<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 61 to 75.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/interview-with-anne-cavoukian"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015">
    <title>Comparison of the Human DNA Profiling Bill 2012 with: CIS recommendations, Sub-Committee Recommendations, Expert Committee Recommendations, and the Human DNA Profiling Bill 2015</title>
    <link>https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015</link>
    <description>
        &lt;b&gt;This blog is a comparison of 1. The Human DNA Profiling Bill  2012  vs. the Human DNA Profiling Bill 2015, 2. CIS's main recommendations vs. the 2015 Bill 3. The Sub-Committee Recommendations vs. the 2015 Bill 4. The Expert Committee Recommendations vs. the 2015 Bill.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;In 2013 the Expert Committee to discuss the draft Human DNA Profiling Bill was constituted by the Department of Biotechnology. The Expert Committee had constituted a Sub-Committee to modify the draft Bill in the light of invited comments/inputs from the members of the Committee&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;These changes were then deliberated upon by the Expert Committee. The Record Notes and Meeting Minutes of the Expert Committee and Sub-Committee can be found here. The Centre for Internet and Society was a member of the Expert Committee and sat on the Sub-Committee. In addition to input in meetings, CIS submitted a number of recommendations to the Committee. The Committee has drafted a 2015 version of the Bill and the same is to be introduced to Parliament.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Below is a comparison of 1. The 2012 Bill vs. the 2015 Bill, 2. CIS's main recommendations vs. the 2015 Bill 3. The Sub-Committee Recommendations vs.  the 2015 Bill 4.  The Expert Committee Recommendations vs. the 2015 Bill.&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;Introduction&lt;/strong&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt; Recognition that DNA evidence is not infallible.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation: &lt;/strong&gt;N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt; No change from 2012 Bill&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;strong&gt;Chapter I : Preliminary&lt;/strong&gt;&lt;/h2&gt;
&lt;p class="Textbody" style="text-align: justify; "&gt;Inclusion of an 'Objects Clause' that makes clear that (i) the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times; (ii) DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity; (iii) all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA; (iv) centralized databases are inherently dangerous because of the volume of information that is at risk; (v) forensic DNA profiling is intended to have probative value; therefore, if there is any doubt regarding a DNA profile, it should not be received in evidence by a court; (vi) once adduced, the evidence created by a DNA profile is only corroborative and must be treated on par with other biometric evidence such as fingerprint measurements.&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;strong&gt;Sub Committee Recommendation:&lt;/strong&gt; The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;strong&gt;Expert Committee Recommendation: &lt;/strong&gt;The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill: &lt;/strong&gt;No Change from the 2012 Bill&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="Standard"&gt;&lt;strong&gt; &lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter II : Definitions&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Removal of 2(1)(a) “analytical procedure”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(b) “audit”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(d) “calibration”&lt;/li&gt;
&lt;li&gt;Re-drafting of 2(1)(h) “DNA Data Bank”&lt;/li&gt;
&lt;li&gt;Re-naming of 2(1)(i) “DNA Data Bank Manager” to “National DNA Data Bank Manager”&lt;/li&gt;
&lt;li&gt;Re-drafting of 2(1)(j) “DNA laboratory”&lt;/li&gt;
&lt;li&gt;Re-drafting of 2(1)(l) “DNA Profile”&lt;/li&gt;
&lt;li&gt;Re-drafting of 2(1)(o) “forensic material”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(q) “intimate body sample”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(v) “non-intimate body sample”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(r) “intimate forensic procedure”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(w) “non-intimate forensic procedure”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(s) “known samples”&lt;/li&gt;
&lt;li&gt;Re-drafting of 2(1)(y) “offender”&lt;/li&gt;
&lt;li&gt;Removal of 2(1)(zb) “proficiency testing”&lt;/li&gt;
&lt;li&gt;Re-drafting of 2(1)(zi) “suspect”&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation&lt;/strong&gt;: N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation&lt;/strong&gt;: N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt; No change from the 2012 Bill.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter III : DNA Profiling Board&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;The board should be made up of no more than five members. The Board must contain at least one ex-Judge or senior lawyer since the Board will perform the legal function of licensing and must obey the tenets of administrative law. To further multi-stakeholder interests, the Board should have an equal representation from civil society – both institutional (e.g NHRC and the State Human Rights Commissions) and non-institutional (well-regarded and experienced civil society persons). The Board should also have privacy advocates. CIS also recommended that the functions of the board be limited to: licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. CIS also recommended a &lt;a href="http://cis-india.org/internet-governance/blog/dna-bill-functions.pdf"&gt;'duty to consult'&lt;/a&gt; with affected or impacted individuals, interested individuals, and the public at large.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Reduce the DNA Profiling Board (Section 4) from 16 members to 11 members and include civil society representation on the Board.&lt;/li&gt;
&lt;li&gt;Include &lt;span&gt;either&lt;/span&gt; clause 4(f) or (g) i.e. Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - &lt;i&gt;ex-officio Member&lt;/i&gt; or Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- &lt;i&gt;ex-officio Member&lt;/i&gt;;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Change&lt;/span&gt; clause 4(i) i.e., &lt;strong&gt;&lt;span&gt;to replace&lt;/span&gt;&lt;/strong&gt; Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- &lt;i&gt;ex-officio Member&lt;/i&gt; &lt;strong&gt;with&lt;/strong&gt; Chairman, National Human Rights Commissions or his nominee.&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Delete&lt;/span&gt; Members mentioned in clause 4(l) i.e. Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- &lt;i&gt;Members&lt;/i&gt;;&lt;/li&gt;
&lt;li&gt;DPB Members with potential conflict of interest in matters under consideration should recuse themselves in deliberations in respect of such matters (Section 7), and they should be liable to be removed from the Board in case they are found to have not disclosed the nature of such interest.&lt;/li&gt;
&lt;li&gt;With regards to the establishment of the DNA Profiling Board (clause 3) the committee clarified that the DNA Board needs to be a body corporate&lt;/li&gt;
&lt;li&gt;The functions of the Board should be redrafted with fewer functions, and these should be listed in descending order of priority to sharpen this function – namely regulate process, regulate the labs, regulate databanks.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Accepted sub-committee recommendation to reduce the Board from 16 to 11 members and the detailed changes.&lt;/li&gt;
&lt;li&gt;Accepted sub-committee recommendation to include civil society on the Board.&lt;/li&gt;
&lt;li&gt;Accepted sub-committee recommendation to reduce the functions of the Board.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Addition in 2015 Bill of Section 4 (b) – &lt;i&gt;“Chairman, National Human Rights Commission or his nominee – ex-officio Member” (2015 Bill) &lt;/i&gt;&lt;strong&gt;&lt;span&gt;Note: This change represents incorporation of CIS's recommendation, sub-committee recommendation, and expert committee recommendation.&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Changing of Section 4 (h)  from: &lt;i&gt;“Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member”&lt;/i&gt; (2012 Bill)  &lt;strong&gt;to&lt;/strong&gt; “&lt;i&gt;Director cum – Chief Forensic Scientist, Directorate of Forensic  Science Services, Ministry of Home Affairs, Government of India -ex-officio Member”(2015 Bill) &lt;/i&gt;&lt;strong&gt;&lt;span&gt;Note: This change represents partial incorporation of the sub-committee recommendation and expert committee recommendation.&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Changing of Section 4 (j) from: &lt;i&gt;“Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- ex-officio Member”; (2012 Bill)&lt;/i&gt; &lt;strong&gt;to&lt;/strong&gt; &lt;i&gt;“&lt;/i&gt;&lt;i&gt;Director of a State Forensic Science Lab to be nominated by MHA ex-officio member” (2015 Bill)&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;Addition of section 11(4) and 11(5) “(4) &lt;i&gt;The Board shall, in carrying out its functions and activities, consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. (5) The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation.” &lt;/i&gt;&lt;strong&gt;&lt;span&gt;Note: This change represents partial incorporation of CIS's recommendation and Expert Committee recommendation.&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter IV : Approval of DNA Laboratories&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Add in section 16 1(d), the words “including audit reports”&lt;/li&gt;
&lt;li&gt;Include in section 16(1)(c) that if labs do not file their audit report on an annual basis, the lab will lose approval. If the lab loses their approval - all the materials will be shifted to another lab and the data subject will be informed.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation: &lt;/strong&gt;N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt; No change from the 2012 Bill.&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="Standard"&gt;&lt;strong&gt; &lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter V : Standards, Quality Control and Quality Assurance&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Section 19(2) DNA laboratory to be headed by person possessing a doctorate in a subject germane to molecular biology.&lt;/li&gt;
&lt;li&gt;Clauses 20 and 30 should be merged into Clause 20 to read as:&lt;/li&gt;
&lt;/ol&gt;
&lt;p class="Textbody"&gt;&lt;i&gt;“(1). The staff of every DNA laboratory shall possess such qualifications and experience commensurate with the job requirements as may be specified by the regulations.&lt;/i&gt;&lt;/p&gt;
&lt;p class="Textbody"&gt;&lt;i&gt;(2). Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations.&lt;/i&gt;&lt;/p&gt;
&lt;p class="Textbody"&gt;&lt;i&gt;(3). Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations.&lt;/i&gt;&lt;/p&gt;
&lt;p class="Textbody"&gt;&lt;i&gt;Accordingly, change the Title: “Qualification, Recruitment and Training of DNA lab personnel.”&lt;/i&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Require DNA labs to have in place an evidence control system (Clause 22) &lt;strong&gt;&lt;span&gt;Note: &lt;/span&gt;&lt;/strong&gt;&lt;strong&gt;&lt;span&gt;This existed in the DNA 2012 Bill&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Amend Clause 23(1) to read as “Every DNA laboratory shall possess and &lt;span&gt;shall follow&lt;/span&gt; a validation process as may be specified by the regulations.”&lt;/li&gt;
&lt;li&gt;Paraphrase Clause 27 as, “Every DNA laboratory shall have audits conducted annually in accordance with the standards as may be specified by the regulations.” It was agreed that the audits of the DNA Laboratory (clause 27) do not need to be external. &lt;strong&gt;&lt;span&gt;Note: &lt;/span&gt;&lt;/strong&gt;&lt;strong&gt;&lt;span&gt;This existed in the DNA 2012 Bill.&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Bring sections 28-31 on infrastructure and training into Chapter V and thus the new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Changing of Section 20 (2) from  &lt;i&gt;“&lt;/i&gt;&lt;i&gt;(2) Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations made by the Board.&lt;/i&gt; (2012) &lt;strong&gt;to&lt;/strong&gt; &lt;i&gt;Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations; (2015)”  and &lt;/i&gt;Addition in 2015 Bill of Section 20 (3)&lt;i&gt; - “Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA profiling and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations” (2015) &lt;/i&gt;&lt;strong&gt;Note: This is as per the Sub-Committee's recommendation.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Amending of Clause 23(1) to read as “Every DNA laboratory shall possess and &lt;span&gt;shall follow&lt;/span&gt; a validation process as may be specified by the regulations.” &lt;strong&gt;Note: This is as per the Sub-Committee's recommendation.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Changing of section 30 from:&lt;i&gt;“Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations made by the Board and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations made by the Board.” (2012) &lt;/i&gt;to&lt;i&gt; “Every DNA laboratory shall have installed appropriate security system and system for safety of personnel as may be specified by the regulations.”&lt;/i&gt;&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;Sections 28-31 on infrastructure and training brought into Chapter V and thus new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”.  &lt;strong&gt;Note: This is as per the Sub-Committee's recommendation.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter VI : DNA Data Bank&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;Removal of section 32(6) which requires the names of individuals to be connected to their profiles and recommended that DNA profiles once developed, should be anonymized and retained separate from the names of their owners.&lt;/li&gt;
&lt;li&gt;Section 34(2) to be limited to containing only an offenders' index and a crime scene index&lt;/li&gt;
&lt;li&gt;Removal of section 36 which allows for international disclosures of DNA profiles of Indians.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Amend Clause 32(1) to read as: “The Central Government shall, by notification, establish a National DNA Data Bank”.&lt;/li&gt;
&lt;li&gt;Anonymize the volunteer's database.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt; No change from 2012 Bill.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter VII : Confidentiality of and access to DNA profiles, samples, and records&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Re-drafting section 39 and 40 to specify that DNA can only be used for forensic purposes and specify the manner in which DNA profiles may be received in evidence.&lt;/li&gt;
&lt;li&gt;Removal of section 40&lt;/li&gt;
&lt;li&gt;Removal of section 43&lt;/li&gt;
