The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 61 to 75.
Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India
https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india
<b>The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse. </b>
<p align="justify">The European Court of Justice
(ECJ) has invalidated a European Commission (EC) decision<a class="sdfootnoteanc" name="sdfootnote1anc" href="#sdfootnote1sym"><sup>1</sup></a>
which had previously concluded that the 'Safe Harbor Privacy
Principles'<a class="sdfootnoteanc" name="sdfootnote2anc" href="#sdfootnote2sym"><sup>2</sup></a>
provide adequate protections for European citizens’ privacy rights<a class="sdfootnoteanc" name="sdfootnote3anc" href="#sdfootnote3sym"><sup>3</sup></a>
for the transfer of personal data between European Union and United
States. This challenge stems from the claim that public law
enforcement authorities in America obtain personal data from
organisations in safe harbour for incompatible and disproportionate
purposes in violation of the Safe Harbour Privacy Principles. The
court's judgment follows the advice of the Advocate General of the
Court of Justice of the European Union (CJEU) who recently opined<a class="sdfootnoteanc" name="sdfootnote4anc" href="#sdfootnote4sym"><sup>4</sup></a>
that US practices allow for large-scale collection and transfer of
personal data belonging to EU citizens without them benefiting from
or having access to judicial protection under US privacy laws. The
inadequacies of the framework is not news for the Commission and
action by ECJ has been a long time coming. The ruling raises
important questions about how increasingly the contestations of
personal data are being employed in asserting claims of citizenship
in context of the internet.</p>
<p align="justify">
As the highest court in Europe,
the ECJ's decisions are binding on all member states. With this
ruling the ECJ has effectively restrained US firms from
indiscriminate collection and sharing of European citizens’ data on
American soil. The implications of the decision are significant,
because it shifts the onus of evaluating protections of personal data
for EU citizens from the 4,400 companies<a class="sdfootnoteanc" name="sdfootnote5anc" href="#sdfootnote5sym"><sup>5</sup></a>
subscribing to the system onto EU privacy watchdogs. Most
significantly, in addressing the rights of a citizen against an
established global brand, the judgement goes beyond political and
legal opinion to challenge the power imbalance that exists with
reference to US based firms.</p>
<p align="justify">
Today, the free movement of data
across borders is a critical factor in facilitating trade, financial
services, governance, manufacturing, health and development. However,
to consider the ruling as merely a clarification of transatlantic
mechanisms for data flows misstates the real issue. At the heart of
the judgment is the assessment whether US firms apply the tests of
‘necessity and proportionality’ in the collection and
surveillance of data for national security purposes. Application of
necessity and proportionality test to national security exceptions
under safe harbor has been a sticking point that has stalled the
renegotiation of the agreement that has been underway between the
Commission and the American data protection authorities.<a class="sdfootnoteanc" name="sdfootnote6anc" href="#sdfootnote6sym"><sup>6</sup></a></p>
<p align="justify">
For EU citizens the stake in the
case are even higher, as while their right to privacy is enshrined
under EU law, they have no administrative or judicial means of
redress, if their data is used for reasons they did not intend. In
the EU, citizens accessing and agreeing to use of US based firms are
presented with a false choice between accessing benefits and giving
up on their fundamental right to privacy. In other words, by seeking
that governments and private companies provide better data protection
for the EU citizens and in restricting collection of personal data on
a generalised basis without objective criteria, the ruling is
effectively an assertion of ‘data sovereignty’. The term ‘data
sovereignty’, while lacking a firm definition, refers to a spectrum
of approaches adopted by different states to control data generated
in or passing through national internet infrastructure.<a class="sdfootnoteanc" name="sdfootnote7anc" href="#sdfootnote7sym"><sup>7</sup></a>
Underlying the ruling is the growing policy divide between the US and
EU privacy and data protection standards, which may lead to what is
referred to as the balkanization<a class="sdfootnoteanc" name="sdfootnote8anc" href="#sdfootnote8sym"><sup>8</sup></a>
of the internet in the future.</p>
<p align="justify">
<em>US-EU Data Protection Regime </em></p>
<p align="justify">
The safe harbor pact between the
EU and US was negotiated in the late 1990s as an attempt to bridge
the different approaches to online privacy. Privacy is addressed in
the EU as a fundamental human right while in the US it is defined
under terms of consumer protection, which<em><strong>
</strong></em>allow trade-offs
and exceptions when national security seems to be under threat. In
order to address the lower standards of data protection prevalent in
the US, the pact facilitates data transfers from EU to US by
establishing certain safeguards equivalent to the requirements of the
EU data protection directive. The safe harbor provisions include
firms undertaking not to pass personal information to third parties
if the EU data protection standards are not met and giving users
right to opt out of data collection.<a class="sdfootnoteanc" name="sdfootnote9anc" href="#sdfootnote9sym"><sup>9</sup></a></p>
<p align="justify">
The agreement was due to be
renewed by May 2015<a class="sdfootnoteanc" name="sdfootnote10anc" href="#sdfootnote10sym"><sup>10</sup></a>
and while negotiations have been ongoing for two years, EU discontent
on safe harbour came to the fore following the Edward Snowden
revelations of collection and monitoring facilitated by large private
companies for the PRISM program and after the announcement of the
TransAtlantic Trade and Investment Partnership (TTIP).<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><sup>11</sup></a>
EU member states have mostly stayed silent as they run their own
surveillance programs often times, in cooperation with the NSA. EU
institutions cannot intervene in matters of national security
however, they do have authority on data protection matters. European
Union officials and Members of Parliament have expressed shock and
outrage at the surveillance programs unveiled by Snowden's 2013
revelations. Most recently, following the CJEU Advocate General’s
opinion, 50 Members of European Parliament (MEP) sent a strongly
worded letter the US Congress hitting back on claims of ‘digital
protectionism’ emanating from the US<a class="sdfootnoteanc" name="sdfootnote12anc" href="#sdfootnote12sym"><sup>12</sup></a>.
In no uncertain terms the letter clarified that the EU has different
ideas on privacy, platforms, net neutrality, encryption, Bitcoin,
zero-days, or copyright and will seek to improve and change any
proposal from the EC in the interest of our citizens and of all
people.</p>
<p align="justify">
<em>Towards Harmonization </em></p>
<p align="justify">
In November 2013, as an attempt
to minimize the loss of trust following the Snowden revelations, the
European Commission (EC) published recommendations in its report on
'Rebuilding Trust is EU-US Data Flows'.<a class="sdfootnoteanc" name="sdfootnote13anc" href="#sdfootnote13sym"><sup>13</sup></a>
The recommendations revealed two critical initiatives at the EU
level—first was the revision of the EU-US safe harbor agreement<a class="sdfootnoteanc" name="sdfootnote14anc" href="#sdfootnote14sym"><sup>14</sup></a>
and second the adoption of the 'EU-US Umbrella Agreement<a class="sdfootnoteanc" name="sdfootnote15anc" href="#sdfootnote15sym"><sup>15</sup></a>'—a
framework for data transfer for the purpose of investigating,
detecting, or prosecuting a crime, including terrorism. The Umbrella
Agreement was recently initialed by EU and US negotiators and it only
addresses the exchange of personal data between law enforcement
agencies.<a class="sdfootnoteanc" name="sdfootnote16anc" href="#sdfootnote16sym"><sup>16</sup></a>
The Agreement has gained momentum in the wake of recent cases around
issues of territorial duties of providers, enforcement jurisdictions
and data localisation.<a class="sdfootnoteanc" name="sdfootnote17anc" href="#sdfootnote17sym"><sup>17</sup></a>
However, the adoption of the Umbrella Act depends on US Congress
adoption of the<em><strong>
</strong></em>Judicial Redress
Act (JRA) as law.<a class="sdfootnoteanc" name="sdfootnote18anc" href="#sdfootnote18sym"><sup>18</sup></a></p>
<p align="justify">
<em>Judicial Redress Act </em></p>
<p align="justify">
The JRA is a key reform that the
EC is pushing for in an attempt to address the gap between privacy
rights and remedies available to US citizens and those extended to EU
citizens, including allowing EU citizens to sue in American courts.
The JRA seeks to extend certain protections under the Privacy Act to
records shared by EU and other designated countries with US law
enforcement agencies for the purpose of investigating, detecting, or
prosecuting criminal offenses. The JRA protections would extend to
records shared under the Umbrella Agreement and while it does include
civil remedies for violation of data protection, as noted by the
Center for Democracy and Technology, the present framework does not
provide citizens of EU countries with redress that is at par with
that which US persons enjoy under the Privacy Act.<a class="sdfootnoteanc" name="sdfootnote19anc" href="#sdfootnote19sym"><sup>19</sup></a></p>
<p align="justify">
For example, the measures
outlined under the JRA would only be applicable to countries that
have outlined appropriate privacy protections agreements for data
sharing for investigations and ‘efficiently share’ such
information with the US. Countries that do not have agreements with
US cannot seek these protections leaving the personal data of their
citizens open for collection and misuse by US agencies. Further, the
arrangement leaves determination of 'efficiently sharing' in the
hands of US authorities and countries could lose protection if they
do not comply with information sharing requests promptly. Finally,
JRA protections do not apply to non-US persons nor to records shared
for purposes other than law enforcement such as intelligence
gathering. JRA is also weakened by allowing heads of agencies to
exercise their discretion to seek exemption from the Act and opt out
of compliance.</p>
<p align="justify">
Taken together the JRA, the
Umbrella Act and the renegotiation of the Safe Harbor Agreement need
considerable improvements. It is worth noting that EU’s acceptance
of the redundancy of existing agreements and in establishing the
independence of national data protection authorities in investigating
and enforcing national laws as demonstrated in the Schrems and in the
Weltimmo<a class="sdfootnoteanc" name="sdfootnote20anc" href="#sdfootnote20sym"><sup>20</sup></a>
case point to accelerated developments in the broader EU privacy
landscape.</p>
<p align="justify">
<em>Consequences </em></p>
<p align="justify">
The ECJ Safe Harbor ruling will
have far-reaching consequences for the online industry. Often, costly
government rulings solidify the market dominance of big companies. As
high regulatory costs restrict the entrance of small and medium
businesses the market, competition is gradually wiped out. Further,
complying with high standards of data protection means that US firms
handling European data will need to consider alternative legal means
of transfer of personal data. This could include evolving 'model
contracts' binding them to EU data protection standards. As Schrems
points out, “Big companies don’t only rely on safe harbour: they
also rely on binding corporate rules and standard contractual
clauses.”<a class="sdfootnoteanc" name="sdfootnote21anc" href="#sdfootnote21sym"><sup>21</sup></a></p>
<p align="justify">
The ruling is good news for
European consumers, who can now approach a national regulator to
investigate suspicions of data mishandling. EU data protection
regulators may be be inundated with requests from companies seeking
authorization of new contracts and with consumer complaints. Some are
concerned that the ruling puts a dent in the globalized flow of
data<a class="sdfootnoteanc" name="sdfootnote22anc" href="#sdfootnote22sym"><sup>22</sup></a>,
effectively requiring data localization in Europe.<a class="sdfootnoteanc" name="sdfootnote23anc" href="#sdfootnote23sym"><sup>23</sup></a>
Others have pointed out that it is unclear how this decision sits
with other trade treaties such as the TPP that ban data
localisation.<a class="sdfootnoteanc" name="sdfootnote24anc" href="#sdfootnote24sym"><sup>24</sup></a>
While the implications of the decision will take some time in playing
out, what is certain is that US companies will be have to
restructure management, storage and use of data. The ruling has
created the impetus for India to push for reforms to protect its
citizens from harms by US firms and improve trade relations with EU.</p>
<p align="justify"><em>The Opportunity for India</em></p>
<p align="justify">
Multiple data flows taking place
over the internet simultaneously and that has led to ubiquity of data
transfers o ver the Internet, exposing individuals to privacy risks.
There has also been an enhanced economic importance of data
processing as businesses collect and correlate data using analytic
tools to create new demands, establish relationships and generate
revenue for their services. The primary concern of the Schrems case
may be the protection of the rights of EU citizens but by seeking to
extend these rights and ensure compliance in other jurisdictions, the
case touches upon many underlying contestations around data and
sovereignty.</p>
<p align="justify">
Last year, Mr Ram Narain, India
Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through
network functionality and global norms will go a long way in
increasing the trust and confidence in use of ICT.”<a class="sdfootnoteanc" name="sdfootnote25anc" href="#sdfootnote25sym"><sup>25</sup></a>
In the absence of the recognition of privacy as a right and
empowering citizens through measures or avenues to seek redressal
against misuse of data, the demand of data sovereignty rings empty.
The kind of framework which empowered an ordinary citizen in the EU
to approach the highest court seeking redressal based on presumed
overreach of a foreign government and from harms abetted by private
corporations simply does not exist in India. Securing citizen’s
data in other jurisdictions and from other governments begins with
establishing protection regimes within the country.</p>
<p align="justify">
The Indian government has also
stepped up efforts to restrict transfer of data from India including
pushing for private companies to open data centers in India.<a class="sdfootnoteanc" name="sdfootnote26anc" href="#sdfootnote26sym"><sup>26</sup></a>
Negotiating data localisation does not restrict the power of private
corporations from using data in a broad ways including tailoring ads
and promoting products. Also, data transfers impact any organisation
with international operations for example, global multinationals who
need to coordinate employee data and information. Companies like
Facebook, Google and Microsoft transfer and store data belonging to
Indian citizens and it is worth remembering that the National
Security Agency (NSA) would have access to this data through servers
of such private companies. With no existing measures to restrict such
indiscriminate access, the ruling purports to the need for India to
evolve strong protection mechanisms. Finally, the lack of such
measures also have an economic impact, as reported in a recent
Nasscom-Data Security Council of India (DSCI) survey<a class="sdfootnoteanc" name="sdfootnote27anc" href="#sdfootnote27sym"><sup>27</sup></a>
that pegs revenue losses incurred by the Indian IT-BPO industry at
$2-2.5 billion for a sample size of 15 companies. DSCI has further
estimated that outsourcing business can further grow by $50 billion
per annum once India is granted a “data secure” status by the
EU.<a class="sdfootnoteanc" name="sdfootnote28anc" href="#sdfootnote28sym"><sup>28</sup></a>
EU’s refusal to grant such a status is understandable given the
high standard of privacy as incorporated under the European Union
Data Protection Directive a standard to which India does not match
up, yet. The lack of this status prevents the flow of data which is
vital for Digital India vision and also affects the service industry
by restricting the flow of sensitive information to India such as
information about patient records.</p>
<p align="justify">
Data and information structures
are controlled and owned by private corporations and networks
transcend national borders, therefore the foremost emphasis needs to
be on improving national frameworks. While, enforcement mechanisms
such as the Mutual Legal Assistance Treaty (MLAT) process or other
methods of international cooperation may seem respectful of
international borders and principles of sovereignty,<a class="sdfootnoteanc" name="sdfootnote29anc" href="#sdfootnote29sym"><sup>29</sup></a>
for users that live in undemocratic or oppressive regimes such
agreements are a considerable risk. Data is also increasingly being
stored across multiple jurisdictions and therefore merely applying
data location lens to protection measures may be too narrow. Further
it should be noted that when companies begin taking data storage
decisions based on legal considerations it will impact the speed and
reliability of services.<a class="sdfootnoteanc" name="sdfootnote30anc" href="#sdfootnote30sym"><sup>30</sup></a>
Any future regime must reflect the challenges of data transfers
taking place in legal and economic spaces that are not identical and
may be in opposition. Fundamentally, the protection of privacy will
always act as a barrier to the free flow of information even so, as
the Schrems case ruling points out not having adequate privacy
protections could also restrict flow of data, as has been the case
for India.</p>
<p align="justify">
The time is right for India to
appoint a data controller and put in place national frameworks, based
on nuanced understanding of issues of applying jurisdiction to govern
users and their data. Establishing better protection measures will
not only establish trust and enhance the ability of users to control
data about themselves it is also essential for sustaining economic
and social value generated from data generation and collection.
