on privacy could then be framed to operate in addition to existing sectoral norms, thereby raising the bar of privacy in that particular sector. </p>
<p>d)<span class="Apple-tab-span"> </span>We also find the framework primarily targeted toward digital data protection alone, and it needs to address all forms of information and include personal and intellectual contexts.</p>
</div>
</div>
<h3>9.1 Applicability</h3>
<div>
<p>We endorse the approach paper’s recommendation that the proposed legislation apply both to private and public entities. However, we feel that this does not exhaust the issue of ‘applicability’. Specifically we invite the Committee’s attention to the following issues:</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>We believe that the data and the private information that are already in the possession of the government and public/private companies should come under the ambit of the legislation. I.e. it should be applicable to all data collected by any entity, regardless of the fact that such data is otherwise publicly obtainable.</p>
<p>b)<span class="Apple-tab-span"> </span>We invite the Committee’s consideration on whether it would be wise to limit the applicability of the act to regulating the organized, systematic collection of large amounts of personal data by entities, however incorporated. This would, as the approach paper suggests, exempt from the purview of this Act, private and domestic collection of information. In addition it would exempt marginal collectors such as hobbyist website designers, academic researchers etc from the scope of this act. Remedies against these users would still remain, as they have thus far in Tort law. </p>
</div>
<h3>9.2 Data</h3>
<div>
<p>While we acknowledge that certain kinds of information may be more sensitive than others, we feel that the approach paper has not adequately made use of this distinction in its later segments. Specifically we believe:</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>The distinction is useful to prescribe enhanced security precautions during the stage of data collection. For example, the collection of genetic data or HIV status of a person can be made subject to very stringent conditions compared to, say, the collection of more mundane details like name and age. </p>
<p>b)<span class="Apple-tab-span"> </span>However, we believe the distinction is not useful if it is used, say, to provide differentiated access/data security standards for the two types of information, e.g. if the law stipulated a lesser penalty for the exposure of personal data as opposed to sensitive data, or if the law prescribed a lesser security standard for personal data compared to personal sensitive data. The threat posed by information depends heavily on the context in which it is used, and in the tragic aftermath of Godhra, even a list of names (which the approach paper has not regarded as ‘sensitive’) could be used for lethal purposes.</p>
</div>
</div>
</div>
<h3> 9.3 Personal Data</h3>
<div>
<p>We endorse the need expressed by the approach paper for a multilateral definition of the way in which information may identify a person.</p>
</div>
</div>
<h3>9.4 Personal Sensitive Data </h3>
<p> See comments at 9.2 above </p>
<h3>9.5 Data Collection</h3>
<div>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>We feel that while informed consent ought to be mandatory in all situations the mandatory requirement of informed ‘written’ consent could be confined only to collection of sensitive information and any information that is likely to be stored for longer durations than say, a week. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>This would exempt benign uses such as by academic researchers or hobbyist website designers or photographers who inadvertently collect small quantities of ‘personal data’. </p>
<p>c)<span class="Apple-tab-span"> </span>Simultaneously, more ‘industrial’ collectors of personal information such as telephone and insurance companies would be required to obtain written consent. Note that this would not exempt them from the requirement of observing standards of data security, but only free them of the obligation of having obtained written consent. </p>
<p>d)<span class="Apple-tab-span"> </span>It is important that this requirement would be in addition to but not diminish consent requirements under existing law. For instance, various judicial decisions and the NHRC have stipulated guidelines governing the administration of the polygraph test to an accused. These include the provision of legal assistance and the requirement that consent be recorded before a judge. The simple requirement of “Informed written consent” under the privacy act should not override other more rigorous judicial guidelines. </p>
<p>e)<span class="Apple-tab-span"> </span>As an overriding safeguard, we think that where “balancing interests” come into play, such interest must first seek and obtain judicial approbation.</p>
</div>
</div>
<h3> 9.6 Data Processing</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree with the need to fix primary responsibility for data security on the data controller, however, </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>it may be in the interest of the citizen/victim to stipulate that in the event of a breach by the data processor, she may prefer her remedy against either the data processor or the data controller. </p>
<p>c)<span class="Apple-tab-span"> </span>We reject the approach paper’s view that concessions need to be made “considering the population of India”. After all, considering this population, the very necessity of a privacy legislation itself may also have to “be considered”. </p>
</div>
</div>
</div>
<h3>9.7 Data Storage</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We concur that data should be stored only until the time the purpose for which it was collected is achieved. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Further, the Committee could consider introducing a presumption that in all cases, unless demonstrated otherwise, the purpose of data collection would be deemed to have been served within, say, 6 months from the date of collection. </p>
<p>c)<span class="Apple-tab-span"> </span>We believe that this could be strengthened by placing the onus on the data controller, in the event of any dispute, to prove that the stated purpose has not yet been achieved. Any data that are required for national security or for archival, etc should come under the scrutiny of the judiciary. </p>
<p>d)<span class="Apple-tab-span"> </span>We endorse the approach paper’s conservative stance on linking of databases. </p>
</div>
</div>
<h3>9.8 Data Security</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We invite the Committee to explore the possibility of gradated data security standards depending on the size of the data collection and the sensitivity of the information held. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>This would ensure that different security standards would apply to, on the one hand, academic researchers and hobbyist website designers who collect marginal data in small ephemeral collections, and on the other hand large insurance companies which maintain large perpetual data warehouses of personal information. </p>
</div>
</div>
<h3>9.9 Data Access</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that data subjects ought to have a ‘moral right’ that guarantees the integrity of data collected and maintained about them. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We believe that the proposed legislation should provide a clear and speedy mechanism to activate this right. </p>
</div>
</div>
<h3>9.10 Cross Border Applicability and Transfer</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We would argue that India does need comprehensive legislation and strong enforcement. Population size is not a reason for loose legislation. To the contrary, it buttresses the argument for urgent action to be taken, since the stakes are exponentially greater in a country where a billion people stand to lose their privacy compared to countries with populations numbering in the trifling millions. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Furthermore, the benefits to international trade should be taken into consideration when determining the stringency of a data protection regime, and this should inform the terms of the statutes that are enacted. </p>
</div>
</div>
<h3>9.11 Exemptions</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We believe that exemptions to the legislation should be carefully worded and where possible, permitted only through judicial oversight. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Care must be taken to see that exemptions under the proposed legislation do not end up widening the scope of intrusion beyond what is allowable under existent law, e.g. an exemption in the Privacy act on grounds of ‘national security’ should not permit wiretapping agencies to circumvent the due procedure requirements under the Telegraph Act or to violate principles of natural justice.</p>
</div>
</div>
<h3>9.12 Automated Decision Making</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree but we think that there is a present need for automated decision related laws since the technology is already in use in India and other countries. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>In particular, we would endorse the incorporation of provisions which would compel disclosure of the fact that automated decision making algorithms are being employed along with a synopsis of the logic of such algorithms. </p>
</div>
</div>
<h3>9.13 Regulatory Set Up</h3>
<div>
<p>We believe that effective regulation and inexpensive, speedy redress are critical for the success of the proposed right to privacy legislation. We believe the approach paper, while admirable in the scope of the subject it covers, deals with this issue rather inadequately under the overbroad heading of “Regulatory Set up”.</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>At the outset we believe that standards-setting functions could be and ought to be separated from adjudicatory functions. This is a model that has proven successful in various other domains in India in the recent past (e.g. TRAI/TDSAT and SEBI/SAT) and could be usefully imported in the present context. </p>
<p>b)<span class="Apple-tab-span"> </span>Secondly, we believe that the approach paper is not clear enough on whether civil or criminal penalties are intended. We believe that a judicious mix of both would be necessary in order to minimize the risk of individuals being needlessly harassed by enforcement agencies, whilst simultaneously dealing firmly with corporations and other entities whose violations of privacy threaten the greatest harm. We believe that the proposed legislation could be modeled along the lines of the Workmen’s Compensation Act, the Motor Vehicles Act and similar legislations which provide a minimum assured relief immediately upon the establishment of a claim. </p>
<p>c)<span class="Apple-tab-span"> </span>Lastly, we firmly reject the approach paper’s proposal to merge the functions of the data regulator under the Privacy legislation with those of the Information Commissioners under the Right to Information Act. We believe that the Right to Information Act is a landmark legislation which has, in a short while, become a critical tool of empowerment in the hands of the citizens and civil service organizations. One of the most frequently cited reasons by which government departments refuse access to information under the RTI is on grounds of ‘privacy’. In most cases these turn out to be delaying tactics to shield the actions of a few corrupt officials from public scrutiny. The success of the RTI Act hinges on its interpretation and promulgation by officers who believe in the peremptory importance of openness of information in the public interest. The right to privacy demands an opposite orientation and the merging of the two in one officer would lead to an unsatisfactory implementation of both. We believe, as indicated above, that privacy claims that conflict with a citizen’s exercise of her right to information are being resolved satisfactorily by the information commissioners under the RTI Act at present and the proposed Privacy legislation should not disturb this. </p>
</div>
</div>
<h2>Conclusion</h2>
<div>
<p>We commend the drafters of the approach paper for their having skillfully woven together the best international practices related to privacy, with an eye to specifics of the Indian situation. However we also feel that the Committee could have been better served by a more detailed study of statutory enforcement models and mechanisms that have succeeded in expanding the reach of remedies to Indians eg. the Consumer Protection Act, Motor Vehicles Act etc.</p>
<div><a href="https://cis-india.org/internet-governance/blog/privacyapproachpaper" class="internal-link" title="Privacy Approach Paper">Approach Paper: 121KB</a></div>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper'>https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper</a>
</p>
No publisher | elonnai | 2012-03-21T10:08:10Z | Blog Entry
American Bar Association Online Privacy Conference: A Report
https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference
<b>On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panelists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to take. </b>
<h3>Introduction</h3>
<p>On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:</p>
<ul><li>Lisa Sotto, a private practitioner in the US</li><li>Billy Hawkes, Commissioner of Data Protection, Ireland</li><li>Bojana Bellamy, Director of Data Privacy, London, UK</li><li>Hugh Stevenson, Deputy Director of the Federal Trade Commission, US</li><li> Jennifer Stoddart, Privacy Commissioner, Canada.</li></ul>
<p>The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy. The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that, as India moves forward with a privacy legislation, should be considered and given thought.</p>
<h3>Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross-border Data Transfer</h3>
<p>When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer – the panel was in agreement that privacy policies need to move beyond paper to practice. They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. Specifically addressing cloud computing, internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally, if there is a breach in data, the onus at the end of the day falls on the company that was in possession of the data. Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility - creating a system analogous to the “do not call registry” for websites – something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on a website, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice was the emerging trend of “privacy by design”. “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies where companies will assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard. 
