The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 1 to 15.
AI in India a Policy Agenda
https://cis-india.org/internet-governance/files/ai-in-india-a-policy-agenda
No publisher | elonnai | 2018-09-05T15:26:08Z | File
Analysis of CLOUD Act and Implications for India
https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india
No publisher | elonnai | 2018-08-22T14:53:50Z | File
Short-term Consultant (IETF)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf
<b>The Centre for Internet & Society is seeking an individual with a strong understanding of IETF standards to work with us on writing 7 Human Rights Considerations for Internet standards and active drafts that are relevant to public interest. Additionally, the individual will help develop a longer term work-plan, expertise and approach for engagement in the IETF.</b>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples or other examples of technical work and CV</p>
<p dir="ltr">Contact: sunil@cis-india.org</p>
No publisher | elonnai | Jobs, Internet Governance | 2018-04-21T15:44:49Z | Page
Short-term Consultant (Cyber Security)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security
<b>The Centre for Internet & Society is seeking an individual with strong understanding of cyber security to contribute research to its cyber security research under its Internet Governance programme.</b>
<p style="text-align: justify; ">Research topics include economic incentives for cyber security, cross border sharing of data, India’s cyber security framework, and cybersecurity dimensions of e-governance.</p>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples and CV</p>
<p dir="ltr">Contact: <a href="mailto:elonnai@cis-india.org">elonnai@cis-india.org</a></p>
No publisher | elonnai | Internet Governance | 2018-04-20T01:27:36Z | Page
AI in Governance
https://cis-india.org/internet-governance/files/ai-in-governance
No publisher | elonnai | 2018-04-17T14:00:46Z | File
Another Step towards Privacy Law
https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection
<b>A comparison between the 2012 experts’ report and the 2017 white paper on data protection.</b>
<p><span style="text-align: justify; ">The column was published in </span><a class="external-link" href="http://www.governancenow.com/views/columns/another-step-towards-privacy-law-data-protection" style="text-align: justify; ">Governance Now</a><span style="text-align: justify; "> in the January 15, 2018 issue.</span></p>
<hr />
<table class="plain">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/PrivacyLaw.png/@@images/e6aec54f-c20a-4f80-8dfe-b5e48e585ee0.png" style="text-align: justify; " title="Privacy Law" class="image-inline" alt="Privacy Law" /></th>
</tr>
<tr>
<td>(Illustration: Ashish Asthana)</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">On July 31 the ministry of electronics and information technology (MeitY) constituted a committee of experts, headed by justice (retired) BN Srikrishna, to deliberate on a data protection framework for India. The committee is another step in India’s journey in formulating a national-level privacy legislation.</p>
<p id="_mcePaste" style="text-align: justify; ">The formulation of a privacy law started as early as 2010 with an approach paper for a legislation on privacy towards envisioning a privacy framework for India. In 2011, a bill on right to privacy was drafted. In 2012 the planning commission constituted a group of experts, with justice (retired) AP Shah as its chief, which prepared a report recommending a privacy framework.</p>
<p id="_mcePaste" style="text-align: justify; ">A month after the formation of the committee, in August, the sectoral regulator, Telecom Regulatory Authority of India (TRAI), released the consultation paper, ‘Privacy, Security and Ownership of the Data in the Telecom Sector’. In the same month, the supreme court in a landmark decision recognised privacy as a fundamental right.</p>
<p id="_mcePaste" style="text-align: justify; ">In November 2017, the expert group released a ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ to solicit public comments on the contours of a data protection law for India.</p>
<p id="_mcePaste" style="text-align: justify; ">To understand the evolution of the thinking around a privacy framework for India, this article outlines and analyses common themes and differences between (a) the 2012 group of experts’ report, and (b) the 2017 expert committee’s white paper.</p>
<p style="text-align: justify; "><span>The white paper seeks to gather inputs from the public on key issues towards the development of a data protection law for India. The paper places itself in the context of the NDA government’s Digital India initiative, the justice Shah committee report, and the judicial developments on the right to privacy in India. It is divided into three substantive parts: (1) scope and exemptions, (2) grounds of processing, obligation and entities, individual rights, and (3) regulation and enforcement. Each part is comprised of deep dives into key issues, international practices, preliminary views of the committee, and questions for public consultation.</span></p>
<p style="text-align: justify; ">Broadly, the 2012 report defined nine national-level privacy principles and recommended a co-regulatory framework that consisted of privacy commissioners, courts, self-regulating organisations, data controllers, and privacy officers at the organisational level. At the outset, the 2017 white paper is different from that report simply by the fact that it is a consultation paper soliciting views as compared to a report that recommends a broad privacy framework for India. In doing so, the white paper explores a broader set of issues than those discussed in the justice Shah report – ranging from the implications of emerging technologies on the relevance of traditional privacy principles, data localisation, child’s consent, individual participation rights, the right to be forgotten, cross-border flow of data, breach notification etc. Given that the white paper is a consultation paper, this article examines the provisional views shared in it alongside the recommendations of the 2012 report.</p>
<p style="text-align: justify; ">Key areas that both documents touch upon (though do not necessarily agree on) include:</p>
<h3 style="text-align: justify; ">Applicability</h3>
<p style="text-align: justify; ">The 2012 report of experts recommended a privacy legislation that extends the right to privacy to all persons in India, all data that is processed by a company or equipment located in India, and to data that originate in India.</p>
<p style="text-align: justify; ">Provisional views in the white paper reflect this position, but also offer that applicability could be in part determined by the legitimate interest of the state, carrying on a business or offering services or goods in India, and if, despite location, the entity is processing the personal data of Indian citizens. The provisional views also touch upon retrospective application of a data protection law and agree with the 2012 report by recommending that a law apply to private and public bodies. They also go a step further by recommending specific exemptions in application for well-defined categories of public or private entities.</p>
<h3 style="text-align: justify; ">Exceptions</h3>
<p style="text-align: justify; ">The experts’ report defined the following exceptions to the right to privacy: artistic and journalistic purposes, household purposes, historic and scientific research, and the Right to Information. Exceptions that must be weighed against the principles of proportionality, legality, and necessity in a democratic state included: national security, public order, disclosure in public <span>interest, prevention, detection, investigation, and prosecution of criminal offences, and protection of the individual or of the rights and freedoms of others.</span></p>
<p style="text-align: justify; ">Provisional views in the 2017 white paper broadly mirror the exemptions defined in the experts’ report, but do not weigh exceptions related to national security and public interest etc. against the principles of proportionality, legality, and necessity in a democratic state and instead explore a review mechanism for these exceptions.</p>
<h3 style="text-align: justify; ">Consent</h3>
<p style="text-align: justify; ">Provisional views in the white paper on consent note that aspects of consent should include that it is freely given, informed and specific and that standards for implied consent need to be evolved.</p>
<p style="text-align: justify; ">Though the 2012 experts’ report defined a principle for choice and consent, this principle did not define aspects of what would constitute valid consent, yet it did incorporate an opt-out mechanism.</p>
<h3 style="text-align: justify; ">Notice</h3>
<p style="text-align: justify; ">Provisional views in the white paper hold that notice is important in enabling consent and explore a number of mechanisms that can be implemented to effect meaningful notice such as codes of practice for designing notice, multilayered notices, assessing notices in privacy impact assessments, assigning ‘data trust scores’ based on their data use policy, and having a ‘consent dashboard’ to help individuals manage their consent across entities.</p>
<p style="text-align: justify; ">These views build upon and complement the principle of notice defined in the 2012 report which defined components of a privacy policy as well as other forms of notice including data breach (also addressed in the white paper) and legal access to personal information.</p>
<h3 style="text-align: justify; ">Purpose limitation/minimisation</h3>
<p style="text-align: justify; ">Provisional views in the white paper recognise the challenges that evolving technology is posing to the principle of purpose limitation and recommend that layered privacy policies and the standard of reasonableness can be used to contextualise this principle to actual purposes and uses.</p>
<p style="text-align: justify; ">Though the 2012 report defined a purpose limitation principle, the principle does not incorporate a standard of reasonableness or explore methods of implementation.</p>
<h3 style="text-align: justify; ">Data Retention and Quality</h3>
<p style="text-align: justify; ">Provisional views in the white paper suggest that the principles of data retention and data quality can be guided by the terms “reasonably and necessary” to ensure that they are not overly burdensome on industry.</p>
<p style="text-align: justify; ">The 2012 report of experts briefly touched on data retention in the principle of purpose limitation – holding that practices should be in compliance with the national privacy principles.</p>
<h3 style="text-align: justify; ">Right to Access</h3>
<p style="text-align: justify; ">Provisional views in the white paper recognise the importance of the rights to confirmation, access, and rectification of the individual’s personal information, but note that these are increasingly becoming harder to enforce with respect to data that is observed behavioral data and derived from habits. A suggested solution is to impose a fee on individuals for using these rights to deter frivolous requests.</p>
<p style="text-align: justify; ">Though the 2012 report defined a principle of access and correction it did not propose a fee for using this right and it included the caveat that if the access would affect the privacy rights of others, access may not be given by the data controller.</p>
<h3 style="text-align: justify; ">Enforcement Mechanisms</h3>
<p style="text-align: justify; ">Provisional views in the 2017 white paper broadly agree with the appropriateness of the model of co-regulation and development of codes of practice as suggested in the 2012 report. Within the system envisioned in the 2012 report of experts, self-regulating organisations at the <span>industry level will have the ability to develop industry specific norms and standards in compliance with the national privacy principles to be approved by the privacy commissioner.</span></p>
<h3 style="text-align: justify; ">Accountability</h3>
<p style="text-align: justify; ">The provisional views of the white paper go beyond the principle of accountability defined in the 2012 report by suggesting that data controllers should not only be held accountable for implementation of defined data protection standards, but in defined circumstances, also for harm that is caused to an individual.</p>
<h3 style="text-align: justify; ">Additional Obligations and Data Controllers</h3>
<p style="text-align: justify; ">Provisional views in the white paper suggest the following mechanisms as methods towards ensuring accountability of specific categories of data controllers: registration, data protection impact assessment, data audits, and data protection officers that are centres of accountability.</p>
<p style="text-align: justify; ">The 2012 experts’ report also envisioned impact assessments and investigations carried out by the privacy commissioner and the role of a data controller, but did not explore registration of these entities.</p>
<h3 style="text-align: justify; ">Authorities and Adjudication</h3>
<p style="text-align: justify; ">Both documents are in agreement on the need for a privacy commissioner/data protection authority and envision similar functions such as conducting privacy impact assessments, audits, investigation, and levying of fines. The white paper differs from the 2012 experts’ report in its view that the appellate tribunals under the IT Act and bodies like the National Consumer Disputes Redressal Commission could potentially be appropriate venues for adjudicating and resolving disputes.</p>
<p style="text-align: justify; ">The 2012 experts’ report recommended that complaints can be issued through an alternative dispute resolution mechanism, to central and regional level commissioners, or to the courts for remedies, while enforcement of penalties should involve district and high-level courts and the supreme court. The 2012 report specified that a distinct tribunal should not be created nor should existing tribunals be relied upon as there is the possibility that the institution will not have the capacity to rule on a broad right of privacy. Parties that can be held liable by individuals include data controllers, organisation directors, agency directors, and heads of governmental departments.</p>
<h3 style="text-align: justify; ">Penalty and Remedy</h3>
<p style="text-align: justify; ">The white paper goes much further in its thinking on penalties, remedies and compensation than the 2012 report of experts – discussing potential models for calculation of civil penalties including nature and extent of violation of the data protection obligation, nature of personal information involved, number of individuals affected, whether infringement was intentional or negligent, measures taken by the data controller to mitigate the damage, and previous track record of the data controller.</p>
<p style="text-align: justify; ">The white paper is a progressive and positive step towards formulating a data protection law for India that is effective and relevant nationally and internationally. It will be interesting to see the public response to it and the response of the committee to the inputs received from the consultation as well as how the final recommendations differ, build upon, and incorporate previous policy steps towards a comprehensive privacy framework for India.</p>
No publisher | elonnai | Internet Governance, Privacy | 2018-01-18T01:50:59Z | Blog Entry
Rethinking Privacy Principles
https://cis-india.org/internet-governance/files/rethinking-privacy-principles
No publisher | elonnai | 2017-09-11T02:17:02Z | File
Here’s why we need a lot more discussion on India’s new DNA Profiling Bill
https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill
<b>The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. </b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.hindustantimes.com/analysis/here-s-why-we-need-a-lot-more-discussion-on-india-s-new-dna-profiling-bill/story-CojTDv2vfMMMBsW0CaLxIP.html">Hindustan Times</a> on August 7, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The first step towards a DNA Profiling Bill was taken in 2007 with the ‘<a href="http://www.prsindia.org/uploads/media/draft/DNA_Bill.pdf">Draft DNA Profiling Bill</a>’ by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a <a href="http://www.prsindia.org/uploads/media/draft/DNA_Bill.pdf">2012</a>, <a href="http://www.prsindia.org/uploads/media/draft/Draft%20Human%20DNA%20Profiling%20Bill%202015.pdf">2015</a>, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an <a href="https://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">Expert Committee </a>to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission are a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns.</p>
<p style="text-align: justify; ">Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances for destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.</p>
<p style="text-align: justify; ">Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.</p>
<p style="text-align: justify; ">It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way into the text of the Bill.</p>
<p style="text-align: justify; ">The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.</p>
<p style="text-align: justify; ">As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.</p>
<p style="text-align: justify; ">Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, and instead towards protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.</p>
No publisher | elonnai | Internet Governance, Privacy | 2017-08-21T23:48:03Z | Blog Entry
High Level Comparison and Analysis of the Use and Regulation of DNA Based Technology Bill 2017
https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017
<b>This blog post seeks to provide a high level comparison of the 2017 and 2015 DNA Profiling Bill - calling out positive changes, remaining issues, and missing provisions. </b>
<p style="text-align: justify; ">In July 2017 the Law Commission published a report on DNA profiling and the <a href="http://lawcommissionofindia.nic.in/reports/Report271.pdf"><i>“Draft Use and Regulation of DNA Based Technology Bill 2017”</i></a>. India has been contemplating a draft DNA Profiling Bill since 2007. There have been two publicly available versions of the bill, <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">2012,</a> and <a href="http://www.prsindia.org/uploads/media/draft/Draft%20Human%20DNA%20Profiling%20Bill%202015.pdf">2015,</a> and one version in 2016. In 2013, the Department of Biotechnology formulated an <a href="https://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">Expert Committee </a>to discuss different aspects and issues raised regarding the Bill towards finalizing the text. The Centre for Internet and Society was a member of the Expert Committee, and in its conclusion, issued a note of <a href="https://cis-india.org/internet-governance/blog/dna-dissent">dissent to the Expert Committee for DNA Profiling</a>.</p>
<p style="text-align: justify; ">This post provides a high level overview of the Use and Regulation of DNA Based Technology Bill 2017 and calls out positive changes from the 2015 Bill, remaining issues, and missing provisions. The post also calls out if, and where, CIS's recommendations to the Expert Committee have been incorporated.</p>
<p style="text-align: justify; ">If enacted, the 2017 Bill will establish national and regional DNA data banks that will maintain five different types of indices: a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. The data banks will be led by a Director, responsible for communicating information with requesting entities, foreign states, and international organizations. Information relating to DNA profiles, DNA samples, and records maintained in a DNA laboratory can be made available in six instances: to law enforcement and investigating agencies, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for taking defence of an accused, for investigation of civil disputes, and other cases which might be specified by regulations. The Bill also defines offences related to unauthorized disclosure of information in the DNA data bank, obtaining information from DNA data banks without authorization, unlawful access to information in the DNA Data Bank, using DNA sample or result without authorization, and destroying, altering, contaminating, or tampering with biological evidence.</p>
<p style="text-align: justify; ">Below are some key positive changes from the 2015 Bill, remaining issues, and missing safeguards from the 2017 Bill:</p>
<p style="text-align: justify; "><b>Positive Changes: </b>The Bill contains a number of positive changes from the 2015 draft. Key ones include:</p>
<ol style="text-align: justify; ">
<li><b>Consent:</b> Section 21 prohibits the taking of samples from arrested persons without consent, except in the case of a specified offence - a specified offence being any offence punishable with death or imprisonment for a term exceeding seven years. If consent is refused, a magistrate can order the taking of the sample. This can be in the case of any matter listed in the Schedule of the Act. Section 22 provides for consent from volunteers. It is important to note that despite being an improvement from the 2015 Bill, which did not address instances of collection with or without consent, this provision is still broad as the list of offences under the Schedule is expansive and can be further expanded by the Central Government. Furthermore, the Magistrate can overrule a refusal of consent of the parent or guardian of a volunteer who is a minor, which does not provide adequate protection to children’s rights.</li>
<li><b>Deletion</b>: Section 31 defines instances for deletion of suspect profiles, under trial profiles, and all other profiles. Though a step in the right direction, as the 2015 Bill only addressed retention and deletion of the offenders index, this provision does not address the automatic removal of innocents.</li>
<li><b>Purpose limitation</b>: Section 33 limits the purpose of profiles in the DNA Data Bank to that of facilitating identification. This is a positive step from the 2015 Bill - which enabled use of DNA profiles for the creation and maintenance of a population statistics data bank. Section 34 also limits the purposes for which information relating to DNA profiles, samples, and records can be made available.</li>
<li><b>Destruction of samples:</b> Section 20 defines instances for destruction of DNA samples. Destruction of samples was not addressed in the 2015 Bill, and is an important protection as it prevents samples from being re-analyzed.</li>
<li><b>Comparison of profiles</b>: Section 29 clarifies that if the individual is not an offender or a suspect, their information will not be compared with DNA profiles in the offenders’ or suspects’ index. This creates an important distinction between types of indices held in the data bank and the purpose for the same, i.e. missing persons are not treated as potential offenders. In the 2015 Bill, profiles entered in the offenders or crime scene index could be compared by the DNA Data Bank Manager against all profiles contained in the DNA Data Bank.</li>
<li><b>Re-testing</b>: Section 24 allows for an accused person to request a re-examination of fresh bodily substances if it is believed the sample has been contaminated. The closest provision to this in the 2015 Bill was the creation of a post-conviction right for DNA profiling - which is now deleted. It is important to note that fresh samples can easily be obtained from individuals, but if contamination happens at a crime scene, it is much more difficult to obtain a fresh sample.</li>
<li><b>Limiting Indices and including a crime scene index</b>: The 2017 Bill limits the number of indices to five - a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. This is an improvement from the 2015 Bill which provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation. </li>
</ol>
<p style="text-align: justify; "><b>Remaining Issues: </b>There are some remaining issues in the 2017 Bill. Some of these include:</p>
<ol style="text-align: justify; ">
<li><b>Delegating and Expanding through Regulation:</b> The Bill delegates a number of procedures to regulation - many of which should be in the text of the Bill. For example: the format for receiving and storing DNA profiles, and additional criteria for entry, retention, and deletion of DNA profiles. Furthermore, a number of provisions allow for expansion through regulation. For example, the sources from which DNA can be collected can be expanded as specified by regulations. Further purposes for making DNA profiles available can be defined by regulation. Important procedures such as privacy and security safeguards are also left to regulation.</li>
<li><b>Broad Powers and Composition of the Board:</b> The Bill designates twenty one responsibilities to the Board. As pointed out in 1, many of these should be detailed in the text of the legislation. </li>
</ol>
<p style="text-align: justify; ">While serving on the Expert Committee, <a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view">CIS recommended</a> that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. This recommendation has not been incorporated.</p>
<p style="text-align: justify; ">Ideally, the Board should also include privacy experts, an expert in ethics, as well as civil society. Towards this, the Board should be comprised of separate Committees to address these different functions. There should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues.</p>
<p style="text-align: justify; "><b>As a positive note, the reduction of the size of the Board was agreed upon by </b><a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view"><b>the Expert Committee from 16 members (2012 Bill) to 11 members</b></a><b>. This recommendation has been incorporated. </b></p>
<p style="text-align: justify; ">CIS also provided <a href="http://cis-india.org/internet-governance/blog/dna-dissent">language regarding</a> how the Board could consult with the public: <i>The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities.</i> This language has not been fully incorporated.</p>
<ol style="text-align: justify; ">
<li><b>Lack of Authorization Procedure:</b> Though the Bill defines instances of when DNA information can be made available, it fails to establish or refer to an authorization process for making information available and the decision currently seems to rest with the DNA Bank Director.</li>
<li><b>Expansive Schedule:</b> The Bill creates a schedule containing a list of matters for DNA testing which includes whole acts and a range of civil disputes and matters that are broad and do not relate to criminal cases - most notably “issues relating to immigration or emigration and issues relating to establishment of individual identity.”</li>
<li><b>Unclear Data Stored:</b> Though the Bill clarifies the circumstance that the identity of the individual will be associated with a profile, it allows for “information of data based on DNA testing and records relating thereto” to be stored, yet it is unclear what information this would entail.</li>
<li><b>Lack of procedures for chain of custody:</b> Presently, the Bill defines quality assurance procedures for a sample that is already at the lab. There are no provisions defining a process for the examination of a crime scene and laying down standards for the chain of custody of a sample from the crime scene to a DNA laboratory. </li>
</ol>
<p style="text-align: justify; "><b>Missing Safeguards: </b></p>
<p style="text-align: justify; ">There are some safeguards that, if added, would strengthen the Bill and ensure rights to the individual:</p>
<ol style="text-align: justify; ">
<li><b>Notification to the individual:</b> There are no provisions that ensure that notification is given to an individual if his/her information is accessed or made available.</li>
<li><b>Right to challenge</b>: There are no provisions that give the individual the right to challenge the storage of their DNA.</li>
<li><b>Established profiling standard</b>: Though the Law Commission report refers to the 13 CODIS standard, the Bill does not mandate the use of the 13 CODIS profiling standard.</li>
<li><b>Reporting standard</b>: There are no standards for how matches or other information should be communicated from the DNA director to the authority or receiving entity including instances of partial matches.</li>
<li><b>Right to access and review:</b> There are no provisions that allow an individual to review his/her information contained in the regional or the national database.</li>
<li><b>Lack of costing:</b> There is no cost estimate in the report or a requirement for one to be carried out.</li>
<li><b>Study for the potential for false matches:</b> This must consider the size of the population and large family size, i.e. relatively large numbers of closely related people, and is particularly necessary given the size of a population as large as India's.</li>
</ol>
<p style="text-align: justify; "><b>Importantly</b>, in the DNA Expert Committee, CIS requested the Expert Committee that the Bill be brought in line with the nine national principles defined in the Report of Experts on Privacy led by Justice AP Shah. These include the principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability. These principles have not been fully incorporated.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017'>https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017</a>
</p>
No publisher | elonnai | Featured, Homepage, Internet Governance, Privacy | 2017-08-11T02:16:52Z | Blog Entry
Cybersecurity Compilation
https://cis-india.org/internet-governance/files/cyber-security-compilation.pdf
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/cyber-security-compilation.pdf'>https://cis-india.org/internet-governance/files/cyber-security-compilation.pdf</a>
</p>
No publisher | elonnai | 2017-06-18T13:15:49Z | File
Stand up for Digital Rights
https://cis-india.org/internet-governance/events/stand-up-for-digital-rights
<b>The Centre for Internet & Society (CIS) invites you to a discussion on a set of recommendations for Ethical Tech, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The event will be held at the CIS office in Bangalore on June 15, 2016 from 5 p.m. to 7 p.m.</b>
<p style="text-align: justify; ">The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of recommendations for Ethical Tech. This work is the culmination of a year-long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:</p>
<div id="_mcePaste">
<ul>
<li><span>General Human Rights Responsibilities and Private Online Intermediaries</span></li>
<li><span>Expanding Access</span></li>
<li><span>Net Neutrality</span></li>
<li><span>Content Moderation</span></li>
<li><span>Privacy</span></li>
<li><span>Transparency and Informed Consent</span></li>
<li><span>Responding to State Interferences</span></li>
</ul>
</div>
<p>We look forward to meeting you and making this forum for knowledge exchange a success.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/stand-up-for-digital-rights'>https://cis-india.org/internet-governance/events/stand-up-for-digital-rights</a>
</p>
No publisher | elonnai | Event, Internet Governance, Digital Rights | 2016-06-13T15:30:12Z | Event
GNI-Industry Dialogue Learning Session: Human Rights Impact Assessments and Due Diligence in the ICT sector
https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector
<b>Elonnai Hickok attended the meeting organized by Global Network Initiative on March 11, 2016 in Washington D.C.</b>
<p style="text-align: justify; ">The GNI welcomed its new observers from the Telecommunications Industry Dialogue by holding a learning session in conjunction with the GNI Board Meeting on March 10. This learning session aimed to increase understanding between the GNI and the ID by examining some of the common challenges that face ICT companies in the area of human rights due diligence and highlighting good practices. A second objective was to help the GNI develop a learning program and materials that will be useful for its members and draw on their expertise. Finally, this learning session informed the review of the GNI Implementation Guidelines that will take place during 2016.</p>
<p style="text-align: justify; ">The session took place according to the Chatham House Rule. Each short presentation was followed by a space for questions and answers.</p>
<ul>
<li>
<div style="text-align: justify; ">Human Rights Impact Assessments in the ICT sector – Michael Samway</div>
</li>
<li>
<div style="text-align: justify; ">The Human Rights Due Diligence Process at Nokia – Laura Okkonen</div>
</li>
<li>
<div style="text-align: justify; ">Yahoo’s approach to Human Rights Impact Assessments – Nicole Karlebach and Katie Shay</div>
</li>
<li>
<div style="text-align: justify; ">Orange’s challenges and approach to doing business in Africa – Yves Nissim</div>
</li>
<li>
<div style="text-align: justify; ">Microsoft’s human rights impacts and the warrant case – Steve Crown and Bernard Shen</div>
</li>
<li>
<div style="text-align: justify; ">TeliaSonera’s approach to withdrawing from Eurasia – Patrik Hiselius</div>
</li>
<li>
<div style="text-align: justify; ">Considerations for company due diligence on the ground – Kathleen Reen and Babette Ngene, Internews</div>
</li>
</ul>
<p>For discussion:</p>
<ul>
<li>What are some of the common challenges facing current GNI member companies and ID member companies?</li>
<li>What do we consider to be good practices that are applicable to all?</li>
<li>What lessons can be applied to the review of the GNI Implementation Guidelines that will take place during 2016?</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector'>https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2016-04-06T15:42:41Z | News Item
Policy Brief: Oversight Mechanisms for Surveillance
https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance
<p><a href="https://cis-india.org/internet-governance/blog/oversight-mechanisms-for-surveillance" class="internal-link"><b>Download the PDF </b></a></p>
<hr />
<h2 style="text-align: justify; ">Introduction</h2>
<p style="text-align: justify; ">Across jurisdictions, the need for effective and relevant oversight mechanisms (coupled with legislative safeguards) for state surveillance has been highlighted by civil society, academia, citizens and other key stakeholders.<a href="#fn1" name="fr1">[1]</a> A key part of oversight of state surveillance is accountability of intelligence agencies. This has been recognized at the international level. Indeed, the Organization for Economic Co-operation and Development, the United Nations, the Organization for Security and Cooperation in Europe, the Parliamentary Assembly of the Council of Europe, and the Inter-Parliamentary Union have all recognized that intelligence agencies need to be subject to democratic accountability.<a href="#fn2" name="fr2">[2]</a> Since 2013, the need for oversight has received particular attention in light of the information disclosed through the 'Snowden Revelations'.<a href="#fn3" name="fr3">[3]</a> Some countries such as the US, Canada, and the UK have regulatory mechanisms for the oversight of state surveillance and the intelligence community, while many other countries – India included – have piecemeal oversight mechanisms in place. The existence of regulatory mechanisms for state surveillance does not necessarily equate to effective oversight, and piecemeal mechanisms, depending on how they are implemented, could be more effective than comprehensive mechanisms. This policy brief seeks to explore the purpose of oversight mechanisms for state surveillance, different forms of mechanisms, and what makes a mechanism effective and comprehensive. The brief also reviews different oversight mechanisms from the US, UK, and Canada and provides recommendations for ways in which India can strengthen its present oversight mechanisms for state surveillance and the intelligence community.</p>
<h2 style="text-align: justify; ">What is the purpose and what are the different components of an oversight mechanism for State Surveillance?</h2>
<p style="text-align: justify; ">The International Principles on the Application of Human Rights to Communication Surveillance, developed through a global consultation with civil society groups, industry, and international experts, recommend that public oversight mechanisms for state surveillance should be established to ensure transparency and accountability of Communications Surveillance. To achieve this, mechanisms should have the authority to:</p>
<ul style="text-align: justify; ">
<li>Access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information;</li>
<li>Assess whether the State is making legitimate use of its lawful capabilities;</li>
<li>Evaluate whether the State has been comprehensively and accurately publishing information about the use and scope of Communications Surveillance techniques and powers in accordance with its Transparency obligations;</li>
<li>Publish periodic reports and other information relevant to Communications Surveillance;</li>
<li>Make public determinations as to the lawfulness of those actions, including the extent to which they comply with these Principles<a href="#fn4" name="fr4">[4] </a></li>
</ul>
<h2 style="text-align: justify; ">What can inform oversight mechanisms for state surveillance?</h2>
<p style="text-align: justify; ">The development of effective oversight mechanisms for state surveillance can be informed by a number of factors including:</p>
<ul style="text-align: justify; ">
<li>Rapidly changing technology – how can mechanisms adapt, account for, and evaluate perpetually changing intelligence capabilities?</li>
<li>Expanding surveillance powers – how can mechanisms evaluate and rationalize the use of expanding agency powers?</li>
<li style="text-align: justify; ">Tensions around secrecy, national interest, and individual rights – how can mechanisms respect, recognize, and uphold multiple competing interests and needs including an agency's need for secrecy, the government's need to protect national security, and citizens' need to have their constitutional and fundamental rights upheld?</li>
<li style="text-align: justify; ">The structure, purpose, and goals of specific intelligence agencies and circumstances – how can mechanisms be sensitive and attuned to the structure, purpose, and functions of differing intelligence agencies and circumstances? </li>
</ul>
<p style="text-align: justify; ">These factors lead to further questions around:</p>
<ul style="text-align: justify; ">
<li style="text-align: justify; ">The purpose of an oversight mechanism: Is an oversight mechanism meant to ensure effectiveness of an agency? Perform general reviews of agency performance? Supervise the actions of an agency? Hold an agency accountable for misconduct?</li>
<li>The structure of an oversight mechanism: Is it internal? External? A combination of both? How many oversight mechanisms should agencies be held accountable to?</li>
<li>The functions of an oversight mechanism: Is an oversight mechanism meant to inspect? Evaluate? Investigate? Report?</li>
<li style="text-align: justify; ">The powers of an oversight mechanism: What extent of access does an oversight mechanism need, and should it have, to the internal workings of security agencies and law enforcement to carry out due diligence? What extent of legal backing should an oversight mechanism have to hold agencies legally accountable?</li>
</ul>
<h2 style="text-align: justify; ">What oversight mechanisms for State Surveillance exist in India?</h2>
<p style="text-align: justify; ">In India the oversight 'ecosystem' for state surveillance is comprised of:</p>
<ol style="text-align: justify; ">
<li style="text-align: justify; "><b>Review committee</b>: Under the Indian Telegraph Act 1885 and the Rules issued thereunder (Rule 419A), a Central Review Committee that consists of the Cabinet Secretary, Secretary of Legal Affairs to the Government of India, Secretary of Department of Telecommunications to the Government of India is responsible for meeting on a bi-monthly basis and reviewing the legality of interception directions. The review committee has the power to revoke the directions and order the destruction of intercepted material.<a href="#fn5" name="fr5">[5]</a> This review committee is also responsible for evaluating interception, monitoring, and decryption orders issued under section 69 of the Information Technology Act 2000<a href="#fn6" name="fr6">[6]</a> and orders for the monitoring and collection of traffic data under section 69B of the Information Technology Act 2000.<a href="#fn7" name="fr7">[7]</a></li>
<li style="text-align: justify; "><b>Authorizing Authorities</b>: The Secretary in the Ministry of Home Affairs of the Central Government is responsible for authorizing requests for the interception, monitoring, and decryption of communications issued by central agencies.<a href="#fn8" name="fr8">[8]</a> The Secretary in charge of the Home Department is responsible for authorizing requests for the interception, monitoring, and decryption of communications from state level agencies and law enforcement.<a href="#fn9" name="fr9">[9]</a> The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is responsible for authorizing requests for the monitoring and collection of traffic data.<a href="#fn10" name="fr10">[10]</a> Any officer not below the rank of Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary in this behalf, may authorize the interception of communications in case of an emergency.<a href="#fn11" name="fr11">[11]</a> A Commissioner of Police, District Superintendent of Police or Magistrate may issue requests for stored data to any postal or telegraph authority.<a href="#fn12" name="fr12">[12]</a></li>
<li style="text-align: justify; "><b>Administrative authorities</b>: India does not have an oversight mechanism for intelligence agencies, but agencies do report to different authorities. For example: The Intelligence Bureau reports to the Home Minister, the Research and Analysis Wing is under the Cabinet Secretariat and reports to the Prime Minister, the Joint Intelligence Committee (JIC), National Technical Research Organisation (NTRO) and Aviation Research Centre (ARC) report to the National Security Adviser; and the National Security Council Secretariat, under the NSA, serves the National Security Council.<a href="#fn13" name="fr13">[13]</a></li>
</ol>
<p style="text-align: justify; ">It is important to note that though India has a Right to Information Act, most of the security agencies are exempt from the purview of the Act<a href="#fn14" name="fr14">[14]</a> as is disclosure of any information that falls under the purview of the Official Secrets Act 1923.<a href="#fn15" name="fr15">[15]</a> The Official Secrets Act does not provide a definition of an 'official secret' and instead protects information pertaining to national security, defence of the country, affecting friendly relations with foreign states, etc.<a href="#fn16" name="fr16">[16]</a> Information in India is designated as classified in accordance with the Manual of Departmental Security Instruction which is circulated by the Ministry of Home Affairs. According to the Public Records Rules 1997, “'classified records' means the files relating to the public records classified as top-secret, confidential and restricted in accordance with the procedure laid down in the Manual of Departmental Security Instruction circulated by the Ministry of Home affairs from time to time;”<a href="#fn17" name="fr17">[17]</a> Bi-annually officers evaluate and de-classify classified information and share the same with the national archives.<a href="#fn18" name="fr18">[18]</a> In response to questions raised in the Lok Sabha on the 5th of May 2015 regarding whether the Official Secrets Act, 1923 will be reviewed, the number of classified files stored with the Government under the Act, and whether the Government has any plans to declassify some of the files – the Ministry of Home Affairs clarified that a committee consisting of Secretaries of the Ministry of Home Affairs, the Department of Personnel and Training, and the Department of Legal Affairs has been established to examine the provisions of the Official Secrets Act, 1923 particularly in light of the Right to Information Act, 2005. The Ministry of Home Affairs also clarified that the classification and declassification of files is done by each Government Department as per the Manual of Departmental Security Instructions, 1994 and thus there is no 'central database of the total number of classified files'.<a href="#fn19" name="fr19">[19]</a></p>
<h3 style="text-align: justify; ">How can India's oversight mechanism for state surveillance be clarified?</h3>
<p style="text-align: justify; ">Though these mechanisms establish a basic framework for an oversight mechanism for state surveillance in India, there are aspects of this framework that could be clarified and there are ways in which the framework could be strengthened.</p>
<p style="text-align: justify; ">Aspects of the present review committee that could be clarified:</p>
<ol style="text-align: justify; ">
<li style="text-align: justify; ">Powers of the review committee: Beyond having the authority to declare that orders for interception, monitoring, decryption, and collection of traffic data are not within the scope of the law and order for destruction of any collected information – what powers does the review committee have? Does the committee have the power to compel agencies to produce additional or supporting evidence? Does the committee have the power to compel information from the authorizing authority?</li>
<li style="text-align: justify; ">Obligations of the review committee: The review committee is required to 'record its findings' as to whether the interception orders issued are in accordance with the law. Is there a standard set of questions/information that must be addressed by the committee when reviewing an order? Does the committee only review the content of the order or do they also review the implementation of the order? Beyond recording its findings, are there any additional reporting obligations that the review committee must fulfill?</li>
<li style="text-align: justify; ">Accountability of the review committee: Does the review committee answer to a higher authority? Do they have to submit their findings to other branches of the government – such as Parliament? Is there a mechanism to ensure that the review committee does indeed meet every two months and review all orders issued under the relevant sections of the Indian Telegraph Act 1885 and the Information Technology Act 2008?</li>
</ol>
<h2 style="text-align: justify; ">Proposed oversight mechanisms in India</h2>
<p style="text-align: justify; ">Oversight mechanisms can help with avoiding breaches of national security by ensuring efficiency and effectiveness in the functioning of security agencies. The need for the oversight of state surveillance is not new in India. In 1999 the Union Government constituted a Committee with the mandate of reviewing the events leading up to Pakistani aggression in Kargil and to recommend measures towards ensuring national security. Though the Kargil Committee was addressing surveillance from the perspective of gathering information on external forces, there are parallels in the lessons learned for state surveillance. Among other findings, in their Report the Committee found a number of limitations in the system for collection, reporting, collation, and assessment of intelligence. The Committee also found that there was a lack of oversight for the intelligence community in India – resulting in no mechanisms for tasking the agencies, monitoring their performance and overall functioning, and evaluating the quality of the work.</p>
<p style="text-align: justify; ">The Committee also noted that such a mechanism is a standard feature in jurisdictions across the world. The Committee emphasized this need from an economic perspective – that without oversight, the Government and the nation have no way of evaluating whether or not they are receiving value for their money. The Committee recommended a review of the intelligence system with the objective of solving such deficiencies.<a href="#fn20" name="fr20">[20]</a></p>
<p style="text-align: justify; ">In 2000 a Group of Ministers was established to review the security and intelligence apparatus of the country. In their report issued to the Prime Minister, the Group of Ministers recommended the establishment of an Intelligence Coordination Group for the purpose of providing oversight of intelligence agencies at the Central level. Specifically the Intelligence Coordination Group would be responsible for:</p>
<ul style="text-align: justify; ">
<li>Allocation of resources to the intelligence agencies</li>
<li>Consideration of annual reviews on the quality of inputs</li>
<li>Approve the annual tasking for intelligence collection</li>
<li>Oversee the functions of intelligence agencies</li>
<li>Examine national estimates and forecasts<a href="#fn21" name="fr21">[21] </a></li>
</ul>
<p style="text-align: justify; ">Past critiques of the Indian surveillance regime have included the fact that intelligence agencies do not come under the purview of any overseeing mechanism including Parliament, the Right to Information Act 2005, or the General Comptroller of India.</p>
<p style="text-align: justify; ">In 2011, Manish Tewari, who at the time was a Member of Parliament from Ludhiana, introduced the Private Member's Bill “The Intelligence Services (Powers and Regulation) Bill”, which proposed stand-alone statutory regulation of intelligence agencies. In doing so it sought to establish an oversight mechanism for intelligence agencies within and outside of India. The Bill was never introduced into Parliament.<a href="#fn22" name="fr22">[22]</a> Broadly, the Bill sought to establish: a National Intelligence and Security Oversight Committee which would oversee the functioning of intelligence agencies and would submit an annual report to the Prime Minister, a National Intelligence Tribunal for the purpose of investigating complaints against intelligence agencies, an Intelligence Ombudsman for overseeing and ensuring the efficient functioning of agencies, and a legislative framework regulating intelligence agencies.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Proposed policy in India has also explored the possibility of coupling surveillance regulation and oversight with private regulation and oversight. In 2011 the Right to Privacy Bill was drafted by the Department of Personnel and Training. The Bill proposed to establish a “Central Communication Interception Review Committee” for the purposes of reviewing orders for interception issued under the Telegraph Act. The Bill also sought to establish an authorization process for surveillance undertaken by following a person, through CCTVs, or other electronic means.<a href="#fn24" name="fr24">[24]</a> In contrast, the 2012 Report of the Group of Experts on Privacy, which provided recommendations for a privacy framework for India, recommended that the Privacy Commissioner should exercise broad oversight functions with respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material.<a href="#fn25" name="fr25">[25]</a></p>
<p style="text-align: justify; ">A 2012 report by the Institute for Defence Studies and Analyses titled “A Case for Intelligence Reforms in India” highlights at least four 'gaps' in intelligence that have resulted in breaches of national security including: zero intelligence, inadequate intelligence, inaccurate intelligence, and excessive intelligence – particularly in light of additional technical inputs and open source inputs.<a href="#fn26" name="fr26">[26]</a> In some cases, an oversight mechanism could help in remediating some of these gaps. Returning to the 2012 IDSA Report, the Report recommends the following steps towards an oversight mechanism for Indian intelligence:</p>
<ul style="text-align: justify; ">
<li>Establishing an Intelligence Coordination Group (ICG) that will exercise oversight functions for the intelligence community at the Central level. This could include overseeing functions of the agencies, quality of work, and finances. </li>
<li>Enacting legislation defining the mandates, functions, and duties of intelligence agencies.</li>
<li>Holding intelligence agencies accountable to the Comptroller & Auditor General to ensure financial accountability. </li>
<li>Establishing a Minister for National Security & Intelligence for exercising administrative authority over intelligence agencies. </li>
<li>Establishing a Parliamentary Accountability Committee for oversight of intelligence agencies through parliament. </li>
<li>Defining the extent to which intelligence agencies can be held accountable to reply to requests pertaining to violations of privacy and other human rights issued under the Right to Information Act.</li>
</ul>
<p style="text-align: justify; ">Highlighting the importance of accountable surveillance frameworks, in 2015 India's external affairs ministry director general Santosh Jha stated at the UN General Assembly that the global community needs “to create frameworks so that Internet surveillance practices motivated by security concerns are conducted within a truly transparent and accountable framework.”<a href="#fn27" name="fr27">[27]</a></p>
<h2 style="text-align: justify; ">In what ways can India's mechanisms for state surveillance be strengthened?</h2>
<p style="text-align: justify; ">Building upon the recommendations from the Kargil Committee, the Report from the Group of Ministers, the Report of the Group of Experts on Privacy, the Draft Privacy Bill 2011, and the IDSA report, ways in which the framework for oversight of state surveillance in India could be strengthened include:</p>
<ul style="text-align: justify; ">
<li style="text-align: justify; ">Oversight to enhance public understanding, debate, accountability, and democratic governance: State surveillance is unique in that it is enabled with the objective of protecting a nation's security. Yet, to do so it requires citizens of a nation to trust the actions taken by intelligence agencies and to allow for possible access into their personal lives and possible activities that might infringe on their constitutional rights (such as freedom of expression) for a larger outcome of security. Because of this, oversight mechanisms for state surveillance must balance securing national security while submitting itself to some form of accountability to the public.</li>
<li style="text-align: justify; ">Independence of oversight mechanisms: Given the Indian context, it is particularly important that an oversight mechanism for surveillance powers and the intelligence community is capable of addressing and being independent from political interference. Indeed, the majority of cases regarding illegal interceptions that have reached the public sphere pertain to the surveillance of political figures and political turf wars.<a href="#fn28" name="fr28">[28] </a>Furthermore, though the current Review Committee established in the Indian Telegraph Act does not have a member from the Ministry of Home Affairs (the Ministry responsible for authorizing interception requests), it is unclear how independent this committee is from the authorizing Ministry. To ensure non-biased oversight, it is important that oversight mechanisms are independent.</li>
<li style="text-align: justify; ">Legislative regulation of intelligence agencies: Currently, intelligence agencies are provided surveillance powers through the Information Technology Act and the Telegraph Act, but beyond the National Intelligence Agency Act which establishes the National Intelligence Agency, there is no legal mechanism creating, regulating and overseeing intelligence agencies using these powers. In the 'surveillance ecosystem' this creates a policy vacuum, where an agency is enabled through law with a surveillance power and provided a procedure to follow, but is not held legally accountable for the effective, ethical, and legal use of the power. To ensure legal accountability of the use of surveillance techniques, it is important that intelligence agencies are created through legislation that includes oversight provisions.</li>
<li style="text-align: justify; ">Comprehensive oversight of all intrusive measures: Currently the Review Committee established under the Telegraph Act is responsible for the evaluation of orders for the interception, monitoring, decryption, and collection of traffic data. The Review Committee is not responsible for reviewing the implementation or effectiveness of such orders and is not responsible for reviewing orders for access to stored information or other forms of electronic surveillance. This situation is a result of (1) present oversight mechanisms not having comprehensive mandates, (2) different laws in India enabling different levels of access and not providing a harmonized oversight mechanism, and (3) Indian law not formally addressing and regulating emerging surveillance technologies and techniques. To ensure effectiveness, it is important for oversight mechanisms to be comprehensive in mandate and scope.</li>
<li style="text-align: justify; ">Establishment of a tribunal or redress mechanism: India currently does not have a specified means for individuals to seek redress for unlawful surveillance or surveillance that they feel has violated their rights. Thus, individuals must take any complaint to the courts. The downsides of such a system include the fact that the judiciary might not be able to make determinations regarding the violation, the court system in India is overwhelmed and thus due process is slow, and given the sensitive nature of the topic – courts might not have the ability to immediately access relevant documentation. To ensure redress, it is important that a tribunal or a redress mechanism with appropriate powers is established to address complaints or violations pertaining to surveillance.</li>
<li style="text-align: justify; ">Annual reporting by security agencies, law enforcement, and service providers: Information regarding orders for surveillance and the implementation of the same is not disclosed by the government or by service providers in India.<a href="#fn29" name="fr29">[29] </a> Indeed, service providers by law are required to maintain the confidentiality of orders for the interception, monitoring, or decryption of communications and monitoring or collection of traffic data. At the minimum, an oversight mechanism should receive annual reports from security agencies, law enforcement, and service providers with respect to the surveillance undertaken. Edited versions of these Reports could be shared with Parliament and the public.</li>
<li style="text-align: justify; ">Consistent and mandatory reviews of relevant legislation: Though committees have been established to review various legislation and policy pertaining to state surveillance, the time frame for these reviews is not clearly defined by law. These reviews should take place on a consistent and publicly stated time frame. Furthermore, legislation enabling surveillance in India does not require review and assessment for relevance, adequacy, necessity, and proportionality after a certain period of time. Mandating that legislation regulating surveillance is subject to review on a consistent basis is important in ensuring that the provisions are relevant, proportionate, adequate, and necessary. </li>
<li style="text-align: justify; ">Transparency of classification and declassification process and centralization of de-classified records: Currently, the Ministry of Home Affairs establishes the process that government departments must follow for classifying and de-classifying information. This process is not publicly available and de-classified information is stored only with the respective department. For transparency purposes, it is important that the process for classification of records be made public and the practice of classification of information take place in exceptional cases. Furthermore, de-classified records should be stored centrally and made easily accessible to the public. </li>
<li style="text-align: justify; ">Executive and administrative orders regarding establishing of agencies and surveillance projects should be in the public domain: Intelligence agencies and surveillance projects in India are typically enabled through executive orders. For example, NATGRID was established via an executive order, but this order is not publicly available. As a form of transparency and accountability to the public, it is important that if executive orders establish an agency or a surveillance project, these are made available to the public to the extent possible.</li>
<li style="text-align: justify; ">Oversight of surveillance should incorporate privacy and cyber/national security: Increasingly issues of surveillance, privacy, and cyber security are interlinked. Any move to establish an oversight mechanism for surveillance and the intelligence committee must incorporate and take into consideration privacy and cyber security. This could mean that an oversight mechanism for surveillance in India works closely with CERT-IN and a potential privacy commissioner or that the oversight mechanism contains internal expertise in these areas to ensure that they are adequately considered. </li>
<li style="text-align: justify; ">Oversight by design: Just like the concept of privacy by design promotes the ideal that principles of privacy are built into devices, processes, services, organizations, and regulation from the outset – oversight mechanisms for state surveillance should also be built in from the outset of surveillance projects and enabling legislation. In the past, this has not been the practice in India – the National Intelligence Grid was an intelligence system that sought to link twenty one databases together – making such information easily and readily accessible to security agencies – but the oversight of such a system was never defined.<a href="#fn30" name="fr30">[30]</a> Similarly, the Centralized Monitoring System was conceptualized to automate and internalize the process of intercepting communications by allowing security agencies to intercept communications directly and bypass the service provider.<a href="#fn31" name="fr31">[31]</a> Despite amending the Telecom Licenses to provide for the technical components of this project, oversight of the project or of security agencies directly accessing information has yet to be defined.<a href="#fn32" name="fr32">[32] </a></li>
</ul>
<h2 style="text-align: justify; ">Examples of oversight mechanisms for State Surveillance: US, UK, and Canada</h2>
<h3 style="text-align: justify; ">United States</h3>
<p style="text-align: justify; ">In the United States the oversight 'ecosystem' for state surveillance is made up of:</p>
<p style="text-align: justify; "><b>The Foreign Intelligence Surveillance Court</b></p>
<p style="text-align: justify; ">The U.S Foreign Intelligence Surveillance Court (FISA) is the predominant oversight mechanism for state surveillance and oversees and authorizes the actions of the Federal Bureau of Investigation and the National Security Agency.<a href="#fn33" name="fr33">[33]</a> The court was established by the enactment of the Foreign Intelligence Surveillance Act 1978 and is governed by Rules of Procedure, the current Rules being formulated in 2010.<a href="#fn34" name="fr34">[34] </a>The Court is empowered to ensure compliance with the orders that it issues and the government is obligated to inform the Court if orders are breached.<a href="#fn35" name="fr35">[35] </a>FISA allows for individuals who receive an order from the Court to challenge the same,<a href="#fn36" name="fr36">[36] </a>and public filings are available on the Court's website.<a href="#fn37" name="fr37">[37] </a>Additionally, organizations, including the American Civil Liberties Union<a href="#fn38" name="fr38">[38] </a>and the Electronic Frontier Foundation, have filed motions with the Court for release of records.<a href="#fn39" name="fr39">[39] </a>Similarly, Google has approached the Court for the ability to publish aggregate information regarding FISA orders that the company receives.<a href="#fn40" name="fr40">[40] </a></p>
<p style="text-align: justify; "><b>Government Accountability Office </b></p>
<p style="text-align: justify; ">The U.S Government Accountability Office (GAO) is an independent office that works for Congress and conducts audits, investigates, provides recommendations, and issues legal decisions and opinions with regard to the spending of taxpayers' money by the federal government and associated agencies including the Defence Department, the FBI, and Homeland Security.<a href="#fn41" name="fr41">[41] </a>The head of the GAO is the Comptroller General of the United States and is appointed by the President. The GAO will initiate an investigation if requested by congressional committees or subcommittees or if required under public law or committee reports. The GAO has reviewed topics relating to Homeland Security, Information Security, Justice and Law Enforcement, National Defense, and Telecommunications.<a href="#fn42" name="fr42">[42] </a>For example, in June 2015 the GAO completed an investigation and report on “Foreign Terrorist Organization Process and U.S Agency Enforcement Actions”<a href="#fn43" name="fr43">[43] </a>and an investigation on “Cyber Security: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies”.<a href="#fn44" name="fr44">[44]</a></p>
<p style="text-align: justify; "><b>Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence</b></p>
<p style="text-align: justify; ">The U.S. Senate Select Committee on Intelligence is a standing committee of the U.S Senate with the mandate to review intelligence activities and programs and ensure that these are in line with the Constitution and other relevant laws. The Committee is also responsible for submitting to the Senate appropriate proposals for legislation, and for reporting to the Senate on intelligence activities and programs.<a href="#fn45" name="fr45">[45] </a>The House Permanent Select Committee holds similar jurisdiction. The House Permanent Select Committee is committed to secrecy and cannot disclose classified information except when authorized to do so. Such an obligation does not exist for the Senate Select Committee on Intelligence and the committee can disclose classified information publicly on its own.<a href="#fn46" name="fr46">[46]</a></p>
<p style="text-align: justify; "><b>Privacy and Civil Liberties Oversight Board</b> (PCLOB)</p>
<p style="text-align: justify; ">The Privacy and Civil Liberties Oversight Board was established by the Implementing Recommendations of the 9/11 Commission Act of 2007 and is located within the executive branch.<a href="#fn47" name="fr47">[47] </a>The objective of the PCLOB is to ensure that the Federal Government's actions to combat terrorism are balanced against privacy and civil liberties. Towards this, the Board has the mandate to review and analyse anti-terrorism measures the executive takes and ensure that such actions are balanced with privacy and civil liberties, and to ensure that privacy and civil liberties are adequately considered in the development and implementation of anti-terrorism laws, regulations and policies.<a href="#fn48" name="fr48">[48] </a>The Board is responsible for developing principles to guide why, whether, when, and how the United States conducts surveillance for authorized purposes. Additionally, officers of eight federal agencies must submit reports to the PCLOB regarding the reviews that they have undertaken, the number and content of the complaints, and a summary of how each complaint was handled. In order to fulfill its mandate, the Board is authorized to access all relevant records, reports, audits, reviews, documents, papers, recommendations, and classified information. The Board may also interview and take statements from necessary personnel. The Board may request the Attorney General to subpoena on the Board's behalf individuals outside of the executive branch.<a href="#fn49" name="fr49">[49]</a></p>
<p style="text-align: justify; ">To the extent possible, the Reports of the Board are made public. Examples of recommendations that the Board has made in the 2015 Report include: end the NSA's bulk telephone records program; add additional privacy safeguards to the bulk telephone records program; enable the FISC to hear independent views on novel and significant matters; expand opportunities for appellate review of FISC decisions; take advantage of existing opportunities for outside legal and technical input in FISC matters; publicly release new and past FISC and FISCR decisions that involve novel legal, technical, or compliance questions; publicly report on the operation of the FISC Special Advocate Program; permit companies to disclose information about their receipt of FISA production orders and disclose more detailed statistics on surveillance; inform the PCLOB of FISA activities and provide relevant congressional reports and FISC decisions; begin to develop principles for transparency; and disclose the scope of surveillance authorities affecting US citizens.<a href="#fn50" name="fr50">[50]</a></p>
<p style="text-align: justify; "><b>The Wiretap Report </b></p>
<p style="text-align: justify; ">The Wiretap Report is an annual compilation of information provided by federal and state officials regarding applications for interception orders of wire, oral, or electronic communications. Its data address the offenses under investigation, the types and locations of interception devices, and the costs and duration of authorized intercepts.<a href="#fn51" name="fr51">[51] </a>When submitting information for the report a judge will include the name and jurisdiction of the prosecuting official who applied for the order, the criminal offense under investigation, the type of intercept device used, the physical location of the device, and the duration of the intercept. Prosecutors provide information related to the cost of the intercept, the number of days the intercept device was in operation, the number of persons whose communications were intercepted, the number of intercepts, and the number of incriminating intercepts recorded. Results of the interception orders such as arrests, trials, convictions, and the number of motions to suppress evidence are also noted in the prosecutor reports. The Report is submitted to Congress and is legally required under Title III of the Omnibus Crime Control and Safe Streets Act of 1968. The report is issued by the Administrative Office of the United States Courts.<a href="#fn52" name="fr52">[52] </a></p>
<h3 style="text-align: justify; ">United Kingdom</h3>
<p style="text-align: justify; "><b>The Intelligence and Security Committee (ISC) of Parliament </b></p>
<p style="text-align: justify; ">The Intelligence and Security Committee was established by the Intelligence Services Act 1994. Members are appointed by the Prime Minister and the Committee reports directly to the same. Additionally, the Committee submits annual reports to Parliament. Towards this, the Committee can take evidence from cabinet ministers, senior officials, and from the public.<a href="#fn53" name="fr53">[53] </a>The most recent report of the Committee is the 2015 “Report on Privacy and Security”.<a href="#fn54" name="fr54">[54] </a>Members of the Committee are subject to the Official Secrets Act 1989 and have access to classified material when carrying out investigations.<a href="#fn55" name="fr55">[55]</a></p>
<p style="text-align: justify; "><b>Joint Intelligence Committee (JIC)</b></p>
<p style="text-align: justify; ">The Joint Intelligence Committee is located in the Cabinet office and is broadly responsible for overseeing national intelligence organizations and providing advice to the Cabinet on issues related to security, defense, and foreign affairs. The JIC is overseen by the Intelligence and Security Committee.<a href="#fn56" name="fr56">[56]</a></p>
<p style="text-align: justify; "><b>The Interception of Communications Commissioner </b></p>
<p style="text-align: justify; ">The Interception of Communications Commissioner is appointed by the Prime Minister under the Regulation of Investigatory Powers Act 2000 for the purpose of reviewing surveillance conducted by intelligence agencies, police forces, and other public authorities. Specifically, the Commissioner inspects the interception of communications, the acquisition and disclosure of communications data, the interception of communications in prisons, and unintentional electronic interception.<a href="#fn57" name="fr57">[57] </a>The Commissioner submits an annual report to the Prime Minister. The Reports of the Commissioner are publicly available.<a href="#fn58" name="fr58">[58]</a></p>
<p style="text-align: justify; "><b>The Intelligence Services Commissioner </b></p>
<p style="text-align: justify; ">The Intelligence Services Commissioner is an independent body appointed by the Prime Minister that is legally empowered through the Regulation of Investigatory Powers Act (RIPA) 2000. The Commissioner provides independent oversight on the use of surveillance by UK intelligence services.<a href="#fn59" name="fr59">[59] </a>Specifically, the Commissioner is responsible for reviewing authorized interception orders and the actions and performance of the intelligence services.<a href="#fn60" name="fr60">[60]</a> The Commissioner is also responsible for providing assistance to the Investigatory Powers Tribunal, submitting annual reports to the Prime Minister on the discharge of its functions, and advising the Home Office on the need of extending the Terrorism Prevention and Investigation Measures regime.<a href="#fn61" name="fr61">[61] </a>Towards these the Commissioner conducts in-depth audits on the orders for interception to ensure that the surveillance is within the scope of the law, that the surveillance was necessary for a legally established reason, that the surveillance was proportionate, that the information accessed was justified by the privacy invaded, and that the surveillance was authorized by the appropriate official. The Commissioner also conducts 'site visits' to ensure that orders are being implemented as per the law.<a href="#fn62" name="fr62">[62] </a>As a note, the Intelligence Services Commissioner does not undertake any subject that is related to the Interception of Communications Commissioner. The Commissioner has access to any information that he feels is necessary to carry out his investigations. The Reports of the Intelligence Service Commissioner are publicly available.<a href="#fn63" name="fr63">[63] </a></p>
<p style="text-align: justify; "><b>Investigatory Powers Tribunal </b></p>
<p style="text-align: justify; ">The Investigatory Powers Tribunal is a court which investigates complaints of unlawful surveillance by public authorities or intelligence/law enforcement agencies.<a href="#fn64" name="fr64">[64]</a> The Tribunal was established under the Regulation of Investigatory Powers Act 2000 and has a range of oversight functions to ensure that public authorities and agencies act in compliance with the Human Rights Act 1998.<a href="#fn65" name="fr65">[65]</a> The Tribunal specifically is an avenue of redress for anyone who believes that they have been a victim of unlawful surveillance under RIPA or wider human rights infringements under the Human Rights Act 1998. The Tribunal can provide seven possible outcomes for any application: found in favour of complainant, no determination in favour of complainant, frivolous or vexatious, out of time, out of jurisdiction, withdrawn, or no valid complaint.<a href="#fn66" name="fr66">[66] </a>The Tribunal has the authority to receive and consider evidence in any form, even if inadmissible in an ordinary court.<a href="#fn67" name="fr67">[67]</a> Where possible, cases are available on the Tribunal's website. Decisions by the Tribunal cannot be appealed, but can be challenged in the European Court of Human Rights.<a href="#fn68" name="fr68">[68] </a></p>
<h3 style="text-align: justify; ">Canada</h3>
<p style="text-align: justify; ">In Canada the oversight 'ecosystem' for state surveillance includes:</p>
<p style="text-align: justify; "><b>Security Intelligence Review Committee </b></p>
<p style="text-align: justify; ">The Security Intelligence Review Committee is an independent body that is accountable to the Parliament of Canada and reports on the Canadian Security Intelligence Service.<a href="#fn69" name="fr69">[69]</a> Members of the Security Intelligence Review Committee are appointed by the Prime Minister of Canada. The committee conducts reviews on a pro-active basis and investigates complaints. Committee members have access to classified information to conduct reviews. The Committee submits an annual report to Parliament and an edited version is publicly available. The 2014 Report was titled “Lifting the Shroud of Secrecy”<a href="#fn70" name="fr70">[70] </a>and includes reviews of the CSIS's activities, reports on complaints and subsequent investigations, and provides recommendations.</p>
<p style="text-align: justify; "><b>Office of the Communications Security Establishment Commissioner </b></p>
<p style="text-align: justify; ">The Communications Security Commissioner conducts independent reviews of Communications Security Establishment (CSE) activities to evaluate if they are within the scope of Canadian law.<a href="#fn71" name="fr71">[71] </a>The Commissioner submits a report to Parliament on an annual basis and has a number of powers including the power to subpoena documents and personnel.<a href="#fn72" name="fr72">[72]</a> If the Commissioner believes that the CSE has not complied with the law, the Commissioner must report this to the Attorney General of Canada and to the Minister of National Defence. The Commissioner may also receive information from persons bound to secrecy if they deem it to be in the public interest to disclose such information.<a href="#fn73" name="fr73">[73] </a>The Commissioner is also responsible for verifying that the CSE does not surveil Canadians and for promoting measures to protect the privacy of Canadians.<a href="#fn74" name="fr74">[74] </a>When conducting a review, the Commissioner has the ability to examine records, receive briefings, interview relevant personnel, assess the veracity of information, listen to intercepted voice recordings, observe CSE operators and analysts to verify their work, and examine CSE electronic tools, systems and databases to ensure compliance with the law.<a href="#fn75" name="fr75">[75] </a></p>
<p style="text-align: justify; "><b>Office of the Privacy Commissioner</b></p>
<p style="text-align: justify; ">The Office of the Privacy Commissioner of Canada (OPC) oversees the implementation of and compliance with the Privacy Act and the Personal information and Electronic Documents Act.<a href="#fn76" name="fr76">[76] </a></p>
<p style="text-align: justify; ">The OPC is an independent body that has the authority to investigate complaints regarding the handling of personal information by government and private companies, but can only comment on the activities of security and intelligence agencies. For example, in 2014 the OPC issued the report “Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber Surveillance”.<a href="#fn77" name="fr77">[77]</a> The OPC can also provide testimony to Parliament and other government bodies.<a href="#fn78" name="fr78">[78] </a>For example, the OPC has made appearances before the Senate Standing Committee of National Security and Defense on Bill C-51.<a href="#fn79" name="fr79">[79]</a> The OPC cannot conduct joint audits or investigations with other bodies.<a href="#fn80" name="fr80">[80]</a></p>
<p style="text-align: justify; "><b>Annual Interception Reports</b></p>
<p style="text-align: justify; ">Under the Criminal Code of Canada, regional governments must issue annual interception reports. The reports must include number of individuals affected by interceptions, average duration of the interception, type of crimes investigated, numbers of cases brought to court, and number of individuals notified that interception had taken place.<a href="#fn81" name="fr81">[81] </a></p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">The presence of multiple and robust oversight mechanisms for state surveillance does not necessarily correlate to effective oversight. The oversight mechanisms in the UK, Canada, and the U.S have been criticised. For example, the Canadian regime has been characterized as becoming weaker as it has removed one of its key oversight mechanisms, the Inspector General of the Canadian Security Intelligence Service, which was responsible for certifying that the Service was in compliance with law.<a href="#fn82" name="fr82">[82] </a></p>
<p style="text-align: justify; ">Other weaknesses in the Canadian regime that have been highlighted include the fact that different oversight bodies do not have the authority to share information with each other, and transparency reports do not include many new forms of surveillance.<a href="#fn83" name="fr83">[83]</a> Oversight mechanisms in the U.S on the other hand have been criticized as being opaque<a href="#fn84" name="fr84">[84] </a>or as lacking the needed political support to be effective.<a href="#fn85" name="fr85">[85]</a> The UK oversight mechanism has been criticized for not having judicial authorization of surveillance requests, for having opaque laws, and for not having a strong right of redress for affected individuals.<a href="#fn86" name="fr86">[86] </a>These critiques demonstrate that there are a number of factors that must come together for an oversight mechanism to be effective. Public transparency and accountability to decision making bodies such as Parliament or Congress can ensure effectiveness of oversight mechanisms, and are steps towards providing the public with means to debate issues related to state surveillance in an informed manner and allowing different bodies within the government to hold the state accountable for its actions.</p>
<ul style="text-align: justify; ">
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. For example, “Public Oversight” is one of the thirteen Necessary and Proportionate principles on state communications surveillance developed by civil society and academia globally, that should be incorporated by states into communication surveillance regimes. The principles can be accessed here: https://en.necessaryandproportionate.org/</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Hans Born and Ian Leigh, “Making Intelligence Accountable. Legal Standards and Best Practice for Oversight of Intelligence Agencies.” Pg. 13. 2005. Available at: http://www.prsindia.org/theprsblog/wp-content/uploads/2010/07/making-intelligence.pdf. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. For example, this point was made in the context of the UK. For more information see: Nick Clegg, “Edward Snowden's revelations made it clear: security oversight must be fit for the internet age”. The Guardian. March 3rd 2014. Available at: <a href="http://www.theguardian.com/commentisfree/2014/mar/03/nick-clegg-snowden-security-oversight-internet-age">http://www.theguardian.com/commentisfree/2014/mar/03/nick-clegg-snowden-security-oversight-internet-age</a>. Accessed: July 27, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. International Principles on the Application of Human Rights to Communications Surveillance. Available at: https://en.necessaryandproportionate.org/</p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Sub Rules (16) and (17) of Rule 419A, Indian Telegraph Rules, 1951. Available at: http://www.dot.gov.in/sites/default/files/march2007.pdf. Note: This review committee is responsible for overseeing interception orders issued under the Indian Telegraph Act and the Information Technology Act.</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. Information Technology Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009. Definition q. Available at: <a href="http://dispur.nic.in/itact/it-procedure-interception-monitoring-decryption-rules-2009.pdf">http://dispur.nic.in/itact/it-procedure-interception-monitoring-decryption-rules-2009.pdf</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, 2009). Definition (n). Available at: <a href="http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. This authority is responsible for authorizing interception requests issued under the Indian Telegraph Act and the Information Technology Act. Section 2, Indian Telegraph Act 1885 and Section 4, Information Technology Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009</p>
<p style="text-align: justify; ">[<a href="#fr9" name="fn9">9</a>]. This authority is responsible for authorizing interception requests issued under the Indian Telegraph Act and the Information Technology Act. Section 2, Indian Telegraph Act 1885 and Section 4, Information Technology Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Definition (d) and section 3 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, 2009). Available at: <a href="http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009</a></p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Rule 1, of the 419A Rules, Indian Telegraph Act 1885. Available at: http://www.dot.gov.in/sites/default/files/march2007.pdf This authority is responsible for authorizing interception requests issued under the Indian Telegraph Act and the Information Technology Act.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Section 92, CrPc. Available at: http://www.icf.indianrailways.gov.in/uploads/files/CrPC.pdf</p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Press Information Bureau GOI. Reconstitution of Cabinet Committees. June 19th 2014. Available at: <a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=105747">http://pib.nic.in/newsite/PrintRelease.aspx?relid=105747</a>. Accessed August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Press Information Bureau, Government of India. Home minister proposes radical restructuring of security architecture. Available at: <a href="http://www.pib.nic.in/newsite/erelease.aspx?relid=56395">http://www.pib.nic.in/newsite/erelease.aspx?relid=56395</a>. Accessed August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Section 24 read with Schedule II of the Right to Information Act 2005. Available at: http://rti.gov.in/rti-act.pdf</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. Section 8 of the Right to Information Act 2005. Available at: http://rti.gov.in/rti-act.pdf</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Abhimanyu Ghosh. “Open Government and the Right to Information”. Legal Services India. Available at: <a href="http://www.legalservicesindia.com/articles/og.htm">http://www.legalservicesindia.com/articles/og.htm</a>. Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Public Record Rules 1997. Section 2. Definition c. Available at: <a href="http://nationalarchives.nic.in/writereaddata/html_en_files/html/public_records97.html">http://nationalarchives.nic.in/writereaddata/html_en_files/html/public_records97.html</a>. Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Times of India. Classified information is reviewed after 25-30 years. April 13th 2015. Available at: <a href="http://timesofindia.indiatimes.com/india/Classified-information-is-reviewed-after-25-30-years/articleshow/46901878.cms">http://timesofindia.indiatimes.com/india/Classified-information-is-reviewed-after-25-30-years/articleshow/46901878.cms</a>. Accessed: August 8, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Government of India. Ministry of Home Affairs. Lok Sabha Starred Question No 557. Available at: <a href="http://mha1.nic.in/par2013/par2015-pdfs/ls-050515/557.pdf">http://mha1.nic.in/par2013/par2015-pdfs/ls-050515/557.pdf</a>.</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. The Kargil Committee report Executive Summary. Available at: http://fas.org/news/india/2000/25indi1.htm. Accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. PIB Releases. “Group of Ministers Report on Reforming the National Security System”. Available at: <a href="http://pib.nic.in/archieve/lreleng/lyr2001/rmay2001/23052001/r2305200110.html">http://pib.nic.in/archieve/lreleng/lyr2001/rmay2001/23052001/r2305200110.html</a>. Last accessed: August 6, 2015</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. The Observer Research Foundation. “Manish Tewari introduces Bill on Intelligence Agencies Reform”. August 5th 2011. Available at: <a href="http://www.observerindia.com/cms/sites/orfonline/modules/report/ReportDetail.html?cmaid=25156&mmacmaid=20327">http://www.observerindia.com/cms/sites/orfonline/modules/report/ReportDetail.html?cmaid=25156&mmacmaid=20327</a>. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr24" name="fn24">24</a>]. The Intelligence Services (Powers and Regulation) Bill, 2011. Available at: <a href="http://www.observerindia.com/cms/export/orfonline/documents/Int_Bill.pdf">http://www.observerindia.com/cms/export/orfonline/documents/Int_Bill.pdf</a>. Accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr25" name="fn25">25</a>]. The Privacy Bill 2011. Available at: https://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. The Report of Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. Institute for Defence Studies and Analyses. “A Case for Intelligence Reforms in India”. Available at: <a href="http://www.idsa.in/book/AcaseforIntelligenceReformsinIndia.html">http://www.idsa.in/book/AcaseforIntelligenceReformsinIndia.html</a>. Accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. India Calls for Transparency in internet Surveillance. NDTV. July 3rd 2015. Available at: <a href="http://gadgets.ndtv.com/internet/news/india-calls-for-transparency-in-internet-surveillance-710945">http://gadgets.ndtv.com/internet/news/india-calls-for-transparency-in-internet-surveillance-710945</a>. Accessed: July 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. Lovisha Aggarwal. “Analysis of News Items and Cases on Surveillance and Digital Evidence in India”. Available at: http://cis-india.org/internet-governance/blog/analysis-of-news-items-and-cases-on-surveillance-and-digital-evidence-in-india.pdf</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. Rule 25 (4) of the Information Technology (Procedures and Safeguards for the Interception, Monitoring, and Decryption of Information Rules) 2011. Available at: http://dispur.nic.in/itact/it-procedure-interception-monitoring-decryption-rules-2009.pdf</p>
<p style="text-align: justify; ">[<a href="#fr31" name="fn31">31</a>]. Ministry of Home Affairs, GOI. National Intelligence Grid. Available at: <a href="http://www.davp.nic.in/WriteReadData/ADS/eng_19138_1_1314b.pdf">http://www.davp.nic.in/WriteReadData/ADS/eng_19138_1_1314b.pdf</a>. Last accessed: August 6, 2015</p>
<p style="text-align: justify; ">[<a href="#fr32" name="fn32">32</a>]. Press Information Bureau, Government of India. Centralised System to Monitor Communications Rajya Sabha. Available at: <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679">http://pib.nic.in/newsite/erelease.aspx?relid=54679</a>. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr33" name="fn33">33</a>]. Department of Telecommunications. Amendment to the UAS License agreement regarding Central Monitoring System. June 2013. Available at: http://cis-india.org/internet-governance/blog/uas-license-agreement-amendment</p>
<p style="text-align: justify; ">[<a href="#fr34" name="fn34">34</a>]. United States Foreign Intelligence Surveillance Court. July 29th 2013. Available at: <a href="http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf">http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf</a>. Last accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr35" name="fn35">35</a>]. United States Foreign Intelligence Surveillance Court. Rules of Procedure 2010. Available at: http://www.fisc.uscourts.gov/sites/default/files/FISC%20Rules%20of%20Procedure.pdf</p>
<p style="text-align: justify; ">[<a href="#fr36" name="fn36">36</a>]. United States Foreign Intelligence Court. Honorable Patrick J. Leahy. 2013. Available at: http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf</p>
<p>[<a href="#fr37" name="fn37">37</a>]. United States Foreign Intelligence Surveillance Court. July 29th 2013. Available at: <a href="http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf">http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf</a>. Last accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr38" name="fn38">38</a>]. Public Filings – U.S Foreign Intelligence Surveillance Court. Available at: http://www.fisc.uscourts.gov/public-filings</p>
<p style="text-align: justify; ">[<a href="#fr39" name="fn39">39</a>]. ACLU. FISC Public Access Motion – ACLU Motion for Release of Court Records Interpreting Section 215 of the Patriot Act. Available at: https://www.aclu.org/legal-document/fisc-public-access-motion-aclu-motion-release-court-records-interpreting-section-215</p>
<p style="text-align: justify; ">[<a href="#fr40" name="fn40">40</a>]. United States Foreign Intelligence Surveillance Court Washington DC. In Re motion for consent to disclosure of court records or, in the alternative a determination of the effect of the Court's rules on statutory access rights. Available at: https://www.eff.org/files/filenode/misc-13-01-opinion-order.pdf</p>
<p style="text-align: justify; ">[<a href="#fr41" name="fn41">41</a>]. Google Official Blog. Shedding some light on Foreign Intelligence Surveillance Act (FISA) requests. February 3rd 2014. Available at: http://googleblog.blogspot.in/2014/02/shedding-some-light-on-foreign.html</p>
<p style="text-align: justify; ">[<a href="#fr42" name="fn42">42</a>]. U.S Government Accountability Office. Available at: http://www.gao.gov/key_issues/overview#t=1. Last accessed: August 8, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr43" name="fn43">43</a>]. Report to Congressional Requesters. Combating Terrorism: Foreign Terrorist Organization Designation Process and U.S Agency Enforcement Actions. Available at: http://www.gao.gov/assets/680/671028.pdf. Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr44" name="fn44">44</a>]. United States Government Accountability Office. Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies. Available: http://www.gao.gov/assets/680/670935.pdf. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr45" name="fn45">45</a>]. Committee Legislation. Available at: http://ballotpedia.org/United_States_Senate_Committee_on_Intelligence_(Select)#Committee_legislation</p>
<p style="text-align: justify; ">[<a href="#fr46" name="fn46">46</a>]. Congressional Research Service. Congressional Oversight of Intelligence: Current Structure and Alternatives. May 14th 2012. Available at: https://fas.org/sgp/crs/intel/RL32525.pdf. Last Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr40" name="fn47">47</a>]. The Privacy and Civil Liberties Oversight Board: About the Board. Available at: https://www.pclob.gov/aboutus.html</p>
<p style="text-align: justify; ">[<a href="#fr48" name="fn48">48</a>]. The Privacy and Civil Liberties Oversight Board: About the Board. Available at: https://www.pclob.gov/aboutus.html</p>
<p style="text-align: justify; ">[<a href="#fr49" name="fn49">49</a>]. Congressional Research Service. Congressional Oversight of Intelligence: Current Structure and Alternatives. May 14th 2012. Available at: https://fas.org/sgp/crs/intel/RL32525.pdf. Last Accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr50" name="fn50">50</a>]. United States Courts. Wiretap Reports. Available at: http://www.uscourts.gov/statistics-reports/analysisreports/wiretap-reports</p>
<p style="text-align: justify; ">[<a href="#fr51" name="fn51">51</a>]. United States Courts. Wiretap Reports. Available at: http://www.uscourts.gov/statisticsreports/analysis-reports/wiretap-reports/faqs-wiretap-reports#faq-What-information-does-the-AO-receive-from-prosecutors?. Last Accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr52" name="fn52">52</a>]. Intelligence and Security Committee of Parliament. Transcripts and Public Evidence. Available at: http://isc.independent.gov.uk/public-evidence. Last accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr53" name="fn53">53</a>]. Intelligence and Security Committee of Parliament. Special Reports. Available at http://isc.independent.gov.uk/committee-reports/special-reports. Last accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr54" name="fn54">54</a>]. Hugh Segal. The U.K. has legislative oversight of surveillance. Why not Canada. The Globe and Mail. June 12th 2013. Available at: http://www.theglobeandmail.com/globe-debate/uk-haslegislative-oversight-of-surveillance-why-not-canada/article12489071/. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr55" name="fn55">55</a>]. The Joint Intelligence Committee home page. For more information see: https://www.gov.uk/government/organisations/national-security/groups/joint-intelligence-committee</p>
<p style="text-align: justify; ">[<a href="#fr56" name="fn56">56</a>]. Interception of Communications Commissioner's Office. RIPA. Available at: http://www.iocco-uk.info/sections.asp?sectionID=2&type=top. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr57" name="fn57">57</a>]. Interception of Communications Commissioner's Office. Reports. Available at: http://www.iocco-uk.info/sections.asp?sectionID=1&type=top. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr58" name="fn58">58</a>]. The Intelligence Services Commissioner's Office Homepage. For more information see: http://intelligencecommissioner.com/</p>
<p style="text-align: justify; ">[<a href="#fr59" name="fn59">59</a>]. The Intelligence Services Commissioner's Office – The Commissioner's Statutory Functions. Available at: http://intelligencecommissioner.com/content.asp?id=4</p>
<p style="text-align: justify; ">[<a href="#fr60" name="fn60">60</a>]. The Intelligence Services Commissioner's Office – The Commissioner's Statutory Functions. Available at: http://intelligencecommissioner.com/content.asp?id=4</p>
<p style="text-align: justify; ">[<a href="#fr61" name="fn61">61</a>]. The Intelligence Services Commissioner's Office. What we do. Available at: http://intelligencecommissioner.com/content.asp?id=5. Last Accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr62" name="fn62">62</a>]. The Intelligence Services Commissioner's Office. Intelligence Services Commissioner's Annual Reports. Available at: http://intelligencecommissioner.com/content.asp?id=19. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr63" name="fn63">63</a>]. The Investigatory Powers Tribunal Homepage. Available at: http://www.ipt-uk.com/</p>
<p style="text-align: justify; ">[<a href="#fr64" name="fn64">64</a>]. The Investigatory Powers Tribunal – Functions – Key role. Available at: http://www.ipt-uk.com/section.aspx?pageid=1</p>
<p style="text-align: justify; ">[<a href="#fr65" name="fn65">65</a>]. Investigatory Powers Tribunal. Functions – Decisions available to the Tribunal. Available at: http://www.ipt-uk.com/section.aspx?pageid=4. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr66" name="fn66">66</a>]. Investigatory Powers Tribunal. Operation - Available at: http://www.ipt-uk.com/section.aspx?pageid=7</p>
<p style="text-align: justify; ">[<a href="#fr67" name="fn67">67</a>]. Investigatory Powers Tribunal. Operation- Differences to the ordinary court system. Available at: http://www.ipt-uk.com/section.aspx?pageid=7. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr68" name="fn68">68</a>]. Security Intelligence Review Committee – Homepage. Available at: http://www.sirc-csars.gc.ca/index-eng.html</p>
<p style="text-align: justify; ">[<a href="#fr69" name="fn69">69</a>]. SIRC Annual Report 2013-2014: Lifting the Shroud of Secrecy. Available at: http://www.sirccsars.gc.ca/anrran/2013-2014/index-eng.html. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr70" name="fn70">70</a>]. The Office of the Communications Security Establishment – Homepage. Available at: http://www.ocsecbccst.gc.ca/index_e.php</p>
<p style="text-align: justify; ">[<a href="#fr71" name="fn71">71</a>]. The Office of the Communications Security Establishment – Homepage. Available at: http://www.ocsecbccst.gc.ca/index_e.php</p>
<p style="text-align: justify; ">[<a href="#fr72" name="fn72">72</a>]. The Office of the Communications Security Establishment – Mandate. Available at: http://www.ocsecbccst.gc.ca/mandate/index_e.php</p>
<p style="text-align: justify; ">[<a href="#fr73" name="fn73">73</a>]. The Office of the Communications Security Establishment – Functions. Available at: http://www.ocsecbccst.gc.ca/functions/review_e.php</p>
<p style="text-align: justify; ">[<a href="#fr74" name="fn74">74</a>]. The Office of the Communications Security Establishment – Functions. Available at: http://www.ocsecbccst.gc.ca/functions/review_e.php</p>
<p style="text-align: justify; ">[<a href="#fr75" name="fn75">75</a>]. Office of the Privacy Commissioner of Canada. Homepage. Available at: https://www.priv.gc.ca/index_e.ASP</p>
<p style="text-align: justify; ">[<a href="#fr76" name="fn76">76</a>]. Office of the Privacy Commissioner of Canada. Reports and Publications. Special Report to Parliament “Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance”. January 28th 2014. Available at: https://www.priv.gc.ca/information/srrs/201314/sr_cic_e.asp</p>
<p style="text-align: justify; ">[<a href="#fr77" name="fn77">77</a>]. Office of the Privacy Commissioner of Canada. Available at: https://www.priv.gc.ca/index_e.asp. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr78" name="fn78">78</a>]. Office of the Privacy Commissioner of Canada. Appearance before the Senate Standing Committee National Security and Defence on Bill C-51, the Anti-Terrorism Act, 2015. Available at: https://www.priv.gc.ca/parl/2015/parl_20150423_e.asp. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr79" name="fn79">79</a>]. Office of the Privacy Commissioner of Canada. Special Report to Parliament. January 8th 2014. Available at: https://www.priv.gc.ca/information/sr-rs/201314/sr_cic_e.asp. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr80" name="fn80">80</a>]. Telecom Transparency Project. The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians. Available at: http://www.telecomtransparency.org/wp-content/uploads/2015/05/Governance-of-Telecommunications-Surveillance-Final.pdf. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr81" name="fn81">81</a>]. Patrick Baud. The Elimination of the Inspector General of the Canadian Security Intelligence Service. May 2013. Ryerson University. Available at: http://www.academia.edu/4731993/The_Elimination_of_the_Inspector_General_of_the_Canadian_Security_Intelligence_Service</p>
<p style="text-align: justify; ">[<a href="#fr82" name="fn82">82</a>]. Telecom Transparency Project. The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians. Available at: http://www.telecomtransparency.org/wp-content/uploads/2015/05/Governance-of-Telecommunications-Surveillance-Final.pdf. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr83" name="fn83">83</a>]. Glenn Greenwald. Fisa court oversight: a look inside a secret and empty process. The Guardian. June 19th 2013. Available at: http://www.theguardian.com/commentisfree/2013/jun/19/fisa-court-oversight-process-secrecy, Nadia Kayyali. Privacy and Civil Liberties Oversight Board to NSA: Why is Bulk Collection of Telephone Records Still Happening? February 2105. Available at: https://www.eff.org/deeplinks/2015/02/privacy-and-civil-liberties-oversight-board-nsa-whybulk-collection-telephone. Last accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr84" name="fn84">84</a>]. Scott Shane. The Troubled Life of the Privacy and Civil Liberties Oversight Board. August 9th 2012. The Caucus. Available at: http://thecaucus.blogs.nytimes.com/2012/08/09/thetroubled-life-of-the-privacy-and-civil-liberties-oversight-board/?_r=0. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr85" name="fn85">85</a>]. The Open Rights Group. Don't Spy on Us. Reforming Surveillance in the UK. September 2014. Available at: https://www.openrightsgroup.org/assets/files/pdfs/reports/DSOU_Reforming_surveillance_old.pdf</p>
<p style="text-align: justify; ">[<a href="#fr86" name="fn86">86</a>].</p>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance'>https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2015-11-24T06:09:01ZBlog Entry
A Review of the Policy Debate around Big Data and Internet of Things
https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things
<b>This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.</b>
<h3>Defining and Connecting Big Data and Internet of Things</h3>
<p style="text-align: justify; ">The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] Because of the <i>velocity</i> at which data is generated, the <i>volume</i> of data that is generated, and the <i>variety</i> of data generated by different sources [2], IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.</p>
<h3>General Implications of Big Data and Internet of Things</h3>
<p style="text-align: justify; ">Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that they can bring. From improving an organization's business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.</p>
<p style="text-align: justify; ">At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety-day study of how big data will change everyday life. The Report highlights the potential of Big Data and identifies a number of concerns associated with it. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article <i>"Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon"</i> propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled "<i>The Societal Impact of the Internet of Things</i>" points out that users of Big Data often assume that information and conclusions based on digital data are reliable and in turn replace other forms of information with digital data.[6]</p>
<p style="text-align: justify; ">Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features, such as encryption, built into devices, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]</p>
<h3>Regulation of Big Data and Internet of Things</h3>
<p style="text-align: justify; ">The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring whether present regulation and oversight frameworks are adequate to address the changes brought about by Big Data and, if not, what forms of or changes in regulation are needed. For example, Kate Crawford and Jason Shultz in the article <i>"Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"</i> stress the importance of bringing in 'data due process rights', i.e. ensuring fairness in the analytics of Big Data and in how personal information is used.[8] Solon Barocas and Andrew Selbst, in the article <i>"Big Data's Disparate Impact"</i>, explore whether present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]</p>
<p><strong>The Impact of Big Data and IoT on Data Protection Principles</strong></p>
<p style="text-align: justify; ">In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:</p>
<ol>
<li style="text-align: justify; "><strong>Collection Limitation:</strong> As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]</li>
<li><strong>Consent: </strong>As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]</li>
<li><strong>Data Minimization:</strong> As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]</li>
<li><strong>Notice:</strong> As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]</li>
<li><strong>Purpose Limitation:</strong> As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]</li>
<li><strong>Necessity: </strong>As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]</li>
<li><strong>Access and Correction:</strong> As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]</li>
<li><strong>Opt In and Opt Out Choices: </strong>Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]</li>
<li><strong>Personal Information (PI):</strong> As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]</li>
<li><strong>Data Controller:</strong> In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]</li>
</ol>
<h3 style="text-align: justify; ">Possible Technical and Policy Solutions</h3>
<p style="text-align: justify; ">In a Report titled "<i>Internet of Things: Privacy & Security in a Connected World</i>" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:</p>
<ul>
<li>Automatically delete data after a specified period of time [21] (addressing concerns of data retention)</li>
<li>Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)</li>
<li style="text-align: justify; ">Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)</li>
<li style="text-align: justify; ">Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)</li>
<li style="text-align: justify; ">Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)</li>
<li style="text-align: justify; ">Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)</li>
<li>Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)</li>
<li>Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)</li>
</ul>
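<p style="text-align: justify; ">Several of the device-level interventions listed above (retention-based deletion, tagging data with accepted uses and flagging misuse, sticky policies, and aggregation before data leaves the device) can be combined in one small data store. The sketch below is an added illustration, not code from this post or from the reports it cites; the class names, purpose labels and sample readings are hypothetical and constructed for the example.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean


@dataclass(frozen=True)
class StickyPolicy:
    """Policy that stays attached to the data as it changes hands (hypothetical schema)."""
    allowed_purposes: frozenset   # accepted uses the data is tagged with
    retention: timedelta          # delete automatically after this period
    raw_export: bool = False      # False: only aggregates may leave the device


@dataclass(frozen=True)
class Reading:
    sensor: str
    value: float
    collected_at: datetime
    policy: StickyPolicy


class DeviceStore:
    """On-device store that enforces each reading's own policy."""

    def __init__(self):
        self._readings = []
        self.flags = []  # audit trail: (requester, purpose, sensor) for each refused use

    def collect(self, reading):
        self._readings.append(reading)

    def purge_expired(self, now):
        """Delete readings older than their retention period; return how many were removed."""
        before = len(self._readings)
        self._readings = [r for r in self._readings
                          if now - r.collected_at < r.policy.retention]
        return before - len(self._readings)

    def use(self, purpose, requester, now):
        """Return readings tagged for this purpose; flag every reading that is not."""
        self.purge_expired(now)
        permitted = []
        for r in self._readings:
            if purpose in r.policy.allowed_purposes:
                permitted.append(r)
            else:
                self.flags.append((requester, purpose, r.sensor))
        return permitted

    def export(self, purpose, requester, now):
        """Prepare data for another party. Raw readings leave only if their policy
        allows it; everything else is reduced to a per-sensor aggregate. The policy
        object travels with both forms."""
        raw, groups = [], {}
        for r in self.use(purpose, requester, now):
            if r.policy.raw_export:
                raw.append(r)
            else:
                groups.setdefault((r.sensor, r.policy), []).append(r.value)
        aggregates = [
            {"sensor": s, "mean": mean(v), "count": len(v), "policy": p}
            for (s, p), v in groups.items()
        ]
        return raw, aggregates


def demo():
    """Constructed sample data: a thermostat and an energy meter."""
    now = datetime(2015, 8, 8, 12, 0, tzinfo=timezone.utc)
    heating = StickyPolicy(frozenset({"heating_control"}), timedelta(days=7))
    energy = StickyPolicy(frozenset({"heating_control", "billing"}),
                          timedelta(days=30), raw_export=True)
    store = DeviceStore()
    store.collect(Reading("thermostat", 20.0, now - timedelta(days=1), heating))
    store.collect(Reading("thermostat", 22.0, now - timedelta(days=2), heating))
    store.collect(Reading("thermostat", 19.0, now - timedelta(days=10), heating))  # past retention
    store.collect(Reading("meter", 3.5, now - timedelta(days=10), energy))
    purged = store.purge_expired(now)
    raw, aggregates = store.export("heating_control", "vendor_cloud", now)
    ads = store.use("advertising", "ad_partner", now)  # no reading is tagged for this use
    return purged, raw, aggregates, ads, store.flags


if __name__ == "__main__":
    for item in demo():
        print(item)
```

<p style="text-align: justify; ">A request for a purpose the data was never tagged with returns nothing and leaves an entry in the audit trail, which is the "flag when data is misused" behaviour described in the list.</p>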
<p style="text-align: justify; ">Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz, are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]</p>
<p>Experts have also suggested that more emphasis should be placed on the principles and practices of:</p>
<ul>
<li>Transparency</li>
<li>Access and correction</li>
<li>Use/misuse</li>
<li>Breach notification</li>
<li>Remedy</li>
<li>Ability to withdraw consent</li>
</ul>
<p style="text-align: justify; ">Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] The Federal Trade Commission, meanwhile, has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]</p>
<h3>Possible Regulatory Frameworks</h3>
<p style="text-align: justify; ">On the question of whether current regulatory frameworks are adequate and whether additional legislation is needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful, as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol, hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Schultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data, which they call "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Schultz more broadly note that there are conceptual differences between privacy law and big data that pose serious challenges, i.e., privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic.
According to Crawford and Schultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and EU regulation, including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers, thereby empowering individuals and promoting competitive market structures – or of adopting a 'compare and forget' approach to the retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches and seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]</p>
<h3>Conclusion</h3>
<p style="text-align: justify; ">A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is creating a regulatory dilemma: some policy makers are searching for ways to control the unpredictable nature of big data through policy and technology, by merging policy areas, honing existing policy mechanisms, or broadening existing policy mechanisms, while others are ignoring the change that Big Data brings with it and are forging ahead with its use.</p>
<p style="text-align: justify; ">Answering the 'how do we regulate Big Data' question requires a <strong>re-conceptualization of data ownership and realities</strong>. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution that this data makes to a country's economy and security. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of the <strong>critical national infrastructure of a nation</strong>, and accorded the security, protections, and legal backing thereof to <strong>prevent the misuse of the resource by the private or public sectors, local or foreign governments</strong>. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead, all data is now recognized as critical.</p>
<p style="text-align: justify; ">In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation of a <strong>National Data Archive</strong> with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.</p>
<hr />
<p style="text-align: justify; ">[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</p>
<p style="text-align: justify; "><i>[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/</i></p>
<p style="text-align: justify; ">[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: <a href="https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf">https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564</p>
<p style="text-align: justify; ">[5] Danah Boyd, Kate Crawford. <a href="http://www.tandfonline.com/doi/abs/10.1080/1369118X.2012.678878">CRITICAL QUESTIONS FOR BIG DATA</a>. <a href="http://www.tandfonline.com/toc/rics20/15/5">Information, Communication & Society</a> Vol. 15, Iss. 5, 2012. Available at: <a href="http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878">http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: <a href="http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf">http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[7] Article 29 Data Protection Working Party. (2014). <i>Opinion 8/2014 on the Recent Developments on the Internet of Things.</i> European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</p>
<p style="text-align: justify; ">[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784</p>
<p style="text-align: justify; ">[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899</p>
<p style="text-align: justify; ">[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899</p>
<p style="text-align: justify; ">[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.</p>
<p style="text-align: justify; ">[13] Omer Tene and Jules Polonetsky, <i>Big Data for All: Privacy and User Control in the Age of Analytics</i>, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).</p>
<p style="text-align: justify; ">[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Information Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf</p>
<p style="text-align: justify; ">[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14<sup>th</sup> 2013. Available at: <a href="http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf">http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[18] Kate Crawford and Jason Schultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16th 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[20] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[21] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[22] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[23] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[24] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[29] Kate Crawford and Jason Schultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[31] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[33] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[35] Kate Crawford and Jason Schultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1<sup>st</sup> 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf</p>
<p style="text-align: justify; ">[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25<sup>th</sup> 2015. Available at: <a href="http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/">http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/</a>. Accessed: August 8<sup>th</sup> 2015.</p>
<p style="text-align: justify; ">[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7<sup>th</sup> 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415</p>
<p style="text-align: justify; ">[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10<sup>th</sup> 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things'>https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things</a>
</p>
No publisher elonnai Internet Governance Big Data 2015-08-17T08:36:18Z Blog Entry
Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011
https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011
<b>Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations. This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.</b>
<p>Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.</p>
<p>Below is an initial evaluation of how Big Data could impact India's current data protection standards.</p>
<p style="text-align: justify; ">India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000<a href="#_ftn1" name="_ftnref1">[1]</a> define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:</p>
<p style="text-align: justify; "><b>Scope of Rules: </b>Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as <i>"Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."</i></p>
<p style="text-align: justify; ">The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.</p>
<p style="text-align: justify; "><b>Definition of personal and sensitive personal data: </b>Rule 2(i) defines personal information as <i>"information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."</i></p>
<p>Rule 3 defines sensitive personal information as:</p>
<ul>
<li>Password,</li>
<li>Financial information,</li>
<li>Physical/physiological/mental health condition,</li>
<li>Sexual orientation,</li>
<li>Medical records and history,</li>
<li>Biometric information</li>
</ul>
<p style="text-align: justify; ">The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated with an already identified individual - such as habits, location, or activity.</p>
<p style="text-align: justify; ">The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.</p>
<p style="text-align: justify; ">By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.</p>
<p style="text-align: justify; ">Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.</p>
<p style="text-align: justify; "><b>Consent</b>: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.</p>
<p style="text-align: justify; ">In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.</p>
<p style="text-align: justify; "><b>Notice of Collection: </b>Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.</p>
<p style="text-align: justify; ">Though this provision acts as an important element of transparency, in the context of Big Data it could prove difficult to communicate the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information, as these are likely to encompass numerous agencies and change depending upon the analysis being done.</p>
<p style="text-align: justify; "><b>Access and correction</b>: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.</p>
<p style="text-align: justify; ">This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.</p>
<p><b>Purpose Limitation:</b> Rule 5(5) requires that body corporate should use information only for the purpose for which it has been collected.</p>
<p>In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.</p>
<p style="text-align: justify; "><b>Security:</b> Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.</p>
<p style="text-align: justify; ">This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.</p>
<p style="text-align: justify; "><b>Data Breach</b>: Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.</p>
<p style="text-align: justify; ">Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.</p>
<p style="text-align: justify; "><b>Opt in and out and ability to withdraw consent</b>: Rule 5(7) requires that Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - give the individual the option of not providing information and give the individual the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.</p>
<p style="text-align: justify; ">The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.</p>
<p style="text-align: justify; "><b>Disclosure of Information</b>: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.</p>
<p style="text-align: justify; ">This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.</p>
<p style="text-align: justify; "><b>Privacy Policy</b> : Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.</p>
<p style="text-align: justify; ">In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.</p>
<p style="text-align: justify; "><b>Remedy</b>: Section 43A of the Act holds that if a body corporate is negligent in implementing and maintaining reasonable security practices and procedures, and this results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.</p>
<p style="text-align: justify; ">This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.</p>
<p style="text-align: justify; ">The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty pieces of sectoral legislation that have provisions addressing privacy - for example, provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector-level self-regulatory organizations developing privacy codes (that are not lower than the defined national privacy principles) that are enforced by a privacy commissioner.<a href="#_ftn2" name="_ftnref2">[2]</a> Perhaps this method would be optimal for the regulation of Big Data - allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.</p>
<h3>Conclusion</h3>
<p style="text-align: justify; ">The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities<a href="#_ftn3" name="_ftnref3">[3]</a>, city wide CCTV networks with facial recognition capabilities<a href="#_ftn4" name="_ftnref4">[4]</a>, and the implementation of an identity/authentication platform for public and private services<a href="#_ftn5" name="_ftnref5">[5]</a>, indicate a move towards data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.</p>
<p style="text-align: justify; ">In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?</p>
<p style="text-align: justify; ">How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India", indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data, it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.</p>
<hr />
<p><a href="#_ftnref1" name="_ftn1">[1]</a>Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a>Group of Experts on Privacy. (2012). <i>Report of the Group of Experts on Privacy.</i> New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p><a href="#_ftnref3" name="_ftn3">[3]</a> NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit”. NDTV, May 25<sup>th</sup> 2015. Available at: <a href="http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857">http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p><a href="#_ftnref4" name="_ftn4">[4]</a>FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21<sup>st</sup> 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/</p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a>UIDAI Official Website. Available at: https://uidai.gov.in/</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011'>https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011</a>
</p>
No publisherelonnaiInternet GovernanceBig DataPrivacy2015-08-11T07:01:12ZBlog Entry