Suggestions for such frameworks have been considered previously by
the Group of Experts on Privacy constituted by the Planning
Commission.<a class="sdfootnoteanc" name="sdfootnote31anc" href="#sdfootnote31sym"><sup>31</sup></a>
By incorporating transparency in mechanisms for data and access
requests and premising requests on established necessity and
proportionality Indian government can lead the way in data protection
standards. This will give the Indian government more teeth to
challenge and address both the dangers of theft of data stored on
servers located outside of India and restrain indiscriminate access
arising from terms and conditions of businesses that grant such
rights to third parties. </p>
<div id="sdfootnote1">
<p>
<a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC
of the European Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles and
related frequently asked questions issued by the US Department of
Commerce (notified under document number C(2000) 2441) (Text with
EEA relevance.) <em>Official
Journal L 215 , 25/08/2000 P. 0007 -0047 </em>
2000/520/EC:
<u><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">http</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">://</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">eur</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">-</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">lex</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">.</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">europa</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">.</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">eu</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">/</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">LexUriServ</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">/</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">LexUriServ</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">.</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">do</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">?</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">uri</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">=</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">CELEX</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">:32000</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">D</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">0520:</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">EN</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">:</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">HTML</a></u></p>
</div>
<div id="sdfootnote2">
<p>
<a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>
Safe Harbour Privacy Principles Issued by the U.S. Department of
Commerce on July 21, 2000
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">://</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">www</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">export</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">gov</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">safeharbor</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eu</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eg</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">main</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_018475.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">asp</a></u></p>
</div>
<div id="sdfootnote3">
<p>
<a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>
Megan Graham, <a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Adding</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Some</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Nuance</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">on</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">the</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">European</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Court</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">’</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">s</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Safe</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Harbor</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Decision</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">,
</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Just</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">security</a></p>
<p>
<u><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">https</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">://</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">www</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">.</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">justsecurity</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">.</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">org</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">/26651/</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">adding</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">nuance</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">ecj</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">safe</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">harbor</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">decision</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">/</a></u></p>
</div>
<div id="sdfootnote4">
<p>
<a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>
Advocate
General’s Opinion in Case C-362/14 Maximillian Schrems v Data
Protection Commissioner Court of Justice of the European Union,
Press Release, No 106/15 Luxembourg, 23 September 2015
<u><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">http</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">://</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">curia</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">.</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">europa</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">.</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">eu</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">jcms</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">upload</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">docs</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">application</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">pdf</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/2015-09/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">cp</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">150106</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">en</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">.</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote5">
<p>
<a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour
alternatives’, The Register, October 7, 2015
<u><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">http</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">://</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">www</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">.</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">theregister</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">.</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">co</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">.</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">uk</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">/2015/10/07/</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">eu</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">pushes</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">safe</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">harbour</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">alternatives</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">/</a></u> </p>
</div>
<div id="sdfootnote6">
<p>
<a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
Draft Report, General Data Protection Regulation, Committee on Civil
Liberties, Justice and Home Affairs, European Parliament, 2009-2014
<a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">http</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">://</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">www</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">europarl</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">europa</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">eu</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">meetdocs</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/2009_2014/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">documents</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">libe</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">pr</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/922/922387/922387</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">en</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">pdf</a></p>
</div>
<div id="sdfootnote7">
<p>
<a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS
Characteristics: Data Sovereignty and the Balkanisation of the
Internet’, University of Oxford, July 7, 2014
<u><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">https</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">://</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">www</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">.</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">usenix</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">.</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">org</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">system</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">files</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">conference</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">foci</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">14/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">foci</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">14-</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">polatin</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">-</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">reuben</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">.</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote8">
<p>
<a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
Sasha
Meinrath, The Future of the Internet: Balkanization and Borders,
Time, October 2013
<u><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">http</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">://</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">ideas</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">.</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">time</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">.</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">com</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">/2013/10/11/</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">the</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">future</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">of</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">the</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">internet</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">balkanization</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">and</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">borders</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">/</a></u></p>
</div>
<div id="sdfootnote9">
<p>
<a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
Safe Harbour Privacy Principles, Issued by the U.S. Department of
Commerce, July 2001
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">://</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">www</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">export</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">gov</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">safeharbor</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eu</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eg</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">main</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_018475.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">asp</a></u></p>
</div>
<div id="sdfootnote10">
<p>
<a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a>
Facebook
case may force European firms to change data storage practices, The
Guardian, September 23, 2015
<u><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">http</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">://</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">www</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">.</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">theguardian</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">.</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">com</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">/</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">us</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">news</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">/2015/</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">sep</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">/23/</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">us</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">intelligence</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">services</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">surveillance</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">privacy</a></u></p>
</div>
<div id="sdfootnote11">
<p>
<a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>
Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013
<u><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">https</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">://</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">iapp</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">.</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">org</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">/</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">news</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">/</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">a</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">/</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">us</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">eu</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">safe</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">harbor</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">under</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">pressure</a></u></p>
</div>
<div id="sdfootnote12">
<p>
<a class="sdfootnotesym" name="sdfootnote12sym" href="#sdfootnote12anc">12</a>
Kieren
McCarthy, Privacy, net neutrality, security, encryption ... Europe
tells Obama, US Congress to back off, The Register, 23 September,
2015
<u><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">http</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">://</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">www</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">.</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">theregister</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">.</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">co</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">.</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">uk</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">/2015/09/23/</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">european</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">politicians</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">to</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">congress</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">back</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">off</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">/</a></u></p>
</div>
<div id="sdfootnote13">
<p>
<a class="sdfootnotesym" name="sdfootnote13sym" href="#sdfootnote13anc">13</a>
Communication from the Commission to the European Parliament and the
Council, Rebuilding Trust in EU-US Data Flows, European Commission,
November 2013
<u><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">http</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">://</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">ec</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">.</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">europa</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">.</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">eu</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">justice</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">data</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">-</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">protection</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">files</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">com</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">_2013_846_</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">en</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">.</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote14">
<p>
<a class="sdfootnotesym" name="sdfootnote14sym" href="#sdfootnote14anc">14</a>
Safe
Harbor on trial in the European Union, Access Blog, September 2014
<u><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">https</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">://</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">www</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">.</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">accessnow</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">.</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">org</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">/</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">blog</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">/2014/11/13/</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">safe</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">harbor</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">on</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">trial</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">in</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">the</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">european</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">union</a></u></p>
</div>
<div id="sdfootnote15">
<p>
<a class="sdfootnotesym" name="sdfootnote15sym" href="#sdfootnote15anc">15</a>
European
Commission - Fact Sheet Questions and Answers on the EU-US data
protection "Umbrella agreement", September 8, 2015
<u><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">http</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">://</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">europa</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">.</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">eu</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">/</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">rapid</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">/</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">press</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">-</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">release</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">_</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">MEMO</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">-15-5612_</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">en</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">.</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">htm</a></u> </p>
</div>
<div id="sdfootnote16">
<p>
<a class="sdfootnotesym" name="sdfootnote16sym" href="#sdfootnote16anc">16</a>
McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data
transfers’, Lexology, September 14, 2015
<u><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">http</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">://</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">www</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">.</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">lexology</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">.</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">com</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">/</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">library</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">/</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">detail</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">.</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">aspx</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">?</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">g</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">=422</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">bca</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">41-2</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">d</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">54-4648-</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">ae</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">57-00</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">d</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">678515</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">e</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">1</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">f</a></u></p>
</div>
<div id="sdfootnote17">
<p>
<a class="sdfootnotesym" name="sdfootnote17sym" href="#sdfootnote17anc">17</a>
Andrew
Woods, Lowering the Temperature on the Microsoft-Ireland Case,
Lawfare September, 2015
<u><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">https</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">://</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">www</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">.</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">lawfareblog</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">.</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">com</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">/</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">lowering</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">temperature</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">microsoft</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">ireland</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">case</a></u></p>
</div>
<div id="sdfootnote18">
<p>
<a class="sdfootnotesym" name="sdfootnote18sym" href="#sdfootnote18anc">18</a>
Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement
and the Judicial Redress Act: Small Steps Forward for EU Citizens’
Privacy Rights’, October 5, 2015
<u><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">https</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">://</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">cdt</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">.</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">org</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">/</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">blog</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">/</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">the</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">eu</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">us</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">umbrella</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">agreement</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">and</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">the</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">judicial</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">redress</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">act</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">small</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">steps</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">forward</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">for</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">eu</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">citizens</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">privacy</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">rights</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">/</a></u></p>
</div>
<div id="sdfootnote19">
<p>
<a class="sdfootnotesym" name="sdfootnote19sym" href="#sdfootnote19anc">19</a>
Ibid 18.</p>
</div>
<div id="sdfootnote20">
<p>
<a class="sdfootnotesym" name="sdfootnote20sym" href="#sdfootnote20anc">20</a>
Landmark ECJ data protection ruling could impact Facebook and
Google, The Guardian, 2 October, 2015
<u><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">http</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">://</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">www</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">.</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">theguardian</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">.</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">com</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">/</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">technology</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">/2015/</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">oct</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">/02/</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">landmark</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">ecj</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">data</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">protection</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">ruling</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">facebook</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">google</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">weltimmo</a></u></p>
</div>
<div id="sdfootnote21">
<p>
<a class="sdfootnotesym" name="sdfootnote21sym" href="#sdfootnote21anc">21</a>
Julia Powles, Tech companies like Facebook not above the law, says
Max Schrems, The Guardian, Octover 9, 2015
<a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">http</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">://</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">www</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">.</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">theguardian</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">.</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">com</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">/</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">technology</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">/2015/</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">oct</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">/09/</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">facebook</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">data</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">privacy</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">max</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">schrems</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">european</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">court</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">of</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">justice</a></p>
</div>
<div id="sdfootnote22">
<p>
<a class="sdfootnotesym" name="sdfootnote22sym" href="#sdfootnote22anc">22</a>
Adam
Thierer,
Unintended
Consequences of the EU Safe Harbor Ruling, The Technology Liberation
Front, October 6, 2015
<u><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">http</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">://</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">techliberation</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">.</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">com</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">/2015/10/06/</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">unintended</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">consequenses</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">of</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">the</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">eu</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">safe</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">harbor</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">ruling</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">/#</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">more</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-75831</a></u></p>
</div>
<div id="sdfootnote23">
<p>
<a class="sdfootnotesym" name="sdfootnote23sym" href="#sdfootnote23anc">23</a>
Anupam
Chander, Tweeted ECJ<a href="https://twitter.com/hashtag/schrems?src=hash">
#</a><a href="https://twitter.com/hashtag/schrems?src=hash">schrems</a>
ruling may effectively require data localization within Europe,
<u><a href="https://twitter.com/AnupamChander/status/651369730754801665">https</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">://</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">twitter</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">.</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">com</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">/</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">AnupamChander</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">/</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">status</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">/651369730754801665</a></u></p>
</div>
<div id="sdfootnote24">
<p>
<a class="sdfootnotesym" name="sdfootnote24sym" href="#sdfootnote24anc">24</a>
Lokman Tsui, Tweeted, “If the TPP bans data localization, but the
ECJ ruling effectively mandates it, what does that mean for the
internet?”
<u><a href="https://twitter.com/lokmantsui/status/651393867376275456">https</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">://</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">twitter</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">.</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">com</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">/</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">lokmantsui</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">/</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">status</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">/651393867376275456</a></u></p>
</div>
<div id="sdfootnote25">
<p>
<a class="sdfootnotesym" name="sdfootnote25sym" href="#sdfootnote25anc">25</a>
Statement from Indian Head of Delegation, Mr Ram Narain for WGPL,
<a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Indian</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">statement</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">on</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">ITU</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">and</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Internet</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">at</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">the</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Working</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Group</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Plenary</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">November</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">
4, 2014 </a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">https</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">://</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">ccgnludelhi</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">.</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">wordpress</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">.</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">com</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">/</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">author</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">/</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">asukum</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">87/</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">page</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">/2/</a></p>
</div>
<div id="sdfootnote26">
<p>
<a class="sdfootnotesym" name="sdfootnote26sym" href="#sdfootnote26anc">26</a>
Sounak
Mitra, Xiaomi bets big on India despite problems, Business Standard,
December 2014
<u><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">http</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">://</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">www</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">.</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">business</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">standard</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">.</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">com</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">/</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">article</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">/</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">companies</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">/</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">xiaomi</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">bets</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">big</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">on</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">india</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">despite</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">problems</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-114122201023_1.</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">html</a></u></p>
</div>
<div id="sdfootnote27">
<p>
<a class="sdfootnotesym" name="sdfootnote27sym" href="#sdfootnote27anc">27</a>
Neha
Alawadi, Ruling on data flow between EU & US may impact India’s
IT sector, Economic Times,October 7, 2015
<a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">://</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">economictimes</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">indiatimes</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">com</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">articleshow</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/49250738.</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cms</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">?</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">source</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">contentofinterest</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">medium</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">text</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">campaign</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cppst</a></p>
</div>
<div id="sdfootnote28">
<p>
<a class="sdfootnotesym" name="sdfootnote28sym" href="#sdfootnote28anc">28</a>
Pranav Menon, Data Protection Laws in India and Data Security-
Impact on India and Data Security-Impact on India - EU Free Trade
Agreement, CIS Access to Knowledge, 2011
<u><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">http</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">://</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">cis</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">india</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">.</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">org</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">/</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">a</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">2</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">k</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">/</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">blogs</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">/</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">data</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">security</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">laws</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">india</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">.</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote29">
<p>
<a class="sdfootnotesym" name="sdfootnote29sym" href="#sdfootnote29anc">29</a>
Surendra
Kumar Sinha, India wants Mutual Legal Assistance treaty with
Bangladesh, Economic Times, October 7, 2015
h<u><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">ttp</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">://</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">economictimes</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">indiatimes</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">com</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">articleshow</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/49262294.</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cms</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">?</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">source</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">contentofinterest</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">medium</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">text</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">campaign</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cppst</a></u></p>
</div>
<div id="sdfootnote30">
<p>
<a class="sdfootnotesym" name="sdfootnote30sym" href="#sdfootnote30anc">30</a>
Pablo
Chavez, Director, Public Policy and Government Affairs, Testifying
before the U.S. Senate on transparency legislation, November 3,
2013
<u><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">http</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">://</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">googlepublicpolicy</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">.</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">blogspot</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">.</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">in</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">/2013/11/</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">testifying</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">before</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">us</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">senate</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">on</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">.</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">htm</a></u> </p>
</div>
<div id="sdfootnote31">
<p>
<a class="sdfootnotesym" name="sdfootnote31sym" href="#sdfootnote31anc">31</a>
Report
of the Group of Experts on Privacy (Chaired by Justice A P Shah,
Former Chief Justice, Delhi High Court), Planning Commission,
October 2012
<u><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">://</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">planningcommission</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">.</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">nic</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">.</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">in</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">/</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">reports</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">/</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">genrep</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">/</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">rep</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">_</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">privacy</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">.</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">pdf</a></u></p>
<p align="justify"> </p>
</div>
<div id="sdfootnote31">
<p align="justify"> </p>
</div>
<div id="sdfootnote30"> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india'>https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india</a>
</p>
No publisherjyotiAccess to KnowledgeDigital EconomyPublic AccountabilityPrivacyPlatform ResponsibilityData ProtectionAccountabilityDigital SecurityDigital IndiaInternet Governance2015-10-14T14:40:08ZBlog EntryPrivacy International's Trip to Asia
https://cis-india.org/news/privacy-internationals-trip-to-asia
<b>In February 2012, the PI team travelled to India, Bangladesh and Hong Kong to meet with our local partners in the region and speak at four conferences they had organized. We also got the chance to interview our partners in India and Bangladesh on the privacy issues facing them at the moment - this video is the result of those conversations. </b>
<p>PI spent the first half of February in Asia, visiting our regional partners and speaking at events. Our trip began in Delhi, where the Centre for Internet and Society (in collaboration with the Society in Action Group) had organized two consecutive privacy conferences – an invite-only conclave on Friday 3rd February and a free symposium open to the public on Saturday 4th February. The conclave consisted of two panels, the first focusing on the relationship between national security and privacy, the second on privacy and the Internet. We were seriously impressed with the calibre of the speakers CIS and SAG had gathered – the panels included a Supreme Court Advocate, a Member of Parliament and the Former Chief of the Research and Analysis Wing (the Indian equivalent of MI-6 and the CIA) – but Gus and Eric held their own!<br /><br />The All India Privacy Symposium the next day was partly intended as a public showcase of the amazing research Privacy India, CIS and SAG have conducted over the past two years, including consultations in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai and Mumbai. The event was organized into five panels: Privacy and Transparency, Privacy and E-Governance Initiatives, Privacy and National Security, Privacy and Banking, and Privacy and Health. A few themes recurred throughout the day – perhaps the most prominent being the repeated allegation that the Indian government's technological illiteracy is putting its citizens at risk. One panellist described how an RTI (right to information) request had recently revealed that the government had no idea how many of its own computers had been hacked or how much data had been stolen – even though this information has been in the public domain since the Wikileaks diplomatic cable releases.<br /><br />On Sunday, our IDRC funder in Delhi very kindly lent us his beautiful house for a PrivAsia strategy meeting. We chatted about how the Indian project had gone thus far, and the sort of activities our partners would like to undertake over the next couple of years. Their main priority at the moment is India's proposed UID (Unique Identification) project, which is riddled with flaws, inconsistencies and logical gaps. The project is also extremely expensive, with estimates ranging from just under $4 billion to $33 billion. Our partners strongly oppose the programme in its current form, and are exploring a number of strategies for fighting it - we'll keep you appraised of their progress...<br /><br />PI then parted ways – Gus headed to Hong Kong and Eric and I flew to Dhaka to meet up with Simon and Ahmed Swapan of Voices for Interactive Choice and Empowerment (VOICE), our partner in Bangladesh. We spent a day at the VOICE offices, getting extremely jealous of their huge kitchen and the fact that they all sit down to a freshly cooked lunch every day. That evening, Ahmed took us to a book fair, which was much livelier than we were expecting! It was held outside and was packed with people socialising, eating deep-fried crayfish and (occasionally) perusing the books and pamphlets on display. The fair is apparently an annual event and VOICE have had their own stand there for the past few years.<br /><br />The following day was the National Convention on the Right to Privacy and Data Protection, organized by VOICE and a group of other Bangladeshi NGOs. We were delighted by the turnout - over 80 people showed up to listen and to voice their own opinions - but Ahmed was unsurprised, explaining that privacy was a hot topic in Bangladesh at the moment. Several issues were clearly extremely controversial, and the debate became very heated when it turned to the relationship between privacy and the right to information (recently enshrined in law in the RTI Act 2009). It was amazing to see how passionate people were, and how eager to improve things. The debate was presided over by retired Justice Golam Rabbani, who urged the government to create a national tribunal for the protection of the citizen's right to privacy.<br /><br />Gus spent a brief 36 hours in Hong Kong but was able to participate in a symposium run by our partners at Hong Kong University's Faculty of Law. The participants at the symposium included the Privacy Commissioner of Hong Kong, academics and industry experts from China, Macau and Taiwan, and guest speakers from Switzerland and Canada. The slides of many of the presentations are available online. Apparently the level of sophistication in the academic research that is now starting to influence the legislative environment in Hong Kong and China is astonishing.<br /><br />Trips like these are exhausting but invaluable - they allow us to see the PrivAsia work in action rather than hearing about it in emails and phone calls, and to discuss progress and problems face-to-face. Eric and Gus are already looking forward to Pakistan in April...</p>
<p><a class="external-link" href="https://www.privacyinternational.org/blog/pis-trip-to-asia">This blog post by Emma Draper was published on the Privacy International blog</a></p>
<hr />
<p>Watch the video about contemporary privacy issues in India and Bangladesh below</p>
<iframe src="http://www.youtube.com/embed/wcIWqyXUc8g" frameborder="0" height="315" width="320"></iframe>
<p>
For more details visit <a href='https://cis-india.org/news/privacy-internationals-trip-to-asia'>https://cis-india.org/news/privacy-internationals-trip-to-asia</a>
</p>
No publisherpraskrishnaInternet GovernancePrivacy2012-04-25T09:58:12ZNews ItemSupreme Court Order is a Good Start, but is Seeding Necessary?