&lt;li&gt;Re-draft section 45 as it sets out a post-conviction right related to criminal procedure and evidence. This would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights. However, courts may re-try cases in certain narrow cases when fresh evidence is brought forth that has a nexus to the evidence upon which the person was convicted and if it can be proved that the fresh evidence was not earlier adduced due to bias. Any other fresh evidence that may be uncovered cannot prompt a new trial. Clause 45 is implicated by Article 20(2) of the Constitution of India and by 6 section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.]&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Amend Clause 40 (f) to read as  “-------to the concerned parties to the said civil dispute or civil matter, &lt;span&gt;with the concurrence of the court&lt;/span&gt; and to the concerned judicial officer or authority”. Incorporated, but is now located at section 39&lt;/li&gt;
&lt;li&gt;Include in Chapter VIII  additional Sections:   Clause 42A: “A person whose DNA profile has been created shall be given a copy of the DNA profile upon request”. &lt;span&gt;Clause 42B:&lt;/span&gt; A person whose DNA profile has been created and stored shall be given information as to who has accessed his DNA profile or DNA information.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee: &lt;/strong&gt;N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Addition of  the phrase in section 39 “&lt;span&gt;with the concurrence of the court&lt;/span&gt;”, thus the new clause reads as:  “-------to the concerned parties to the said civil dispute or civil matter, with the concurrence of the court” and to the concerned judicial officer or authority”. &lt;strong&gt;Note: This is as per the recommendations of the Sub-Committee.&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter VIII : Finance, Accounts, and Audit&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation: &lt;/strong&gt;N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation: &lt;/strong&gt;N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt; No change from the 2012 Bill&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter IX : Offences and Penalties&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;The law prohibits the delegation of “essential legislative functions” [In re Delhi Laws, 1951]. The creation of criminal offences must be conducted by a statute that is enacted by Parliament, and when offences are created via delegated legislation, such as Rules, the quantum of punishment must be pre-set by the parent statute.&lt;/li&gt;
&lt;li&gt;Since the listing of offences for DNA profiling will directly affect the fundamental right of personal liberty, it is an undeniable fact that the identification of these offences should be subject to a democratic process of the legislature rather than be determined by the whims of the executive.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Ensure a minimal jail term for any offence under the Act from DNA Data Banks without authorization is a period of one month (chapter 10 (53)) &lt;strong&gt;Note: This already existed in the 2012 Bill.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Add to Section 56 the phrase “… or otherwise willfully neglects any other duty cast upon him under the provisions of this Act, shall be punishable …”.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt; No change from 2012 Bill&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation: &lt;/strong&gt;N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill: &lt;/strong&gt;No change from 2012 Bill&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;strong&gt;&lt;span&gt;Chapter X : Miscellaneous&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;&lt;span&gt;Schedule&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CIS Recommendation&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The creation of a &lt;a href="http://cis-india.org/internet-governance/blog/dna-list-of-offences.pdf"&gt;list of offenses &lt;/a&gt;under which, upon arrest, DNA samples may lawfully be collected from the arrested person without his consent, including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973; [Alternatively, all cognizable offences under the Indian Penal Code may be listed here]&lt;/li&gt;
&lt;li&gt;Every offence punishable under the Immoral Traffic (Prevention) Act, 1956;&lt;/li&gt;
&lt;li&gt;Any cognizable offence under the Indian Penal Code, 1860 that is committed by a registered medical practitioner and is not saved under section 3 of the Medical Termination of Pregnancy Act, 1971; [Note that the ITP Act does not itself create or list any offences, it only saves doctors from prosecution from IPC offences if certain conditions are met]&lt;/li&gt;
&lt;li&gt;Every offence punishable under the Pre-conception and Pre-natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994;&lt;/li&gt;
&lt;li&gt;The offence listed under sub-section (1) of section 31 of the Protection of Women from Domestic Violence Act, 2005;&lt;/li&gt;
&lt;li&gt;Every offence punishable under the Protection of Civil Rights Act, 1955;&lt;/li&gt;
&lt;li&gt;Every offence punishable under the Scheduled Castes and the Scheduled Tribes (Prevention of Atrocities) Act, 1989.&lt;/li&gt;
&lt;/ol&gt; 
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sub-Committee Recommendation:&lt;/strong&gt; N/A&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Expert Committee Recommendation:&lt;/strong&gt; Incorporation of CIS's recommendation to the schedule regarding instances of when DNA samples can be collected without consent.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;2015 Bill:&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li&gt;Addition in 2015 of “&lt;i&gt;Part II: List of specified offences - Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973” (2015). &lt;/i&gt;&lt;strong&gt;Note: This represents partial incorporation of CIS's recommendation.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Expansion of sources of samples for DNA profiling from &lt;i&gt;-&lt;/i&gt;&lt;i&gt; “(1) Scene of occurrence or crime (2) Tissue and skeleton remains (3) Clothing and other objects (4) Already preserved body fluids and other samples” (2012) &lt;/i&gt;&lt;strong&gt;to&lt;i&gt; &lt;/i&gt;&lt;/strong&gt;&lt;i&gt;“1. Scene of occurrence, or scene of crime 2. Tissue and skeleton remains 3. Clothing and other objects 4. Already preserved body fluids and other samples 5. Medical Examination 6. Autopsy examination 7. Exhumation” (2015)” and&lt;/i&gt; Deletion of&lt;i&gt; “Manner of collection of samples for DNA: (1) Medical Examination (2) Autopsy examination (3) Exhumation “ (2012) &lt;/i&gt;&lt;/li&gt;
&lt;/ol&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015'&gt;https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2015-08-10T03:20:59Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions">
    <title>Comparison of Section 35(1) of the Draft Human DNA Profiling Bill and Section 4 of the Identification Act Revised Statute of Canada</title>
    <link>https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions</link>
    <description>
        &lt;b&gt;A comparison of section 35(1) of the Draft Human DNA Profiling Bill, section 4 of the Identification Act, Revised Statute of Canada, and a review of international best practices. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;In continuance of research around the &lt;a href="https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012"&gt;Draft Human DNA Profiling Bill&lt;/a&gt; that has been drafted by the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares section 35(1) of the Draft Human DNA Profiling Bill and section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Indian Provision&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;35 (1) “&lt;i&gt;On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely – &lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;(a) &lt;/i&gt;&lt;i&gt;As to whether the DNA profile received is already contained in the Data Bank; and &lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;(b) &lt;/i&gt;&lt;i&gt;Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. &lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”&lt;/i&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Canadian Provision vs. Indian Provision&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;According to the Draft Human DNA Profiling Bill 35(1) was adopted from the DNA Identification Act Revised Statute of Canada section 4. The provision found in the Draft Human DNA Profiling Bill is different in three ways:&lt;/p&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, whereas the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, other DNA data banks, and courts and tribunals. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The Canadian statute limits the comparison of any DNA profile to that as entered in the convicted offenders index or the crime scene index with those DNA profiles that are already contained in the databank, whereas the Draft Human DNA Profiling Bill allows for any received profile to be compared with the other profiles in the DNA Data Bank. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA databank including: &lt;/li&gt;
&lt;/ol&gt; &lt;ol&gt;&lt;ol&gt;
&lt;li&gt;(&lt;i&gt;a&lt;/i&gt;) if the DNA profile is not       already contained in the data bank, the fact that it is not;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;(&lt;i&gt;b&lt;/i&gt;) if the DNA profile is already       contained in the data bank, the information contained in the data bank in       relation to that DNA profile;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;(&lt;i&gt;c&lt;/i&gt;) if the DNA profile is, in the       opinion of the Commissioner, similar to one that is already contained in       the data bank, the similar DNA profile; and&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;(&lt;i&gt;d&lt;/i&gt;) if a law enforcement agency       or laboratory advises the Commissioner that their comparison of a DNA       profile communicated under paragraph (&lt;i&gt;c&lt;/i&gt;) with one that is       connected to the commission of a criminal offence has not excluded the       former as a possible match, the information contained in the data bank in       relation to that profile.&lt;/li&gt;
&lt;/ol&gt;&lt;/ol&gt;
&lt;p&gt;The Draft Human DNA Profiling Bill, by contrast, provides for communication of only (a) and (b) by the DNA Data Bank Manager.&lt;/p&gt;
&lt;h3&gt;Concerns with 35(1) and Best Practices&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society finds 35(1) problematic because a  DNA profile is never a complete match, and is instead a scientific and statistical based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “&lt;i&gt;1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.&lt;/i&gt;”&lt;a name="fr1"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though it is common for DNA Banks to communicate responses such as “match”,  “no match”, or “partial match” or “inclusion”, “exclusion”, or “inconclusive” to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example in England and Wales guidelines for presenting DNA evidence in court were laid out in the rule R v. Doheny and Adams (1997) 1 Cr. App. R. 396. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;“The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The expert will, on the basis of empirical statistical data, give the jury the random occurrence ratios - the frequency with which the matching DNA characteristics are likely to be found in the population at large. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”&lt;a name="fr2"&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Recommendations&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The  Centre for Internet and Society recommends that the Bill should distinguish between the DNA Bank Manager’s response to law enforcement and other DNA Laboratories and the DNA Bank Manager’s response to courts and tribunals, as below:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;strong&gt;Response to Law enforcement agency and DNA Laboratory:&lt;/strong&gt; The DNA Bank Manager should respond to a request from law enforcement or a DNA laboratory with either: "match" or "partial match".&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;strong&gt;Response to Court and tribunal:&lt;/strong&gt; When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:&lt;/li&gt;
&lt;/ul&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;The random match probability: The probability that the profile is in the sample from the individual tested if the individual tested has been selected at random. &lt;/li&gt;
&lt;li&gt;The frequency with which the matching DNA characteristics are likely to be found in the population at large.&lt;/li&gt;
&lt;li&gt;The probability of contamination. &lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;The Bill should also provide for the database upon which the calculations were based to be made available when requested.  In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.&lt;/p&gt;
&lt;ul&gt;
&lt;/ul&gt;
&lt;hr /&gt;
&lt;p&gt;[&lt;a name="fn1"&gt;1&lt;/a&gt;]. &lt;a class="external-link" href="http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx"&gt;http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx"&gt;[&lt;span&gt;2&lt;/span&gt;].&lt;/a&gt; &lt;a class="external-link" href="http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf"&gt;http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions'&gt;https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-03-03T08:20:55Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy">
    <title>CIS Welcomes 52nd Report on Cyber Crime, Cyber Security, and Right to Privacy </title>
    <link>https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy</link>
    <description>
        &lt;b&gt;The “Fifty Second Report on Cyber Crime, Cyber Security, and Right to Privacy” issued by the 2013 -2014 Standing Committee on Information Technology on February 12th 2014, highlights the urgent need for reform in India’s cyber security framework and the need for the much awaited privacy legislation to be finalized and made into a law. &lt;/b&gt;
        &lt;hr /&gt;