If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy - allowing consumers to easily and quickly recognize what products are more privacy risky than others, and easily find reliable and secure data processors. The ability of the privacy seal to be applied to all services and sectors would be particularly useful in a sectoral system like the US, where companies that collect data, but are not a part of the regulated sectors (financial, health, etc.), do not come within the purview of the privacy protecting laws.</p>
<h3>Privacy Seals Globally? Privacy Seals in India?</h3>
<p>If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently – the Indian consumer. Even though India does not have a privacy legislation, nor a heightened concern over personal privacy, the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal”. Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially a privacy seal could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.</p>
<h3>Accountability:</h3>
<p>In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to Bojana Bellamy – the EU Data Privacy Director, is increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an “accountability principle” to the directive. The directive is defining accountability as: showing how responsibility is exercised and making this verifiable - or in simpler terms – compliance with principles in the data protection field. The accountability principle that is being proposed would be comprised of two requirements. One requirement would obligate the data controllers to implement appropriate and effective measures that made sure the principles and obligations of the Directive were being put into effect by organizations. The second would be to require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment, monitoring, sanctions, and internal and external audits. The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems. This would also mean that the data controllers would need to strengthen their internal arrangements. 
Further accountability measures considered by the Directive working party include: establishment of internal procedures prior to the creation of new personal data processing operations, setting up written and binding data protection policies to be considered and applied to new data processing operations, mapping of procedures to ensure proper identification of all data processing operations and maintenance of an inventory of data processing operations, appointment of a data protection officer, and offering adequate data protection training and education to staff members.</p>
<h3>Data Breaches:</h3>
<p>The panel next discussed data breaches. From the example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database – clearly data breaches are a continual, often very serious problem. Few people, though, realize the extent to which data breaches happen (on their own personal data) and the actual consequences of the breaches, because countries do not have well-defined data breach policies in place. There are a handful of European countries, like France and Germany, and some American states, like California, that have included data breach requirements in their laws. Despite this, there are no broad statutes for data breach notification in the US or the EU. Also in 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self-regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media. If a data breach occurs, through bad press, the media causes the social and monetary costs to increase, so that companies will want to prevent data breaches. The privacy commission of Canada works to help companies remedy the breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and questions that self-regulation faces are:</p>
<ul><li>Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?</li><li>How will the balance between over-reporting breaches with under-reporting breaches be maintained?</li><li>Even if there is a social incentive to provide notification of breach, is it adequate enough to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breach?</li><li>If bad media is the main form of penalty for companies – is this enough penalty, and is it able to take into consideration the context of each privacy breach?</li></ul>
<p>These questions along with the growing number of breaches that are occurring have pushed the EU and other countries to consider integrating data breach statutes into broad legislation. </p>
<h3> E-Privacy Directive Breach Notification:</h3>
<p>Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two-tiered system – a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier is if the breach impacts the subscriber or individual, then the individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach. If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions. In the UK, data breach notification must include:</p>
<p>1. The type of information and compromised number of records</p>
<p>2. The circumstances of the loss, release, or corruption</p>
<p>3. Actions taken to minimize or mitigate the effect on individuals involved including whether they have been informed</p>
<p>4. Details of how the breach is being investigated</p>
<p>5. Whether any other regulatory bodies have been informed and, if so, their responses</p>
<p>6. Remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment. </p>
<h3>Accountability, breach notification: What material should India think about for a legal privacy structure?</h3>
<p>Lawrence Friedman once explained that legal systems are living organisms – Bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legal legislation it is important to look at what purpose that legislation is going to serve, and if that purpose reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations for responding to cultural and economic changes against a backdrop of widely-dispersed population groups with deeply-engrained traditions of government and management. This has led to incongruities: for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action. There are laws to protect certain rights, but the average person who takes action will never be afforded redress. Thus, India faces challenges both similar to and different from those that the EU and Western countries are facing with regard to privacy. One of the greatest privacy challenges in India today, despite having adopted technology, habits, and practices that put privacy at risk, is the common perception that India does not have any privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming a privacy legislation, a few broad questions that India needs to consider are:</p>
<p>· Does it want a broad legislation, one that could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislations, which risk being too tailored and difficult to harmonize?</p>
<p>· If India wants a broad privacy framework how will this be set up?</p>
<p>· What will be the tools used for civil education?</p>
<p>· How will enforcement take place? </p>
<p>· Is self-regulated accountability or statutory accountability better?</p>
<p>· Will there be a privacy tribunal?</p>
<p>· How will data be categorized? </p>
<p>· Will breaches be notified?</p>
<p>· Will standardized privacy policies be created?</p>
<p> As Hugh Stevenson, the commissioner from the FTC, described - one of the greatest benefits of breach notification was the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work and how their information is processed, and what risks are involved and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced - is whether a comprehensive legislation could be implemented? And should India be looking to enact such a comprehensive and detailed legislation when there is no existing privacy legislation to build off of, and no deep culture of privacy? To these concerns I can only speculate that there is always a balance between being overly ambitious in a legislation, and too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference'>https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference</a>
</p>
No publisher | elonnai | Privacy | 2012-03-21T10:08:36Z | Blog Entry
Privacy and Banking: Do Indian Banking Standards Provide Enough Privacy Protection?
https://cis-india.org/internet-governance/blog/privacy/privacy-banking
<b>Banking is one of the most risky sectors as far as privacy is concerned due to the highly sensitive and personal nature of information which is often exchanged, recorded and retained. Although India has RBI guidelines and legislations to protect data, this blog post looks at the extent of those protections, and what are the areas that still need to be addressed.</b>
<h2>1. Introduction</h2>
<p>Banking is one of the most at-risk sectors for privacy violations due to the sensitive and highly personal nature of information that is exchanged, recorded, and retained. Individuals must trust banks with personal identifying information, their financial records, the access information to their accounts, and their credit history. Thus, privacy violations are not taken lightly and heavily impact the individual whose privacy was violated. Ways in which a violation of privacy can take place in the banking sector include: sharing personal information with third parties without consent for marketing purposes, stolen or lost banking number or card, sharing personal information or allowing access to third parties without informed consent, inadequate notification to an individual concerning what will be done with their data, collecting more personal data than is necessary, refusal to provide financial records upon request by client, incorrectly recording personal information, and loss of a client's personal data due to improper security measures. </p>
<h2>2. Examples of privacy violations in the banking sector: </h2>
<p>There have been many instances in which one of the above violations has occurred. The examples below demonstrate that a privacy violation of any nature is never as simple as “the disclosure of personal data” or “unauthorized access”. Each violation has a unique context that raises important questions that must be answered when forming a privacy legislation, while at the same time demonstrating the need for a certain level of privacy protection to be applied across the board in the financial sector.</p>
<h3>2.1 Bank of America: </h3>
<p>An example of a very common privacy violation, by Bank of America, was reported by the Utility Consumers' Action Network. In the case, Bank of America was charged with selling the personal information (social security numbers, bank account numbers, etc.) of 35 million customers to marketers and third parties without informing the individuals. Bank of America is now settling for $14 million, and agreeing to change its privacy policies, its Web site, and its privacy procedures. Perhaps the most alarming element of this story is that Bank of America violated its own privacy policy <strong>[1]</strong>.</p>
<div>
<p>This example raises several questions. Who should be regulating the banking sector? Should the banking sector be subject to audits more frequently or more stringently? Under what circumstances should data transfer be permitted, i.e. can financial institutions disclose encrypted account numbers to non-affiliated third parties as long as the access code is not provided? The example also demonstrates:</p>
<div>
<ul style="list-style-type: square;"><li>
<p>The need for a customer's personal data to be distinguished between public and non-public information.</p>
</li><li>
<p>The need for opt-out options for customers, so they can choose whether personal information is shared with non-affiliated third parties.</p>
</li><li>
<p>The need for restrictions on re-disclosure and re-use of transferred or disclosed data.</p>
</li></ul>
<h3>2.2 Punjab National Bank </h3>
<p>In 2008, in the case of Punjab National Bank vs. Rupa Mahajan Pahwa, a bank was charged with issuing to an unauthorized person a duplicate passbook of a joint savings bank account of a husband and wife, which was being maintained with “operational instructions” of either or survivor. The bank was held accountable for the disclosed information, and was fined, with instructions to look into the conduct of the officials who were supplying information to the unauthorized individual. The fact that a bank employee permitted an unauthorized person access to personal information raises the question of whether a privacy legislation should require that employees in the financial sector go through training on privacy procedures <strong>[2]</strong>.</p>
<div>
<p>This example further demonstrates the need for: </p>
<ul><li>Specific guidelines on the instances in which each type of information can be disclosed.</li><li>Appropriate notice to customers of the disclosure of personal information. Notices of disclosure should include initial privacy notices of the financial institution's policies and practices with respect to the disclosure and protection of personal information, and annual notices. If there are exceptions to be made, these should be clearly established.</li></ul>
</div>
</div>
</div>
<h3>2.3 Canara Bank</h3>