https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary
<b>This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.</b>
<div>
<h3>Introduction</h3>
</div>
<div>
<p style="text-align: justify; ">On August 11th 2015, in the writ petition Justice K.S Puttaswamy (Retd.) & Another vs. Union of India & Others1, the Supreme Court of India issued an interim order regarding the constitutionality of the UIDAI scheme. In response to the order, Dr. Usha Ramanathan published an article titled 'Decoding the Aadhaar judgment: No more seeding, not till the privacy issue is settled by the court' which, among other points, highlights concerns around the seeding of Aadhaar numbers into service delivery databases. She writes that "seeding' is a matter of grave concern in the UID project. This is about the introduction of the number into every data base. Once the number is seeded in various databases, it makes convergence of personal information remarkably simple. So, if the number is in the gas agency, the bank, the ticket, the ration card, the voter ID, the medical records and so on, the state, as also others who learn to use what is called the 'ID platform', can 'see' the citizen at will."2</p>
</div>
<div>
<p style="text-align: justify; ">Building off of this statement, this article seeks to unpack the 'seeding' process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the Court in the context of the seeding process.</p>
</div>
<div>
<h3>What is Seeding?</h3>
</div>
<div>
<p style="text-align: justify; ">In the UID scheme, data points within databases of service providers and banks are organized via individual Aadhaar numbers through a process known as 'seeding'. The UIDAI has released two documents on the seeding process - "Approach Document for Aadhaar Seeding in Service Delivery Databases version 1.0" (Version 1.0)3 and "Standard Protocol Covering the Approach & Process for Seeding Aadhaar Number in Service Delivery Databases June 2015 Version 1.1" (Version 1.1)4</p>
</div>
<div>
<p style="text-align: justify; ">According to Version 1.0 "Aadhaar seeding is a process by which UIDs of residents are included in the service delivery database of service providers for enabling Aadhaar based authentication during service delivery."5 Version 1.0 further states that the "Seeding process typically involves data extraction, consolidation, normalization, and matching".6 According to Version 1.1, Aadhaar seeding is "a process by which the Aadhaar numbers of residents are included in the service delivery database of service providers for enabling de-duplication of database and Aadhaar based authentication during service delivery".7 There is an extra clause in Version 1.1's definition of seeding which includes "de-duplication" in addition to authentication.</p>
</div>
<div></div>
<div>
<p style="text-align: justify; ">Though not directly stated, it is envisioned that the Aadhaar number will be seeded into the databases of service providers and banks to enable cash transfers of funds. This was alluded to in the Version 1.1 document with the UIDAI stating "Irrespective of the Scheme and the geography, as the Aadhaar Number of a given Beneficiary finally has to be linked with the Bank Account, Banks play a strategic and key role in Seeding."8</p>
</div>
<div>
<h3>How does the seeding process work?</h3>
</div>
<div>
<p style="text-align: justify; ">The seeding process itself can be done through manual/organic processes or algorithmic/in-organic processes. In the inorganic process the Aadhaar database is matched with the database of the service provider - namely the database of beneficiaries, KYR+ data from enrolment agencies, and the EID-UID database from the UIDAI. Once compared and a match is found - for example between KYR fields in the service delivery database and KYR+ fields in the Aadhaar database - the Aadhaar number is seeded into the service delivery database.9</p>
</div>
<div>
<p style="text-align: justify; ">Organic seeding can be carried out via a number of methods, but the recommended method from the UIDAI is door to door collection of Aadhaar numbers from residents which are subsequently uploaded into the service delivery database either manually or through the use of a tablet or smart phone. Perhaps demonstrating the fact that technology cannot be used as a 'patch' for a broken or premature system, organic (manual) seeding is suggested as the preferred process by the UIDAI due to challenges such as lack of digitization of beneficiary records, lack of standardization in Name and Address records, and incomplete data.10</p>
</div>
<div>
<p style="text-align: justify; ">According to the 1.0 Approach Paper, to facilitate the seeding process, the UIDAI has developed an in house software known as Ginger. Service providers that adopt the Aadhaar number must move their existing databases onto the Ginger platform, which then organizes the present and incoming data in the database by individual Aadhaar numbers. This 'organization' can be done automatically or manually. Once organized, data can be queried by Aadhaar number by person's on the 'control' end of the Ginger platform.11</p>
</div>
<div>
<p style="text-align: justify; ">In practice this means that during an authentication in which the UIDAI responds to a service provider with a 'yes' or 'no' response, the UIDAI would have access to at least these two sets of data: 1.) Transaction data (date, time, device number, and Aadhaar number of the individual authenticating) 2.) Data associated to an individual Aadhaar number within a database that has been seeded with Aadhaar numbers (historical and incoming). According to the Approach Document version 1.0, "The objective here is that the seeding process/utility should be able to access the service delivery data and all related information in at least the read-only mode." 12 and the Version 1.1 document states "Software application users with authorized access should be able to access data online in a seamless fashion while providing service benefit to residents." 13</p>
</div>
<div>
<h3>What are the concerns with seeding?</h3>
</div>
<div>
<p style="text-align: justify; ">With the increased availability of data analysis and processing technologies, organisations have the ability to link disparate data points stored across databases in order that the data can be related to each other and thereby analysed to derive holistic, intrinsic, and/or latent assessments. This can allow for deeper and more useful insights from otherwise standalone data. In the context of the government linking data, such "relating" can be useful - enabling the government to visualize a holistic and more accurate data and to develop data informed policies through research14. Yet, allowing for disparate data points to be merged and linked to each other raises questions about privacy and civil liberties - as well as more intrinsic questions about purpose, access, consent and choice. To name a few, linked data can be used to create profiles of individuals, it can facilitate surveillance, it can enable new and unintended uses of data, and it can be used for discriminatory purposes.</p>
</div>
<div>
<p style="text-align: justify; ">The fact that the seeding process is meant to facilitate extraction, consolidation, normalization and matching of data so it can be queried by Aadhaar number, and that existing databases can be transposed onto the Ginger platform can give rise to Dr. Ramanthan's concerns. She argues that anyone having access to the 'control' end of the Ginger platform can access all data associated to a Aadhaar number, that convergence can now easily be initiated with databases on the Ginger platform, and that profiling of individuals can take place through the linking of data points via the Ginger platform.</p>
</div>
<div>
<h3>How does the Supreme Court Order impact the seeding process and what still needs to be clarified?</h3>
</div>
<div>
<p>In the interim order the Supreme Court lays out four welcome clarifications and limitations on the UID scheme:</p>
</div>
<div><ol>
<li>The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;</li>
<li>The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen;</li>
<li>The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;</li>
<li>The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation."15 </li>
</ol></div>
<div></div>
<div style="text-align: justify; ">
<div>
<p style="text-align: justify; ">In some ways, the court order addresses some of the concerns regarding the seeding of Aadhaar numbers by limiting the scope of the seeding process to the PDS scheme, but there are still a number of aspects of the scheme as they pertain to the seeding process that need to be addressed by the court.</p>
</div>
<div>
<p>These include:</p>
</div>
<div>
<p><b>The Process of Seeding </b></p>
<b> </b></div>
<b> </b>
<div><b> </b>
<p style="text-align: justify; "><b> </b>Prior to the Supreme Court interim order, the above concerns were quite broad in scope as Aadhaar could be adopted by any private or public entity - and the number was being seeded in databases of banks, the railways, tax authorities, etc. The interim order, to an extent, lessens these concerns by holding that "The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme…".</p>
</div>
<div>
<p style="text-align: justify; ">However, the Court could have perhaps been more specific regarding what is included under the PDS scheme, because the scheme itself is broad. That said, the restrictions put in place by the court create a form of purpose limitation and a boundary of proportionality on the UID scheme. By limiting the purpose of the Aadhaar number to use in the PDS system, the Aadhaar number can only be seeded into the databases of entities involved in the PDS Scheme, rather than any entity that had adopted the number. Despite this, the seeding process is an issue in itself for the following reasons:</p>
</div>
<div></div>
<ol> </ol>
<div style="text-align: justify; "><b>Access</b>: Embedding service delivery databases and bank databases with the Aadhaar number allows for the UIDAI or authorized users to access information in these databases. According to version 1.1 of the seeding document from the UIDAI - the UIDAI is carrying out the seeding process through 'seeding agencies'. These agencies can include private companies, public limited companies, government companies, PSUs, semi-government organizations, and NGOs that are registered and operating in India for at least three years.16 Though under contract by the UIDAI, it is unclear what information such organizations would be able to access. This ambiguity leaves the data collected by UIDAI open to potential abuse and unauthorized access. Thus, the Court Ruling fails to provide clarity on the access that the seeding process enables for the UIDAI and for private parties.</div>
<div style="text-align: justify; "><br /><b>Consent</b>: Upon enrolling for an Aadhaar number, individuals have the option of consenting to the UIDAI sharing information in three instances:</div>
<div>
<ul>
<li>"I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services."</li>
</ul>
</div>
<div>
<ul>
<li>"I want the UIDAI to facilitate opening of a new Bank/Post Office Account linked to my Aadhaar Number. </li>
</ul>
</div>
<div>
<ul>
<li>"I have no objection to sharing my information for this purpose""I have no objection to linking my present bank account provided here to my Aadhaar number"17 </li>
</ul>
</div>
<div style="text-align: justify; ">Aside for the vague and sweeping language of actions users provide consent for, which raises questions about how informed an individual is of the information he consents to share, at no point is an individual provided the option of consenting to the UIDAI accessing data - historic or incoming - that is stored in the database of a service provider in the PDS system seeded with the Aadhaar number. Furthermore, as noted earlier, the fact that the UIDAI concedes that a beneficiary has to be linked with a bank account raises questions of consent to this process as linking one's bank account with their Aadhaar number is an optional part of the enrollment process. Thus, even with the restrictions from the court order, if individuals want to use their Aadhaar number to access benefits, they must also seed their number with their bank accounts. On this point, in an order from the Finance Ministry it was clarified that the seeding of Aadhaar numbers into databases is a voluntary decision, but if a beneficiary provides their number on a voluntary basis - it can be seeded into a database.18</div>
<div style="text-align: justify; "></div>
<div></div>
<div>
<p><b>Withdrawing Consent</b>: The Court also did not directly address if individuals could withdraw consent after enrolling in the UID scheme - and if they did - whether Aadhaar numbers should be 'unseeded' from PDS related databases. Similarly, the Court did not clarify whether services that have seeded the Aadhaar number, but are not PDS related, now need to unseed the number. Though news items indicate that in some cases (not all) organizations and government departments not involved in the PDS system are stopping the seeding process19, there is no indication of departments undertaking an 'unseeding' process. Nor is there any indication of the UIDAI allowing indivduals enrolled to 'un-enroll' from the scheme. In being silent on issues around consent, the court order inadvertently overlooks the risk of function creep possible through the seeding process, which "allows numerous opportunities for expansion of functions far beyond those stated to be its purpose"20.</p>
</div>
<div>
<p><b>Verification and liability</b>: According to Version 1.0 and Version 1.1 of the Seeding documents, "no seeding is better than incorrect seeding". This is because incorrect seeding can lead to inaccuracies in the authentication process and result in individuals entitled to benefits being denied such benefits. To avoid errors in the seeding process the UIDAI has suggested several steps including using the "Aadhaar Verification Service" which verifies an Aadhaar number submitted for seeding against the Aadhaar number and demographic data such as gender and location in the CIDR. Though recognizing the importance of accuracy in the seeding process, the UIDAI takes no responsibility for the same. According to Version 1.1 of the seeding document, "the responsibility of correct seeding shall always stay with the department, who is the owner of the database."21 This replicates a disturbing trend in the implementation of the UID scheme - where the UIDAI 'initiates' different processes through private sector companies but does not take responsibility for such processes. 22</p>
</div>
<div>
<p><b>The Scope of the UIDAI's mandate and the necessity of seeding </b></p>
<b> </b></div>
<b> </b>
<div><b> </b>
<p><b> </b>Aside from the problems within the seeding process itself, there is a question of the scope of the UIDAI's mandate and the role that seeding plays in fulfilling this. This is important in understanding the necessity of the seeding process.</p>
</div>
</div>
<div>
<p style="text-align: justify; ">On the official website, the UIDAI has stated that its mandate is "to issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services." 23 Though the Supreme Court order clarifies the use of the Aadhaar number, it does not address the actual legality of the UIDAI's mandate - as there is no enabling statute in place -and it does not clarify or confirm the scope of the UIDAI's mandate.</p>
</div>
<div>
<p style="text-align: justify; ">In Version 1.0 of the Seeding document the UIDAI has stated the "Aadhaar numbers of enrolled residents are being 'seeded' ie. included in the databases of service providers that have adopted the Aadhaar platform in order to enable authentication via the Aadhaar number during a transaction or service delivery."24 This statement is only partially correct. For only providing and authenticating of an Aadhaar number - seeding is not necessary as the Aadhaar number submitted for verification alone only needs to be compared with the records in the CIDR to complete authentication of the same. Yet, in an example justifying the need for seeding in the Version 1.0 seeding document the UIDAI states "A consolidated view of the entire data would facilitate the social welfare department of the state to improve the service delivery in their programs, while also being able to ensure that the same person is not availing double benefits from two different districts."25 For this purpose, seeding is again unnecessary as it would be simple to correlate PDS usage with a Aadhaar number within the PDS database. Even if limited to the PDS system, seeding in the databases of service providers is only necessary for the creation and access to comprehensive information about an individual in order to determine eligibility for a service. Further, seeding is only necessary in the databases of banks if the Aadhaar number moves from being an identity factor - to a transactional factor - something that the UIDAI seems to envision as the Version 1.1 seeding document states that Aadhaar is sufficient enough to transfer payments to an individual and thus plays a key role in cash transfers of benefits.26</p>
</div>
<div>
<h3>Conclusion</h3>
</div>
<div>
<p style="text-align: justify; ">Despite the fact that adherence to the interim order from the Supreme Court has been adhoc27, the order does provide a number of welcome limitations and clarifications to the UID Scheme. Yet, despite limited clarification from the Supreme Court and further clarification from the Finance Ministry's Order, the process of seeding and its necessity remain unclear. Is the UIDAI taking fully informed consent for the seeding process and what it will enable? Should the UIDAI be liable for the accuracy of the seeding process? Is seeding of service provider and bank databases necessary for the UIDAI to fulfill its mandate? Is the UIDAI's mandate to provide an identifier and an authentication of identity mechanism or is it to provide authentication of eligibility of an individual to receive services? Is this mandate backed by law and with adequate safeguards? Can the court order be interpreted to mean that to deliver services in the PDS system, UIDAI will need access to bank accounts or other transactions/information stored in a service provider's database to verify the claims of the user?</p>
</div>
<div>
<p style="text-align: justify; ">Many news items reflect a concern of convergence arising out of the UID scheme.28 To be clear, the process of seeding is not the same as convergence. Seeding enables convergence which can enable profiling, surveillance, etc. That said, the seeding process needs to be examined more closely by the public and the court to ensure that society can reap the benefits of seeding while avoiding the problems it may pose.</p>
</div>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Usha Ramanthan. Decoding the Aadhaar judgment: No more seeding, not till the privacy issues is settled by the court. The Indian Express. August 12<sup>th</sup> 2015. Available at: http://indianexpress.com/article/blogs/decoding-the-aadhar-judgment-no-more-seeding-not-till-the-privacy-issue-is-settled-by-the-court/</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. UIDAI. Approach Document for Aadhaar Seeding in Service Delivery Databases. Version 1.0. Available at: https://authportal.uidai.gov.in/static/aadhaar_seeding_v_10_280312.pdf</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. UIDAI. Standard Protocol Covering the Approach & Process for Seeding Aadhaar Numbers in Service Delivery Databases. Available at: https://uidai.gov.in/images/aadhaar_seeding_june_2015_v1.1.pdf</p>
<p>[<a href="#fr5" name="fn5">5</a>]. Version 1.0 pg. 2</p>
<p>[<a href="#fr6" name="fn6">6</a>]. Version 1.0 pg. 19</p>
<p>[<a href="#fr7" name="fn7">7</a>]. Version 1.1 pg. 3</p>
<p>[<a href="#fr8" name="fn8">8</a>]. Version 1.1 pg. 7</p>
<p>[<a href="#fr9" name="fn9">9</a>]. Version 1.1 pg. 5 -7</p>
<p>[<a href="#fr10" name="fn10">10</a>]. Version 1.1 pg. 7-13</p>
<p>[<a href="#fr11" name="fn11">11</a>]. Version 1.0 pg 19-22</p>
<p>[<a href="#fr12" name="fn12">12</a>]. Version 1.0 pg. 4</p>
<p>[<a href="#fr13" name="fn13">13</a>]. Version 1.1 pg. 5, figure 3.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. David Card, Raj Chett, Martin Feldstein, and Emmanuel Saez. Expanding Access to Adminstrative Data for Research in the United States. Available at: http://obs.rc.fas.harvard.edu/chetty/NSFdataaccess.pdf</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841</p>
<p>[<a href="#fr16" name="fn16">16</a>]. Version 1.1 pg. 18</p>
<p>[<a href="#fr17" name="fn17">17</a>]. Aadhaar Enrollment Form from Karnataka State. http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf<i><br /> </i></p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Business Line. Aadhaar only for foodgrains, LPG, kerosene, distribution. August 27<sup>th</sup> 2015. Available at: http://www.thehindubusinessline.com/economy/aadhaar-only-for-foodgrains-lpg-kerosene-distribution/article7587382.ece</p>
<p>[<a href="#fr19" name="fn19">19</a>]. Bharti Jain. Election Commission not to link poll rolls to Aadhaar. The Times of India. August 15<sup>th</sup> 2015. Available at: http://timesofindia.indiatimes.com/india/Election-Commission-not-to-link-poll-rolls-to-Aadhaar/articleshow/48488648.cms</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Graham Greenleaf. “Access all areas': Function creep guaranteed in Australia's ID Card Bill (No.1) Computer Law & Security Review. Volume 23, Issue 4. 2007. Available at: http://www.sciencedirect.com/science/article/pii/S0267364907000544</p>
<p>[<a href="#fr21" name="fn21">21</a>]. Version 1.1 pg. 3</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. For example, the UIDAI depends on private companies to act as enrollment agencies and collect, verify, and enroll individuals in the UID scheme. Though the UID enters into MOUs with these organizations, the UID cannot be held responsible for the security or accuracy of data collected, stored, etc. by these entities. See draft MOU for registrars: https://uidai.gov.in/images/training/MoU_with_the_State_Governments_version.pdf</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841</p>
<p>[<a href="#fr24" name="fn24">24</a>]. Version 1.0 pg.3</p>
<p>[<a href="#fr25" name="fn25">25</a>]. Version 1.0 pg.4</p>
<p>[<a href="#fr26" name="fn26">26</a>]. Version 1.1 pg. 3</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. For example, there are reports of Aadhaar being introduced for different services such as education. See: Tanu Kulkarni. Aadhaar may soon replace roll numbers. The Hindu. August 21<sup>st</sup>, 2015. For example: http://www.thehindu.com/news/cities/bangalore/aadhaar-may-soon-replace-roll-numbers/article7563708.ece</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. For example see: Salil Tripathi. A dangerous convergence. July 31<sup>st</sup>. 2015. The Live Mint. Available at: http://www.livemint.com/Opinion/xrqO4wBzpPbeA4nPruPNXP/A-dangerous-convergence.html</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary'>https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary</a>
</p>
No publisherElonnai Hickok and Rohan GeorgeInternet GovernancePrivacy2015-09-07T13:21:58ZBlog EntryCIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015
https://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015
<b>The Centre for Internet & Society (CIS) submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015. </b>
<p class="Standard" style="text-align: justify; ">The Centre for Internet and Society is a non-profit research organisation that works on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. It engages in academic research to explore and affect the shape and form of Internet, along with its relationship with the Society, with particular emphasis on South-South dialogues and exchange. The Centre for Internet and Society was also a member of the Expert Committee which was constituted in the year 2013 by the Department of Biotechnology to discuss the draft Human DNA Profiling Bill.</p>
<p class="Standard" style="text-align: justify; "><b><span>Missing aspects from the Bill</span></b></p>