&lt;p class="callout" style="text-align: justify; "&gt;&lt;a class="external-link" href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf"&gt;&lt;b&gt;Read the Fifty-Second Report on Cyber Crime, Cyber Security and Right to Privacy released by the Department of Electronics and Information Technology&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The Report consists of questions on the state of cyber security, cyber crime, and privacy posed by the Standing Committee and briefings and evidence provided by the Department of Electronics and Information Technology (DEITY ) in reply. The Report concludes with recommendations from the Standing Committee on the way forward. &lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Report represents an important step forward in the realm of privacy and cyber security in India as the evidence provided by DEITY  clarifies a number of aspects of India’s present and upcoming cyber security policies and practices. Furthermore, the recommendations by the Standing Committee highlight present gaps and inadequacies in India’s policies and practices and needed steps forward– particularly the need for a privacy legislation in India in the context of cyber security, increased transactions of sensitive data, and governmental projects like the Unique Identification Project.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Broadly, the Standing Committee sought input from DEITY  on eight different aspects of cyber crime, cyber security, and privacy in India - namely:  the growing incidents of cyber crime and resulting financial loss, the challenges and constraints of cyber crime,  the role of relevant governmental organizations in India with respect to cyber security, preparedness and policy initiatives, cyber security and the right to privacy, monitoring and grievance redressal mechanism, and education and awareness initiatives. The evidence provided by DEITY  sheds light on the present mindset of the Government at this time, upcoming policies, and capacity and infrastructure gaps in India’s cyber security framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society appreciates the Report and we would like to highlight and emphasize the following aspects:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Need for a privacy legislation and inadequacy of privacy provisions in Information Technology Act&lt;/b&gt;: When asked by the Standing Committee about the right to privacy and cyber security, DEITY  highlighted the fact that the Information Technology Act contains sufficient safeguards for privacy, and added that the Department of Personnel and Training (DoPT) is in the process of developing a privacy legislation that will address the general concerns of privacy in the country, and thus the two together will be sufficient. DEITY  also noted that no study on the extent of privacy breach due to cyber crime in India has been conducted. In their recommendations, the Standing Committee noted that it was unhappy that the Government has yet to institute a legal framework on privacy, as the increased transfer of sensitive data and projects like the UID leave citizens vulnerable to privacy violations . Significantly, the Standing Committee recommended that though the DoPT is currently responsible for drafting the Privacy Bill, DEITY  should coordinate with the DoPT and become involved in the process. &lt;br /&gt;&lt;br /&gt;As recognized by the Standing Committee, the Centre for Internet and Society would like to  further emphasize the inadequacy of the provisions relating to privacy in the Information Technology Act, and the need for a privacy legislation in India.  Inadequate aspects of the provisions have been pointed out by a number of sources. For example:&lt;/p&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;&lt;a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf"&gt;The Report of the Group of Experts on Privacy&lt;/a&gt;: Prepared by the committee chaired by Justice AP Shah &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;a class="external-link" href="http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_india_en.pdf"&gt;First Analysis of the Personal Data Protection Law in India&lt;/a&gt;: Prepared by the University of Namur for the Commission of the European Communities Directorate General for Justice, Freedom, and Security&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;a href="https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011" class="external-link"&gt;Comments on the Information Technology&lt;/a&gt; (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prepared by the Centre for Internet and Society and submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;a class="external-link" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1964013"&gt;India’s U-Turns on Data Privacy&lt;/a&gt;: Prepared by Graham Greenleaf for the Privacy Laws &amp;amp; Business International Report, Issues 110 -114, 2011 &lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Unclear Enforcement of 43A and associated rules&lt;/b&gt;: In evidence provided, DEITY, while discussing section 43A and the associated Rules, noted that the Data Security Council of India (DSCI) and empanelled security auditors through CERT-in are responsible for the ‘auditing of best practices’ (pg 24).  The Standing Committee did not directly respond to this comment.&lt;br /&gt;&lt;br /&gt;The Centre for Internet and Society would like to point out that DEITY did not clearly state that DSCI and the auditors through CERT-in were responsible for auditing organizational security practices for compliance with 43A. Furthermore, there is no publicly available information regarding audits ensuring compliance with 43A or information about the number of companies  that have been found to be compliant.  The Centre for Internet and Society would like to encourage that this information be made public, and compliance with 43A be enforced at the organizational level.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI not in compliance with 43A and associated Rules&lt;/b&gt;:  In evidence provided, DEITY  noted that &lt;i&gt;“..Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...”&lt;/i&gt; (pg.46) In their recommendations the Standing Committee did not directly address this comment, but did emphasize the need for a privacy legislation in light of the UID scheme.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society appreciates that the Standing Committee raised concern about the privacy implications of the UID project. We would like to highlight that the UIDAI is not a Body Corporate, and is not in compliance with 43A or the subsequent Rules in the Information Technology Act. Furthermore, the UID project involves the handling and processing of data in analogue and digital formats, and thus the privacy protections found under 43A are not sufficient.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;The potential harms of metadata&lt;/b&gt;: In evidence provided, the Department noted  &lt;i&gt;“...we have been assured that whatever data has been gathered by them for surveillance relates only to the metadata..but we expressed that any incursion into the content will not be tolerated and is not tolerable from the Indian stand and point of view.”&lt;/i&gt; (pg.47) The Standing Committee did not respond directly to this comment.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society would like to thank the Standing Committee for noting that the Government should have taken prior steps to prevent such an interception from taking place and for recommending that the Department develop a policy to prevent future instances of interception from taking place. The Centre for Internet and Society would like to emphasize the importance and potentially sensitive nature of metadata. Metadata can, and often does, disclose more about an individual or an activity than the actual content. For example, metadata can reveal identity, behaviour patterns, associations, and can enable the mapping of location and individual movement. As such, the Centre for Internet and Society would recommend that the Government of India treat access to all information generated by individual and governmental communications as sensitive and confidential.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Inadequacy of the Information Technology Act&lt;/b&gt;: When asked by the Standing Committee if the Information Technology Act provided sufficient legal safeguards for cyber security and cyber crime, DEITY  highlighted the fact that the Information Technology Act 2000 addresses all aspects of cyber crime in a comprehensive manner.  DEITY  also pointed out that the National Cyber Security Policy 2013 has provisions to enable the development of a legal framework, and the Department of Personnel and Training  is in the process of drafting a privacy legislation for India that will fill any gaps that exist. In their recommendations, the Standing Committee recognized that the Information Technology Act does contain provisions that address cyber security and cyber crime, but, especially in the recent controversy over section 66A of the Act, Standing Committee emphasized the need for periodical reviews of the IT Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society appreciates the fact that the Committee recognized the need for periodical review of the Information Technology Act, particularly in light of the controversy over 66 A. The Centre for Internet and Society would like to underscore the problems associated with 66A and would like to highlight that with regards to privacy and cyber security, the IT Act is not adequate and falls short in a number of areas. Research that the Centre for Internet and Society has conducted explaining these weaknesses can be found through the below links:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Breaking Down Section 66A of the IT Act&lt;/li&gt;
&lt;li&gt;Short note on IT Amendment Act, 2008&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Implications of domestic servers&lt;/b&gt;:  In response to questions posed by the Standing Committee about security risks associated with the importation of electronics and IT products, as well as the hosting of servers outside the country, DEITY  noted the security risk of using foreign infrastructure and pointed to the hosting of servers in India as a solution to protecting the security and privacy of Indian data. The Standing Committee supported this initiative, and encouraged DEITY  to take further steps towards securing and protecting the privacy of Indian data through the hosting of servers for critical sectors within India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society appreciates the fact that the Standing Committee carefully limited the recommendation of locating servers in India to those in critical sectors, but would caution the Government about potential implications for users’ ability to freely access content and services, and highlight the fact that localization of servers is not a security solution in itself, as a comprehensive solution and hardening of critical assets against cyber attacks is essential.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Incorporation of safeguards into MOUs for international cooperation&lt;/b&gt;: When asked about MOUs for international cooperation that DEITY  has engaged in with other countries, DEITY  reported that currently CERT-in is entering into a number of MOUs with other countries to facilitate cooperation for cyber security purposes. Presently there are MOUs with the US, Japan, South Korea, Mauritius, Kazakhstan, Finland, and the Canada Electronics and ICT sector. DEITY  is also seeking MOUs with Malaysia, Israel, Egypt, Canada, and Brazil. The Standing Committee supported  India entering into MOUs for purposes of international cooperation, and encouraged DEITY  to continue entering into MOUs to mitigate jurisdictional complications when seeking to address issues related to cyber security.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society recognizes the importance of international cooperation when handling issues related to cyber security and cyber crime. To ensure that this process is in line with human rights, the Centre for Internet and Society would encourage DEITY  to ensure that all MOU’s and/or  Mutual Legal Assistance Agreements:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Uphold the principle of dual criminality &lt;/li&gt;
&lt;li&gt;Apply the highest level of protection for individuals in the case where the laws of more than one state could apply to communications surveillance &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Are not used by any party involved to circumvent domestic legal restrictions on communications surveillance.&lt;/li&gt;
&lt;li&gt;Are clearly documented and publicly available&lt;/li&gt;
&lt;li&gt;Contain provisions guaranteeing  procedural fairness.&lt;a href="#fn1" name="fr1"&gt;[1] &lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Hacktivism as a benefit to society&lt;/b&gt;: In evidence provided on page 14, DEITY, among other elements, referred to Hacktivism as a societal challenge to securing cyber security and tackling cyber crime. The Standing Committee did not directly address this comment.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society would like to point out that hacktivism is a complex topic and consists of a variety of methods. Though some methods used by hacktivists are illegal, and some use hacktivism for censorship purposes and to target certain groups, other forms of hacktivism  can benefit society and strengthen cyber security by  finding and revealing vulnerabilities in a system, and bringing attention to illegal or violative practices.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This works towards ensuring that a system is adequately secure. Because of the dynamic nature of hacktivism, the Centre for Internet and Society believes that hacktivism needs to be evaluated on a case by case basis and the Government should not broadly label hacktivism as a challenge to cyber security and cyber crime.&lt;a href="#fn2" name="fr2"&gt;[2] &lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Importance of anonymous speech&lt;/b&gt;: In evidence provided, DEITY noted the threat to cyber security that the anonymous nature of the internet posed. This was reiterated by the Standing Committee in their recommendations.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While recognizing the potential threat to cyber security that the anonymous nature of the internet can pose, the Centre for Internet and Society would like to highlight the importance of anonymous speech online to an individual’s right to free expression.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Conclusion&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Recognizing the direct connection between a strong privacy framework and a strong cyber security framework, as security cannot be achieved without privacy, and recognizing the need for a privacy legislation in light of governmental projects like the UID,  the Centre for Internet and Society welcomes &lt;i&gt;the Fifty Second Report on Cyber Crime, Cyber Security, and the Right to Privacy&lt;/i&gt; and echoes the Standing Committee’s recommendation and emphasis on the need for a comprehensive privacy legislation to be passed in India.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. These safeguards are reflected in the principle of “safeguards for International Cooperation” found in the “International Principles on the Application of Human Rights to Communications Surveillance”  &lt;a class="external-link" href="https://en.necessaryandproportionate.org/text"&gt;https://en.necessaryandproportionate.org/text&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. For more information about hacktivism see: Activism, Hacktivism, and Cyberterrorism. The Internet as a Tool for Influencing Foreign Policy. By Dorothy E. Denning. Georgetown University. Available at: &lt;a class="external-link" href="http://www.iwar.org.uk/cyberterror/resources/denning.htm"&gt;http://www.iwar.org.uk/cyberterror/resources/denning.htm&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy'&gt;https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-02-24T10:49:46Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d">
    <title>CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.</title>
    <link>https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d</link>
    <description>