<p>In the case of Canara Bank vs. Dist. Registrar and Collector, the District Registrar entered Canara Bank's premises and inspected its books and documents. After inspecting the documents they found an error, and seized the material. The bank argued that though the Registrar could inspect the documents, they did not have the authority to seize the documents without notice to the persons affected. The ruling of the case held that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted, and the way in which it is brought into play <strong>[3]</strong>. This case demonstrates that context is a crucial element of protecting privacy and defining the right to privacy, and raises the question of how a privacy legislation should define context for the financial sector.</p>
<h2>3. What are the current privacy standards for the banking sector in India? </h2>
<p>Below are questions pertaining to privacy concerns and the corresponding regulations that exist in the banking sector. </p>
<div>
<div>
<ul style="list-style-type: square;"><li>
<p>What are the rules and restrictions placed on banks that relate to confidentiality and secrecy?</p>
</li><li>
<p>What are the exceptions to the obligations of secrecy?</p>
</li></ul>
<h3>3.1 Customary/Statutory Banking Law</h3>
</div>
</div>
<div>
<p>Both in banking customs as well as statutes, there is a standardized, recognized obligation of secrecy. The wording in the following section is reproduced identically in many banking related acts including: SBI Act, 1955 – Section 44, SBI (Acquisition and Transfer of Undertakings) 1980 – Section 13, Credit Information Companies Act 2005 – Section 29, and The Public Financial Institutions Act, 1983 – Section 3. The section is applicable to the respective Bank as a whole and its directors, local boards, auditors, advisers, officers or other employees of the State Bank, and creditors are required in addition to affirm an oath of secrecy as provided <strong>[4]</strong>.</p>
</div>
<p><em>Section 44. Obligation as to fidelity and secrecy: </em>(1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information. (2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.</p>
<p>In Shankarlal Agarwalla v. State Bank of India, AIR 1987 Cal 29, a customer owned 261 bank currency notes of Rs. 1,000/- each. Following the demonetisation of high value currency notes in 1978, he tendered these notes to the bank along with the requisite declaration and instructed the bank to credit his Current Account with the amount. The bank made the declaration made by the customer available to the Income-tax Department, which issued a notice under Sec. 226(3) of the Income-tax Act, attaching the said sum. Later the sum was released. The Calcutta High Court observed that among the duties of the banker towards the customer was the duty of secrecy. Such duty is a legal one arising out of the contract and was not merely a moral one. Breach of it could, therefore, give a claim for nominal damages or for substantial damages if injury resulted from the breach. It was, however, not an absolute duty, but a qualified one subject to certain exceptions. The instances being (1) the duty to obey an order under the Bankers' Books Evidence Act, (2) cases where a higher duty than the private duty is involved, as where danger to the State or public duty may supersede the duty of the agent to his principal, (3) of a bank issuing a writ claiming payment of an overdraft, stating on the face the amount of overdraft, and (4) the familiar case where the customer authorises a reference to his banker. The learned Judge further observed that the State Bank of India was directed by the Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposit of bank notes to the Income-tax Department as soon as such notices were received. This instance had, therefore, come within the exceptions.</p>
<p>The recent Payment and Settlement Systems Act, 2007 imposes privacy obligations on those who manage online payment and settlement systems such as RTGS/NEFT etc. Section 22 of the Act enjoins the “system provider” not to disclose the existence or contents of any document or part of any information given to him by a system participant, except where disclosure is:</p>
<div>
<p>(a) required under the provisions of this Act </p>
<p>(b) made with the express or implied consent of the system participant concerned </p>
<p>(c) in obedience to the orders passed by a court of competent jurisdiction </p>
<p>(d) in obedience of a statutory authority in exercise of the powers conferred by a statute.</p>
</div>
<h3> 3.2 Reserve Bank of India regulations </h3>
<p>The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. Thus, the Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’. The provisions inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring Banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”. </p>
<p>In 2006, the Reserve Bank of India along with several banks of the Indian Banks Association (IBA) established a body called the Banking Codes and Standards Board of India (BCSBI) to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI including the “Code of Bank's Commitment to Customers” which most banks in India adhere to. Enforcement is through a series of internal grievance redressal mechanisms within each bank including a designated “Code Compliance Officer” and an Ombudsman.</p>
<p>Though these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement allows the standards to be applied per institution and per-contract and enforcement is not guaranteed through parliamentary sanctions.</p>
<h3>3.3 What legislation applies to data protection in the banking sector?</h3>
<p>Banks are governed by the Information Technology Act 2000 as amended in 2008. The latter amendments contain provisions that enjoin inter alia, banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorised disclosure of information by the banks for gain.</p>
<h2>4. International Regulation of Privacy in Banks: </h2>
<p><em>The EU: </em>The EU Data Protection Directive is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data <strong>[5]</strong>. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. For example, in the UK the financial sector is regulated by the Banking Act of 2009, but financial data, along with other data, is monitored by the UK data regulator.</p>
<p class="MsoBodyText"><em>The US: </em>Though the United States has many acts regulating the financial sector, the main legislation is the Gramm-Leach-Bliley Act <strong>[6]</strong>. The GLBA imposes obligations and restrictions on financial institutions. The act defines:</p>
<ul><li>The entities covered in the act</li><li>Classifications of data and restrictions based on type of data</li><li>Acceptable and non-acceptable forms of disclosure</li><li>Opt-out requirements, protocols and procedures</li><li>Notice requirements</li><li>Acceptable and non-acceptable marketing activities</li><li>Measures that should be taken to safeguard information</li><li>Methods of enforcement</li></ul>
<h2> Questions to Consider:</h2>
<ul><li>Should financial information be separated into categories based on level of privacy risk?</li><li>Should financial information be treated to a greater level of security?</li><li>Should organizations who commit data breaches in the financial sector receive more severe sanctions?</li><li>Should a privacy legislation create a standardized privacy policy for the financial sector?</li><li>Should a privacy legislation require specific internal and external audits and monitoring of the financial sector? </li></ul>
<h2>Bibliography</h2>
<p class="MsoBodyText">1. <a href="http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices">http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices</a></p>
<p class="MsoBodyText">2. <a href="http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm">http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm</a></p>
<p class="MsoBodyText">3. (2005) 1 SCC 496: AIR 2005 SC 186</p>
<p class="MsoBodyText">4. One of the landmark cases on banking customs related to secrecy is the Court of Appeal case of Tournier v. National Provincial and Union Bank of England decided in 1924. The court upheld the general duty of secrecy arising out of a contract between the banker and the customer and held that the breach of it may give rise to a claim for substantial damages if injury has resulted from the breach. It is, however, not an absolute duty but qualified and is subject to certain reasonable exceptions. These exceptions have been incorporated into Indian law (see the Shankarlal Agarwalla case below).</p>
<p class="MsoBodyText">5. Westby, Jody. International Guide to Privacy: American Bar Association 2004 pg. 89-102</p>
<p class="MsoBodyText">6. Westby, Jody. International Guide to Privacy: American Bar Association 2004 pg. 18</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-banking'>https://cis-india.org/internet-governance/blog/privacy/privacy-banking</a>
</p>
No publisher | elonnai | 2012-03-21T10:07:08Z | Blog Entry
Privacy and Telecommunications: Do We Have the Safeguards?
https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications
<b>We all frequently come across unsolicited and annoying telemarketing calls and SMSes, prank calls, pestering calls for payment, etc. Do we have any safeguards against them? This blog post takes a look at the various rules and regulations under Indian law to guard our privacy and confidentiality.</b>
<h2>1 Introduction</h2>
<p>With a subscriber base that stands at just over 700 million (TRAI, August 2010) the telecom industry has enjoyed spectacular success at absorbing Indians into its fold. Tele-density which, even as recently as in 2002 was stagnant in the low single-digits, today stands at a proud 59%. However far one could go today, it would seem one would never be too distant from a mobile phone.</p>
<p>While this extensive penetration has heralded an era of unprecedented access – truly a ‘communications revolution’ whose full effects it may still be too early to grasp – it has also led to the exposure of individuals to risks on a magnitude never before witnessed. Firstly, in the ordinary course of their business, telecom companies accumulate vast volumes of personal information about their customers including photocopies of identity documents, biographical information etc., which could potentially be misused.</p>
<p>Secondly, the fact that a vast amount of our communication now occurs with the involvement of electronic media has rendered us more susceptible to invasive surveillance, whether lawful or not.</p>
<p>Thirdly, much of our communication is now not merely ephemeral, but is stored in digital form for indefinite periods in corporate ‘data centers’.</p>
<p> Lastly, owning a mobile phone not only enables us to communicate with our business partners and loved ones, but also forces us to engage with an incessant stream of ‘noise’ – telemarketing calls and SMSes, prank/hoax calls, calls pestering us for the payment of bills and offensive/threatening calls.</p>
<p>This note examines the kinds of safeguards that currently exist under Indian law to protect the privacy of telecom users. Broadly there are three streams of such protection:</p>
<p>1) The Telegraph Act and Rules, which contain provisions that prohibit and penalize unlawful interception of communication. Furthermore, licenses issued to telecom service providers (TSPs) under this Act require TSPs to take measures to safeguard the privacy of their customers and confidentiality of communications.</p>
<p>2) The Telecom Regulatory Authority of India has issued various guidelines to TSPs many of which pertain to privacy. </p>
<p>3) The Consumer Protection Act provides customers with an avenue of redress in case of violation of their privacy. </p>
<p>The first two are described in greater detail in the paragraphs that follow. This is followed by a brief analysis of certain international norms.</p>
<h2>2 Indian Regulatory Regime</h2>
<h3>2.1 The Indian Telegraph Act and Rules</h3>
<p>First enacted in 1885, the Telegraph Act remains today on the statute books as the umbrella legislation governing most forms of electronic communications in India including telephones, faxes, the internet etc. The Act contains several provisions which regulate and prohibit the unauthorized interception or tampering with messages sent over ‘telegraphs’ [i]. The following sections apply:</p>
<p><em>1) Section 5 empowers the Government to take possession of licensed telegraphs and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence” [ii].</em></p>
<p><em>2) Section 23 imposes a fine of Rs. 500 on anyone who enters a telegraph office without proper authorization.</em></p>
<p><em>3) Section 24 makes it a criminal offence for a person to enter a telegraph office “with the intent of unlawfully learning the contents of any message”. Such a person may be punished with imprisonment for a term of up to a year.</em></p>
<p><em>4) Section 25 further imposes a criminal penalty on anyone who damages or tampers with any telegraph with the intent to prevent the transmission of messages or to acquaint himself with the contents of any message or to commit mischief. Punishment in this case could extend to 3 years imprisonment or a fine or both.</em></p>
<p><em>5) Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message. This is also punishable with up to 3 years imprisonment or a fine or both.</em></p>