<p class="Standard" style="text-align: justify; ">The Human DNA Profiling Bill, 2015 has overlooked and has not touched upon the following crucial factors :</p>
<ul style="text-align: justify; ">
<li><span>Objects Clause</span></li>
</ul>
<p class="Standard" style="text-align: justify; ">An ‘objects clause,’ detailing the intention of the legislature and containing principles to inform the application of a statute, in the main body of the statute is an enforceable mechanism to give directions to a statute and can be a formidable primary aid in statutory interpretation. [See, for example, section 83 of the Patents Act, 1970 that directly informed the Order of the Controller of Patents, Mumbai, in the matter of NATCO Pharma and Bayer Corporation in Compulsory Licence Application No. 1 of 2011.] Therefore, the Bill should incorporate an objects clause that makes clear that</p>
<p class="Standard" style="text-align: justify; ">“DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity, therefore forensic DNA profiling should only have probative value and not be considered as conclusive proof.</p>
<p class="Standard" style="text-align: justify; ">The Act recognises that all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA and in order to protect this right to privacy the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times.”</p>
<ul style="text-align: justify; ">
<li><span>Collection and Consent</span></li>
</ul>
<p class="Standard" style="text-align: justify; ">The Bill does not contain provisions regarding instances when the DNA samples can be collected from the individuals without consent (nor does the Bill establish or refer to an authorization procedure for such collection), when DNA samples can be collected from individuals only with informed consent, and how and in what instances individuals can withdraw their consent. The issue of whether DNA samples can be collected without the consent of the individual is a vexed one and requires complex questions relating to individual privacy as well as the right against self incrimination. While the question of whether an accused can be made to give samples of blood, semen, etc. which had been in issue in a wide gamut of decisions in India has finally been settled by section 53 of the Code of Criminal Procedure, which allows collection of medical evidence from an accused, thus laying to rest any claims based on the right against self incrimination. However there are still issues dealing with the right to privacy and the violation thereof due to the non-consensual collection of DNA samples. This is an issue which needs to be addressed in this Act itself and should not be left unaddressed as this would only lead to a lack of clarity and protracted court cases to determine this issue. An illustration of this problem is where the Bill allows for collection of intimate body samples. There is a need for inclusion of stringent safeguard measures regarding the same since without such safeguards, the collection of intimate body samples would be an outright infringement of privacy. Further, maintaining a database for convicts and suspects is one thing, however collecting and storing intimate samples of individuals is a gross violation of the citizens’ right to privacy, and without adequate mechanisms regarding consent and security, stands at a huge risk of being misused.</p>
<ul style="text-align: justify; ">
<li><span>Privacy Safeguards</span></li>
</ul>
<p class="Standard" style="text-align: justify; ">Presently, the Bill is being introduced without comprehensive privacy safeguards in place on issues such as consent, collection, retention, etc. as is evident from the comments made below. Though the DNA Board is given the responsibility of recommending best practices pertaining to privacy (clause 13 (l)) – this is not adequate given the fact that India does not have a comprehensive privacy legislation. Though <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf">section 43A and associated Rules</a> of the Information Technology Act would apply to the collection, use, and sharing of DNA data by DNA laboratories (as they would fall under the definition of ‘body corporate’ under the IT Act), the National and State Data Banks and the DNA Board would not clearly be body corporate as per the IT Act and would not fall under the ambit of the provision or Rules. Safeguards are needed to protect against the invasion of informational privacy and physical privacy at the level of these State controlled bodies. The fact that the Bill is to be introduced into Parliament prior to the enactment of a privacy legislation in India is significant as according to discussions in the <a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">Record Notes of the </a>4h Meeting of the <a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">Expert Committee</a> - <i>“the Expert Committee also discussed and emphasized that the Privacy Bill is being piloted by the Government. That Bill will over-ride all the other provisions on privacy issues in the DNA Bill.”</i></p>
<ul style="text-align: justify; ">
<li><span>Lack of restriction on type of analysis to be performed</span></li>
</ul>
<p class="Standard" style="text-align: justify; ">The Bill currently does not provide any restriction on the types of analysis that can be performed on a DNA sample or profile. This could allow for DNA samples to be analyzed for purposes beyond basic identification of an individual – such as for health, genetic, or racial purposes. As a form of purpose limitation the Bill should define narrowly the types of analysis that can be performed on a DNA sample.</p>
<ul style="text-align: justify; ">
<li><span>Purpose Limitation</span></li>
</ul>
<p class="Standard" style="text-align: justify; ">The Bill does not explicitly restrict the use of a DNA sample or DNA profile to the purpose it was originally collected and created for. This could allow for the re-use of samples and profiles for unintended purposes.</p>
<ul style="text-align: justify; ">
<li><span>Annual Public Reporting</span></li>
</ul>
<p class="Standard" style="text-align: justify; ">The Bill does not require the DNA Board to disclose publicly available information on an annual basis regarding the functioning and financial aspects of matters contained within the Bill. Such disclosure is crucial in ensuring that the public is able to make informed decisions. Categories that could be included in such reports include: Number of DNA profiles added to each indice within the databank, total number of DNA profiles contained in the database, number of DNA profiles deleted from the database, the number of matches between crime scene DNA profiles and DNA profiles, the number of cases in which DNA profiles were used in and the percentage in which DNA profiles assisted in the final conclusion of the case, and the number and categories of DNA profiles shared with international entities.</p>
<ul style="text-align: justify; ">
<li><span>Elimination Indice</span></li>
</ul>
<p class="Standard" style="text-align: justify; ">An elimination indice containing the profiles of medical professionals, police, laboratory personnel etc. working on a case is necessary in case they contaminate collected samples by accident.</p>
<p class="Standard" style="text-align: justify; "><b><span>Clause by Clause Recommendations</span></b></p>
<p class="Standard" style="text-align: justify; ">As stated the Human DNA Profiling Bill 2015 is to <i>regulate the use of DNA analysis of human body substances profiles and to establish the DNA Profiling Board for laying down the standards for laboratories, collection of human body substances, custody trail from collection to reporting and also to establish a National DNA Data Bank.</i></p>
<p class="Standard" style="text-align: justify; "><b>Comment:</b></p>
<ul style="text-align: justify; ">
</ul>
<ol style="text-align: justify; ">
<li>As stated, the purpose of the DNA Human Profiling Bill is to broadly regulate the of DNA analysis and establish a DNA Data Bank. Despite this, the majority of provisions in the Bill pertain to the collection, use, access etc. of DNA samples and profiles for civil and criminal purposes. The result of this is an 'unbalanced Bill' - with the majority of provisions focusing on issues related to forensic use. At the same time the Bill is not a comprehensive forensic bill – resulting in legislative gaps.</li>
<li>Additionally, the Bill contains provisions beyond the stated purpose. These include:</li>
</ol>
<ul style="text-align: justify; ">
<li>Facilitating the creation of a Data Bank for statistical purposes (Clause 33(e))</li>
<li>Establishing state and regional level databanks in addition to a national level databank (Clause 24)</li>
<li>Developing procedure and providing for the international sharing of DNA profiles with foreign Governments, organizations, institutions, or agencies. (Clause 29)</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li>The Bill should ideally be limited to regulating the use of DNA samples and profiles for criminal purposes. If the scope remains broad, all purposes should be equally and comprehensively regulated.</li>
<li>The stated purpose of the Bill should address all aspects of the Bill. Provisions beyond the scope of the Bill should be removed.</li>
</ul>
<p class="Standard" style="text-align: justify; "><span>Chapter 1: Preliminary</span></p>
<ul style="text-align: justify; ">
<li><b>Clause 2: </b>This clause defines the terms used in the Bill.</li>
</ul>
<p style="text-align: justify; "><b>Comment: </b>A number of terms are incomplete and some terms used in the Bill have not been included in the list of definitions.</p>
<p style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
</ul>
<ul style="text-align: justify; ">
<li>The definition of DNA Data bank manager - clause 2 (1)(g) - must be renamed as National DNA Data bank manager.</li>
<li>The definition of “DNA laboratory” in clause 2(1)(h) should refer to the specific clauses that empower the Central Government and State Governments to license and recognise DNA laboratories. This is a drafting error.</li>
</ul>
<ul style="text-align: justify; ">
<li>The definition of “DNA profile” in clause 2(1)(i) is too vague. Merely the results of an analysis of a DNA sample may not be sufficient to create an actual DNA profile. Further, the results of the analysis may yield DNA information that, because of incompleteness or lack of information, is inconclusive. These incomplete bits of information should not be recognised as DNA profiles. This definition should be amended to clearly specify the contents of a complete and valid DNA profile that contains, at least, numerical representations of 17 or more loci of short tandem repeats that are sufficient to estimate biometric individuality of a person. The definition of “DNA profile” does not restrict the analysis to forensic DNA profiles: this means additional information, such as health-related information could be analyzed and stored against the wishes of the individual, even though such information plays no role in solving crimes.</li>
</ul>
<ul style="text-align: justify; ">
<li>The term “known sample” that is defined in clause 2(1)(m) is not used anywhere outside the definitions clause and should be removed.</li>
</ul>
<ul style="text-align: justify; ">
<li>The definition of “offender” in clause 2(1)(q) is vague because it does not specify the offenses for which an “offender” needs to be convicted. It is also linked to an unclear definition of the term “under trial”, which does not specify the nature of pending criminal proceedings and, therefore, could be used to describe simple offenses such as, for example, failure to pay an electricity bill, which also attracts criminal penalties.</li>
</ul>
<ul style="text-align: justify; ">
<li>The term “proficiency testing” that is defined in clause 2(1)(t) is not used anywhere in the text of the DNA Bill and should be removed.</li>
</ul>
<ul style="text-align: justify; ">
<li>The definitions of “quality assurance”, “quality manual” and “quality system” serve no enforceable purpose since they are used only in relation to the DNA Profiling Board’s rule making powers under Chapter IX, clause 58. Their inclusion in the definitions clause is redundant. Accordingly, these definitions should be removed.</li>
</ul>
<ul style="text-align: justify; ">
<li>The term “suspect” defined in clause 2(1)(za) is vague and imprecise. The standard by which suspicion is to be measured, and by whom suspicion may be entertained – whether police or others, has not been specified. The term “suspect” is not defined in either the Code of Criminal Procedure, 1973 ("CrPC") or the Indian Penal Code, 1860 ("IPC").</li>
</ul>
<ul style="text-align: justify; ">
<li>The term volunteer defined in clause 2(zf) only addresses consent from the parent or guardian of a child or an incapable person. This term should be amended to include informed consent from any volunteer.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b><span>Chapter II: DNA Profiling Board</span></b></p>
<ul style="text-align: justify; ">
<li><b>Clause 4:</b> This clause addresses the composition of the DNA Profiling Board.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment</b>: The size and composition of the Board that is staffed under clause 4 is extremely large. The number of members remains to be 15, as it was in the 2012 Bill.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> Drawing from the experiences of other administrative and regulatory bodies in India, the size of the Board should be reduced to no more than five members. The Board must contain at least:</p>
<ul style="text-align: justify; ">
<li>One ex-Judge or senior lawyer</li>
<li>Civil society – both institutional and non-institutional</li>
<li>Privacy advocates</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Note:</b> The reduction of the size of the Board was agreed upon by <a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">the Expert Committee from 16 members (2012 Bill) to 11 member</a>s. This recommendation has not been incorporated.</p>
<ul style="text-align: justify; ">
<li><b>Clause 5(1): </b>The clause specifies the term of the Chairperson of the DNA Profiling Board to be five years and also states that the person shall not be eligible for re-appointment or extension of the term so specified.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b> The Chairperson of the Board, who is first mentioned in clause 5(1), has not been duly and properly appointed.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> Clause 4 should be amended to mention the appointment of the Chairperson and other Members.</p>
<ul style="text-align: justify; ">
<li><b>Clause 7: </b> The clause requires members to react on a case-by-case basis to the business of the Board by excusing themselves from deliberations and voting where necessary.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b> This clause addresses the issue of conflict of interest only in narrow cases and does not provide penalty if a member fails to adhere to the laid out procedure.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> The Bill should require members to make full and public disclosures of their real and potential conflicts of interest and the Chairperson must have the power to prevent such members from voting on interested matters. Failure to follow such anti-collusion and anti-corruption safeguards should attract criminal penalties.</p>
<ul style="text-align: justify; ">
<li><b>Clause 12(5)</b>: The clause states that the board shall have the power to co-opt such number of persons as it may deem necessary to attend the meetings of the Board and take part in the proceedings of the board, but such persons will not have the right to vote. </li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b> While serving on the Expert Committee, CIS provided <a href="http://cis-india.org/internet-governance/blog/dna-dissent">language regarding</a> how the Board could consult with the public. This language has not been fully incorporated.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation: </b>As per the recommendation of CIS, the following language should be adopted in the Bill: <i>The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities.</i><i> </i></p>
<ul style="text-align: justify; ">
<li><b>Clause 13:</b> The clause lays down the functions to be performed by the DNA Profiling Board, which includes it’s role in regulation of the DNA Data Banks, DNA Laboratories and techniques to be adopted for collection of the DNA samples.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment: </b>While serving on the Expert Committee, <a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">CIS recommended</a> that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.</p>
<p class="Standard" style="text-align: justify; ">Furthermore, this clause delegates a number of functions to the Board that places the Board in the role of a manager and regulator for issues pertaining to DNA Profiling including functions of the DNA Databases, DNA Laboratories, ethical concerns, privacy concerns etc.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation: </b>As per CIS’s recommendations the functions of the Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.</p>
<p class="Standard" style="text-align: justify; ">Towards this, the Board should be comprised of separate Committees to address these different functions. At the minimum, there should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues. Additionally:</p>
<ul style="text-align: justify; ">
<li>Clause 13(j) allows the Board to disseminate best practices concerning the collection and analysis of DNA samples to ensure quality and consistency. The process for collection of DNA samples and analysis should be established in the Bill itself or by regulations. Best practices are not enforceable and do not formalize a procedure.</li>
<li>Clause 13(q) allows the Board to establish procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies. This procedure, at the minimum, should be subject to oversight by the Ministry of External Affairs.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b><span>Chapter III: Approval of DNA Laboratories</span></b></p>
<ul style="text-align: justify; ">
<li><b>Clause 15:</b> This clause states that every DNA Laboratory has to make an application before the Board for the purpose of undertaking DNA profiling and also for renewal.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment: </b>Though the Bill requires DNA Laboratories to make an application for the undertaking DNA Profiling, it does not clarify that the Lab must receive approval before collection and analysis of DNA samples and profiles.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> The Bill should clarify that all DNA Laboratories must receive approval for functioning prior to the collection or analysis of any DNA samples and profiles.</p>
<p class="Standard" style="text-align: justify; "><b><span>Chapter IV: Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training</span></b></p>
<ul style="text-align: justify; ">
<li><b>Clause 19: </b>This clause defines the obligations of a DNA laboratory. Sub-section (d) maintains that one such obligation is the sharing of the 'DNA data' prepared and maintained by the laboratory with the State DNA Data Bank and the National DNA Data Bank.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b> ‘DNA Data’ is a new term that has not been defined under Clause 2 of the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records? It is also unclear in what manner and on what basis the information would be shared.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks. The flow of and access to data between the State DNA Data Bank and National DNA Data Bank should also be established in the Bill.</p>
<ul style="text-align: justify; ">
<li><b>Clause 22: </b>The clause lays down the measures to be adopted by a DNA Laboratory and 22(h) includes a provision requiring the conducting of annual audits according to prescribed standards.<b> </b></li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b></p>
<ul style="text-align: justify; ">
<li>The definition of “audit” under Chapter VI in clause 22 under ‘Explanation’ is relevant for measuring the training programmes and laboratory conditions. However, the term “audit” is subsequently used in an entirely different manner in Chapter VII which relates to financial information and transparency.</li>
<li>The standards for the destruction of DNA samples have not been included within the list of measures that DNA laboratories must take. </li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li>The definition of ‘audit’ must be amended or removed as it is being used in different contexts. The term “audit” has a well established use for financial information that does not require a definition.</li>
<li>Standards for the destruction of DNA samples should be developed and included as a measure DNA laboratories must take. </li>
<li><b>Clause 23:</b> This clause lays down the sources for collection of samples for the purpose of DNA profiling. 23(1)(a) includes collection from bodily substances and 23(1)(c) includes clothing and other objects. Explanation (b) provides a definition of 'intimate body sample'.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b></p>
<ul style="text-align: justify; ">
<li>Permitting the collection of DNA samples from bodily substances and clothing and other objects allows for the broad collection of DNA samples without contextualizing such collection. In contrast <i>23(b) Scene of occurrence or scene of crime</i> limits the collection of samples to a specific context.</li>
<li>This clause also raises the issue of consent and invasion of privacy of an individual. If “intimate body samples” are to be taken of individuals, then this would be an invasion of the person’s right to bodily privacy if such collection is done without the person’s consent (except in the specific instance when it is done in pursuance of section 53 of the Criminal Procedure Code).</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li>Sources for the collection of DNA samples should be contextualized to prevent broad, unaccounted for, or unregulated collection. Clause (a) and (c) should be deleted and replaced with contexts in which the collection DNA collection would be permitted. </li>
<li>The Bill should specify circumstances on which non-intimate samples can be collected and the process for the same.</li>
<li>The Bill should specify that intimate body samples can only be taken with informed consent except as per section 53 of the Criminal Procedure Code.</li>
<li>The Bill should require that any individual that has a sample taken (intimate and non-intimate) is provided with notice of their rights and the future uses of their DNA sample and profile.</li>
</ul>
<ul style="text-align: justify; ">
</ul>
<p class="Standard" style="text-align: justify; "><span>Chapter V: DNA Data Bank </span></p>
<ul style="text-align: justify; ">
<li><b>Clause 24:</b>This clause addresses establishment of DNA Data Banks at the State and National Level. 24(5) establishes that the National DNA Data Bank will receive data from State DNA Data Banks and store the approved DNA Profiles as per regulations.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b></p>
<ul style="text-align: justify; ">
<li>As noted previously, ‘DNA Data’ is a new term that has not been defined in the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records? </li>
<li>The process for sharing Data between the State and National Data Banks is not defined.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li>The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks. </li>
<li>The process for the National DNA Data Bank receiving DNA data from State DNA Data Banks and DNA laboratories needs to be defined in the Bill or by regulation. This includes specifying how frequently information will be shared etc.</li>
</ul>
<ul style="text-align: justify; ">