        &lt;b&gt;The United Nations adopted the resolution on the right to privacy recently. It recognised privacy as a human right, integral to the right to free expression, and also declared that mass surveillance could have negative impacts on human rights. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;On &lt;a class="external-link" href="https://www.un.org/News/Press/docs/2013/gashc4094.doc.htm"&gt;November 26, 2013&lt;/a&gt;, the United Nations adopted a non-binding resolution on &lt;a href="http://www.un.org/ga/search/view_doc.asp?symbol=A/C.3/68/L.45/Rev.1"&gt;The Right to Privacy in the Digital Age&lt;/a&gt;. The resolution was drafted &lt;a href="http://news.idg.no/cw/art.cfm?id=F0537DC8-A06C-E9D5-2EBACEA94829DAC1"&gt;by Brazil and Germany&lt;/a&gt; and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to &lt;a href="http://www.theguardian.com/world/2013/nov/26/un-surveillance-resolution-human-right-privacy"&gt;privacy extending equally to citizens and non-citizens of a country. &lt;/a&gt; The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the &lt;a href="http://www.indexoncensorship.org/2013/11/india-online-report-freedom-expression-digital-freedom-3/"&gt;Central Monitoring System&lt;/a&gt;, should take cognizance of, including in short:&lt;/p&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Privacy is a human right&lt;/b&gt;: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Privacy is integral to the right to free expression&lt;/b&gt;: Privacy is an integral component in recognizing the right to freedom of expression. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression&lt;/b&gt;: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Exceptions to privacy and freedom of expression should be in compliance with human rights law:&lt;/b&gt; Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Mass surveillance may have negative implications for human rights: &lt;/b&gt;Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Equal protection for online and offline privacy:&lt;/b&gt; The right to privacy must be equally protected online and offline.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The resolution further called upon states to:&lt;/p&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;Respect and protect the right to privacy, particularly in the context of digital communications.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;To ensure that relevant legislation is in compliance with international human rights law&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;To review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;To establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extraterritorial surveillance. The Centre for Internet and Society encourages the Government of India, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGOs developed the &lt;a href="https://en.necessaryandproportionate.org/TEXT"&gt;Necessary and Proportionate principles&lt;/a&gt; that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles.  The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access.  A &lt;a href="https://en.necessaryandproportionate.org/take-action/digiges"&gt;petition&lt;/a&gt; to sign onto the principles and demand an end to mass surveillance is currently underway.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Both the Government of India and public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;ol&gt; &lt;/ol&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d'&gt;https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Surveillance</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-11-30T07:25:18Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy">
    <title>CIS and International Coalition Calls upon Governments to Protect Privacy</title>
    <link>https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society (CIS) along with the International Coalition has called upon governments across the globe to protect privacy.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;On September 20 in Geneva, CIS joined a huge international coalition in calling upon countries across the globe, including India, to assess whether national surveillance laws and activities are in line with their international human rights obligations.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society has endorsed a set of international principles against unchecked surveillance. The 13 Principles set out for the first time an evaluative framework for assessing surveillance practices in the context of international human rights obligations.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A group of civil society organizations officially presented the 13 Principles this past Friday in Geneva at a side event attended by Navi Pillay, the United Nations High Commissioner for Human Rights, and the United Nations Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, during the 24th session of the Human Rights Council. The side event was hosted by the Permanent Missions of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Elonnai Hickok, Programme Manager at the Centre for Internet and Society has noted that "the 13 Principles are an important first step towards informing governments, corporates, and individuals across jurisdictions, including India, about needed safeguards for surveillance practices and related policies to ensure that they are necessary and proportionate."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the Human Rights Council stated in her opening statement on September 9:&lt;/p&gt;
&lt;blockquote class="quoted" style="text-align: justify; "&gt;"Laws and policies must be adopted to address the potential for dramatic intrusion on individuals’ privacy which have been made possible by modern communications technology."&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the event, said that:&lt;/p&gt;
&lt;blockquote class="quoted" style="text-align: justify; "&gt;"technological advancements have been powerful tools for democracy by giving access to all to participate in society, but increasing use of data mining by intelligence agencies blurs lines between legitimate surveillance and arbitrary mass surveillance."&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion, &lt;a href="http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf"&gt;made clear&lt;/a&gt; the case for a direct relationship between state surveillance, privacy and freedom of expression in his latest report to the Human Rights Council:&lt;/p&gt;
&lt;blockquote class="quoted" style="text-align: justify; "&gt;"The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other."&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Speaking at the event, the UN Special Rapporteur remarked that:&lt;/p&gt;
&lt;blockquote class="quoted" style="text-align: justify; "&gt;"previously surveillance was carried out on targeted basis but the Internet has changed the context by providing the possibility for carrying out mass surveillance. This is the danger."&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Representatives of the Centre for Internet and Society, &lt;a href="https://www.privacyinternational.org"&gt;Privacy International&lt;/a&gt;, the &lt;a href="https://eff.org"&gt;Electronic Frontier Foundation&lt;/a&gt;, &lt;a href="https://accessnow.org"&gt;Access&lt;/a&gt;, &lt;a href="http://www.hrw.org/"&gt;Human Rights Watch&lt;/a&gt;, &lt;a href="http://en.rsf.org/"&gt;Reporters Without Borders&lt;/a&gt;, &lt;a href="http://www.apc.org/"&gt;Association for Progressive Communications&lt;/a&gt;, and the &lt;a href="https://www.cdt.org/"&gt;Center for Democracy and Technology&lt;/a&gt; all are taking part in the event.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Find out more about the Principles at &lt;a href="https://necessaryandproportionate.org"&gt;https://NecessaryandProportionate.org&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;&lt;b&gt;Contacts&lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;NGOs currently in Geneva for the 24&lt;sup&gt;th&lt;/sup&gt; Human Rights Council:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Access&lt;/b&gt;&lt;br /&gt;Fabiola Carrion: &lt;a class="mail-link" href="mailto:fabiola@accessnow.org"&gt;fabiola@accessnow.org&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Association for Progressive Communication&lt;/b&gt;&lt;br /&gt;Shawna Finnegan: &lt;a href="mailto:shawna@apc.org"&gt;shawna@apc.org&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Center for Democracy and Technology&lt;/b&gt;&lt;br /&gt;Matthew Shears: &lt;a href="mailto:mshears@cdt.org"&gt;mshears@cdt.org&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Electronic Frontier Foundation&lt;/b&gt;&lt;br /&gt;Katitza Rodriguez:  &lt;a href="mailto:katitza@eff.org"&gt;katitza@eff.org&lt;/a&gt; - @txitua&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Human Rights Watch&lt;/b&gt;&lt;br /&gt;Cynthia Wong: &lt;a class="mail-link" href="mailto:wongc@hrw.org"&gt;wongc@hrw.org&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Privacy International&lt;/b&gt;&lt;br /&gt;Carly Nyst: &lt;a href="mailto:carly@privacy.org"&gt;carly@privacy.org&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Reporters Without Borders&lt;/b&gt;&lt;br /&gt;Lucie Morillon: &lt;a href="mailto:lucie.morillon@rsf.org"&gt;lucie.morillon@rsf.org&lt;/a&gt;&lt;br /&gt;Hélène Sackstein: &lt;a href="mailto:helsack@gmail.com"&gt;helsack@gmail.com&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Signatories&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Argentina&lt;/b&gt;&lt;br /&gt;Ramiro Alvarez: &lt;a href="mailto:rugarte@adc.org.ar"&gt;rugarte@adc.org.ar&lt;/a&gt;&lt;br /&gt;Asociación por los Derechos Civiles&lt;/p&gt;
&lt;p class="normal" style="text-align: justify; "&gt;&lt;b&gt;Argentina&lt;/b&gt;&lt;br /&gt;Beatriz Busaniche&lt;b&gt;: &lt;/b&gt;&lt;a class="mail-link" href="mailto:bea@vialibre.org.ar"&gt;bea@vialibre.org.ar&lt;/a&gt;&lt;br /&gt;Fundación Via Libre&lt;/p&gt;
&lt;p class="normal" style="text-align: justify; "&gt;&lt;b&gt;Colombia&lt;/b&gt;&lt;br /&gt;Carolina Botero: &lt;a class="mail-link" href="mailto:carobotero@gmail.com"&gt;carobotero@gmail.com&lt;/a&gt;&lt;br /&gt;Fundación Karisma&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Egypt&lt;/b&gt;&lt;br /&gt;Ahmed Ezzat: &lt;a href="mailto:ahmed.ezzat@afteegypt.org"&gt;ahmed.ezzat@afteegypt.org&lt;/a&gt;&lt;br /&gt;Afteegypt&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Honduras&lt;/b&gt;&lt;br /&gt;Hedme Sierra-Castro: &lt;a href="mailto:hedme.sc@gmail.com"&gt;hedme.sc@gmail.com&lt;/a&gt;&lt;br /&gt;ACI-Participa&lt;/p&gt;
&lt;p&gt;&lt;b&gt;India&lt;/b&gt;&lt;br /&gt;Elonnai Hickok: &lt;a href="mailto:elonnai@cis-india.org"&gt;elonnai@cis-india.org&lt;/a&gt;&lt;br /&gt;Centre for Internet and Society&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Korea&lt;/b&gt;&lt;br /&gt;Prof. Park:  &lt;a href="mailto:kyungsinpark@korea.ac.kr"&gt;kyungsinpark@korea.ac.kr&lt;/a&gt;&lt;br /&gt;Open Net Korea&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Macedonia&lt;/b&gt;&lt;br /&gt;Bardhyl Jashari: &lt;a href="mailto:info@metamorphosis.org.mk"&gt;info@metamorphosis.org.mk&lt;/a&gt;&lt;br /&gt;Metamorphosis Foundation for Internet and Society&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Mauritania, Senegal, Tanzania&lt;/b&gt;&lt;br /&gt;Abadacar Diop: &lt;a href="mailto:jonction_jonction@yahoo.fr"&gt;jonction_jonction@yahoo.fr&lt;/a&gt;&lt;br /&gt;Jonction&lt;/p&gt;
&lt;p class="normal" style="text-align: justify; "&gt;&lt;b&gt;Portugal&lt;/b&gt;&lt;br /&gt;Andreia Martins&lt;b&gt;: &lt;/b&gt;&lt;a class="mail-link" href="mailto:andreia@coolpolitics.pt"&gt;andreia@coolpolitics.pt&lt;/a&gt;&lt;br /&gt;ASSOCIAÇÃO COOLPOLITICS&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Peru&lt;/b&gt;&lt;br /&gt;Miguel Morachimo: &lt;a href="mailto:morachimo@gmail.com"&gt;morachimo@gmail.com&lt;/a&gt;&lt;br /&gt;Hiperderecho&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Russia&lt;/b&gt;&lt;br /&gt;Andrei Soldatov: &lt;a href="mailto:soldatov@agentura.ru"&gt;soldatov@agentura.ru&lt;/a&gt;&lt;br /&gt;Agentura.ru&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Serbia&lt;/b&gt;&lt;br /&gt;Djordje Krivokapic: &lt;a href="mailto:krivokapic@gmail.com"&gt;krivokapic@gmail.com&lt;/a&gt;&lt;br /&gt;SHARE Foundation&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Western Balkans&lt;/b&gt;&lt;br /&gt;Valentina Pellizer: &lt;a href="mailto:valentina.pellizzer@oneworldsee.org"&gt;valentina.pellizzer@oneworldsee.org&lt;/a&gt;&lt;br /&gt;Oneworldsee&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Brasil&lt;/b&gt;&lt;br /&gt;Marcelo Saldanha: &lt;a href="mailto:instituto@bemestarbrasil.org.br"&gt;instituto@bemestarbrasil.org.br&lt;/a&gt;&lt;br /&gt;IBEBrasil&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy'&gt;https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-09-25T07:21:09Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper">
    <title>C.I.S Responds to  Privacy Approach Paper </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper</link>
    <description>
        &lt;b&gt;A  group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject.  Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy.  The approach paper is now being circulated for seeking opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training for seeking public views on the subject. The Privacy India team at C.I.S  responded to the approach paper and has called for the need  for  a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation. &lt;/b&gt;
        
&lt;h2&gt;1. What is privacy?&amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;In the approach paper, the definition of privacy is not consistent and the meanings are used interchangeably. It is variously referred to as a right and an expectation. Also, we find that no real distinctions are being made between privacy, data protection, and security. As a result, the paper lays out an approach to a data protection legislation masquerading as a privacy legislation. &amp;nbsp;Thus, we find that there is a need to define and make consistent in the document, the language used to define privacy.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;CIS, drawing upon the definition of privacy used in the European Union, &amp;nbsp;understands privacy as the right of an individual to be free from unauthorised intrusion and the ability of that individual to control and disseminate information that identifies or characterizes the individual. We thus believe privacy is operative in these contexts:&amp;nbsp;&lt;/p&gt;
&lt;p&gt;1. Physical - physical space, body, home, car, etc.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;2. Informational - Digital as well as Non-Digital (Information gathering, storage, retrieval, usage, transfer, disposal, etc).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;3. Intellectual - &amp;nbsp;Right to make decisions pertaining to oneself, to enjoy one's perspective and ideas. A violation in any of these contexts should be construed as a breach of privacy.&lt;/p&gt;
&lt;/div&gt;