<p><em>6) Section 30 criminalizes the fraudulent retention or willful detention of a message which is intended for someone else. Punishment extends to 2 years imprisonment or fine or both.</em></p>
<h3>2.2 License Agreements</h3>
<p>Although the statute itself governs the actions of telecom operators in a general way, more detailed guidelines regulating their behavior are contained in the terms of the licenses issued to the telecoms which permit them to conduct business [iii]. Frequently, these licenses contain clauses requiring telecom operators to safeguard the privacy of their consumers. A few examples include:</p>
<p><em>1) Clause 21 of the National Long Distance License [iv] comprehensively covers various aspects of privacy including:</em></p>
<p><em>a. Licensees to be responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place.</em></p>
<p><em>b. Licensees to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavors to secure that :</em></p>
<p><em>i. No person acting on behalf of the Licensees or the Licensees themselves divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and</em></p>
<p><em>ii. No such person seeks such information other than is necessary for the purpose of providing service to the Third Party.</em></p>
<p><em>c. The above safeguard however does not apply where </em></p>
<p><em>i. The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or </em></p>
<p><em>ii. The information is already open to the public and otherwise known.</em></p>
<p><em>d. The Licensees shall take necessary steps to ensure that they and any person(s) acting on their behalf observe confidentiality of customer information.</em></p>
<p><em>2) Clause 39.2 of the Unified Access Service License and clause 42.2 of the Cellular Mobile Telephone Service licence enjoin the licensee to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party, and its business to whom it provides the service. The Licensee is required to use its best endeavors to secure that no person acting on behalf of the licensee or the licensee divulges or uses any such information - except as may be necessary in the course of providing such service to the third party.</em></p>
<p><em>3) The Internet Services License Agreement (which authorizes ISPs to function in India) similarly contains provisions touching on privacy:</em></p>
<p><em>a) Part VI of the License Agreement gives the Government the right to inspect/monitor the TSPs systems. The TSP is responsible for making facilities available for such interception. </em></p>
<p><em>b) Clause 32 under Part VI contains provisions mandating the confidentiality of information. </em>These provisions are identical to those described in Clause 21 of the NLD License agreement (see above).</p>
<p><em>c) Clause 33.4 makes it the responsibility of the TSP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.</em></p>
<p><em>d) Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. </em>These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.</p>
<p><em>e) Clause 34.12 and 34.13 requires the Licensee to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities. </em></p>
<p><em>f) Clause 34.16 requires the Licensee to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.</em></p>
<p><em>g) Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”. </em></p>
<p><em>h) Clause 34.23 mandates that the Licensee maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor”. </em></p>
<p><em>i) Clause 34.28 (viii) forbids the licensee from transferring the following information to any person/place outside India:</em></p>
<p><em>j) Any accounting information relating to subscriber (except for international roaming/billing) (</em>Note: it does not restrict a statutorily required disclosure of financial nature)<em> ; and</em></p>
<p><em>k) User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).</em></p>
<p><em>l) Clause 34.28(ix) and (x) require the TSP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time. </em></p>
<p><em>m) Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”.</em> (It is unclear whether this is to operate as an overriding provision governing all other clauses as well)</p>
<h3>2.3 TRAI Regulations and Directions</h3>
<p>The Telecom Regulatory Authority of India was established by statute in 1997 to safeguard interests of consumers while simultaneously nurturing conditions for growth of telecommunications in the country. The Authority has issued several regulations on various subjects which are binding on TSPs. The following regulations touch on the subject of privacy:</p>
<h3>2.4 Unsolicited Commercial Communications Regulation</h3>
<p>In 2007, the Authority introduced the Telecom Unsolicited Commercial Communications Regulations which were aimed at creating a mechanism for registering requests of subscribers who did not wish to receive unsolicited commercial communications. </p>
<p>* The regulations define “unsolicited commercial communication” as any message, through telecommunications service, which is transmitted for the purpose of informing about, or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive.</p>
<p>* The following categories of message are excluded:</p>
<p> (i) any message under a specific contract between the parties to such contract; or </p>
<p> (ii) any messages relating to charities, national campaigns or natural calamities transmitted on the directions of the Government or agencies authorized by it for the said purpose; </p>
<p> (iii) any message transmitted, on the directions of the Government or any authority or agency authorized by it, in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality;</p>
<p>* The regulations specified a procedure for initiation of complaints by consumers and for their adjudication and disposal. </p>
<p>* Telemarketers who initiate unsolicited commercial communication with a person who has opted not to receive such communications face a fine of Rs. 500 per call/SMS as well as disconnection of their telephone services. </p>
<p>* The regulations require the TSPs to maintain confidentiality of all information submitted by the subscribers for the purposes of the ‘Do not Call Registry’.</p>
<h3>2.5 Privacy and Confidentiality Direction </h3>
<p>In February 2010, the TRAI issued a direction seeking to implement the privacy and confidentiality related clauses in the service providers’ licenses (see previous sections). Accordingly by this direction, the TRAI ordered all service providers to “put in place an appropriate mechanisms, so as to prevent the breach of confidentiality on information belonging to the subscribers and privacy of communication”. All service providers were required by this regulation to submit a report to the TRAI giving details of measures so adopted. </p>
<h2>3 International Norms</h2>
<h3>3.1 Telecommunications in the EU </h3>
<p>In 2006, the European Union adopted Directive 2006/24/EC, which mandated member states to store citizens' telecommunications data for six to 24 months, thereby stipulating a maximum time period. The directive permits police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A request to access the information would only be granted through a court order. In 2002 the European Union adopted the Privacy and Electronic Communications Directive. The ECD regulates the electronic communications sector and addresses issues such as: the retention of data, the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.</p>
<p>Art 10(1) of the German Constitution holds “The secrecy of letters, as well as of the post and telecommunications, is inviolable”. However, in 1968 an amendment was introduced which permitted (1) surveillance to occur without the affected person ever being informed of it; and (2) surveillance without judicial review, but through “a review of the case by bodies and auxiliary bodies appointed by Parliament.” These measures could only be invoked in order to protect “the free democratic basic order or the existence or security of the Federation or a state.”</p>
<h3>3.2 Telecommunication in the United States </h3>
<p>In the United States telecommunications are regulated by the Federal Communications Commission. Specifically the FCC regulates how telecommunications carriers and providers of cable television use customer personal information, cable subscriber information, and telemarketing and junk fax activities. Every company that participates in telemarketing must comply with the FCC's rules. The main legislation used to regulate telecommunication carriers is the Federal Communication Act. The Act applies to how carriers may use and disclose “Customer Proprietary Network Information” (CPNI), which includes billing information, type of telecommunications service used, and the types of calls customers tend to make. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing. The FCC does, though, provide an exception to these rules, known as the “total service approach”, that allows carriers to use CPNI to market to existing customers. Also, under the Act, cable providers are required to provide to their subscribers detailed notice about the collection and use of information, and gather consent before collecting, distributing, or disclosing information. Additionally, customers are granted access to their information, and information must be destroyed after it has served the purpose for which it is collected.</p>
<p>The Telephone Consumer Protection Act applies to U.S. companies that tele-market to consumers for commercial purposes. The rules require that phone calls are not permitted before 8:00 am or after 9:00 pm, the company must keep an internal record of consumers who ask not to be called again, and the company must refrain from sending commercial faxes without the recipient's consent. Telephone monitoring and recording are regulated in each state. Many states follow a system known as “one-party consent”, which permits a party to record a telephone conversation without the other party's consent. Only eleven states require consent of all parties before a telephone conversation is recorded (ibid Westby, International Guide to Privacy, 2004).</p>
<h2>4 Discussion</h2>
<p>The Indian Constitution does not, as in certain other countries (e.g. Germany), contain express language upholding the right to privacy in telecommunications. This absence has not, however, hindered the Supreme Court from reading the right to privacy into the Fundamental Right to Life. Various judicial decisions as well as statutes affirm this right to privacy in telecommunications. In conclusion, we would like to provide a quick FAQ on privacy in telecommunications that draws on the foregoing analysis of Indian Law.v </p>
<p>(1) To what extent is there legal protection for customer information (such as one’s name, address, telephone number, or non-dynamic IP address); </p>
<p>As mentioned above, it is fairly easy for enforcement agencies to obtain this data. ISPs are required to make available much of this data on a website for the government to access at all times. Such access may be gained without judicial scrutiny and without even any showing of suspicion.</p>
<p>(2) The extent of legal protection for connection data (such as the telephone numbers called; time and length of connection; one’s dynamic IP address) and the content of telecommunications </p>
<p>Targeted surveillance or wiretapping is only possible following the procedure laid out in the Telegraph Rules which specify the manner in which such an order may be made, the review procedure and the maximum permissible duration of surveillance. </p>
<p> (3) the legal requirements placed on telecommunications providers for data retention or data erasure; </p>
<p>The ISP License agreement requires the ISP to maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny”. No definition is provided of what these commercial records would include or exclude. There is no information on the extent to which ISPs in India currently comply with this requirement and whether they follow any data erasure procedures. </p>
<h2>Questions: </h2>
<p>Will a privacy legislation address data retention for the Telecom sector? </p>
<p>Will a privacy legislation regulate the monitoring and tapping of phones? </p>
<h3>End Notes </h3>
<p>i ‘Telegraph’ is defined widely in the Act to include any “apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature” thus covering most known mediums of communication. </p>
<p>ii In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.</p>
<p>iii Section 4 of the Telegraph Act forbids the establishment of any telegraph service (including, as mentioned earlier, all telephony, internet etc) without obtaining a license from the Central Government.</p>
<p>iv Issued to TSPs who offer long distance telephony in India</p>
<p>v These questions are drawn from a template provided in Schwartz, Paul M. “German and U.S. Telecommunications Privacy Law: Legal Regulation of Domestic Law Enforcement Surveillance.” Hastings Law Journal 54 (August 25, 2003): 751.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications'>https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications</a>
</p>
No publisher | elonnai | 2012-03-21T10:06:48Z | Blog Entry
Consumer Privacy - How to Enforce an Effective Protective Regime?