<li><b>Clause 25:</b> This clause establishes standards for the maintenance of indices by DNA databanks. 25(1) states that every DNA Data Bank needs to maintain the prescribed indices for various categories of data including an index for a crime scene, suspects, offenders, missing persons, unknown deceased persons, volunteers, and other indices as may be specified by regulation. <b>25(2) </b>states that in addition to the indices, the DNA Data Bank should contain information regarding each of the DNA profiles. It can either be the identity of the person from whose bodily substance the profile was derived in case of a suspect or an offender, or the case reference number of the investigation associated with such bodily substances in other cases. <b>25(3) </b>states that the indices maintained shall include information regarding the data which is based on the DNA profiling and the relevant records.</li>
</ul>
<ul style="text-align: justify; ">
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment</b>:</p>
<ul style="text-align: justify; ">
<li>25(1): The creation of multiple indices cannot be justified and must be limited since collection of biological source material is an invasion of privacy that must be conducted only in strict conditions when the potential harm to individuals is outweighed by the public good. This balance may only be struck when dealing with the collection and profiling of samples from certain categories of offenders. The implications of collecting and profiling DNA samples from corpses, suspects, missing persons and others are vast. Specifically a 'volunteer' index could possibly be used for racial/community/religious profiling.</li>
<li>25(2): This clause requires the names of individuals to be connected to their profiles, and hence accessible to persons having access to the databank.</li>
<li>25(3) The clause states that only information related to DNA profiling and will be stored in an indice. Yet, it is unclear what such information might be. This could allow inconsistencies in data stored in an indice and could allow for unnecessary information to be stored on an indice.</li>
</ul>
<ul style="text-align: justify; ">
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li><b>25(1) </b>Ideally, DNA databanks should be created for dedicated purposes. This would mean that a databank for forensic purposes should contain only an offenders’ index and a crime scene index while a databank for missing persons would contain only a missing persons indice etc. If numerous indices are going to be contained in one databank, the Bill needs to recognize the sensitivity of each indice as well as the difference between each indice and lay down appropriate and strict conditions for collection of data for such indice, addition of data into the indice, as well as use, access, and retention of data within the indice.</li>
<li><b>25(2) </b>DNA profiles, once developed, should be maintained with complete anonymity and retained separate from the names of their owners. This amendment becomes even more important if we consider the fact that an “offender” may be convicted by a lower court and have his profile included in the data bank, but may get acquitted later. However, till the time that such person is acquitted, his/her profile with the identifying information would still be in the data bank, which is an invasion of privacy.</li>
<li><b>25(3)</b> What information will be stored in indices should be clearly defined in the Bill and should be tailored appropriately to each category of indice.</li>
</ul>
<ul style="text-align: justify; ">
<li><b>Clause 28:</b> This clause addresses the comparison and communication of DNA profiles. 28(1) states that the DNA profile entered in the offenders or crime scene index shall be compared by the DNA Data Bank Manger against profiles contained in the DNA Data Bank and the DNA Data Bank Manager will communicate such information with any court, tribunal, law enforcement agency, or approved DNA laboratory which he may consider appropriate for the purpose of investigation. 28(2) allows for any information relating to a person's DNA profile contained in the suspect's index or offenders' index to be communicated to authorised persons.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment</b>:</p>
<ul style="text-align: justify; ">
<li>28(1) (a-c) allows for the DNA Bank Manager to communicate the following: 1.) if the DNA profile is not contained in the Data Bank and what information is not contained, 2.) if the DNA profile is contained in the data bank and what information is contained, and if in the opinion of the Manager, 3.) the DNA profile is similar to one stored in the Databank. These options of communication are problematic as they 1. allow for all associated information to be communicated – even if such information is not necessary, 2.) Allows for the DNA Databank Manager to communicate that a profile is 'similar' without defining what 'similar' would constitute.</li>
<li>28(1) only addresses the comparison of DNA profiles entered into the offenders index or the crime scene index against all other profiles entered into the DNA Data Bank.</li>
<li>28(1) gives the DNA Data Bank manager broad discretion in determining if information should be communicated and requires no accountability for such a decision.</li>
<li>28(2) only addresses information in the suspect's and offender's index and does not address information in any other index.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li> Rather than allowing for broad searches across the entire database, the Bill should be clear about which profiles can be compared against which indices. Such distinctions must take into consideration if a profile was taken on consent and what was consented to.</li>
<li>Ideally, the response from the DNA Databank Manager should be limited to a 'yes' or 'no' response and only further information should be revealed on receipt of a court order.</li>
<li>The Bill should define what constitutes 'similar'</li>
<li>A process for determining if information should be communicated should be established in the Bill and followed by the DNA Data Bank Manager. The Manager should also be held accountable through oversight mechanisms for such decisions. This is particularly important, as a DNA laboratory would be a private body.</li>
<li>Information stored in any index should be disclosed to only authorized parties. </li>
</ul>
<ul style="text-align: justify; ">
<li><b>Clause 29: </b>This clause provides for comparison and sharing of DNA profiles with foreign Government, organisations, institutions or agencies. 29(1) allows the DNA Bank Manager to run a comparison of the received profile against all indices in the databank and communicate specified responses through the Central Bureau of Investigation.</li>
</ul>
<ul style="text-align: justify; ">
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment: </b>This clause allows for international disclosures of DNA profiles of Indians through a procedure that is to be established by the Board (see clause 13(q))</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> The disclosure of DNA profiles of Indians with international entities should be done via the MLAT process as it is the typical process followed when sharing information with international entities for law enforcement purposes.</p>
<ul style="text-align: justify; ">
<li><b>Clause 30:</b> This clause provides for the permanent retention of information pertaining to a convict in the offenders’ index and the expunging of such information in case of a court order establishing acquittal of a person, or the conviction being set aside.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment</b>: This clause addresses only the retention and expunging of records of a convict stored in the offenders index upon the receipt of a court order or the conviction being set aside. This implies that records in all other indices - including volunteers - can be retained permanently. This clause also does not address situations where an individuals DNA profile is added to the databank, but the case never goes to court.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation</b>: The Bill should establish retention standards and deletion standards for each indice that it creates. Furthermore, the Bill should require the immediate destruction of DNA samples once a DNA profile for identification purposes has been created. An exception to this should be the destruction of samples stored in the crime scene index.</p>
<p class="Standard" style="text-align: justify; "><b><span>Chapter VI: Confidentiality of and Access to DNA Profiles, Samples, and Records</span></b></p>
<ul style="text-align: justify; ">
<li><b>Clause 33</b>: This provision lays down the cases and the persons to which information pertaining to DNA profiles, samples and records stored in the DNA Data Bank shall be made available. Specifically, 33(e) permits disclosure for the creation and maintenance of a population statistics Data Bank.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b></p>
<ul style="text-align: justify; ">
<li>This clause addresses disclosure of information in the DNA Data Bank, but does not directly address the use of DNA samples or DNA profiles. This allows for the possibility of re-use of samples and profiles.</li>
<li>There is no limitation on the information that can be disclosed. The clause allows for any information stored in the Data Bank to be disclosed for a number of circumstances/to a variety of people.</li>
<li>There is no authorization process for the disclosure of such information. Of the circumstances listed – an authorization process is mentioned only for the disclosure of information in the case of investigations relating to civil disputes or other civil matters with the concurrence of the court. This implies that there is no procedure for authorizing the disclosure of information for identification purposes in criminal cases, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for the purpose of taking defence by an accused in a criminal case, and for the creation and maintenance of a population statistics Data Bank.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li>The Bill should establish an authorization process for the disclosure of information stored in a data bank. This process must limit the disclosure of information to what is necessary and proportionate for achieving the requested purpose.</li>
<li> Clause 33(e) should be deleted as the non-consensual disclosure of DNA profiles for the study of population genetics is specifically illegal. The use of the database for statistical purposes should be limited to purposes pertaining to understanding effectiveness of the databank.</li>
<li>Clause 33(f) should be deleted as it is not necessary for DNA profiles to be stored in a database to be useful for civil purposes. Instead samples for civil purposes are only needed as per the relevant case and specified persons.</li>
<li>Clause 33(g) should be deleted as it allows for the scope of cases in which DNA can be disclosed to by expanded as prescribed.</li>
</ul>
<ul style="text-align: justify; ">
<li><b>Clause 34: </b>This clause allows for access to information for operation maintenance and training.</li>
<li><b>Comment</b>: This clause would allow individuals in training access to data stored on the database for training purposes. This places the security of the databank and the data stored in the databank at risk.</li>
<li><b>Recommendation:</b> Training of individuals should be conducted via simulation only.</li>
</ul>
<ul style="text-align: justify; ">
<li><b>Clause 35: </b>This clause allows for access to information in the DNA Data Bank for the purpose of a one time keyboard search. A one time keyboard search allows for information from a DNA sample to be compared with information in the index without the information from the DNA sample being included in the index. The clause allows for an authorized individual to carry out such a search on information obtained from an DNA sample lawfully collected for the purpose of criminal investigation, except if the DNA sample was submitted for elimination purposes.</li>
<li><b>Comment: </b>The purpose of this clause is unclear as is the scope. The clause allows for the sample to be compared against 'the index' without specifying which index. The clause also allows for 'information obtained from a DNA sample' rather than a profile. Thus, the clause appears to allow for any information derived from a DNA sample collected for a criminal investigation to be compared against all data within the databank – without recording such information. Such a comparison is vast in scope and open to abuse.</li>
<li><b>Recommendation: </b>To ensure that this provision is not used for conducting searches outside of the scope of the original purpose, only DNA profiles, rather than 'information derived from a sample' should be allowed to be compared, only the indices relevant to the sample should be compared, and the search should be authorized and justified.</li>
<li><b>Clause 36</b> : This clause addresses the restriction of access to information in the crime scene index if the individual is a victim of a specified offense or if the person has been eliminated as a suspect of an investigation.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b></p>
<ul style="text-align: justify; ">
<li>This clause only addresses restriction of access to the crime scene index and does not address restriction of access to other indices.</li>
<li>This clause only restricts access to the indice for certain category of individual and for a specific status of a person. Oddly, the clause does not include authorization or rank as a means for determining or restricting access.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b></p>
<ul style="text-align: justify; ">
<li>This clause should be amended to lay down standards for restriction of access for all indices.</li>
<li>Access to all information in the databank should be restricted by default and permission should be based on authorization rather than category or status of individual.</li>
</ul>
<ul style="text-align: justify; ">
<li><b>Clause 38</b>: This clause sets out a post-conviction right related to criminal procedure and evidence.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment: </b>This clause would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> This clause should be deleted and the issue of post conviction rights related to criminal procedure and evidence referenced to the appropriate legislation. Clause 38 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.] The person must be duly accorded with a right to know rules may provide for- the authorized persons to whom information relating to a person’s DNA profile contained in the offenders’ index shall be communicated. Alternatively, this right could be limited only to accused persons who’s trial is still at the stage of production of evidence in the Trial Court. This suggestion is being made because unless the right as it currently stands, is limited in some manner, every convict with the means to engage a lawyer would ask for DNA analysis of the evidence in his/her case thereby flooding the system with useless requests risking a breakdown of the entire machinery.</p>
<p class="Standard" style="text-align: justify; "><b><span>Chapter VII: Finance, Accounts, and Audit</span></b></p>
<p class="Standard" style="text-align: justify; "><b>Clause 39: </b>This clause allows the Central Government to make grants and loans to the DNA Board after due appropriation by Parliament.</p>
<p class="Standard" style="text-align: justify; "><b>Comment: </b>This clause allows the Central Government to grant and loan money to the DNA Board, but does not require any proof or justification for the sum of money being given.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation: </b>This clause should require a formal cost benefit analysis, and financial assessment prior to the giving of any grants or loans.</p>
<p class="Standard" style="text-align: justify; "><b><span>Chapter VIII: Offences and Penalties</span></b></p>
<p class="Standard" style="text-align: justify; "><b><span>Chapter IX: Miscellaneous</span></b></p>
<p class="Standard" style="text-align: justify; "><b>Clause 53: </b>This clause allows protects the Central Government and the Members of the Board from suit, prosecution, or other legal proceedings for actions that they have taken in good faith.</p>
<p class="Standard" style="text-align: justify; "><b>Comment: </b>Though it is important to take into consideration if an action has been taken in good faith, absolving the Government and Board from accountability for actions leaves little course of redress for the individual. This is particularly true as the Central Government and the Board are given broad powers under the Bill.<b> </b></p>
<p class="Standard" style="text-align: justify; "><b>Recommended: </b>If the Central Government and the Board will be protected for actions taken in good faith, their powers should be limited. Specifically, they should not have the ability to widen the scope of the Bill.</p>
<p class="Standard" style="text-align: justify; "><b>Clause 57:</b> This clause states that the Central Government will have the powers to make Rules for a number of defined issues.</p>
<p class="Standard" style="text-align: justify; "><b>Comment:</b> 57(d) allows for the regulations to be created regarding the use of population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> 57(d) should be deleted as any use for the creation of a population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control is beyond the scope of the Bill.</p>
<ul style="text-align: justify; ">
<li><b>Clause 58: </b>This clause empowers the Board to make regulations regarding a number of aspects related to the Bill.</li>
<li><b>Comment</b>: There a number of functions that the Board can make regulations for that should be defined within the Bill itself to ensure that the scope of the Bill does not expand without Parliamentary oversight and approval.</li>
<li><b>Recommendation:</b> 58(2)(g) should be deleted as it allows the Board to create regulations for other relevant uses of DNA techniques and technologies, 58(2)(u) should be deleted as it allows the Board to include new categories of indices to databanks, and 58(2) (aa) should be deleted as it allows the Board to decide which other indices a DNA profile may be compared with in the case of sharing of DNA profiles with foreign Governments, organizations, or institutions.</li>
</ul>
<ul style="text-align: justify; ">
</ul>
<p style="text-align: justify; "><b>Clause 61:</b> This clause states that no civil court will have jurisdiction to entertain any suit or proceeding in respect of any matter which the Board is empowered to determine and no injunction shall be granted.</p>
<ul style="text-align: justify; ">
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment:</b> This clause in practice will limit the recourse that individuals can take and will exclude the Board from the oversight of civil or criminal courts.</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation:</b> The power to collect, store and analyse human DNA samples has wide reaching consequences for people whose samples are being utilised for this purpose, specially if their samples are being labeled in specific indexes such as “index of offenders”, etc. The individual should therefore have a right to approach the court of law to safeguard his/her rights. Therefore this provision barring the jurisdiction of the courts should be deleted.</p>
<p class="Standard" style="text-align: justify; "><b><span>Schedule</span></b></p>
<ul style="text-align: justify; ">
<li><b>Schedule A:</b> The schedule refers to section 33(f) which allows for disclosure of information in relation to DNA profiles, DNA samples, and records in a DNA Data Bank to be communicated in cases of investigations relating to civil disputes or other civil matters or offenses or cases listed in the schedule with the concurrence of the court.</li>
</ul>
<p class="Standard" style="text-align: justify; "><b>Comment: </b>As 33(f) requires the concurrence of the court for disclosure of information, it is unclear what purpose the schedule serves. If the Schedule is meant to serve as a guide to the Court on appropriate instances for the disclosure of information stored in the DNA databank – the schedule is too general by listing entire Acts, while at the same time being too specific by naming specific Acts. Ideally, courts should use principles and the greater public interest to reach a decision as to whether or not disclosure of information in the DNA databank is appropriate. At a minimum these principles should include necessity (of the disclosure) and proportionality (of the type/amount of information disclosed).</p>
<p class="Standard" style="text-align: justify; "><b>Recommendation: </b>As we recommended the deletion of clause 33(f) as it is not necessary to databank DNA profiles for civil purposes, the schedule should also be deleted.</p>
<ul style="text-align: justify; ">
<li><b>Note: </b>The schedule differs drastically from previous drafts and from discussions held in the Expert Committee and recommendations agreed upon. As per the Meeting Minutes of the<a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view"> Expert Committee</a> meeting held on November 10th 2014 <i>“The Committee recommended incorporation of the comments received from the members of the Expert Committee appropriately in the draft Bill...Point no. 1 suggested by Mr. Sunil Abraham in the Schedule of the draft Bill to define the cases in which DNA samples can be collected without consent by incorporating point no. 1 (I.e 'Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the code of Criminal Procedure, 1973)</i>”</li>
</ul>
<hr />
<p>Download CIS submission <a href="https://cis-india.org/internet-governance/blog/cis-human-dna-profiling-bill-2015" class="internal-link">here</a>. See the cover letter <a href="https://cis-india.org/internet-governance/blog/cover-letter-for-dna-profiling-bill-2015" class="internal-link">here</a>.</p>
<ul style="text-align: justify; ">
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015'>https://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015</a>
</p>
No publisherElonnai Hickok, Vipul Kharbanda and Vanya RakeshDNA ProfilingInternet GovernancePrivacy2015-09-02T17:09:04ZBlog EntryData Flow in the Unique Identification Scheme of India
https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india
<b>This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.</b>
<p><i>Many thanks to Elonnai Hickok for her invaluable guidance, input and feedback</i></p>
<hr />
<p style="text-align: justify; ">These Registrars then appoint Enrollment Agencies that enroll residents by collecting the necessary data and sharing this with the UIDAI for de-duplication and issuance of an Aadhaar number, at enrolment centers that they set up. The data flow process of the UID is described below:<a href="#_ftn1" name="_ftnref1">[1]</a></p>
<ol> </ol>
<h3><b>Data Capture</b></h3>
<ul>
<li style="text-align: justify; "><i>Filling out an enrollment form</i> – To enroll for an Aadhaar number, individuals are required to provide proof of address and proof of identity. These documents are verified by an official at the enrollment center. </li>
</ul>