&lt;h2&gt;2. Is there a need for privacy protection?&amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree that there is a pressing need for privacy protection in the context of the enhanced technological opportunities that have arisen in the past two decades for the exploitation of personal data.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;As the approach paper rightly concludes, these threats to privacy are magnified by initiatives that interlink databases – such as the UID project.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;However, we believe that privacy is not limited to data protection and would invite the Committee to consider ways in which it may broaden the ambit of its investigation.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;h2&gt;3. Is there a need for such legislation?&amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We reject the “hybrid” approach being offered here. Previous experiences with Self Regulatory Organisations (SROs) in India (e.g. AMFI, MFIN) leave us with little cause for optimism that they will be an effective guarantor of as sensitive a right as privacy. Curiously, the approach paper itself does not mention this “hybrid” aspect anywhere else in the document. &amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We endorse the attempt to arrive through statute, at a minimal, though robust, horizontal guarantee of privacy that operates across sectors. Just as the parameters of the right to life and liberty are broad guidelines on one hand but have specific and intentional meanings, so should the right to privacy.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;4. Legislative Competence: &amp;nbsp;&lt;/h2&gt;
&lt;p&gt;We agree.&lt;/p&gt;
&lt;/div&gt;
&lt;h2&gt;5. Is there a constitutional right to privacy? &amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree that the Supreme Court has derived a constitutional right to privacy from Article 21 of the Constitution.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;However, the approach paper is factually incorrect in its assertion that “all available cases have been decided in the context of government action”. There is by now a sizeable amount of consumer case law &amp;nbsp;which deals with the issue of privacy between private individuals/entities.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Most frequently, this issue has arisen in the context of hospital/patient relationships and the courts have held the right to privacy as one that is not unqualified.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;d)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Other common “non-government” arenas where courts have elaborated on the right to privacy include banking and telephony services.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;e)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We feel that the Committee ought to inform itself more thoroughly about the developing jurisprudence on the right to privacy in India – both in the context of government and non-government actions.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;6. Existing legislation:&amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;In addition to the IT Act, there are several statutes and subordinate legislation which safeguard an individual’s privacy in specified sectors such as banking, insurance, telephony etc.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;By neglecting them wholesale, we feel that the approach paper deprives itself of valuable contextual elaborations of the right to privacy in India. The case for a horizontal &amp;nbsp;right to privacy in India can be derived not merely from the inadequacies of the IT Act, but from the cumulative failings of all these numerous dispersed provisions.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree that ITA does not provide sufficient protection to privacy, and that there is a need for specific legislation that addresses all aspects of privacy, but we would go much further than the current proposal.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;d)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We suggest that in addition to the requirements listed for data security, a &amp;nbsp;full-fledged privacy legislation needs to include specific regulations on: gathering, retention, access, transfer, security, data quality, and individuals’ consent.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;e)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Furthermore, the data protection component of the privacy legislation needs to include redress for breaches of data, and the individual must be informed when a data breach takes place and given access to sufficient information to identify who breached the privacy and how – as well as information about what data were compromised and ways to limit or undo the improper disclosure.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;f)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Generally speaking, a &amp;nbsp;privacy regime should work towards: 1. Increasing the protection of tangible and intangible possessions as well as personal data; 2. Increasing knowledge of privacy and empowering people to make &amp;nbsp;informed choices; 3. Making organizations more accountable for protecting privacy; 4. Compelling (through audits, sanctions, etc) organisations to improve security standards; 5. Increasing individuals’ confidence in privacy laws and the organisations protecting privacy.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;h2&gt;7. Potential Conflicts between Data Protection Legislation and other Laws:&amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;p&gt;&amp;nbsp;We find that it would be useful if the laws that conflict with the data protection legislation are referenced in each section.&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;&amp;nbsp;7.1 &amp;nbsp;Data Protection and the Right to Information&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;The argument that a privacy legislation would conflict with the RTI is somewhat overstated. &amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Where the government has collected data from individual citizens, that information needs to be exempt from RTI disclosure unless an overriding public interest is demonstrated – which is the current position under the RTI Act. &amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We believe, on the other hand, that public officials ought to be subject to scrutiny by virtue of the public office they hold and that they should be subject to transparency about certain aspects of their life which would not be applicable to the common man. &amp;nbsp;Information about tax filings, credit history, and financial records can help root out corruption, for example.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;d)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;The kinds of personal data that are broadcast in the transparency bulletins should be limited with specifics shared if need be on a case by case basis.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;e)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;As the approach paper itself mentions, the RTI Act is extremely sensitive to the issue of privacy and privacy is one of the most frequent grounds of refusal of data by public bodies.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;f)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Rulings by various information appellate bodies under the RTI Act have done an admirable job of balancing issues of privacy against the public interest and the proposed privacy legislation ought not to disturb this careful balance.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;g)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We recommend that the proposed privacy legislation contain a non-obstante clause that subordinates it to the provisions of the RTI Act.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;7.2 Data Protection and Credit Verification&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree with the statement but believe the privacy issues that would come up are not limited to just credit verification.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;All aspects of data collection and handling for the financial sector should be looked into and statutes developed to deal with the sensitive nature of the data. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;This may include limitations on marketing efforts and disclosure to third-parties.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;7.3 Data Protection and Private Investigative Agencies&lt;/h3&gt;
&lt;/div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We believe that the private investigators should undergo licensure, and that the PI agencies should be regulated so that any kind of surveillance must comply with privacy protection laws.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Judicial oversight should be required in order to take certain kinds of action (access to records, surveillance, monitoring, etc) by these agencies.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;7.4 Data Protection and National Security&lt;/h3&gt;
&lt;/div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We understand the conflict between the need for a government to ensure the security of its population and the need to protect privacy.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We find the most effective resolution is for judicial oversight for some activities (monitoring, surveillance, access to personal records by law enforcement, etc) to be required.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;7.5 &amp;nbsp;Data Protection vs. Transparency in Government&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We feel that this section engages very sloppily with the issue of transparency/corruption in India.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;It completely ignores the history of the various struggles for transparency in government fought across India, that were aimed precisely at prodding the government out of its secretive shell.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;In doing so the approach paper risks retarding, at one stroke, all the advances made by these several movements over the past fifty years.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;d)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;The publication of lists of recipients/beneficiaries of schemes has &amp;nbsp;been one of the most hard won, and potent tools that has been used to mobilize collective action by locals against corrupt officials.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;e)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We empathise with the approach paper’s aspiration that the government “rethink its approach to transparency”, but are skeptical that a new privacy law would, of all things, prompt such a transformative rethinking. We advise caution and certainly greater sensitivity in handling this issue.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;8.0 Privacy legislation in other countries:&lt;/h3&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree with the recommendations, but would include notification of breach: how, when, what and who.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We believe that the auditing of companies is an important security and transparency mechanism that needs to be included, along with the ability to sanction offenders and methods of redressal for aggrieved parties.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.0 &amp;nbsp;Proposed Framework for Privacy Legislation:&amp;nbsp;&lt;/h3&gt;
&lt;div&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Although India lacks a horizontal law of privacy, various sectoral laws currently function to provide a degree of protection. For instance, sectoral regulatory agencies such as TRAI, RBI and SEBI have periodically issued guidelines on privacy which are enforceable through tribunals and ombudsmen under the respective enactments. Professional bodies like the Medical Council and the Bar Council prescribe privacy and confidentiality norms which members of these bodies must adhere to.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;In this context, the approach paper’s suggestion of a “framework” followed by sectoral guidelines would appear to be no more than a duplication through statute of the extant state of &amp;nbsp;affairs.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We would recommend instead, the provision in the act of a robust, general “right to privacy” which would provide a threshold level of protection to the individual. Sectoral guidelines on privacy could then be framed to operate in addition to existing &amp;nbsp;sectoral norms, thereby raising the bar of privacy in that particular sector.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;d)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We also find the framework primarily targeted toward digital data protection alone, and it needs to address all forms of information and include personal and intellectual contexts.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.1 Applicability&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;We endorse the approach paper’s recommendation that the proposed legislation apply both to private and public entities. However, we feel that this does not exhaust the issue of ‘applicability’. Specifically we invite the Committee’s attention to the following issues:&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We believe that the data and the private information that are already in the possession of the government and public/private companies should come under the ambit of the legislation. I.e. it should be applicable to all data collected by any entity, regardless of the fact that such data is otherwise publicly obtainable.&lt;/p&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We invite the Committee’s consideration on whether it would be wise to limit the applicability of the act to regulating the organized, systematic collection of large amounts of personal data by entities, however incorporated. This would, as the approach paper suggests, exempt from the purview of this Act, private and domestic collection of information. In addition it would exempt marginal collectors such as hobbyist website designers, academic researchers etc from the scope of this act. Remedies against these users would still remain, as they have thus far in Tort law.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;9.2 Data&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;While we acknowledge that certain kinds of information may be more sensitive than others, we feel that the approach paper has not adequately made use of this distinction in its later segments. Specifically we believe:&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;The distinction is useful to prescribe enhanced security precautions during the stage of data collection. For example, the collection of genetic data or HIV status of a person can be made subject to very stringent conditions compared to say, the collection of more mundane details like name, age.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;However, we believe the distinction is not useful if it is used, say, to provide differentiated access/data security standards for the two types of information, e.g., if the law stipulated a lesser penalty for the exposure of personal data as opposed to sensitive data, or if the law prescribed a lesser security standard for personal data compared to personal sensitive data. The threat posed by information depends heavily on the context in which it is used, and in the tragic aftermath of Godhra, even a list of names (which the approach paper has not regarded as ‘sensitive’) could be used for lethal purposes.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;&amp;nbsp;9.3 Personal Data&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;We endorse the need expressed by the approach paper for a multilateral definition of the way in which information may identify a person&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.4 Personal Sensitive Data&amp;nbsp;&lt;/h3&gt;