https://cis-india.org/internet-governance/blog/privacy/consumer-privacy
<b>In a typical sense, when people think of themselves as consumers, they just think about what they purchase, how they purchase and how they use their purchase. But while doing this exercise we are always exchanging personally identifiable information, and thus our privacy is always at risk. In this blog post, Elonnai Hickok and Prashant Iyengar, through a series of questions, look through the whole concept of consumer privacy at the national and international levels. By placing a special emphasis on the Indian context, this post details the potential avenues of consumer privacy in India and states the important elements that should be kept in mind when trying to arrive at an effective protective regime for consumer privacy.</b>
<h2> Who is a consumer? </h2>
<p>According to the Consumer Protection Act, 1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. In the typical sense, when people think of themselves as consumers, they might think about what they purchase through a physical exchange of money for goods or services, ranging from things as simple as fruit or grain to home appliances to cable television, either in a store or through an online exchange where they enter their credit card information and receive their purchase. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors. Typical examples include hospitals, banks and telecommunications. </p>
<h2>What is Consumer Privacy and how may it be breached? </h2>
<p>Consumer privacy is concerned with the manner in which information disclosed by a consumer to a vendor is collected and used. Specific issues include: behavioral advertising, spyware, identity management, and data security/breach. Increasingly, data that is collected from consumers is stored in databanks. This is then used for both legitimate purposes (such as marketing, research etc) and illegitimate extraneous purposes (as when this data is sold in bulk to third parties). Additionally, the privacy of consumers may be compromised by actions of third parties that are facilitated by the negligence of the vendors (as for instance hacking into databases). The following international examples illustrate the kinds of privacy threats that the collection of data from consumers may pose <strong>[1]</strong>:</p>
<p><em>Example 1)</em> Toysmart – an online company- collected personal information from its users, promising to keep it private. In 2000, Toysmart entered bankruptcy and in an attempt to avoid losing everything tried to sell its database despite its strict privacy policy. This example illustrates how vendors may attempt to monetize the personal information of customers exceeding the terms of the contract entered into with them. </p>
<p> <em>Example 2)</em> In 2006 it was found that AOL's research site had a stored file that contained information collected from more than 600,000 users between March and May of 2006. Though the file did not indicate each user by name, it was eventually found that there was enough information to correlate specific individuals to their user number. The AOL example demonstrates the danger of online privacy breaches through either oversight or negligence of the vendor in adopting adequate security measures. </p>
<p><em>Example 3)</em> Similar to the previous example, ChoicePoint – an all-purpose information broker whose database contains information about nearly every adult American citizen – had its system hacked. The thieves had access to the names, addresses and social security.</p>
<h2>How is consumer privacy protected internationally? </h2>
<h3>Broad guidelines: The OECD Privacy Guidelines</h3>
<p>Though not a law, the OECD Guidelines drafted in 1980 provide a useful set of ‘fair information practices’ within which privacy of consumers may be evaluated. Briefly, the eight principles declared were: 1) Collection limitation principle (there should be limits to the collection of data), 2) data quality principle (data should be accurate and relevant to the purpose collected), 3) purpose specification principle, 4) use limitation principle, 5) security safeguards principle, 6) openness principle (there should be openness about data policies and changes thereof), 7) individual participation principle (enabling the individual to find out if data is being held about him and to obtain a copy of the data and make corrections) and 8) accountability principle <strong>[2]</strong>. </p>
<div>
<h3>The EU Data Protection Directive (Directive 95/46/EC) </h3>
</div>
<div>
<p>This is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. The basic guidelines of the Directive are <strong>[3]</strong>:</p>
</div>
<div>
<p> <strong><em>Notice: </em></strong>Data subjects must be notified of: the identity of the collector of their personal information, the uses for which the information is being collected, how the data subjects may exercise any available choices regarding the use or disclosure of personal information, where and to whom information may be transferred, and how data subjects may access their personal information. </p>
</div>
<div>
<p><em><strong>Consent</strong>:</em> “Unambiguous consent” of a data subject is required before any personal information may be processed. Special categories such as race, religion, political or philosophical beliefs, health, union membership, sex life, and criminal history have additional processing requirements.</p>
</div>
<p><strong><em>Consistency: </em></strong>Controllers and processors may only use information in accordance with the terms of the notice given.</p>
<div>
<p><strong><em>Access:</em></strong> Controllers must give data subjects access to personal information. </p>
<p><strong><em>Security</em></strong>: Organizations must provide adequate security, using both technical and other means to protect the confidentiality and integrity of the data. </p>
<p><strong><em>Onward transfer</em></strong>: Personal information may not be transferred to a third party unless that third party has signed a contract with the individual or organization which binds them to use the information consistently with the notice given to the data subjects.</p>
<p><strong><em>Enforcement</em></strong>: Each EU country has established a Data Protection Authority that has the power to investigate complaints, levy fines, initiate criminal actions, and demand changes in businesses' information-handling practices.</p>
</div>
<h3>Specific Sectoral Legislation and privacy policies </h3>
<div>
<div>
<p>The US takes a sectoral approach to protecting consumer privacy. Legislation that protects consumer privacy includes: Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. Also, the CAN-SPAM Act bans the sending of commercial electronic messages that contain false information. The most comprehensive act for the consumer in the U.S. is the Fair Credit Report Act, which was passed in 1970. Enforcement of the Act is vested in the Federal Trade Commission. The FCRA applies to how consumers' information is collected and used, and applies to insurance, employment, and other non-credit consumer transactions. Under the FCRA the information that is protected is broadly defined as 1. Consumer Report: any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for credit, insurance, and employment purposes. </p>
</div>
</div>
<p> Furthermore the FCRA: </p>
<div>
<p> (a) provides the right for consumers to ensure the accuracy of their data. </p>
<p> (b) includes “right to know” provisions to enable consumers to know all information in their files </p>
<p> (c) grants consumer dispute rights </p>
<p> (d) limits disclosure of information </p>
<p> (e) requires opt-out options <strong>[ibid 4]</strong></p>
<h2>Consumer Privacy in India </h2>
<div>
<p>Broadly, there are four potential avenues for the protection of consumer privacy in India. </p>
<p> 1. Individual organizations may voluntarily commit to protect the information of their clients through “Privacy Policies”. These become a component of the contractual commitments between the service providers and customers and are enforced through ordinary civil litigation. </p>
<p> 2. Certain professions and industries have codes of privacy that they must statutorily abide by. This is true of such professions as the medical profession and the legal profession in India and the entire banking industry and the telecom industry. Rigorous privacy norms are set for each of these industries by their respective apex governing bodies. Penalties for breach include derecognition and monetary penalties. </p>
</div>
<div>
<p> 3. Consumer privacy may be enforced by the specialized Consumer Dispute Tribunals under the Consumer Protection Act in India. </p>
<p> 4. The newly amended Information Technology Act imposes an obligation on anyone controlling data to indemnify against losses caused by the leakage/improper use of that data. </p>
</div>
<div>
<p>Each of these mechanisms is discussed in some detail below: </p>
</div>
<h3>Privacy Policies: </h3>
<div>
<p>Several Indian companies have publicly stated privacy policies that they display on their website. We have profiled the privacy policies of two such companies as a sample. </p>
</div>
<div>
<p><em><strong>Airtel</strong></em>: Defines personal information, informs users how their information will be used, describes which third parties will have access to your information, provides the ability to opt-out of commercial SMSs, provides an email address for privacy concerns. </p>
<p><em><strong>Rediff</strong></em>: Provides email for customer support, states what personal information is collected from you, what information is collected from you by cookies, what information is collected about you and stored, who will collect the information about you, how the information will be used to advertise to you and tailor to your preferences, states the rights that advertisers have to your information, disclaimer of responsibility for any other websites linked to the page, states that the information released in a chat room is considered public information, defines third party usage, defines security measures taken, lays out what choices the consumer has regarding collection and distribution of their information, contains opt-out clauses, defines personal information, defines cookies, explains that consumers have the ability to correct inaccurate information, requires youth consent <strong>[5]</strong>. </p>
</div>
<div>
<p><em>Examples of Indian organizations without a privacy policy on websites</em>: Canara Bank, Andhra Bank, Indian Railways, Air-India, BSNL, State Bank of India. </p>
<p><strong><em>Note: </em></strong>The International Guide to Privacy suggests the following be included in privacy policies: description of the personal information collected by the website and third party, description of how the information is used and list of parties with whom it may be shared, a list of the options available regarding the collection, use, sharing and distribution of the information, a description of how inaccuracies can be corrected, a list of the websites that are linked to the organization’s site and a disclaimer that the organization is not responsible for the privacy practices of other sites, a description of how the information is safeguarded (both physically and electronically) against loss, misuse, and alteration, consent for use of personal information <strong>[6]</strong>.</p>
</div>
<div>
<h3>Professional/Industrial Regulations </h3>
</div>
<div>
<p> As mentioned above, several professional bodies have privacy guidelines which their members must abide by.</p>
<p><strong><em>Advocates</em></strong></p>
</div>
</div>
<p>Rules of Professional Conduct have been framed under the Advocates Act and establish a code of conduct to be followed by lawyers in order to protect the confidence, information, and data of a client. It is important to note that the obligation of confidentiality continues even after the client relationship is terminated. The Evidence Act further buttresses the confidentiality of clients by making information passed between lawyer and client subject to a special privilege <strong>[7]</strong>.</p>
<p><strong><em> Medical Practitioners </em></strong></p>
<p>Similarly, in 2002, the Medical Council of India notified the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations which contain ethical injunctions backed by disciplinary action in cases of breaches. Several of these relate to privacy, for instance: every physician is required to maintain medical records pertaining to indoor patients for a period of 3 years from the date of commencement of the treatment <strong>[8]</strong>.</p>
<p><em> Article 2.2: </em> Requires physicians to maintain confidences concerning individual or domestic life entrusted by patients to a physician. Defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. The rule also requires the physician, controversially, to evaluate “whether his duty to society requires him to employ knowledge, obtained through confidence as a physician, to protect a healthy person against a communicable disease to which he is about to be exposed”. In such an instance, the rules advise the physician to “act as he would wish another to act toward one of his own family in like circumstances.”</p>
<p> <em>Article 7.14:</em> Enjoins the registered medical practitioner not to disclose the secrets of a patient that have been learnt in the exercise of his / her profession except –</p>
<p>1. in a court of law under orders of the Presiding Judge;</p>
<p> 2. in circumstances where there is a serious and identified risk to a specific person and / or community; and</p>