<p style="padding-left: 30px; text-align: justify; ">Vulnerability: Though an official is responsible for verifying these documents, it is unclear how this verification is completed. It is possible for fraudulent proof of address and proof of identity to be verified and approved by this official.</p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><i>The 'introducer' system</i>: For individuals who do not have a Proof of Identity, Proof of Address etc the UIDAI has established an 'introducer' system. The introducer verifies that the individual is who they claim to be and that they live where they claim to live.</li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; "><span>Vulnerability</span>: This introducer is akin to the introducer concept in banking; except that here, the introducer must be approved by the Registrar, and need not know the person bring enrolled. This leads to questions of authenticity and validity of the data collected and verified by an 'introducer'. The Home Ministry in 2012, indicated that this must be reviewed.<a href="#_ftn2" name="_ftnref2">[2]</a></p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><i>Categories of data for enrollment</i>: The UIDAI has a standard enrollment form and list of documents required for enrollment. This includes: name, address, birth date, gender, proof of address and proof of identity. Some MoUs (Memorandum of Understanding) permit for the Registrars to collect additional information in addition to what is required by the UIDAI. This could be any information the Registrar deems necessary for any purpose.</li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; ">Vulnerability: The fact that a Registrar may collect any information they deem necessary and for any purpose leads to concerns regarding (1) informed consent – as individuals are in placed in a position of having to provide this information as it is coupled with the Aadhaar enrollment process (2) unauthorized collection - though the MOU between the UIDAI and the Registrar has authorized the Registrar to collect additional information – if the information is personal in nature and the Registrar is a body corporate it must be collected as per the Information Technology Rules 2011 under section 43A. It is unclear if Registrars that are body corporates are collecting data in accordance to these rules. (3) As Registrars are permitted to collect any data they deem necessary for any purpose – this leads to concerns regarding misuse of this data..<a href="#_ftn3" name="_ftnref3">[3]</a></p>
<ol> </ol>
<ul>
<li><i>Verification of Resident’s Documents</i>: true copies of original documents, after verification are sent to the Registrar for “permanent storage.”<a href="#_ftn4" name="_ftnref4">[4]</a></li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; "><span>Vulnerability</span>: It is unclear as to what extent and form this storage takes place. There is no clarity on who is responsible for the data once collected, and the permissible uses of such data are also unclear. The contracts between the UID and Registry claim that guidelines must be followed, while the guidelines state that, “<i>The documents are required to be preserved by Registrar till the UIDAI finalizes its document storage agency”</i> and states that the <i>“Registrars must ensure that the documents are stored in a safe and secure manner and protected from unauthorized access.”</i> <a href="#_ftn5" name="_ftnref5">[5]</a> The question of what is “unauthorized access”, “secure storage”, when is data transferred to the UIDAI and when the UIDAI will access it and why remain unanswered. Moreover, there is nothing about deleting documents once the MoU lapses. The guidelines in question were also developed post facto.</p>
<p><b> </b></p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><i>Data collection for enrollment</i>: After verification of proof of address and proof of identity, operators at the enrolling the agency will be enrolling individuals. Data Collection is completed by operators at the enrolling agency. This includes the digitization of enrollment forms and collection of biometrics. Enrollment information is manually collected and entered into computers operating software provided by the UIDAI and then transferred to the UIDAI. Biometrics are collected through devices that have been provided by third parties such as Accenture and L1Identity Solutions.</li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; ">Vulnerability: After data is collected by enrollment operators it is possible for data leakage to occur at the point of collection or during transfer to the Registrar and UIDAI. Data operators, are therefore not answerable to the UIDAI, but to a private agency; a fact which has been the cause of concern even within the government.<a href="#_ftn6" name="_ftnref6">[6]</a> There have also been instances of sub contracting which leads to more complications in respect of accountability. Misuse<a href="#_ftn7" name="_ftnref7">[7]</a> and loss of data is a very real possibility, and irregularities have been reported as well.<a href="#_ftn8" name="_ftnref8">[8]</a> By relying on technology that is provided by third parties (in many cases foreign third parties) data collected by these devices is also available to these companies while at the same time the companies are not regulated by Indian law.</p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><i>Import pre-enrolment data into Aadhaar enrollment client</i>, <i>Syncing NPR/census data into the software</i>: The National Population Register (NPR) enrolls usual residents, and is governed by the Citizenship Rules, which prescribe a penalty for non disclosure of information.</li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; "><span>Vulnerability</span>: Biometrics does not form part of the Rules that govern NPR data collection; the Citizenship Rules, 2003. In many ways, collection of biometrics without amending the citizenship laws amounts to a worrying situation. The NPR hands over information that it collects to UIDAI, biometrics collected as part of the UIDAI is included in the NPR, leading to concerns surrounding legality and security of such data.</p>
<ol> </ol>
<ul>
<li><i> Resident’s consent</i>: for “whether the resident has agreed to <b>share the captured information</b> with organizations engaged in delivery of welfare services.”</li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; "><span>Vulnerability</span>: This allows the UIDAI to use data in an almost unfettered fashion. The enrolment form reads, “<i>‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” </i>Informed consent, Vague. What info and with whom. Why is necessary for the UIDAI to share this information, when the organization is only supposed to be a passive intermediary? Does beyond the mandate of the UIDAI, which is only to provide and authenticate the number.<i> </i></p>
<ol> </ol>
<ul>
<li style="text-align: justify; "><i>Biometric exceptions</i>: The operator checks if the resident’s eyes/hands are amputated/missing, and after the Supervisor verifies the same, the record is made as an exception and only the individuals photograph is recorded.</li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; "><span>Vulnerability</span>: There has widespread misuse of this clause, with data being fabricated to fall into this category, making it unreliable as a whole. In March 2013, 3.84 lakh numbers were cancelled as they were based on fraudulent use of the exception clause. <a href="#_ftn9" name="_ftnref9">[9]</a><i> </i></p>
<ul>
<li style="text-align: justify; "><i>Operator checks if resident wants Aadhaar enabled bank account</i>: The UID project was touted to be a scheme that would ensure access to benefits and subsidies that are provided through cash transfers as well as enabling financial inclusion. Subsequently, the need for a Aadhaar embedded bank account was made essential to avail of these benefits. The operator at this point checks whether the resident would like to open such a bank account.<span> </span></li>
</ul>
<p style="text-align: justify; padding-left: 30px; "><span> Vulnerability</span>: The data provided at the time of linking UID with a bank account cannot be corrected or retracted. Although this has the vision of financial inclusion, it is now a threat of exclusion.</p>
<ol> </ol> <ol> </ol>
<ul>
<li style="text-align: justify; "><i>Capturing biometrics- </i>The UIDAI scheme includes assigning each individual a unique identification number after collecting their demographic and biometric information. One Time Passwords are used to manually override a situation in which biometric identification fails.<a href="#_ftn10" name="_ftnref10">[10]</a> The UIDAI data collection process was revamped in 2012 to include best finger detection and multiple try method.<a href="#_ftn11" name="_ftnref11">[11]</a></li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; "><span>Vulnerabilities</span>: The collection process is not always accurate, in fact, 70% of the residents who enrolled in Salt Lake, will have to re-enroll due to discrepancies at the time of enrollment.<a href="#_ftn12" name="_ftnref12">[12]</a> Further, a large number of people in India are unable to give biometric information due to manual labour, or cataracts etc.</p>
<p style="padding-left: 30px; ">After such data is entered, the Operator shows such data to the Resident or Introducer or Head of the Family (as the case may be) for validation.</p>
<ol> </ol>
<ul>
<li><i>Operator Sign off</i> – Each set of data needs to be verified by an Operator whose fingerprint is already stored in the system.</li>
</ul>
<ol> </ol>
<p style="padding-left: 30px; text-align: justify; "><span>Vulnerability:</span><i> Vesting authority to sign off in an operator allows for signing off on inaccurate or fraudulent data. </i>For example, the issuance of aadhaar numbers to biometric exceptions highlight issues surrounding misuse and unreliability of this function.<a href="#_ftn13" name="_ftnref13">[13]</a></p>
<p style="padding-left: 30px; text-align: justify; ">After this, the Enrolment operator gets supervisor’s sign off for any exceptions that might exist, Acknowledgement and consent for enrolment is stored. Any correction to specified data can be made within 96 hours.<b> </b></p>
<h3><b>Document Storage, Back up and Sync</b></h3>
<p style="text-align: justify; ">After gathering and verifying all the information about the resident, the Enrolment Agency Operator will store photocopies of the documents of the resident. These Agencies also backup data “from time to time” (recommended to be twice a day), and maintain it for a minimum of 60 days. They also sync with the server every 7-10 days.</p>
<p><span>Vulnerability</span>: The security implications of third party operators storing information is greatly exacerbated by the fact that these operators use technology and devices from companies have close ties to intelligence agencies in other countries; L-1 Identity Solutions have close ties with America’s CIA, Accenture with French intelligence etc. <a href="#_ftn14" name="_ftnref14">[14]</a></p>
<ol> </ol>
<h3><b>Transfer of Demographic and Biometric Data Collected to CIDR</b></h3>
<p>“First mile logistics” include transferring data by using Secure File Transfer Protocol) provided by UIDAI or through a “suitable carrier” such as India Post.</p>
<ol> </ol>
<p style="text-align: justify; "><span>Vulnerability</span>: There is no engagement between the UIDAI and the enrolling agencies; the registrars engage private enrolment agencies, and not the UIDAI. Further, the scope of people authorized to collect information, the information that can be collected, how such information is stored etc are all vague. In 2009, there was a notification that claimed that the UIDAI owns the database<a href="#_ftn15" name="_ftnref15">[15]</a> but there is no indication on how it may be used, how this might react to instances of identity fraud, etc.</p>
<ol> </ol>
<h3><b>Data De-duplication and Aadhar Generation at CIDR</b></h3>
<p>On receiving biometric information, the de-duplication is done to ensure that each individual is given only one UID number.</p>
<p><span>Vulnerability</span>:</p>
<ul>
<li style="text-align: justify; ">This de-duplication is carried out by private companies, some of which are not of indian origin and thus are also not bound by Indian law. Also, the volume of Aadhaar numbers rejected due to quality or technical reasons is a cause of worry; the count reaching 9 crores in May 2015.<a href="#_ftn16" name="_ftnref16">[16]</a></li>
<li>The MoUs promise registrars access to information contained in the Aadhaar letter, although individuals are ensured that such letter is only sent to them. <a href="#_ftn17" name="_ftnref17">[17]</a></li>
<li>General compliance and de-duplication has been an issue, with over 34,000 people being issued more than one Aadhaar number,<a href="#_ftn18" name="_ftnref18">[18]</a> and innumerable examples of faulty Aadhaar cards being issued.<a href="#_ftn19" name="_ftnref19">[19]</a></li>
</ul>
<hr />
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1">[1]</a> Enrolment Process Essentials : UIDAI , (December 13,2012), http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a> <i>UIDAI to review biometric data collection process of 60 crore resident Indians: P Chidambaram</i>, Economic Times, (Jan 31, 2012), <a href="http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register">http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register</a>.</p>
<p><a href="#_ftnref3" name="_ftn3">[3]</a>See: an MoU signed between the UIDAI and the Government of Madhya Pradesh. Also see: Usha Ramanathan, “<i>States as handmaidens of UIDAI</i>”, The Statesman (August 8, 2013).</p>
<p><a href="#_ftnref4" name="_ftn4">[4]</a>http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a> Document Storage Guidelines for Registrars – Version 1.2, https://uidai.gov.in/images/mou/D11%20Document%20Storage%20Guidelines%20for%20Registrars%20final%2005082010.pdf</p>
<p><a href="#_ftnref6" name="_ftn6">[6]</a> Arindham Mukherjee, Lola Nayar, <i>Aadhaar,A Few Basic Issues</i>, Outlook India, (December 5, 2011)<i>, </i><a href="http://dataprivacylab.org/TIP/2011sept/India4.pdf">http://dataprivacylab.org/TIP/2011sept/India4.pdf</a>.</p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a> <i>Aadhaar: UIDAI probing several cases of misuse of personal data, </i>The Hindu, (April 29, 2012), http://www.thehindubusinessline.com/economy/aadhar-uidai-probing-several-cases-of-misuse-of-personal-data/article3367092.ece.</p>
<p><a href="#_ftnref8" name="_ftn8">[8]</a> Harsimran Julka, <i>UIDAI wins court battle against HCL technologies, </i>The Economic Times, (October 4, 2011), <a href="http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm">http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm</a>.</p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a> Chetan Chauhan, <i>UIDAI cancels 3.84 lakh fake Aadhaar numbers</i>, The Hindustan Times, (December 26, 2012), <a href="http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx">http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx</a>.</p>
<p><a href="#_ftnref10" name="_ftn10">[10]</a> Usha Ramanathan, “<i>Inclusion project that excludes the poor</i>”, The Statesman (July 4, 2013).</p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a> UIDAI to Refresh Data Collection Process, Zee News, (February 7, 2012) <a href="http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html">http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html</a>.</p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a> Snehal Sengupta, <i>Queue up again to apply for Aadhaar</i>, The Telegraph, (February 27, 2015), http://www.telegraphindia.com/1150227/jsp/saltlake/story_5642.jsp#.VayjDZOqqko</p>
<p><a href="#_ftnref13" name="_ftn13">[13]</a> Chauhan, <i>supra </i>note 7.</p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a> Usha Ramanathan, <i>Three Supreme Court Orders Later, What’s the Deal with Aadhaar? </i>Yahoo News, (April 13, 2015), <a href="https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html">https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html</a>.</p>
<p><a href="#_ftnref15" name="_ftn15">[15]</a> Usha Ramanathan, “<i>Threat of Exclusion and of Surveillance</i>”<i>,</i> The Statesman (July 2, 2013).</p>
<p><a href="#_ftnref16" name="_ftn16">[16]</a> <i>Over 9 Crore Aadhaar enrolments rejected by UIDAI, </i>Zee News (May 8, 2015).</p>
<p><a href="#_ftnref17" name="_ftn17">[17]</a> Usha Ramanathan, “<i>States as handmaidens of UIDAI</i>”, The Statesman (August 8, 2013).</p>
<p><a href="#_ftnref18" name="_ftn18">[18]</a> Surabhi Agarwal, <i>Duplicate Aadhar numbers within estimate, </i>Live Mint (March 5, 2013).</p>
<p><a href="#_ftnref19" name="_ftn19">[19]</a> Usha Ramanathan, “<i>Outsourcing enrolment, gathering dogs and trees</i>”, The Statesman (August 7, 2013).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india'>https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india</a>
</p>
No publishervidushiInternet GovernancePrivacy2015-09-03T17:02:44ZBlog EntryThe seedy underbelly of revenge porn
https://cis-india.org/internet-governance/blog/the-times-of-india-sandhya-soman-august-23-2015-the-seedy-underbelly-of-revenge-porn
<b>Intimate photos posted by angry exes are becoming part of an expanding online body of dirty work.</b>
<p style="text-align: justify; ">The article by Sandhya Soman was published in the <a class="external-link" href="http://timesofindia.indiatimes.com/home/sunday-times/deep-focus/The-seedy-underbelly-of-revenge-porn/articleshow/48627922.cms?from=mdr">Times of India</a> on August 23, 2015.</p>
<hr />
<p style="text-align: justify; "><span id="advenueINTEXT" style="float:left; ">Three lakh 'Likes' aren't easy to come by. But Geeta isn't gloating. She's livid, and waiting for the day a video-sharing site will take down the popular clip of her having sex with her vengeful ex-husband. "Every other day somebody calls or messages to say they've seen me," says Geeta.<br /> <br /> She is not alone. Two weeks ago, law student Shrutanjaya Bhardwaj Whatsapped women he knew asking if any of them had come across cases of online sexual harassment. In a few hours, his phone was filled with tales of harassment by ex-boyfriends and strangers. Instances ranged from strangers publishing morphed photographs on Facebook, to ex-husbands and boyfriends circulating intimate photos and videos on porn sites. Of the 40 responses, around 25 were cases of abuse by former partners. "I have heard friends talking about the problem, but never realized it was this bad," says Bhardwaj.<br /> <br /> These days, revenge is best served online - it travels faster and has potential for greater damage. But despite the widespread nature of the crime, many targets hesitate to complain for fear of being shamed and blamed. "A 15-year-old girl is going to worry about how her parents will react if she talks about it," says Chinmayi Arun, research director, Centre for Communication Governance at Delhi National Law University. There is also fear of harassment by the police, says Rohini Lakshane, researcher, Centre for Internet and Society. Worst of all is the waiting. "Even if a police complaint is filed, it takes ages to find out who shot it, who uploaded it and where it is circulated. Such content is mirrored across many sites," she says.<br /> <br /> Geeta is familiar with the routine. Her harassment started with photographs sent to family, friends and colleagues. After an acrimonious divorce, several videos were released in 2013. "There were some 25-30 videos on various sites.<br /> <br /> After an FIR was filed, the police wrote to websites and some of the links were removed," says Geeta, who has been flagging content on a popular site, which has not yet responded to her privacy violation report. "My face is seen clearly on it. People even come up to me in restaurants saying they've seen it. How do I get on with my life?" asks a distraught Geeta. She also recently filed an affidavit supporting the controversial porn ban PIL in a last-ditch effort to erase the abuse that began after her divorce.<br /> <br /> The cyber cell officer in charge of her case says he had got websites to shut down several URLs but was thwarted by the repeal of section 66A of the IT Act that dealt with offensive messages sent electronically. When asked why section 67 (cyber pornography) of the same act and various sections in the criminal law couldn't be used, the officer says that only 66A is applicable to the evidence he has. "I asked for more links and she sent them to me. We'll see if other sections can be applied," he says. Lawyers and activists, argue that existing laws are good enough like sections 354A (sexual harassment), 354C (voyeurism), 354D (stalking) and 509 (outraging modesty) of the IPC.<br /> <br /> Though there are no official statistics for what is popularly referred to as 'revenge' porn, there is a flood of such images online. Lakshane, who studied consent in amateur pornography for the NGO-run EroTICs India project in 2014, found clandestinely shot clips to exhibitionist ones where faces are blurred or cropped.<br /> <br /> Social activist Sunita Krishnan has raised the red flag over several video clips, including two that show gang rape, which were circulated on Whatsapp. Some of the content she came across showed familiarity between the man and woman, indicating an existing relationship. In one clip, the man says: "How dare you go with that fellow. What you did it to him, do it to me."<br /> <br /> Most home-grown clips end up on desi sites with servers abroad, making it difficult to take down content. Some do have a policy of asking for consent of people in the frame. But Lakshane, who wanted to test this policy, says when she approached one website that has servers abroad saying that she had a sexually explicit video, the reply was a one-liner asking her to send it. "They didn't ask for any consent emails," she says. In lieu of payment, they offered her a free account on another file-sharing site, which seemed to partner with the site. With no financial links to those submitting videos, sites like these make money out of subscriptions from consumers, or ads.<br /> <br /> A few months ago, the CBI arrested a man from Bengaluru for uploading porn clips, using high-end editing software and cameras. Kaushik Kuonar allegedly headed a syndicate and was supposed to be behind the rape clips reported by Krishnan. "I am skeptical of the idea of amateur porn being randomly available across the Internet. There seem to be people like the man in Bengaluru who are apparently sourcing, distributing and making money out of it," says Chinmayi Arun. "He had 474 clips, including some of rape," adds Krishnan.<br /> <br /> Social media companies, meanwhile, say they're working with authorities to prevent such violations. Facebook spokesperson says the company removes content that violates its community standards. It also works with the women and child development ministry to help women stay safe online. Google, Microsoft, Twitter and Reddit have promised to remove links to revenge porn on request, while countries like Japan and Israel have made it illegal.<br /> <br /> In India, the National Commission for Women started a consultation on online harassment but is yet to submit a report. In the absence of clarity, activists like Krishnan endorse the banning of porn sites. Not all agree with sweeping solutions. Lakshane says sometimes a court order helps to get tech companies to act faster on requests as in the case of a 2012 sex tape scandal where Google removed search results to 360 web pages. Also, the term 'revenge' porn, she says, is a misnomer as the videos are meant to shame women. "These are not movies where actors get paid. Somebody else is making money off this gross violation of privacy." </span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-times-of-india-sandhya-soman-august-23-2015-the-seedy-underbelly-of-revenge-porn'>https://cis-india.org/internet-governance/blog/the-times-of-india-sandhya-soman-august-23-2015-the-seedy-underbelly-of-revenge-porn</a>
</p>
No publisherpraskrishnaInternet GovernancePrivacy2015-09-27T14:25:43ZBlog EntryHuman DNA Profiling Bill 2012 v/s 2015 Bill
https://cis-india.org/internet-governance/blog/human-dna-profiling-bill-2012-vs-2015
<b>This entry analyses the Human DNA Profiling Bill introduced in 2012 with the provisions of the 2015 Bill </b>
<p>A comparison of changes that have been introduced in the <a href="http://www.dbtindia.nic.in/wp-content/uploads/Human-DNA-Profiling-Bill.pdf">Human DNA Profiling Bill, June 2015.</a><b><span style="text-decoration: underline;"> </span></b></p>
<ul>
<li> <b>Definitions:</b> </li>
</ul>
<p>1. 2012 Bill: The definition of "<span style="text-decoration: underline;">analytical procedure</span>" was included under clause 2 (1) (a) and was defined as an orderly step by step procedure designed to ensure operational uniformity.</p>
<p>2015 Bill: This definition has been included under the Explanation under clause 22 which provides for measures to be taken by DNA Laboratory.</p>