&lt;p&gt;&amp;nbsp;See comments at 9.2 above &amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.5 Data Collection&lt;/h3&gt;
&lt;div&gt;
&lt;div&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We feel that while informed consent ought to be mandatory in all situations the mandatory requirement of informed ‘written’ consent could be confined only to collection of sensitive information and any information that is likely to be stored for longer durations than say, a week.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;This would exempt benign uses such as by academic researchers or hobbyist website designers or photographers who inadvertently collect small quantities of ‘personal data’.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Simultaneously, more ‘industrial’ collectors of personal information such as telephone and insurance companies would be required to obtain written consent. Note that this would not exempt them from the requirement of observing standards of data security, but only free them of the obligation of having obtained written consent.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;d)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;It is important that this requirement would be in addition to but not diminish consent requirements under existing law. For instance, various judicial decisions and the NHRC have stipulated guidelines governing the administration of the polygraph test to an accused. These include the provision of legal assistance and the requirement that consent be recorded before a judge. The simple requirement of “Informed written consent” under the privacy act should not override other more rigorous judicial guidelines.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;e)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;As an overriding safeguard, we think that where “balancing interests” come into play, such &amp;nbsp;interest must first seek and obtain judicial approbation.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;&amp;nbsp;9.6 Data Processing&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree with the need to fix primary responsibility for data security on the data controller, however,&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;it may be in the interest of the citizen/victim to stipulate that in the event of a breach by the data processor, she may prefer her remedy against either the data processor or the data controller.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We reject the approach paper’s view that concessions need to be made “considering the population of India”. After all, considering this population, the very necessity of a privacy legislation itself may also have to “be considered”.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.7 Data Storage&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We concur that data should be stored only until the time the purpose for which it was collected is achieved.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Further, the Committee could consider introducing a presumption that in all cases, unless demonstrated otherwise, the purpose of data collection would be deemed to have been served within, say, 6 months from the date of collection.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We believe that this could be strengthened by placing the onus on the data controller, in the event of any dispute, to prove that the stated purpose has not yet been achieved. Any data that are required for national security or for archival, etc should come under the scrutiny of the judiciary.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;d)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We endorse the approach paper’s conservative stance on linking of databases.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.8 Data Security&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We invite the Committee to explore the possibility of gradated data security standards depending on the size of the data collection and the sensitivity of the information held.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;This would ensure that different security standards would apply to, on the one hand, academic researchers and &amp;nbsp;hobbyist website designers who collect marginal data in small ephemeral collections, and on the other hand large insurance companies which maintain large perpetual data warehouses of personal information. &amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.9 &amp;nbsp;Data Access&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree that data subjects ought to have a ‘moral right’ that guarantees the integrity of data collected and maintained about them.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We believe that the proposed legislation should provide a clear and speedy mechanism to activate this right.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.10 Cross Border Applicability and Transfer&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We would argue that India does need comprehensive legislation and strong enforcement. Population size is not a reason for loose legislation. To the contrary, it buttresses the argument for urgent action to be taken, since the stakes are exponentially greater in a country where a billion people stand to lose their privacy compared to countries with populations numbering in the trifling millions.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Furthermore, the benefits to international trade should be taken into consideration when determining the stringency of a data protection regime, and this should inform the terms of the statutes that are enacted.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.11 Exemptions&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We believe that exemptions to the legislation should be carefully worded and where possible, permitted only through judicial oversight.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Care must be taken to see that exemptions under the proposed legislation do not end up widening the scope of intrusion beyond what is allowable under existing law. E.g., an exemption in the Privacy act on grounds of ‘national security’ should not permit wiretapping agencies to circumvent the due procedure requirements under the Telegraph Act or to violate principles of natural justice.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.12 Automated Decision Making&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;We agree but we think that there is a present need for automated decision related laws since the technology is already in use in India and other countries.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;In particular, we would endorse the incorporation of provisions which would compel disclosure of the fact that automated decision making algorithms are being employed along with a synopsis of the logic of such algorithms.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;9.13 Regulatory Set Up&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;We believe that effective regulation and inexpensive, speedy redress are critical for the success of the proposed right to privacy legislation. We believe the approach paper, while admirable in the scope of the subject it covers, deals with this issue rather inadequately under the overbroad heading of “Regulatory Set up” .&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;a)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;At the outset we believe that standards-setting functions could be and ought to be separated from adjudicatory functions. This is a model that has proven successful in various other domains in India in the recent past (eg. TRAI/TDSAT and SEBI/SAT. ) and could be usefully imported in the present context&amp;nbsp;&lt;/p&gt;
&lt;p&gt;b)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Secondly, we believe that the approach paper is not clear enough on whether civil or criminal penalties are intended. We believe that a judicious mix of both would be necessary in order to minimize the risk of individuals being needlessly harassed by enforcement agencies, whilst simultaneously dealing firmly with corporations and other entities whose violations of privacy threaten the greatest harm. We believe that the proposed legislation could be modeled along the lines of the Workmen’s Compensation Act, the Motor Vehicles Act and similar legislations which provide a minimum assured relief immediately upon the establishment of a claim.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;c)&lt;span class="Apple-tab-span"&gt;	&lt;/span&gt;Lastly, we firmly reject the approach paper’s proposal to merge the functions of the data regulator under the Privacy legislation with those of the Information Commissioners under the Right to Information Act. We believe that the Right to Information Act is a landmark legislation which has, in a short while, become a critical tool of empowerment in the hands of the citizens and civil service organizations. One of the most frequently cited reasons by which government departments refuse access to information under the RTI is on grounds of ‘privacy’. In most cases these turn out to be delaying tactics to shield the actions of a few corrupt officials from public scrutiny. The success of the RTI Act hinges on its interpretation and promulgation by officers who believe in the peremptory importance of openness of information in the public interest. The right to privacy demands an opposite orientation and the merging of the two in one officer would lead to an unsatisfactory implementation of both. &amp;nbsp;We believe, as indicated above, that privacy claims that conflict with a citizen’s exercise of her right to information are being resolved satisfactorily by the information commissioners under the RTI Act at present and the proposed Privacy legislation should not disturb this. &amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;div&gt;
&lt;p&gt;We commend the drafters of the approach paper for their having skillfully woven together the best international practices related to privacy, with an eye to specifics of the Indian situation. However we also feel that the Committee could have been better served by a more detailed study of statutory enforcement models and mechanisms that have succeeded in expanding the reach of remedies to Indians eg. the Consumer Protection Act, Motor Vehicles Act etc.&lt;/p&gt;
&lt;div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;/div&gt;
&lt;div&gt;&lt;a href="https://cis-india.org/internet-governance/blog/privacyapproachpaper" class="internal-link" title="Privacy Approach Paper"&gt;Approach Paper: 121KB&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;

    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2012-03-21T10:08:10Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy">
    <title>Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy</link>
    <description>
        &lt;b&gt;Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.&lt;/b&gt;
        
&lt;p&gt;A set of &lt;a class="external-link" href="http://www.mit.gov.in/sites/upload_files/dit/files/RNUS_CyberLaw_15411.pdf"&gt;rules&lt;/a&gt; relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.&lt;/p&gt;
&lt;p&gt;The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?&lt;/p&gt;
&lt;p&gt;On May 19, 2011, through e-mail, I had the opportunity to interview &lt;a class="external-link" href="http://www.naavi.org/naavi_profile.html"&gt;Vijayashankar&lt;/a&gt;, an expert in cyber law, on issues regarding the rights of bloggers, freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India.&amp;nbsp; Below is a summary of the questions I posed to Vijayashankar and his responses.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights' is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or add comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws:&amp;nbsp; all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.&lt;/p&gt;
&lt;p&gt;This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, bloggers’ rights are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action.&amp;nbsp; This suggests that an international tribunal might be the best solution.&lt;/p&gt;
&lt;p&gt;Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?&lt;/p&gt;
&lt;p&gt;Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.&lt;/p&gt;
&lt;p&gt;My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy?&amp;nbsp; For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers.&amp;nbsp; To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s own domestic law.&lt;/p&gt;
&lt;p&gt;I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to him, bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.&lt;/p&gt;
&lt;p&gt;An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S Government; the U.S Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from?&amp;nbsp; For example, in the US Supreme Court case, &lt;a class="external-link" href="http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=search&amp;amp;court=US&amp;amp;case=/us/465/783.html"&gt;&lt;em&gt;Calder vs. Jones&lt;/em&gt;&lt;/a&gt; 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.&lt;/p&gt;
&lt;p&gt;A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for blackberry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Lastly, I asked if a privacy legislation could address the issue at hand i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers’ accountable.&amp;nbsp; When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration.&amp;nbsp;&lt;/p&gt;

    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T09:35:06Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011">
    <title>Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011</title>
    <link>https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011</link>
    <description>
        &lt;b&gt;Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations. This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.&lt;/b&gt;
        &lt;p&gt;Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.&lt;/p&gt;
&lt;p&gt;Below is an initial evaluation of how Big Data could impact India's current data protection standards.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000&lt;a href="#_ftn1" name="_ftnref1"&gt;[1]&lt;/a&gt; define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Scope of Rules: &lt;/b&gt;Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as &lt;i&gt;"Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."&lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Definition of personal and sensitive personal data: &lt;/b&gt;Rule 2(i) defines personal information as &lt;i&gt;"information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Rule 3 defines sensitive personal information as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Password,&lt;/li&gt;
&lt;li&gt;Financial information,&lt;/li&gt;
&lt;li&gt;Physical/physiological/mental health condition,&lt;/li&gt;
&lt;li&gt;Sexual orientation,&lt;/li&gt;
&lt;li&gt;Medical records and history,&lt;/li&gt;