<p> 3. notifiable diseases.</p>
<p> <em>Article 7.17</em>: Forbids a medical practitioner from publishing photographs or case reports of patients without their permission, in any medical or other journal in a manner by which their identity could be made out. If the identity is not to be disclosed, however, the consent is not needed.</p>
<p><em>Important Case Law</em></p>
<p>In one of the most important cases to have come up on the issue of privacy, a person sued a hospital for having disclosed his HIV status to his fiancée without his knowledge, resulting in their wedding being called off. In Mr. X vs Hospital Z, the Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. The Supreme Court, while affirming the duty of confidentiality owed to patients, ruled that the right to privacy was not absolute and was “subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others.”<strong>[9]</strong> This case raises certain questions which might be worthwhile to consider:</p>
<p>1. Are there other ways in which the situation could have been handled, such as through proper counselling? Furthermore, it is important to establish what the role of a hospital is, and where its primary interest lies in protecting its patient and its patient's data, and to take into consideration the importance of consent in handling and disclosing personal information.</p>
<p> 2. The argument that the right to privacy is not absolute raises questions of who is determining the limits for disclosure of the man's HIV status. If his fiancée should be informed of his results, should his workplace, community, church? Do they face the same risks as his fiancée? Who is to be the judge of this risk?</p>
<h3>Banking and Telecom Industry</h3>
<p>The Banking and Telecom industry each have regulatory authorities which have periodically issued guidelines seeking to protect the privacy of customers. Thus, for instance, RBI's Customer Service statement obliges bankers to maintain secrecy, and not to divulge any information to third parties. Likewise, the TRAI has issued regulations on unsolicited commercial communications and has initiated steps to monitor confidentiality measures taken by telecom operators. More details are provided in the accompanying briefs that exclusively deal with the banking and telecom industries.</p>
<p><strong><em>Consumer Protection Act 1986:</em></strong></p>
<p>The Consumer Protection Act, which was enacted with the objective to provide for better protection of the interests of the consumer, has emerged as a major source of relief to those who have suffered violations of their privacy <strong>[10]</strong>.</p>
<p><em>Important Case Laws </em></p>
<p>In Rajindre Nagar Post Office vs. Sh Ashok Kriplani a post master was accused of not delivering a registered letter, opening it, and then returning it in a torn condition. It was determined that the tearing of the letter without delivery to the addressee was a grave “deficiency in service” on the part of the appellant. It was ruled that the right of privacy of the respondent was infringed upon by the postman. Under the Consumer Protection Act 1986, compensation of Rs. 1000 was awarded for the mental agony, harassment, and loss arising from the charge of deficiency in service. The importance of this case lies in the willingness of the courts to treat breach of privacy as a “deficiency of service”<strong>[11]</strong>.</p>
<p>In January 2007, the Delhi State Consumer Disputes Redressal Commission imposed a fine of Rs. 75 lakh on a group of defendants including Airtel, ICICI and the American Express Bank for making unsolicited calls, messages and telemarketing. Although this decision was reversed on appeal by the Delhi High Court it confirms a trend of Consumer Dispute Redressal Commissions willing to take up cudgels on behalf of consumers for violations of their privacy.</p>
<h3>Information Technology Act 2000 (Amended 2008)</h3>
<p> In 2008, the Information Technology Act was amended to include an extremely salutary relief to people when a breach of privacy is occasioned by the leakage of data from computerised databases maintained by corporates. Thus, the newly inserted Section 43A states that if a “body corporate” is possessing, dealing, or handling any “sensitive personal data or information” in a computer resource which it owns, controls, or operates, and is negligent in implementing and maintaining “reasonable security practices and procedures” and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.</p>
<p>The Section further stipulates that the Central Government would come up with the reasonable security practices and procedures and would also define what constituted ‘personal sensitive information’.</p>
<p>Likewise, the newly introduced Section 72A declares that if “any person including an intermediary” secures access to any personal information about another person while providing services under the terms of lawful contract, and if he, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such information without the consent of the person concerned, or in breach of a lawful contract, he is liable to be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both <strong>[12]</strong>.</p>
<h2>Conclusion</h2>
<p>In conclusion, it is important to consider many elements when looking at an effective protective regime for consumer privacy:<br />1. Is a comprehensive data protection approach or a sectoral approach more suited to the needs of India?</p>
<p>2. Does India want to become compliant with international standards for data protection?</p>
<p>3. How will privacy policies be enforced and how will organizations be held accountable for protection of client privacy under the legislation?</p>
<p>4. Will consumers be notified if their information is breached? If so – what will be included in the breach notification?</p>
<p>5. How can a legislation ensure that consumers are aware of their privacy rights?</p>
<p>6. How can a privacy legislation address the need for different levels of protection for different types of data?</p>
<h3>Bibliography:</h3>
<p class="discreet">1. Examples drawn from: Oussayef, Karim. Selective Privacy: Facilitating Market Based Solutions to Data Breaches by Standardizing Internet Privacy Policies. 14 B U Journal Sci and Tech Law. 105 2008.</p>
<p class="discreet">2. Organisation for Economic Co-operation and Development, <em>OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security</em>, July 25, 2002</p>
<p class="discreet">3. Directive 95/46/EC of European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of data</p>
<p class="discreet">4. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg.34-4</p>
<p class="discreet">5. <a href="http://www.rediff.com/w3c/policy.html">http://www.rediff.com/w3c/policy.html</a></p>
<p class="discreet">6. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg. 161-164</p>
<p class="discreet">7. The Advocates Act 1961 <a href="http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf">http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf</a></p>
<p class="discreet">8. Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations. Published in Part III, Section 4 of the Gazette of India, dated 6th April, 2002 <a href="http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf">http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf</a>.</p>
<p class="discreet">9. (1998) 8 SCC 296: <a href="http://indiankanoon.org/doc/382721/">http://indiankanoon.org/doc/382721/</a></p>
<p class="discreet">10. Indian Consumer Protection Act 1986 <a href="http://www.legalhelpindia.com/consumer-protection-act.html">http://www.legalhelpindia.com/consumer-protection-act.html</a>.</p>
<p class="discreet">11. <a href="http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm">http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm</a></p>
<p class="discreet">12. Information Technology Act 2000: Amended 2008 <a href="http://www.mit.gov.in/content/information-technology-act">http://www.mit.gov.in/content/information-technology-act</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/consumer-privacy'>https://cis-india.org/internet-governance/blog/privacy/consumer-privacy</a>
</p>
No publisher | elonnai | Privacy | 2012-03-21T10:06:04Z | Blog Entry
Public Statement to Final Draft of UID Bill
https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID
<b>The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become law in India. The following note contains Civil Society's response to the final draft of the Bill. </b>
<p>On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year, in June 2010, the Authority issued a draft UID Bill to the public for comment and review. Civil Society responded with a detailed summary and high-level summary of points that amended the draft or were missing in the draft Bill. We are disappointed that none of the concerns raised by Civil Society, including those listed below, were addressed.</p>
<ul><li>
<p><strong>Architecture</strong></p>
</li></ul>
<p>The centralized architecture of the UID project is unnecessary. A federated and decentralized structure to the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.</p>
<ul><li>
<p><strong>Scope</strong></p>
</li></ul>
<p>The scope of the Bill is overbroad. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms creates a threat that data will be collected and used beyond delivery of benefits.</p>
<ul><li>
<p><strong>Voluntary and not Mandatory</strong></p>
</li></ul>
<p>The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number, provided that an individual furnishes equivalent ID, thus ensuring that the <em>Aadhaar</em> number is truly voluntary. </p>
<ul><li>
<p><strong>Inadequate Privacy Safeguards</strong></p>
</li></ul>
<p>The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about data collection, transfer, retention, security, and dissemination.</p>
<ul><li>
<p><strong>Unwarranted Data Retention</strong></p>
</li></ul>
<p>The Bill does not provide adequate privacy protection for transaction data. In particular section 32(2) empowers the Authority to determine the duration that data is to be retained for.</p>
<ul><li>
<p><strong>Lack of accountability for all Actors</strong></p>
</li></ul>
<p>The Bill holds only the Authority accountable for violations. Rather the Bill needs to hold enrolling agencies, registrars, and other service providers accountable. Furthermore, the Bill does not provide adequate regulations or accountability for the data that are outsourced. </p>
<ul><li>
<p><strong>Lack of Exceptions</strong></p>
</li></ul>
<p>The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of <em>Aadhaar</em> numbers or authentication of transactions. </p>
<ul><li>
<p><strong>Lack of Anonymity</strong></p>
</li></ul>
<p>The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an<em> Aadhaar </em>number should not be requested.</p>
<ul><li>
<p><strong>Inadequacy of Penalties</strong></p>
</li></ul>
<p>The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.</p>
<ul><li>
<p><strong>Unaffordability of Fees</strong></p>
</li></ul>
<p> It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated. </p>
<ul><li>
<p><strong>Lack of Rollback and Ombudsman Office</strong></p>
</li></ul>
<p>The Bill does not provide adequate redress for system/transaction errors and fraud. </p>
<ul><li>
<p><strong>Inappropriate Structure and Governance</strong></p>
</li></ul>
<p>The Bill does not provide appropriate judicial and parliamentary oversight.</p>
<p> Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant: </p>
<ul><li><strong>Definition of Resident</strong></li></ul>
<p>Section 2 (q): “resident” means an individual usually residing in a
village or rural area or town or ward or demarcated area (demarcated by
the Registrar General of Citizen Registration) within ward in a town
or urban area”</p>
<p><em>Comment</em>: This section clarifies the definition of
‘resident’ from the draft Bill, which defined resident as an “individual
usually residing within the territory of India”. By specifying that
individuals in demarcated areas will not receive UID numbers, the
definition of resident is brought into line with the scope of the Bill
as laid out in the preamble. We see this change as a positive revision.</p>
<ul><li><strong>Prohibition of Dissemination of Information</strong></li></ul>
<p>Section 30 (3): “Notwithstanding anything contained in
any other law and save as otherwise provided in this Act, the Authority
or any of its officer or other employee or any agency who maintains the
Central Identities Data Repository shall not, whether during his service
as such or thereafter, reveal any information stored in the Central
Identities Data Repository to any person”</p>
<p><em>Comment</em>: This
section prohibits the dissemination of any information that is stored in
the Central Identities Data Repository. This prohibition extends to
anyone or any entity that handles information, and supersedes other laws
that might permit dissemination of information. We see this change as a
positive revision.</p>
<ul><li><strong>Disclosure of Information in the Case of National Security</strong></li></ul>
<p>Section 33 (b): “Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”</p>
<p><em>Comment</em>: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency", which already has a considerable volume of judicial reasoning that has elaborated what it means. For example, in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety", the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID'>https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-22T05:48:00Z | Blog Entry
Should Ratan Tata be Afforded the Right to Privacy?