<p>2. 2012 Bill: The definition of "<span style="text-decoration: underline;">audit</span>" was earlier defined under clause 2 (1) (b) and was defined as an inspection used to evaluate, confirm or verify activity related to quality.</p>
<p>2015 Bill: This definition has been included under the Explanation under clause 22 which provides for measures to be taken by DNA Laboratory.</p>
<p>3. 2012 Bill: There was no definition of "<span style="text-decoration: underline;">bodily substance</span>".</p>
<p>2015 Bill: Clause 2(1) (b) defines bodily substance to be any biological material of or from a body of the person (whether living or dead) and includes intimate/non-intimate body samples as well.</p>
<p>4. 2012 Bill: The definition of "<span style="text-decoration: underline;">calibration</span>" was included under clause 2 (1) (d) in the previous Bill.</p>
<p>2015 Bill: The definition has been removed from the definition clause and has been included as an explanation under clause 22.</p>
<p>5. 2012 Bill: Previously "<span style="text-decoration: underline;">DNA Data Bank</span>" was defined under clause 2(1)(h) as a consolidated DNA profile storage and maintenance facility, whether in computerized or other form, containing the indices as mentioned in the Bill.</p>
<p>2015 Bill: However, in this version, the definition has been briefed under clause 2(1) (f) to mean as a DNA Data Bank as established under clause 24.</p>
<p>6. 2012 Bill: Previously a "<span style="text-decoration: underline;">DNA Data Bank Manager</span>" was defined clause 2(1) (i) as the person responsible for supervision, execution and maintenance of the DNA Data Bank.</p>
<p>2015 Bill: In the new Bill, it is defined clause 2(1) (g) as a person appointed under clause 26.</p>
<p>7. 2012 Bill: Under clause 2(1) (j), the definition of "<span style="text-decoration: underline;">DNA laboratory</span>" was defined to be any laboratory established to perform DNA procedures.</p>
<p>8. 2015 Bill: Under clause 2(1) (h) "DNA laboratory" has been now defined to be any laboratory established to perform DNA profiling.</p>
<p>9. 2012 Bill: "<span style="text-decoration: underline;">DNA procedure</span>" was defined under clause 2(1) (k) as a procedure to develop DNA profile for use in the applicable instances as specified in the Schedule.</p>
<p>2015 Bill: This definition has been removed from the Bill.</p>
<p>10. 2012 Bill: There was no definition of "<span style="text-decoration: underline;">DNA Profiling</span>".</p>
<p>2015 Bill: DNA profiling has been defined under clause 2(1) (j) as a procedure to develop DNA profile for human identification.</p>
<p>11. 2012 Bill: "<span style="text-decoration: underline;">DNA testing</span>" was defined under clause 2(1) (n) as the identification and evaluation of biological evidence using DNA technologies for use in the applicable instances.</p>
<p>2015 Bill: This definition has been removed.</p>
<p>12. 2012 Bill: "<span style="text-decoration: underline;">forensic material</span>" was defined under clause 2(1) (o) as biological material of or from the body of a person living or dead, and representing an intimate body sample or non-intimate body sample.</p>
<p>2015 Bill: This definition has been included under the definition of "bodily substance" under clause 2(1) (b).</p>
<p>13. 2012 Bill: "<span style="text-decoration: underline;">intimate body sample</span>" was defined under clause 2(1) (q).</p>
<p>2015 Bill: This has been removed from the definitions clause and has been included as an explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.</p>
<p>14. 2012 Bill: "<span style="text-decoration: underline;">intimate forensic procedure</span>" was defined under 2(1) (r).</p>
<p>2015 Bill: This has been removed from the definitions clause and has been included as an explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.</p>
<p>15. 2012 Bill: "<span style="text-decoration: underline;">non-intimate body sample</span>" was defined under clause 2(1) (v) in 2012 Bill.</p>
<p>2015 Bill: The definition of "non-intimate body sample" has not been included in the definitions clause and has been included as an Explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.</p>
<p>16. 2012 Bill: "<span style="text-decoration: underline;">non-intimate forensic procedure</span>" was defined under clause 2(1) (w) in 2012 Bill.</p>
<p>2015 Bill: The definition of "non-intimate forensic procedure" has not been included in the definitions clause and has been included as an Explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.</p>
<p>17. 2012 Bill: "<span style="text-decoration: underline;">undertrial</span>" was defined under clause 2(1) (zk) as a person against whom a criminal proceeding is pending in a court of law.</p>
<p>2015 Bill: The definition now states such a person against whom charges have been framed for a specified offence in a court of law under clause 2(1) (zc).</p>
<ul>
<li> <b>DNA Profiling Board:</b> </li>
</ul>
<p>1. 2012 Bill: Under clause 4 (a), the Bill stated that a renowned molecular biologist must be appointed as the Chairperson.</p>
<p>2015 Bill: Under clause 4 addressing Composition of the Board, the Bill states that the Board shall consist of a Chairperson who shall be appointed by the Central Government and must have at least fifteen years' experience in the field of biological sciences.</p>
<p>2. 2012 Bill: Under clause 4 (i), the Chairman of National Bioethics Committee of Department of Biotechnology, Government of India was to be included as a member under the DNA Profiling Board.</p>
<p>2015 Bill: This member has been removed from the composition.</p>
<p>3. 2012 Bill: Under clause 4 (m), the term of 1 person from the field of genetics was not mentioned in the 2012 Bill.</p>
<p>2015 Bill: In this Bill under clause 4 (m), it has been stated that such a person must have minimum experience of twelve years in the field.</p>
<p>4. 2012 Bill: The term of 2 people from the field of biological sciences was not mentioned in the 2012 Bill under clause 4 (l).</p>
<p>2015 Bill: Under clause 4 (l), it has been stated that such 2 people must have minimum experience of twelve years in the field.</p>
<p>5. The following members have been included in the 2015 Bill-</p>
<p>i. Chairman of National Human Rights Commission or his nominees, as an ex-officio member under clause 4 (a).</p>
<p>ii. Secretary to Government of India, Ministry of Law and Justice or his nominees (not below rank of Joint Secretary), as an ex-officio member under clause 4 (b).</p>
<p>6. 2012 Bill: Under clause 5, the term of the members was not uniform and varied for all members.</p>
<p>2015 Bill: The term of people from the field of biological sciences and the person from the field of genetics has been states to be five years from the date of their entering upon the office, and would be eligible for re-appointment for not more than 2 consecutive terms.</p>
<p>Also, the age of a Chairperson or a member cannot exceed seventy years.</p>
<p>The term of members under clauses (c), (f), (h), and (i) of clause 4 is 3 years and for others the term shall continue as long as they hold the office.</p>
<ul>
<li> <b>Chief Executive Officer:</b> </li>
</ul>
<p><b></b> 2012 Bill: Earlier it was stated in the Bill under clause 10 (3) that such a person should be a scientist with understanding of genetics and molecular biology.</p>
<p style="text-align: justify; ">2015 Bill: The Bill states under clause 11 (3) that the CEO shall be a person possessing qualifications and experience in science or as specified under regulations. The specific experience has been removed.</p>
<p style="text-align: justify; ">A new clause- 12(5) addresses power of the Board to co-opt the number of people for attending the meetings and take part in proceedings; however such a person shall be devoid of voting rights. Also, such a person shall be entitled to specified allowances for attending the meetings.</p>
<ul>
<li> <b>Officers and Other Employees of Board:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The Bill stated under clause 11 (3) that the Board may appoint consultants required to assist in the discharge of its functions on such terms and conditions as may be specified by the regulations.</p>
<p style="text-align: justify; ">2015 Bill: The 2015 Bill states under clause 12 (3) that the Board may appoint experts to assist for discharging its functions and may hold consultations with people whose rights may be affected by DNA profiling.</p>
<ul>
<li> <b>Functions of the Board:</b> </li>
</ul>
<p>2012 Bill: 26 functions were stated in the 2012 Bill.</p>
<p>2015 Bill: The number of the functions has been reduced to 22 with a few changes based on recommendations of Expert Committee.</p>
<ul>
<li> <b>Power of Board to withdraw approval:</b> </li>
</ul>
<p style="text-align: justify; ">2015 Bill: The circumstances in which the Board could withdraw its approval have not been changed from the 2012 Bill (previously under clause 16). There's an addition to the list as provided under clause 17 (1) (d) wherein the Board can also withdraw its approval in case the DNA laboratory fails to comply with any directions issued by the DNA Profiling Board or any such regulatory Authority under any other Act.</p>
<ul>
<li> <b>Obligations of DNA Laboratory:</b> </li>
</ul>
<p>2015 Bill: There is an addition to the list of obligations to be undertaken by a DNA laboratory under clause 19 (d). The laboratory has an additional obligation to share the DNA data prepared and maintained by it with the State DNA Data Bank and the National DNA Data Bank.</p>
<ul>
<li> <b>Qualification and experience of Head, technical and managerial staff and employees of DNA Laboratory:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The previous Bill clearly mandated under clause 19 (2) the qualifications of the Head of every DNA laboratory to be a person possessing educational qualifications of Doctorate in Life Sciences from a recognised University with knowledge and understanding of the foundation of molecular genetics as applied to DNA work and such other qualifications as may be specified by regulations made by the Board.</p>
<p style="text-align: justify; ">2015 Bill: The provision has been generalized and provides under clause 20 (1) for a person to be possess the specified educational qualifications and experience.</p>
<ul>
<li> <b>Measures to be taken by DNA Laboratory:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: In the previous Bill, there were separate clauses with regard to security, minimization of contamination, evidence control system, validation process, analytical procedure, equipment calibration and maintenance, audits of laboratory to be followed by a DNA Laboratory.</p>
<p>2015 Bill: In the 2015 Bill, these measures to be adopted by DNA Laboratory have been included under one clause itself-clause 22.</p>
<ul>
<li> <b>Infrastructure and training:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The specific provisions regarding infrastructure, fee, recruitment, training and installing of security system in the DNA Laboratory were present in the Bill under clauses 28-31.</p>
<p>2015 Bill: These provisions have been removed from the 2015 Bill.</p>
<ul>
<li> <b>Sources and manner of collection of samples for DNA profiling:</b> </li>
</ul>
<p>2012 Bill: Part II of the Schedule in the Bill provided for sources and manner of collection of samples for DNA Profiling.</p>
<p>The sources include: Tissue and skeleton remains and Already preserved body fluids and other samples.</p>
<p>Also, it provided for a list of the manner in which the profiling can be done:</p>
<p>(1) Medical Examination (2) Autopsy examination (3) Exhumation</p>
<p>Also, provision for collection of intimate and non-intimate body samples was provided as an Explanation.</p>
<p>2015 Bill: Under Clause 23, the sources include bodily substances and other sources as specified in Regulations. The other sources remain unchanged.</p>
<p>Also, provision for collection of intimate and non-intimate body samples is addressed in clause 23(2).</p>
<p style="text-align: justify; ">The explanation to the provision states what would be implied by the terms medical practitioner, intimate body sample, intimate forensic procedure, non-intimate body sample and non-intimate forensic procedure.</p>
<ul>
<li> <b>DNA Data Bank:</b> </li>
</ul>
<p>- Establishment:</p>
<p>2012 Bill: The Bill did not specify any location for establishment of the National DNA Data Bank.</p>
<p>2015 Bill: The Bill states under clause 24 (1) that the Central Government shall establish a National DNA Data Bank at Hyderabad.</p>
<p>-Maintenance of indices of DNA Data Bank:</p>
<p style="text-align: justify; ">2012 Bill: Apart from the DNA profiles, every DNA Data Bank shall contain the identity of the person from whose body the substances are taken in case of a profile in the offenders' index as under clause 32 (6) (a).</p>
<p>2015 Bill: Clause 25 (2) (a) states that the DNA Data Bank shall contain the identity for the suspects' or offenders' index.</p>
<ul>
<li> DNA Data Bank Manager: </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The Bill States under clause 33 (1) that a DNA Data Bank Manger shall be appointed for conducting all operations of the National DNA Data Bank. The functions were not specific.</p>
<p style="text-align: justify; ">2015 Bill: The Bill states under clause 26 (1) specifically that a DNA Data Bank Manger shall be appointed for the purposes of execution, maintenance and supervision of the National DNA Data Bank.</p>
<p>- Qualification:</p>
<p style="text-align: justify; ">2012 Bill: In the previous Bill, it was stated under clause 33 (3) that the DNA Data Bank Manager must be a scientist with understanding of computer applications and statistics.</p>
<p style="text-align: justify; ">2015: The Bill states under clause 26 (2) that the DNA Data Bank Manager must possess educational qualification in science and any such experience as prescribed by the regulations.</p>
<ul>
<li> <b>Officers and other employees of the National DNA Data Bank:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The Bill stated under clause 34 (3) that the Board may appoint consultants required to assist in the discharge of the functions of the DNA Data Banks.</p>
<p style="text-align: justify; ">2015 Bill: The Bill provides under clause 27 (3) that the Board may appoint experts required to assist in the discharge of the functions of the DNA Data Banks</p>
<ul>
<li> <b>Comparison and Communication of DNA profiles:</b> </li>
</ul>
<p style="text-align: justify; ">2015 Bill: The New Bill specifically addresses comparison and communication the DNA profiles as that in the offenders' or crime scene index under clause 28 (1). Also, there is an additional provision under clause 29 (3) which states that the National DNA Data Bank Manger may communicate a DNA profile through Central Bureau of Investigation on request of a court, tribunal, law enforcement agency or DNA laboratory to the Government of a foreign State, an international organization or institution of Government.</p>
<ul>
<li> <b>Use of DNA profiles and DNA samples and records:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The Bill provided under clause 39 that all DNA profiles, samples and records would be used solely for purpose of facilitating identification of perpetrator of an offence as listed under the Schedule. The proviso to this provision addressed the fact that such samples could be used to identify victims of accidents or disaster or missing persons, or any purpose of civil dispute.</p>
<p style="text-align: justify; ">2015 Bill: The Bill restricts the use of all DNA profiles, samples and records solely for purpose of facilitating identification of a person under the Act under clause 32.</p>
<ul>
<li> <b>DNA Profiling Board Fund:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The Bill stated under clause 47 (2) that the financial power for the application of monies of the Fund shall be delegated to the Board in such manner as may be prescribed and as may be specified by the regulations made by the Board.</p>
<p>Also, the Bill stated that the Fund shall be applied for meeting remuneration requirements to be paid to the consultants under clause 47 (3) (c).</p>
<p style="text-align: justify; ">2015 Bill: This provision has not been included in the Bill. Also, the Bill does not include the provision of paying the remuneration to the experts from the Fund.</p>
<ul>
<li> <b>Delegation of Powers:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: The Bill provided under clause 61 that The Board may delegate its powers and functions to the Chairperson or any other Member or officer of the Board subject to such conditions, if necessary.</p>
<p>2015 Bill: This provision has not been included in the 2015 Bill.</p>
<ul>
<li> <b>Powers of Board to make rules:</b> </li>
</ul>
<p>2012 Bill: The Bill provided for an exhaustive list consisting of 33 powers listed under clause 65.</p>
<p>2015 Bill: The Bill provides for a list of 27 powers of the Board under clause 57.</p>
<ul>
<li> <b>Schedule:</b> </li>
</ul>
<p style="text-align: justify; ">2012 Bill: In the list of offense where human DNA profiling would be applicable, there was an inclusion of any law as may be specified by the regulations made by the Board.</p>
<p style="text-align: justify; ">2015 Bill: This provision has been removed from the 2015 Bill.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/human-dna-profiling-bill-2012-vs-2015'>https://cis-india.org/internet-governance/blog/human-dna-profiling-bill-2012-vs-2015</a>
</p>
No publishervanyaDNA ProfilingInternet GovernancePrivacy2015-09-06T14:10:26ZBlog EntryThe Government’s Increased Focus on Regulating Non-Personal Data: A Look at the Draft National Data Governance Framework Policy
https://cis-india.org/internet-governance/blog/national-data-governance-framework-policy
<b>Digvijay Chaudhary and Anamika Kundu wrote an article on the National Data Governance Framework Policy. It was edited by Shweta Mohandas.</b>
<h2>Introduction</h2>
<p style="text-align: justify; ">Non Personal Data (‘NPD’) can be <a href="https://www.taylorfrancis.com/chapters/edit/10.4324/9780429022241-8/regulating-non-personal-data-age-big-data-bart-van-der-sloot">understood</a> as any information not relating to an identified or identifiable natural person. The origin of such data can be both human and non-human. Human NPD would be such data which has been anonymised in such a way that the person to whom the data relates cannot be re-identified. Non-human NPD would mean any such data that did not relate to a human being in the first place, for example, weather data. There has been a gradual demonstrated interest in NPD by the government in recent times. This new focus on regulating non personal data can be owed to the economic incentive it provides. In its report, the Sri Krishna committee, released in 2018 agreed that NPD holds considerable strategic or economic interest for the nation, however, it left the questions surrounding NPD to a future committee.</p>
<h2 style="text-align: justify; ">History of NPD Regulation</h2>
<p dir="ltr" style="text-align: justify; ">In 2020, the Ministry of Electronics and Information Technology (‘MEITY’) constituted an expert committee (‘NPD Committee’) to study various issues relating to NPD and to make suggestions on the regulation of non-personal data. The NPD Committee differentiated NPD into human and non-human NPD, based on the data’s origin. Human NPD would include all information that has been stripped of any personally identifiable information and non-human NPD meant any information that did not contain any personally identifiable information in the first place (eg. weather data). The final report of the NPD Committee is awaited but the Committee came out with a <a href="https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf">revised draft</a> of its recommendations in December 2020. In its December 2020 report, the NPD Committee proposed the creation of a National Data Protection Authority (‘NPDA’) as it felt this is a new and emerging area of regulation. Thereafter, the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (‘JPC’) came out with its <a href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf">version of the Data Protection Bill </a>where it amended the short title of the PDP Bill 2019 to Data Protection Bill, 2021 widening the ambit of the Bill to include all types of data. The JPC report focuses only on human NPD, noting that non-personal data is essentially derived from one of the three sets of data - personal data, sensitive personal data, critical personal data - which is either anonymized or is in some way converted into non-re-identifiable data.</p>
<p dir="ltr" style="text-align: justify; ">On February 21, 2022, the Ministry of Electronics and Information Technology (‘MEITY’) came out with the <a href="https://www.meity.gov.in/content/draft-india-data-accessibility-use-policy-2022">Draft India Data Accessibility and Use Policy, 2022</a> (‘Draft Policy’). The Draft Policy was strongly criticised mainly due to its aims to monetise data through its sale and licensing to body corporates. The Draft Policy had stated that anonymised and non-personal data collected by the State that has “<a href="https://www.medianama.com/2022/06/223-new-data-governance-policy-privacy/">undergone value addition</a>” could be sold for an “appropriate price”. During the Draft Policy’s consultation process, it had been withdrawn several times and then finally removed from the website.<a href="https://www.meity.gov.in/writereaddata/files/Draft%20India%20Data%20Accessibility%20and%20Use%20Policy_0.pdf"> The National Data Governance Framework Policy</a> (‘NDGF Policy’) is a successor to this Draft Policy. There is a change in the language put forth in the NDGF Policy from the Draft Policy, where the latter mainly focused on monetary growth. The new NDGF Policy aims to regulate anonymised non-personal data (‘NPD’) kept with governmental authorities and make it accessible for research and improving governance. It wishes to create an ‘India Datasets programme’ which will consist of the aforementioned datasets. While MEITY has opened the draft for public comments, is a need to spell out the procedure in some ways for stakeholders to draft recommendations for the NDGF policies in an informed manner. Through this piece, we discuss the NDGF Policy in terms of issues related to the absence of a comprehensive Data Protection Framework in India and the jurisdictional overlap of authorities under the NDGF Policy and DPB.</p>
<h2 dir="ltr" style="text-align: justify; ">What the National Data Governance Framework Policy Says</h2>
<p dir="ltr" style="text-align: justify; ">Presently in India, NPD is stored in a variety of governmental departments and bodies. It is difficult to access and use this stored data for governmental functions without modernising collection and management of governmental data. Through the NDGF Policy, the government aims to build an Indian data storehouse of anonymised non-personal datasets and make it accessible for both improving governance and encouraging research. It imagines the establishment of an Indian Data Office (‘IDO’) set up by MEITY , which shall be responsible for consolidating data access and sharing of non-personal data across the government. In addition, it also mandates a Data Management Unit for every Ministry/department that would work closely with the IDO. IDO will also be responsible for issuing protocols for sharing NPD. The policy further imagines an Indian Data Council (‘IDC’) whose function would be to define frameworks for important datasets, finalise data standards, and Metadata standards and also review the implementation of the policy. The NDGF Policy has provided a broad structure concerning the setting up of anonymisation standards, data retention policies, data quality, and data sharing toolkit. The NDGF Policy states that these standards shall be developed and notified by the IDO or MEITY or the Ministry in question and need to be adhered to by all entities.</p>
<h2 dir="ltr" style="text-align: justify; ">The Data Protection Framework in India</h2>