&lt;li&gt;Biometric information&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated to an already identified individual - such as habits, location, or activity.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Consent&lt;/b&gt;: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Notice of Collection: &lt;/b&gt;Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though this provision acts as an important element of transparency, in the context of Big Data, communicating the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information could prove to be difficult to communicate as they are likely to encompass numerous agencies and change depending upon the analysis being done.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Access and correction&lt;/b&gt;: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Purpose Limitation:&lt;/b&gt; Rule 5(5) requires that body corporate should use information only for the purpose for which it has been collected.&lt;/p&gt;
&lt;p&gt;In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Security:&lt;/b&gt; Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Data Breach&lt;/b&gt; : Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Opt in and out and ability to withdraw consent&lt;/b&gt; : Rule 5(7) requires Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - must give the individual the option of not providing information and must give the individual the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Disclosure of Information&lt;/b&gt;: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Privacy Policy&lt;/b&gt; : Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Remedy&lt;/b&gt; : Section 43A of the Act holds that if a body corporate is negligent in implementing and maintain reasonable security practices and procedures which results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty sectoral legislation that have provisions addressing privacy - for example provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting a privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector level self regulatory organization developing privacy codes (that are not lower than the defined national privacy principles) and that are enforced by a privacy commissioner.&lt;a href="#_ftn2" name="_ftnref2"&gt;[2]&lt;/a&gt; Perhaps this method would be optimal for the regulation of Big Data- allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.&lt;/p&gt;
&lt;h3&gt;&lt;/h3&gt;
&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities&lt;a href="#_ftn3" name="_ftnref3"&gt;[3]&lt;/a&gt;, city wide CCTV networks with facial recognition capabilities&lt;a href="#_ftn4" name="_ftnref4"&gt;[4]&lt;/a&gt;, and the implementation of an identity/authentication platform for public and private services&lt;a href="#_ftn5" name="_ftnref5"&gt;[5]&lt;/a&gt;, are indicators towards a move of data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India" indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;a href="#_ftnref1" name="_ftn1"&gt;[1]&lt;/a&gt;Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref2" name="_ftn2"&gt;[2]&lt;/a&gt;Group of Experts on Privacy. (2012). &lt;i&gt;Report of the Group of Experts on Privacy.&lt;/i&gt; New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref3" name="_ftn3"&gt;[3]&lt;/a&gt; NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit. NDTV, May 25&lt;sup&gt;th&lt;/sup&gt; 2015, Available at: &lt;a href="http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857"&gt;http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857&lt;/a&gt;. Accessed: July 2&lt;sup&gt;nd&lt;/sup&gt; 2015.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref4" name="_ftn4"&gt;[4]&lt;/a&gt;FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21&lt;sup&gt;st&lt;/sup&gt; 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="#_ftnref5" name="_ftn5"&gt;[5]&lt;/a&gt;UIDAI Official Website. Available at: https://uidai.gov.in/&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011'&gt;https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Big Data</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2015-08-11T07:01:12Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection">
    <title>Another Step towards Privacy Law</title>
    <link>https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection</link>
    <description>
        &lt;b&gt;A comparison between the 2012 experts’ report and the 2017 white paper on data protection.&lt;/b&gt;
        &lt;p&gt;&lt;span style="text-align: justify; "&gt;The column was published in &lt;/span&gt;&lt;a class="external-link" href="http://www.governancenow.com/views/columns/another-step-towards-privacy-law-data-protection" style="text-align: justify; "&gt;Governance Now&lt;/a&gt;&lt;span style="text-align: justify; "&gt; in January 15, 2018 issue.&lt;/span&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th&gt;&lt;img src="https://cis-india.org/home-images/PrivacyLaw.png/@@images/e6aec54f-c20a-4f80-8dfe-b5e48e585ee0.png" style="text-align: justify; " title="Privacy Law" class="image-inline" alt="Privacy Law" /&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;(Illustration: Ashish Asthana)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;On July 31 the ministry of electronics and information technology (MeitY) constituted a committee of experts, headed by justice (retired) BN Srikrishna, to deliberate on a data protection framework for India. The committee is another step in India’s journey in formulating a national-level privacy legislation.&lt;/p&gt;
&lt;div id="_mcePaste" style="text-align: justify; "&gt;&lt;/div&gt;
&lt;p id="_mcePaste" style="text-align: justify; "&gt;The formulation of a privacy law started as early as 2010 with an approach paper for a legislation on privacy towards envisioning a privacy framework for India. In 2011, a bill on right to privacy was drafted. In 2012 the planning commission constituted a group of experts, with justice (retired) AP Shah as its chief, which prepared a report recommending a privacy framework.&lt;/p&gt;
&lt;div id="_mcePaste" style="text-align: justify; "&gt;&lt;/div&gt;
&lt;p id="_mcePaste" style="text-align: justify; "&gt;A month after the formation of the committee, in August, the sectoral regulator, Telecom Regulatory Authority of India (TRAI), released the consultation paper, ‘Privacy, Security and Ownership of the Data in the Telecom Sector’. In the same month, the supreme court in a landmark decision recognised privacy as a fundamental right.&lt;/p&gt;
&lt;div id="_mcePaste" style="text-align: justify; "&gt;&lt;/div&gt;
&lt;p id="_mcePaste" style="text-align: justify; "&gt;In November 2017, the expert group released a ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ to solicit public comments on the contours of a data protection law for India.&lt;/p&gt;
&lt;div id="_mcePaste" style="text-align: justify; "&gt;&lt;/div&gt;
&lt;p id="_mcePaste" style="text-align: justify; "&gt;To understand the evolution of the thinking around a privacy framework for India, this article outlines and analyses common themes and differences between (a) the 2012 group of experts’ report, and the 2017 expert committee’s white paper.&lt;/p&gt;
&lt;div style="text-align: justify; "&gt;&lt;/div&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The white paper seeks to gather inputs from the public on key issues towards the development of a data protection law for India. The paper places itself in the context of the NDA government’s Digital India initiative, the justice Shah committee report, and the judicial developments on the right to privacy in India. It is divided into three substantive parts: (1) scope and exemptions, (2) grounds of processing, obligation and entities, individual rights, and (3) regulation and enforcement. Each part is comprised of deep dives into key issues, international practices, preliminary views of the committee, and questions for public consultation.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Broadly, the 2012 report defined nine national-level privacy principles and recommended a co-regulatory framework that consisted of privacy commissioners, courts, self-regulating organisations, data controllers, and privacy officers at the organisational level. At the outset, the 2017 white paper is different from that report simply by the fact that it is a consultation paper soliciting views as compared to a report that recommends a broad privacy framework for India. In doing so, the white paper explores a broader set of issues than those discussed in the justice Shah report – ranging from the implications of emerging technologies on the relevance of traditional privacy principles, data localisation, child’s consent, individual participation rights, the right to be forgotten, cross-border flow of data, breach notification etc. Given that the white paper is a consultation paper, this article examines the provisional views shared in it with the recommendations of the 2012 report.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Key areas that the both the documents touch upon (though not necessarily agree on) include:&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Applicability&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The 2012 report of experts recommended a privacy legislation that extends the right to privacy to all persons in India, all data that is processed by a company or equipment located in India, and to data that originate in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the white paper reflect this position, but also offer that applicability could be in part determined by the legitimate interest of the state, carrying on a business or offering services or goods in India, and if, despite location, the entity is processing the personal data of Indian citizens. The provisional views also touch upon retrospective application of a data protection law and agree with the 2012 report by recommending that a law apply to privacy and public bodies. They also go a step further by recommending specific exemptions in application for well defined categories of public or private entities.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Exceptions&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The experts’ report defined the following exceptions to the right to privacy: artistic and journalistic purposes, household purposes, historic and scientific research, and the Right to Information. Exceptions that must be weighed against the principles of proportionality, legality, and necessary in a democratic state included: national security, public order, disclosure in public &lt;span&gt;interest, prevention, detection, investigation, and prosecution of criminal offences, and protection of the individual or of the rights and freedoms of others.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the 2017 white paper broadly mirror the exemptions defined in the experts’ report, but do not weigh exceptions related to national security and public interest etc. against the principles of proportionality, legality, and necessary in a democratic state and instead explored a review mechanism for these exceptions.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Consent&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the white paper on consent note that aspects of consent should include that it is freely given, informed and specific and that standards for implied consent need to be evolved.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though the 2012 experts’ report defined a principle for choice and consent, this principle did not define aspects of what would constitute valid consent, yet it did incorporate an opt-out mechanism.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Notice&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the white paper hold that notice is important in enabling consent and explore a number of mechanisms that can be implemented to effect meaningful notice such as codes of practice for designing notice, multilayered notices, assessing notices in privacy impact assessments, assigning ‘data trust scores’ based on their data use policy, and having a ‘consent dashboard’ to help individuals manage their consent across entities.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;These views build upon and complement the principle of notice defined in the 2012 report which defined components of a privacy policy as well as other forms of notice including data breach (also addressed in the white paper) and legal access to personal information.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Purpose limitation/minimisation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the white paper recognise the challenges that evolving technology is posing to the principle of purpose limitation and recommend that layered privacy policies and the standard of reasonableness can be used to contextualise this principle to actual purposes and uses.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though the 2012 report defined a purpose limitation principle, the principle does not incorporate a standard of reasonableness or explore methods of implementation.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Data Retention and Quality&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the white paper suggest that the principles of data retention and data quality can be guided by the terms “reasonably and necessary” to ensure that they are not overly burdensome on industry.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The 2012 report of experts briefly touched on data retention in the principle of purpose limitation –holding that practices should be in compliance with the national privacy principles.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Right to Access&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the white paper recognise the importance of the right confirmation, access, and rectify personal information of the individual, but note that this is increasingly becoming harder to enforce with respect to data that is observed behavioral data and derived from habits. A suggested solution is to impose a fee on individuals for using these rights to deter frivolous requests.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though the 2012 report defined a principle of access and correction it did not propose a fee for using this right and it included the caveat that if the access would affect the privacy rights of others, access may not be given by the data controller.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Enforcement Mechanisms&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the 2017 white paper broadly agree with the appropriateness of the model of co-regulation and development of codes of practice as suggested in the 2012 report. Within the system envisioned in the 2012 report of experts, self-regulating organisations at the indu&lt;span&gt;stry level will have the ability to develop industry specific norms and standards in compliance with the national privacy principles to be approved by the privacy commissioner.&lt;/span&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Accountability&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The provisional views of the white paper go beyond the principle of accountability defined in the 2012 report by suggesting that data controllers should not only be held accountable for implementation of defined data protection standards, but in defined circumstances, also for harm that is caused to an individual.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Additional Obligations and Data Controllers&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Provisional views in the white paper suggest the following mechanisms as methods towards ensuring accountability of specific categories of data controllers: registration, data protection impact assessment, data audits, and data protection officers that are centres of accountability.