https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata
<b>The Ratan Tata case has raised many important questions pertaining to privacy. This note looks at a few of those questions, and the debate that centers around them. </b>
<h3>Introduction</h3>
<p>In 2008 and 2009, conversations between Nira Radia, a professional corporate lobbyist, and many different individuals were intercepted by Income Tax officials. The interception was approved by the Ministry of Home Affairs. The interception was conducted for suspected tax evasion, possible money laundering, and restricted financial practices. The individuals included: A. Raja, the then Cabinet Minister of the Ministry of Communications and Information Technology; Ratan Tata, a client of Nira Radia and Chairman of the Tata group of companies; and various journalists, including Barkha Dutt, an NDTV journalist alleged to have lobbied in support of A. Raja’s appointment as minister, and Vir Sanghvi, editor of the Hindustan Times, alleged to have edited articles reducing the blame in the Nira Radia tapes. Earlier this year, these conversations were leaked to the media by an unknown source. The leak exposed a scam to manipulate the upcoming auctioning off of the 2G spectrum. In response to his leaked conversations with his consultant Nira Radia, Ratan Tata has filed a petition in the Supreme Court, claiming that his privacy has been invaded. Tata claims that the conversations were private, and that the tapes should be withdrawn from the public. He has not objected to the use of the tapes in court, acknowledging that they were obtained legally. On December 2nd the Supreme Court issued a notice to restrain the unauthorised publication of the intercepted tapes [1].</p>
<h3>Questions of Privacy</h3>
<p>The Nira Radia tapes case raises many important questions about privacy, wiretapping, transparency and ethics. It will be interesting to see how the court rules on different issues as the case progresses. First, it will be meaningful to see how the court responds to Tata’s plea for privacy. Indian courts have seen only a handful of cases that have directly appealed for protection of privacy as a fundamental right [2]. The type of privacy that has been invaded in this situation is unclear. If one looks at the privacy invasion as the data that was improperly protected, thus leading to the leak, the Tax Department may be found to have violated the informational privacy of Tata. If one looks at the invasion of privacy as the fact that personal contents of conversations were made public with the intent to expose the 2G scam, the claim is really one that his personal privacy has been invaded. Because India does not have a specific legislation on privacy, there is no clear definition of what privacy is, and whether or not Tata has had his privacy invaded. The decision by the courts will help to clarify how Indian society defines privacy, and where the line between public and private falls.</p>
<h3>Is the Information Public Knowledge?</h3>
<p>Whether or not the information intercepted in the phone conversations is public knowledge is an important question to answer. Though the 2G spectrum belongs to the people, and the conversations that were intercepted were planning a scam to defraud the Indian exchequer, the conversations were meant to be private. So, does the public have a right to know the content of the conversations, or does Ratan Tata have the right to privacy? The legislation that addresses the release of public information, and defines the categories of information that are considered to be private, is the Right to Information Act 2005. In recent years the right to knowledge has become a cornerstone of Indian civil liberties. The Right to Information Act 2005 embodies this liberty. The RTI mandates timely response to a citizen’s request for government information, and in its preamble affirms the policy that “…democracy requires an informed citizenry and transparency of information which are vital to its functioning and also to contain corruption and to hold Governments and their instrumentalities accountable to the governed”[3]. Under the Act, public information about or held by the government must be given to citizens upon request. Unlike in some countries, such as Canada, where the Right to Information is bolstered by a privacy law [4], the Indian legislation only contains sections that detail exceptions of data that cannot be disclosed, and the conditions for third party release. These exceptions are laid out in section 8, and release of records to a third party is outlined in section 11.</p>
<h3>Are the Conversations Considered Public Knowledge and Would they be Released by an RTI?</h3>
<p>In a recent interview Prashant Bhushan, Supreme Court Advocate, responded to a similar question with the following statement [5]:</p>
<p>Bhushan: <em>"Firstly the conversations which have come out in the public domain are not private conversations. They are conversations between Nira Radia with various public servants, with various journalists etc in her official capacity as a paid professional lobbyist and fixer for her principals. Therefore, there is hardly anything personal in these conversations. These are all professional conversations or conversations about deal making, fixing, subverting public policy etc. These conversations would be available to every citizen even under the Right to Information Act because the only objection that one could raise would be on the ground of 81(J) of the Right to Information Act which says - information which relates to personal information, the disclosure of which has no relationship to any public activity or interest. This information has relationship to public activity or interest. It also says - or which would cause unwarranted invasion of the privacy of the individual unless the public authority is satisfied, unless the information officer is satisfied that the larger public interest justifies the disclosure of such an information. In this case there is overwhelming public interest which warrants the disclosure of this information because this shows all kinds of deal making, fixing going on.</em>"</p>
<p>As Bhushan has pointed out, it is possible to make the argument that the taped conversations should be categorized as public knowledge. They took place between public officials and journalists, and pertain to an issue that deeply impacts the public as a whole. Thus, a preliminary question that should be asked is whether Tata’s conversations would be revealed through an RTI, or whether his conversations would fall under the exemption of personal information found in section 8(j):</p>
<p align="left">“ <em>Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: </em></p>
<p align="left"><em>Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.</em>”</p>
<p>It is interesting to note the structure of this exemption. By the use of the word “or” the legislation suggests that unwarranted invasion of individual privacy may trigger the exemption, even if the information has a relationship to a public activity or interest. But the added caveat says that the larger public interest could justify the release of even purely private information. In addition, what constitutes “personal” information is never defined in the legislation. Thus, whether Tata’s conversations were personal in nature will have to be determined by the courts. Even if the nature of Tata’s wiretapped conversations was deemed not to be personal information, there still is an argument that they could still not be released to the public through an RTI, because Tata is not a Tax Department official, and the RTI requires disclosure of information about the Tax Department or officials in the tax department, not information about individuals who are under investigation by the Tax department.</p>
<h3>Was the Leak of the Tape Legal?</h3>
<p>Though the recording of the tapes by the Tax Department appears to be legal under the Telegraph Act 1885 section 5(2), the leak of the tape was not. Section 5(2) reads:</p>
<p><em>Section 5(2) – (2) On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order:</em></p>
<p><em>Provided that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this sub-section.</em></p>
<p>Though the Telegraph Act does not lay out specific procedures as to how wiretapped information is to be protected and secured, under sections 23 and 24 no person is permitted to illegally obtain the contents of an intercepted telegraph.</p>
<p><em>23. Intrusion into signal-room, trespass in telegraph office or obstruction – If any person –</em></p>
<p><em> 1. without permission of competent authority, enters the signal-room of a telegraph office of the Government, or of a person licensed under this Act, or</em></p>
<p><em> 2. enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or</em></p>
<p><em> 3. refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or</em></p>
<p><em> 4. willfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to five hundred rupees.</em></p>
<p><em> 24. Unlawfully attempting to learn the contents of messages – If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.</em></p>
<h3>Is it Important that the Leak was Illegal: A Question About the Public Good</h3>
<p>Clearly, from the above clauses, and in this situation, the Tax Department could argue first that they are not responsible for the leak, and second that the illegality of the release of the tapes is subservient to the need to protect public safety. But what constitutes the greater good? In the case of Babu Ram 8 Verma Vs. State of Uttar Pradesh (1971) the Supreme Court interpreted the expression “public interest” as an act beneficial to the general public and an action taken for public purpose[6]. When considering whether the information is for the public good, the simple answer seems to be yes, the exposure of the 2G scam does benefit the “public interest”, but this should not be the complete answer. The reason that there are laws to regulate the dissemination of information is to protect information from being presented in a way that prejudices a person or discloses information that the public does not have a right to know. It is courts, not individuals, who should decide that the public does have a right to know before the information is disseminated. The information on the tapes could have been brought to the public’s attention by other, legal, means. Namely, the Tax Department could have filed for a new warrant to use the wiretapped information pertaining to the 2G scam, and disclosed the materials in connection with the Comptroller and Auditor General of India.</p>
<h3>Concerns about Privacy and the Right to Information: Not a Balance, but a Partnership</h3>
<p>The concern that privacy will be used to weaken transparency and to conceal crimes and corruption is often voiced as an obstacle to instituting a firm privacy law. Privacy is not a shield, and should not be mistaken for one. Privacy legislation should bring clarity to the Right to Information. It should create a concise framework and understanding of what information is always acceptable to disclose, and what information is not acceptable to disclose without court authorization. In this situation, a privacy law could have clarified that conversations among private citizens are presumptively private, and that a court must determine otherwise. Though many people believe that the right to privacy and the right to transparency exist in a balance in which one right will always subordinate the other, this is not necessarily true. For instance, if we look at how the two rights are at work when a voter is about to go to the polling station, it is easy to see how they are related. The right to privacy can be understood, inter alia, as the right to be safe in one’s own identity. This is crucial for voting. If you look at this with a focus on the candidate for election, there is the need to know as much information about that individual as possible in order to make an informed choice, but if too much unrelated information is known about a candidate, the election could be compromised.</p>
<h3>Conclusion: Will Ratan Tata be Afforded the Right to Privacy? </h3>
<p>In conclusion, the Nira Radia and Ratan Tata case raises many fundamental questions about privacy. In his white paper on privacy Vakul Sharma pointed out two important cases that could pertain to this situation. The first is People’s Union for Civil Liberties (PUCL) v. Union of India, in which the Supreme Court held that telephone tapping by the Government under S. 5(2) of the Telegraph Act, 1885 amounts to an infraction of Article 21 of the Constitution of India. The right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. The said right cannot be curtailed “except according to procedure established by law”[7]. It will be interesting to see if the courts follow a similar reasoning in this case, because though the tap was legal, the leak was illegal, or if exceptions will be made under the assumption of the greater public good. The second important case was State v. Charulata Joshi, in which the Supreme Court held that “the constitutional right to freedom of speech and expression conferred by Article 19(1)(a) of the Constitution which includes the freedom of the press is not an absolute right. The press must first obtain the willingness of the person sought to be interviewed and no court can pass any order if the person to be interviewed expresses his unwillingness”[8]. Perhaps the courts will instead follow the logic in this case, and rule that the press had no right to publish the recorded conversations and that by doing so, Ratan Tata’s privacy was invaded. No matter what the court’s decision is, it is clear that in light of the Nira Radia case, the UID, and many other arising situations, India needs to come to a decision about whether it wants privacy legislation, and, if so, what privacy legislation should look like.</p>
<h3>Bibliography:</h3>
<p>1. http://en.wikipedia.org/wiki/2G_spectrum_scam; http://economictimes.indiatimes.com/news/politics/nation/On-Tatas-plea-apex-court-sends-notice-to-govt/articleshow/7028580.cms</p>
<p> http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html</p>
<p> http://economictimes.indiatimes.com/news/politics/nation/Phone-taps-should-not-be-leaked-Chidambaram/articleshow/7036765.cm</p>
<p>2. The following are a few cases that pertain to privacy: R. Rajagopal v. State of Tamil Nadu, People’s Union for Civil Liberties (PUCL) v. Union of India, Gobind v. State of M.P.</p>
<p>3. The Right to Information Act 2005. Preamble.</p>
<p>4. The Canadian Access to Information Act was created in 1985, and is meant to complement the Privacy Act.</p>
<p>5. http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html</p>
<p>6. Chakraborty, B.K. RTI and Protection of Individual Privacy. Tripura Information Commissio</p>
<p>7. Sharma, Vakul. White Paper on Privacy Protection in India. Section 5</p>
<p>8. Sharma, Vakul. White Paper on Privacy Protection in India. Section 3</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata'>https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata</a>
</p>
No publisher | elonnai | 2012-03-21T10:03:20Z | Blog Entry
UID & Privacy - A Call for Papers
https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers
<b>Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010. </b>
<h3>Topic</h3>
<p>Privacy and the UID</p>
<h3>Submission Deadline</h3>
<p> By 15 January 2010 to admin@privacyindia.org</p>
<h3>Word Length</h3>
<p> 3,000-5,000 words</p>
<h3>Topic Summary</h3>
<p>The <em>Aadhaar</em> scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate. </p>
<p>As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is fully in place.</p>
<p>We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:</p>
<ul><li> Comparative studies on privacy and national identity card schemes in other countries</li></ul>
<ul><li> Privacy and the UID Bill </li></ul>
<ul><li> How will a project such as the UID change the relationship between the state, the individual, and the market? </li></ul>
<p>Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.</p>
<h3>Who We Are</h3>
<p>Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see <a class="external-link" href="http://www.privacyinternational.org/">www.privacyinternational.org</a>). Privacy India's objective is to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers'>https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-21T10:03:44Z | Blog Entry
The Privacy Rights of Whistleblowers
https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers
<b>The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy. </b>
<h3>Introduction</h3>
<p>In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth in this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right To Information Act – that entitle the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if it violates the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. 
One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest – i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he/she is trying to remedy or avoid actual wrongdoing rather than simply publishing information that is "interesting to the public?"</p>
<h3>What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks?</h3>
<p>Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going "up the chain" in a person's own department or agency or company. If the person is reporting wrongdoing and the person ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him, for example by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of press – the information can no longer be covered up. Neither the right to free press, nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Whistle Blowing Act’s biggest weakness is that the Bill’s Central Vigilance Commission is designated to play both the role of competent authority to deal with complaints filed by whistleblowers and that of the tribunal to protect whistleblowers. Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. 
The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Maharashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same because it is not a news media outlet, but instead is a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is not tied down to a certain territory, government, or entity, Wikileaks has the pull of non-bias. But the strength of Wikileaks is also its weakness. When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor to ensure that everything was appropriate to post. As a result, the information was transmitted to an audience who normally would not be entitled to it. By doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.</p>
<h3>Privacy and Whistleblowing</h3>
<p>As a result the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage. The way in which Wikileaks leaked information and the nature of the leak has brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved. Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include: identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question whether intent should be brought into the analysis of privacy and whistleblowers. If a whistleblower is disclosing with the intent to protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public,” or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt public interest. Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective). 
Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.</p>
<hr />
<h3>Sources:</h3>
<ul><li> http://www.ctv.ca/generic/generated/static/business/article1833688.html</li></ul>
<ul><li> Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act. </li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers'>https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-22T05:47:16Z | Blog Entry
An Open Letter to the Finance Committee: SCOSTA Standards
https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee
<b>The UID Bill has been placed before the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The note below compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.</b>
<h3>Introduction</h3>
<p>This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Though we recognize that Aadhaar biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.</p>
<h3>A background of the two standards</h3>
<p>The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:</p>
<p>1. Compliant with the international standard ISO-7816 for smart cards.</p>
<p>2. Based on a public/private key and PIN authentication factor.</p>
<p>3. Authentication factor refers to an individual’s keys, pass-phrases, and PIN.</p>
<p>The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:</p>
<p>1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.</p>
<p>2. Is based on a symmetric authentication factor.</p>
<h3>A comparison of the two standards</h3>
<table class="plain">
<tbody>
<tr>
<td><b>Standard </b><br /></td>
<td><b>SCOSTA - MNIC smart card</b><br /></td>
<td><b>Aadhaar Biometric - UID number </b><br /></td>
</tr>
<tr>
<td><b>Architecture </b><br /></td>
<td><b>Decentralized </b><br />SCOSTA standards require a key pair combination with a PIN, and thus can be structured in a decentralized manner <br /></td>
<td><b>Centralized</b><br />Aadhaar biometric standards require symmetric authentication factors, and thus must be structured in a centralized manner <br /></td>
</tr>
<tr>
<td><b>Standards for Technology </b><br /></td>
<td><b>Open standard<br /></b>Creates security through transparency <br /></td>
<td><b>Closed standard </b><br />Creates security through obscurity <br /></td>
</tr>
<tr>
<td><b>Points of failure </b><br /></td>
<td><b>Multiple points of failure</b><br />The SCOSTA standard has multiple points of failure because of its decentralized structure; thus, if one database is compromised, not all data is lost.<br /></td>
<td><b>Single point of failure </b><br />The Aadhaar Biometric standard has one single point of failure because of its centralized structure; thus, if the database is compromised, all data is lost.<br /></td>
</tr>
<tr>
<td><b>Impact on local industry </b><br /></td>
<td><b>Encourages</b><br />Open standards allow local industry to compete in manufacturing technology<br /></td>
<td><b>Discourages</b><br />Closed standards allow foreign players to monopolize the manufacturing of technology <br /></td>
</tr>
<tr>
<td><b>Cost analysis </b><br /></td>
<td><b>Cost effective </b><br />Increased competition keeps prices low <br /></td>
<td><b>Cost ineffective </b><br />Decreased competition keeps prices high<br /></td>
</tr>
<tr>
<td><b>Revocation</b></td>
<td><b>Revocable</b><br /> If the key pair and PIN are stolen, a new set of passwords can be issued<br /></td>
<td><b>Permanent</b> <br />If the biometrics of an individual are stolen, they cannot be re-issued <br /></td>
</tr>
<tr>
<td><b>Possibility of fraudulent authentication </b><br /></td>
<td><b>Lower</b><br />A thief must steal your smart card and your secret PIN to commit fraud <br /></td>
<td><b>Higher</b><br />A thief only needs to collect your fingerprints using a glass tumbler to commit fraud <br /></td>
</tr>
<tr>
<td><b>Viability of Technology</b></td>
<td><b>Proven effective for large populations </b><br /></td>
<td><b>Not proven effective for large populations</b><br /></td>
</tr>
</tbody>
</table>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee'>https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee</a>
</p>
No publisher | elonnai | Privacy | 2013-12-20T03:58:09Z | Blog Entry
Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert
https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy
<b>Vijayashankar, an eminent cyber law expert, answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.</b>
<p>A set of <a class="external-link" href="http://www.mit.gov.in/sites/upload_files/dit/files/RNUS_CyberLaw_15411.pdf">rules</a> relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.</p>
<p>The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?</p>
<p>On May 19, 2011, through e-mail, I had the opportunity to interview <a class="external-link" href="http://www.naavi.org/naavi_profile.html">Vijayashankar</a>, an expert in cyber law, on issues regarding the rights of bloggers, freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses. </p>
<p>I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights' is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or add comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages. </p>
<p>The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.</p>
<p>This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, bloggers’ rights are always subordinated to the rights of expression guaranteed to the blogger in the country where he is a citizen. </p>
<p>Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.</p>
<p>Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party; what legal authority/power would they have; would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable; and how would it avoid being influenced by any one government or by other stakeholders?</p>
<p>Next I asked him for examples of common privacy violations that happen to online users. A few he mentioned included identity theft in the form of phishing, which leads to financial frauds and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of a victim’s photographs to other obscene photographs/pictures; and spam, particularly through mobile phones. All are serious forms of privacy violations.</p>
<p>My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government and law enforcement access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is sufficiently offensive, a law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s own domestic law.</p>
<p>I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers’ and online users’ rights to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to him, bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.</p>
<p>An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S. Government, the U.S. Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, <a class="external-link" href="http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=search&court=US&case=/us/465/783.html"><em>Calder vs. Jones</em></a> 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.</p>
<p>A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for BlackBerry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as a Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits. </p>
<p>Lastly, I asked if a privacy legislation could address the issue at hand, i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content, and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy'>https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-21T09:35:06Z | Blog Entry
An Interview with Activist Shubha Chacko: Privacy and Sex Workers
https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers
<b>On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. Below is an account of our conversation.</b>
<h3>Introduction</h3>
<p>In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invade the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well. </p>
<p>When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. Only after I began my interview did I realize that how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.</p>
<h3>Basic Facts and Background Information:</h3>
<ul><li>Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1] </li></ul>
<ul><li>Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client. </li></ul>
<ul><li>Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.</li></ul>
<h3>Understanding the Challenge of the Public and the Private</h3>
<p>My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that” [2].</p>
<table class="plain">
<tbody>
<tr>
<td><strong>What is the Challenge of the Public and the Private? </strong><br />
<p>“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home). This then leads people to assume that sex workers are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”</p>
<br /><strong>How does this tension of the public and the private translate into privacy violations? </strong><br /><br />
<p>"Due to the stigma around sex work all rights of sex workers are seriously compromised, with impunity. Thus, privacy is a threshold issue.</p>
<p>The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other “high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information, along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."</p>
</td>
</tr>
</tbody>
</table>
<h3>Stigma, Discrimination, and Identity</h3>
<p>Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impede sex workers from functioning comfortably in society and create a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces (parks, for example) and the over-gentrification of neighborhoods squeeze them out.</p>
<p>In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not yet widely practiced - especially among women in rural areas.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How Restricting is the Stigma? </strong><br />
<p>“Huge - hardly ever does a person’s entire identity get conflated with her occupation or livelihood option, the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say: oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.</p>
</td>
</tr>
</tbody>
</table>
<h3>HIV Initiatives, Medical Counseling, and Privacy</h3>
<p>Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.</p>
<p><strong>HIV Initiatives</strong></p>
<p>HIV initiatives run by the Government are often invasive and rely on privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How do Government HIV Initiatives Violate Privacy?</strong> <br />
<p>“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Line Listing </strong></p>
<p>The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>Line Listing and Privacy </strong><br />
<p>“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex worker’s address and such go out, and it’s put out with no safeguards.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>HIV Counselors and Doctors</strong></p>
<p>HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment as soon as possible if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How does HIV Counseling compromise Privacy? </strong><br />
<p>“…only the counselor and the lab technician are supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”</p>
</td>
</tr>
</tbody>
</table>
<h3>Media and Research</h3>
<p><strong>Media </strong></p>
<p>The media was another area of contention that Ms. Chacko pointed out. Though the media plays an important role as a channel for the voice of sex workers, it can also intrude on sex workers by publishing stories without their consent, or by reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.</p>
<p><em>“With hordes of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]</em></p>
<p>The media is also often a part of raids through its coverage of brothels being uncovered, and in doing so exposes the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police, will conduct raids that severely violate the privacy of sex workers. For example, an Express India article described a raid that took place in Pune with NGOs and the police, in which sex workers were dragged out, beaten, and molested by the police against their will [4].</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How does the media violate the privacy of sex workers? </strong><br />
<p>“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Research/Films </strong></p>
<p>Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers, to the one-sided victim story that is too often used to describe their lives, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can delegitimize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>Research and Privacy </strong><br />
<p>“Researchers who are writing a report on sex workers land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”</p>
</td>
</tr>
</tbody>
</table>
<h3>The Role of a Privacy Legislation</h3>
<p>In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society or, if a privacy legislation cannot offer a solution, whether there are other ways in which legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain that a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women who are not to be afforded the right to privacy. In fact, it is the law and the enforcers of the law themselves that are invading their privacy. For example, a study done by the World Health Organization found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore, the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers, as it would serve as an identity that would give only a yes or no response at the time of a transaction.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>Could a Privacy Legislation help? </strong><br />
<p>“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women, so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”</p>
</td>
</tr>
</tbody>
</table>
<h3>The Current Law</h3>
<p>In India, the Immoral Trafficking Prevention Act (ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B and 5C, which pertain to trafficking, are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead define them as the same [6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, thereby criminalizing sex work de facto [7]. In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”</p>
<h3>Solutions</h3>
<p>One of the most impactful sources of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers Union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions for which they would not otherwise be able to seek legal or other assistance. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels that the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have for sex workers, because the transactions would be done through a yes/no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession, and to focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.</p>
<h3>Bibliography </h3>
<ol>
<li><a class="external-link" href="http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602">http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602</a></li>
<li><a class="external-link" href="http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms">http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms</a></li>
<li><a class="external-link" href="http://www.thehindu.com/news/article1594609.ece">http://www.thehindu.com/news/article1594609.ece</a></li>
<li><a class="external-link" href="http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/">http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/</a></li>
<li><a class="external-link" href="http://www.who.int/gender/documents/sexworkers.pdf">http://www.who.int/gender/documents/sexworkers.pdf</a></li>
<li><a class="external-link" href="http://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf">http://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf</a></li>
<li><a class="external-link" href="http://cflr.org/ITPA%20Amendment%20bill.htm">http://cflr.org/ITPA%20Amendment%20bill.htm</a></li>
<li><a class="external-link" href="http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf">http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf</a></li>
<li><a class="external-link" href="http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/">http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/</a></li>
<li><a class="external-link" href="http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/">http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/</a></li>
<li><a class="external-link" href="http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers">http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers</a></li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers'>https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2012-03-28T06:26:03Z | Blog Entry