<p dir="ltr" style="text-align: justify; ">The report adopted by the JPC, felt that it is simpler to enact a single law and a single regulator to oversee all the data that originates from any data principal and is in the custody of any data fiduciary. According to the JPC, the draft Bill deals with various kinds of data at various levels of security. The JPC also recommended that since the Data Protection Bill (‘DPB’) will handle both personal and non-personal data, any further policy / legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation. The draft DPB states that what is to be done with the NDP shall be decided by the government from time to time according to its policy. As such, neither the DPB, 2021 nor the NDGF Policy go into details of regulating NPD but only provide a broad structure of facilitating free-flow of NPD, without taking into account the <a href="https://cis-india.org/internet-governance/cis-comments-revised-npd-report/view">specific concerns</a> that have been raised since the NPD committee came out with its draft report on regulating NPD dated December 2020.</p>
<h2 dir="ltr" style="text-align: justify; ">Jurisdictional overlaps among authorities and other concerns</h2>
<p dir="ltr" style="text-align: justify; ">Under the NDGF policy, all guidelines and rules shall be published by a body known as the Indian Data Management Office (‘IDMO’). The IDMO is set to function under the MEITY and work with the Central government, state governments and other stakeholders to set standards. Currently, there is no sign of when the DPB will be passed as law. According to the JPC, the reason for including NPD within the DPB was because of the impossibility to differentiate between PD and NPD. There are also certain overlaps between the DPB and the NDGF which are not discussed by the NDGF. NDGF does not discuss the overlap between the IDMO and Data Protection Authority (‘DPA’) established under the DPB 2021.</p>
<p dir="ltr" style="text-align: justify; ">Under the DPB, the DPA is tasked with specifying codes of practice under clause 49. On the other hand, the NDGF has imagined the setting up of IDO, IDMO, and the IDC, which shall be responsible for issuing codes of practice such as data retention, and data anonymisation, and data quality standards. As such, there appears to be some overlap in the functions of the to-be-constituted DPA and the NDGF Policy.</p>
<p dir="ltr" style="text-align: justify; ">Furthermore, while the NDGF Policy aims to promote openness with respect to government data, there is a conflict with <a href="https://opengovdata.org/">open government data (‘OGD’) principle</a>s when there is a price attached to such data. OGD is data which is collected and processed by the government for free use, reuse and distribution. Any database created by the government must be publicly accessible to ensure compliance with the OGD principles.</p>
<h2 dir="ltr" style="text-align: justify; ">Conclusion</h2>
<p dir="ltr" style="text-align: justify; ">Streamlining datasets across different authorities is a huge challenge for the government and hence the NGDF policy in its current draft requires a lot of clarification. The government can take inspiration from the European Union which in 2018, came out with a principles-based approach coupled with self-regulation on the framework of the free flow of non-personal data. The <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52019DC0250&from=EN">guidance</a> on the free-flow of non-personal data defines non-personal data based on the origin of data - data which originally did not relate to any personal data (non-human NPD) and data which originated from personal data but was subsequently anonymised (human NPD). The <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52019DC0250&from=EN">regulation</a> further realises the reality of mixed data sets and regulates only the non-personal part of such datasets and where the datasets are inextricably linked, the GDPR would apply to such datasets. Moreover, any policy that seeks to govern the free flow of NPD ought to make it clear that in case of re-identification of anonymised data, such re-identified data would be considered personal data. The DPB, 2021 and the NGDF, both fail to take into account this difference.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/national-data-governance-framework-policy'>https://cis-india.org/internet-governance/blog/national-data-governance-framework-policy</a>
</p>
No publisherDigvijay Chaudhary and Anamika KunduOpen DataOpen Government DataInternet GovernancePrivacy2022-06-30T13:24:35ZBlog EntryDeployment of Digital Health Policies and Technologies: During Covid-19
https://cis-india.org/internet-governance/blog/deployment-of-digital-health-policies-and-technologies-during-covid-19
<b>In the last twenty years or so, the Indian government has adopted several digital mechanisms to deliver services to its citizens. </b>
<p style="text-align: justify; ">Digitisation of public services in India began with taxation, land record keeping, and passport details recording, but it was soon extended to cover most governmental services - with the latest being public health. The digitisation of healthcare system in India had begun prior to the pandemic. However, given the push digital health has received in recent years especially with an increase in the intensity of activity during the pandemic, we thought it is important to undertake a comprehensive study of India's digital health policies and implementation. The project report comprises a desk-based research review of the existing literature on digital health technologies in India and interviews with on-field healthcare professionals who are responsible for implementing technologies on the ground.</p>
<hr />
<p style="text-align: justify; ">The report by Privacy International and the Centre for Internet & Society can be <a href="https://cis-india.org/internet-governance/deployment-of-digital-health-policies-and-technologies" class="internal-link"><strong>accessed here</strong></a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/deployment-of-digital-health-policies-and-technologies-during-covid-19'>https://cis-india.org/internet-governance/blog/deployment-of-digital-health-policies-and-technologies-during-covid-19</a>
</p>
No publisherpallaviPrivacyDigitalisationDigital HealthDigital KnowledgeInternet GovernanceDigital MediaDigital TechnologiesDigitisation2022-07-21T14:49:56ZBlog EntrySurveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar
https://cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar
<b>Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.</b>
<p style="text-align: justify; ">In this report, we identify the different external actors that influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report <a href="https://cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa" class="internal-link">here</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar'>https://cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar</a>
</p>
No publisherShruti Trikanad and Vrinda BhandariSurveillanceAadhaarInternet GovernancePrivacy2022-08-09T08:17:32ZBlog EntryUnique Identity Number (UID), National Population Register (NPR), and Governance
https://cis-india.org/internet-governance/events/uid-and-npr
<b>The Centre for Internet and Society and the Say No to UID campaign invite you to a workshop to discuss and learn about the present state of the UID and the NPR schemes. The event will be held on Saturday, March 2, 2013, at TERI, Bangalore, from 10.30 a.m. to 2.00 p.m.</b>
<p><b>Among other questions, the workshop will address:<br /></b></p>
<ul>
<li>What is the UID and NPR?</li>
<li>How do the UID and NPR impact citizenship?</li>
<li>Will NPR and UID schemes transform governance? </li>
<li>Why and how is national security linked with UID / NPR?</li>
<li>What is the relationship between UID and Big Data?</li>
</ul>
<ol></ol>
<p style="text-align: left; "><b>Speakers:</b></p>
<ul>
<li>Usha Ramanathan<i>, Independent Law Researcher and Human Rights Activist</i></li>
<li>Anant Maringanti<i>, Hyderabad</i><i> Urban Labs & Right to the City Foundation</i></li>
<li>Kaveri R<i>, Researcher, CES, IISc</i></li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/uid-and-npr'>https://cis-india.org/internet-governance/events/uid-and-npr</a>
</p>
No publisherpraskrishnaEventInternet GovernancePrivacy2013-03-01T04:32:06ZEventElectoral Databases – Privacy and Security Concerns
https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns
<b>In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.</b>
<p></p>
<p> </p>
<p style="text-align: justify; ">The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.<a href="#_edn1" name="_ednref1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> After due consideration, the ECI has decided to drop the plan.<a href="#_edn2" name="_ednref2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a></p>
<p style="text-align: justify; ">The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.</p>
<p style="text-align: justify; "><b>Publication of Electoral Rolls</b><br />The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.</p>
<p style="text-align: justify; ">The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document<a href="#_edn3" name="_ednref3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> given that the roll is published and can be circulated on the direction of the ECI.</p>
<p style="text-align: justify; ">With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.<a href="#_edn4" name="_ednref4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> In addition to that, the electoral rolls for the entire country are available on the ECI website.<a href="#_edn5" name="_ednref5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.<a href="#_edn6" name="_ednref6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a></p>
<p style="text-align: justify; "><b>Security Concerns</b><br />The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.</p>
<p style="text-align: justify; ">In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “<i>With Great Computing Power Comes Great Surveillance”</i><a href="#_edn7" name="_ednref7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain</p>
<p style="text-align: justify; ">For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.</p>
<p style="text-align: justify; "><b>Current IT Laws does not mandate the protection of the electoral database</b><br />A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”<a href="#_edn8" name="_ednref8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> However, the appropriate Government has not notified the electoral database as a protected system<a href="#_edn9" name="_ednref9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a>. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.</p>
<p style="text-align: justify; ">The Information Technology Rules (IT Rules) are also not applicable to electoral databases, <i>per se</i>. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (<i>hereinafter </i>Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”<a href="#_edn10" name="_ednref10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> and should arguably be made subject to the Rules.</p>
<p style="text-align: justify; ">The intent of the ECI for hosting the entire country’s electoral database online <i>inter alia</i> is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”<a href="#_edn11" name="_ednref11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.</p>
<p style="text-align: justify; ">The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.</p>
<p style="text-align: justify; ">It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.</p>
<div>
<hr align="left" size="1" width="100%" />
<div id="edn1">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref1" name="_edn1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at <a class="external-link" href="http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss">http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss</a></p>
</div>
<div id="edn2">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref2" name="_edn2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
<div id="edn3">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref3" name="_edn3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> Section 74, Indian Evidence Act, 1872</p>
</div>
<div id="edn4">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref4" name="_edn4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/the_function.aspx">eci.nic.in/eci_main1/the_function.aspx</a></p>
</div>
<div id="edn5">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref5" name="_edn5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx">http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx</a></p>
</div>
<div id="edn6">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref6" name="_edn6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a> “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at e<a class="external-link" href="http://eci.nic.in/eci_main/eroll&epic/ins06012010.pdf">ci.nic.in/eci_main/eroll&epic/ins06012010.pdf</a><span dir="RTL"></span></p>
</div>
<div id="edn7">
<p class="MsoEndnoteText"><a href="#_ednref7" name="_edn7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a><a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf"><span><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"> </span></span></span>http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/</a></p>
</div>
<div id="edn8">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref8" name="_edn8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> Section 70, Information Technology Act, 2000</p>
</div>
<div id="edn9">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref9" name="_edn9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure</p>
</div>
<div id="edn10">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref10" name="_edn10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
</div>
<div id="edn11">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref11" name="_edn11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns'>https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns</a>
</p>
No publishersnehashishDigital GovernancePrivacyCybersecurityData ProtectionInternet GovernanceSafetyInformation TechnologyCyber SecuritySecuritye-GovernanceTransparency, PoliticsE-Governance2014-01-16T11:07:21ZBlog EntryA judicial overreach into matters of regulation
https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation
<b>A PIL on Aadhaar sheds light on some problematic trends</b>
<p style="text-align: justify; ">The article by Gurshabad Grover was <a class="external-link" href="https://www.thehindu.com/opinion/op-ed/a-judicial-overreach-into-matters-of-regulation/article29262148.ece">published in the Hindu</a> on August 27, 2019.</p>
<hr />
<p style="text-align: justify; ">The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.</p>
<p style="text-align: justify; ">The first issue is how the courts, as Anuj Bhuwania has argued in the book <em>Courting the People</em>, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?</p>
<p style="text-align: justify; ">After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.</p>
<h2 style="text-align: justify; ">Government’s support</h2>
<p style="text-align: justify; ">Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.</p>
<p style="text-align: justify; ">Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.</p>
<h2 style="text-align: justify; ">Problems of investigation</h2>
<p style="text-align: justify; ">That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues have not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.</p>
<p style="text-align: justify; ">To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.</p>
<p style="text-align: justify; "><span>(</span><em>Disclosure: The CIS is a recipient of research grants from Facebook.</em><span>)</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation'>https://cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation</a>
</p>
No publishergurshabadAadhaarInternet GovernancePrivacy2019-08-28T01:28:52ZBlog EntryWhat Centre will tell Supreme Court on Aadhaar and social media account linkage
https://cis-india.org/internet-governance/news/hindustan-times-august-28-2019-amrita-madhukalya-what-centre-will-tell-sc-on-aadhaar-and-social-media-account-linkage
<b>The top court had held in the Aadhaar case that the government can make the linking of the 12-digit-number mandatory only in the case of availing subsidies and welfare benefits. Consequently, Section 57 of the Aadhaar Act was struck down.</b>
<p style="text-align: justify; ">The article by Amrita Madhukalya was published in <a class="external-link" href="https://www.hindustantimes.com/india-news/what-centre-will-tell-supreme-court-on-aadhaar-and-social-media-account-linkage/story-KSnf1PHpsTboHQh6sk7VxK.html">Hindustan Times</a> on August 28, 2019. Gurshabad Grover was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The Centre will refer to the Aadhaar Act and the Supreme Court’s 2017 privacy judgement when it is directed by the top court to put forward its view on whether the unique identification number should be made mandatory in opening and managing accounts on Facebook, Twitter, WhatsApp and other social media platforms.</p>
<p style="text-align: justify; ">“While we are yet to receive a notice from the SC asking for our reply, the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, and the apex court’s 2017 judgement upholding the Right to Privacy will guide us in drafting a response,” a senior official of the ministry of electronics and information technology, who did not wish to be named, said.</p>
<p style="text-align: justify; ">The top court had held in the Aadhaar case that the government can make the linking of the 12-digit-number mandatory only in the case of availing subsidies and welfare benefits. Consequently, Section 57 of the Aadhaar Act was struck down.</p>
<p style="text-align: justify; ">As a division bench of Madras High Court continues to hear two writ petitions on whether social media profiles should be linked to Aadhaar so that users in cases where pornographic material, fake news and communal content is posted on these sites can be traced, Facebook had simultaneously filed a plea to transfer all similar cases in the high courts of Madras, Bombay as well as Madhya Pradesh. The top court will hear the matter on September 13.</p>
<p style="text-align: justify; ">During its hearings, Madras High Court made it clear that it will not rule on Aadhaar-linking and the case will concentrate on traceability now. As of now, only one of the transfer petitions, the one in Jabalpur, deals with Aadhaar linking.</p>
<p style="text-align: justify; ">Meanwhile, the top court has already asked social media companies for their stand on the matter. Senior lawyers Mukul Rohatgi and Kapil Sibal, who have been representing Facebook and WhatsApp respectively in Madras High Court case, have already said that as both the companies are headquartered outside of India, with operations in dozens of countries, the high court’s judgement will have ramifications globally.</p>
<p style="text-align: justify; ">Both Twitter and Google declined to comment on the matter, as the matter is sub-judice, while Facebook was not available.</p>
<p style="text-align: justify; ">However, in March this year, Facebook CEO Mark Zuckerberg said that privacy, encryption and secure data storage were some of these principles while unveiling the company’s “vision and principles” in building a “privacy-focused” social platform.</p>
<p style="text-align: justify; ">Wherein people can have “clear control over who can communicate with them and confidence that no one else can access what they share”, such communication could be secure with end-to-end encryption, and Facebook will not store sensitive data in countries with “weak records on human rights”.</p>
<p style="text-align: justify; ">Gurshabad Grover of the Centre for Internet Security says he welcomes the Centre’s stand but adds that the petition should not have been allowed by the Madras High Court in the first place.</p>
<p style="text-align: justify; ">“The case is now deliberating on policy, which is the responsibility of the government. This goes against the basis of separation of power,” he says.</p>
<p style="text-align: justify; ">The Centre is dealing with issues surrounding traceability through the Intermediaries Guidelines, which is due in the next few weeks.</p>
<p style="text-align: justify; ">The solution, Grover says, lies in diplomatic negotiations.</p>
<p style="text-align: justify; ">“Instruments like the US’ Clarifying Lawful Overseas Use of Data Act can come in handy if India can fight for better executive agreements there, provided we have data protection laws in line with human rights standards,” he said.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/hindustan-times-august-28-2019-amrita-madhukalya-what-centre-will-tell-sc-on-aadhaar-and-social-media-account-linkage'>https://cis-india.org/internet-governance/news/hindustan-times-august-28-2019-amrita-madhukalya-what-centre-will-tell-sc-on-aadhaar-and-social-media-account-linkage</a>
</p>
No publisherAmrita MadhukalyaInternet GovernancePrivacy2019-09-02T04:28:45ZNews ItemSubmission to Global Commission on Stability of Cyberspace on the definition of Cyber Stability
https://cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-september-9-2019-submission-to-global-commission-on-stability-of-cyberspace
<b>"The Global Commission on the Stability of Cyberspace released a public consultation process that sought to solicit comments and obtain feedback on the definition of “Stability of Cyberspace”, as developed by the Global Commission on the Stability of Cyberspace (GCSC).</b>
<p style="text-align: justify;">The definition of cyberspace the GCSC provided was :</p>
<p style="text-align: justify;"><em>Stability of cyberspace is the condition where individuals and institutions can be reasonably confident in their ability to use cyberspace safely and securely, where the availability and integrity of services in cyberspace is generally assured, where change is managed in relative peace, and where tensions are resolved in a peaceful manner.</em></p>
<p style="text-align: justify;" class="moz-quote-pre">CIS gave detailed commentary on the definitions [attached] and suggested a new definition of cyber stability documented below:</p>
<p style="text-align: justify;" class="moz-quote-pre">Stability of cyberspace is the objective where individuals, i<strong>nstitutions and communities </strong>are confident in the safety and security of cyberspace; the <strong>accessibility,</strong>availability and integrity of services in cyberspace can be relied upon and where change is managed and tensions ranging from <strong>external interference in sovereign processes to the use of force in cyberspace </strong>are resolved peacefully in <strong>line with the tenets of International Law,specifically the principles of the UN Charter and universally recognised human rights.</strong></p>
<p style="text-align: justify;" class="moz-quote-pre"><strong>Cyber stability can only be fostered if key stakeholders in cyberspace conform to a due diligence obligation of not undertaking and preventing actions that may prevent cyber stability. The end goal of cyber stability must minimize or eliminate immaterial or peripheral incentives while preserving and potentially legitimizing those cyber offensive operations that can further effective deterrence and thereby foster stability, while also minimising any collateral damage to civilian life or property.</strong></p>
<p style="text-align: justify;" class="moz-quote-pre"><a class="external-link" href="https://cis-india.org/internet-governance/files/gcsc-response">Click to view the detailed submission here</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-september-9-2019-submission-to-global-commission-on-stability-of-cyberspace'>https://cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-september-9-2019-submission-to-global-commission-on-stability-of-cyberspace</a>
</p>
No publisherArindrajit Basu and Elonnai HickokInternet GovernancePrivacy2019-09-11T14:52:25ZBlog Entry