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The 2012 experts’ report also envisioned impact assessments and investigations carried out by the privacy commissioner and the role of a data controller, but did not explore registration of these entities.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Authorities and Adjudication&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The both documents are in agreement on the need for a privacy commissioner/data protection authority and envision similar functions such as conducting privacy impact assessments, audits, investigation, and levying of fines. The white paper differs from the 2012 experts’ report in its view that the appellate tribunals under the IT Act and bodies like the National Commission Disputes Redressal Commission could potentially be appropriate venues for adjudicating and resolving disputes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though the 2012 experts’ report recommended that complaints can be issued through an alternative dispute resolution mechanism, to central and regional level commissioners, or to the courts – for remedies– enforcement of penalties should involve district and high-level courts and the supreme court. The 2012 report specified that a distinct tribunal should not be created nor should existing tribunals be relied upon as there is the possibility that the institution will not have the capacity to rule on a broad right of privacy. Individuals that can be held liable by individuals include data controllers, organisation directors, agency directors, and heads of governmental departments.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Penalty and Remedy&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The white paper goes much further in its thinking on penalties, remedies and compensation than the 2012 report of experts – discussing potential models for calculation of civil penalties including nature and extent of violation of the data protection obligation, nature of personal information involved, number of individuals affected, whether infringement was intentional or negligent, measures taken by the data controller to mitigate the damage, and previous track record of the data controller.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The white paper is a progressive and positive step towards formulating a data protection law for India that is effective and relevant nationally and internationally. It will be interesting to see the public response to it and the response of the committee to the inputs received from the consultation as well as how the final recommendations differ, build upon, and incorporate previous policy steps towards a comprehensive privacy framework for India.&lt;/p&gt;
&lt;div style="text-align: justify; "&gt;&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection'&gt;https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-01-18T01:50:59Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india">
    <title>Analysis of CLOUD Act and Implications for India</title>
    <link>https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india'&gt;https://cis-india.org/internet-governance/files/analysis-of-cloud-act-and-implications-for-india&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2018-08-22T14:53:50Z</dc:date>
   <dc:type>File</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee">
    <title>An Open Letter to the Finance Committee: SCOSTA Standards</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee</link>
    <description>
        &lt;b&gt;The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.&lt;/b&gt;
        &lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that &lt;span class="Apple-style-span"&gt;Aadhaar&lt;/span&gt; biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.&lt;/p&gt;
&lt;h3&gt;A background of the two standards&lt;/h3&gt;
&lt;p&gt;The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:&lt;/p&gt;
&lt;p&gt;1. Compliant with the international standard ISO-7816 for smart cards.&lt;/p&gt;
&lt;p&gt;2. Based on a public/private key and pin authentication factor&lt;/p&gt;
&lt;p&gt;3. Authentication factor refers to an individual's keys, pass-phrases, and pin.&lt;/p&gt;
&lt;p&gt;The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:&lt;/p&gt;
&lt;p&gt;1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.&lt;/p&gt;
&lt;p&gt;2. Based on a symmetric authentication factor&lt;/p&gt;
&lt;h3&gt;A comparison of the two standards&lt;/h3&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Standard &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;SCOSTA  -  MNIC smart card&lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Aadhaar Biometric  - UID number &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Architecture &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Decentralized &lt;/b&gt;&lt;br /&gt;SCOSTA standards require a key pair in combination with a pin, and thus can be structured in a decentralized manner &lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Centralized&lt;/b&gt;&lt;br /&gt;Aadhaar biometric standards require symmetric &lt;br /&gt;authentication factors, and thus must be structured in a centralized manner &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Standards for Technology &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Open standard&lt;br /&gt;&lt;/b&gt;Creates security through transparency &lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Closed standard &lt;/b&gt;&lt;br /&gt;Creates security through obscurity &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Points of failure &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Multiple points of failure&lt;/b&gt;&lt;br /&gt;The SCOSTA standard has multiple points of failure, because of its decentralized structure; thus if one data base is compromised, not all data is lost.&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Single point of failure &lt;/b&gt;&lt;br /&gt;The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Impact on local industry &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Encourages&lt;/b&gt;&lt;br /&gt;Open standards allow local industry to compete in manufacturing technology&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Discourages&lt;/b&gt;&lt;br /&gt;Closed standards allow foreign players to monopolize the manufacturing of technology &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Cost analysis &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Cost effective &lt;/b&gt;&lt;br /&gt;Increased competition keeps prices low &lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Cost ineffective &lt;/b&gt;&lt;br /&gt;Decreased competition keeps prices high&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Revocation&lt;/b&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Revocable&lt;/b&gt;&lt;br /&gt; If the key pair and  pin are stolen, a new set of passwords can be issued&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Permanent&lt;/b&gt; &lt;br /&gt;If the biometrics of an individual are stolen, they cannot be re-issued &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Possibility of fraudulent authentication &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Lower&lt;/b&gt;&lt;br /&gt;A thief must steal your smart card and your secret pin to commit fraud &lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Higher&lt;/b&gt;&lt;br /&gt;A thief only needs to collect your fingerprints using a glass tumbler to commit fraud &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Viability of Technology&lt;/b&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Proven effective for large populations &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Not proven effective for large populations&lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt; &lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee'&gt;https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-12-20T03:58:09Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian">
    <title>An Interview with Suresh Ramasubramanian </title>
    <link>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</link>
    <description>
        &lt;b&gt;Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud. &lt;/b&gt;
        &lt;ol&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?&lt;/b&gt;&lt;br /&gt;a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, I have become a M3AAWG special advisor for capacity building and outreach in India.&lt;br /&gt;&lt;br /&gt;In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.&lt;br /&gt;&lt;br /&gt;This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.&lt;br /&gt;&lt;br /&gt;There is a prevalent lack of knowledge in this area, combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;In a recent public statement Google said "Cloud users have no legitimate expectation of privacy." Do you agree with this statement?&lt;/b&gt;&lt;br /&gt;a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.&lt;br /&gt;&lt;br /&gt;The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.&lt;br /&gt;&lt;br /&gt;It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.&lt;br /&gt;&lt;br /&gt;Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.&lt;br /&gt;&lt;br /&gt;There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;In what ways can the privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?&lt;/b&gt;&lt;br /&gt;a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.&lt;br /&gt;&lt;br /&gt;Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.&lt;br /&gt;&lt;br /&gt;Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. 
Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.&lt;br /&gt;&lt;br /&gt;The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;How is the jurisdiction of the data on the cloud determined?&lt;/b&gt;&lt;br /&gt;This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.&lt;br /&gt;&lt;br /&gt;However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.&lt;br /&gt;&lt;br /&gt;The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.&lt;br /&gt;&lt;br /&gt;In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. 
The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.&lt;br /&gt;&lt;br /&gt;In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?&lt;/b&gt;&lt;br /&gt;a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].&lt;br /&gt;&lt;br /&gt;A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?&lt;/b&gt;&lt;br /&gt;a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.&lt;br /&gt;&lt;br /&gt;Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - &lt;a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html"&gt;http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html&lt;/a&gt;). Some standards you absolutely have to comply with for legal reasons.&lt;br /&gt;&lt;br /&gt;Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.&lt;br /&gt;&lt;br /&gt;The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and security momentum going once these standards have been “achieved”, till it is time for the next audit at any rate.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;What do you see as the big challenges for privacy in the cloud in the coming years?&lt;/b&gt;&lt;br /&gt;a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Do you think encryption is the answer to snooping by private and public institutions?&lt;/b&gt;&lt;br /&gt;a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.&lt;br /&gt;&lt;br /&gt;There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.&lt;br /&gt;&lt;br /&gt;As a very popular &lt;a class="external-link" href="http://xkcd.com/538/"&gt;XKCD&lt;/a&gt; cartoon that has been shared around social media and has been cited in multiple security papers says -&lt;br /&gt;&lt;br /&gt;“A crypto nerd’s imagination”&lt;br /&gt;&lt;br /&gt;“His laptop’s encrypted. Let us build a million dollar cluster to crack it”&lt;br /&gt;“No good! It is 4096 bit RSA”&lt;br /&gt;“Blast, our evil plan is foiled”&lt;br /&gt;&lt;br /&gt;“What would actually happen”&lt;br /&gt;“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”&lt;br /&gt;“Got it”&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Spam is now consistently used to get people to divulge their personal data or otherwise compromise a person's financial information and perpetuate illegal activity. Can spam be regulated? If so, how?&lt;/b&gt;&lt;br /&gt;a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.&lt;br /&gt;&lt;br /&gt;The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. 
Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.&lt;br /&gt;&lt;br /&gt;Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.&lt;br /&gt;&lt;br /&gt;Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.&lt;br /&gt;&lt;br /&gt;Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export  controls? privacy regulation? Use control?&lt;/b&gt;&lt;br /&gt;a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.&lt;br /&gt;&lt;br /&gt;Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.&lt;br /&gt;&lt;br /&gt;Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.&lt;br /&gt;&lt;br /&gt;This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. 
So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.&lt;br /&gt;&lt;br /&gt;User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.&lt;/li&gt;
&lt;/ol&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'&gt;https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>SAFEGUARDS</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-09-06T09:37:47Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm">
    <title>An Interview with Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party</title>
    <link>https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society interviewed Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party.&lt;/b&gt;
        &lt;h3 style="text-align: justify; "&gt;What activities and functions does your office undertake?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The activities and functions of the Dutch data protection authority can roughly be divided in 4 different categories: supervisory activities, giving advice on draft legislation, raising awareness and international tasks. &lt;br /&gt;&lt;br /&gt;The Dutch DPA supervises the legislation applicable in the Netherlands with regard to the use of personal data. The most important law is the Dutch Data Protection Act, but the Dutch DPA also supervises for example the Acts governing data processing by police and justice as well as parts of the Telecoms Act. &lt;br /&gt;&lt;br /&gt;The supervisory activities mainly consist of investigating, ex officio, violations of the law, with the focus on violations that are serious, structural and impact a large amount of people. Where necessary, the Dutch DPA can use its sanctioning powers, including imposing a conditional fine, to enforce the law. The Dutch DPA can also decide to examine sector-wide codes of conduct that are submitted to it and provide its views in the form of a formal opinion. &lt;br /&gt;&lt;br /&gt;In addition to investigations, the Dutch DPA advises the government, and sometimes the parliament, on draft legislation related to the processing of personal data. Following the Data Protection Act, the government is obliged to submit both primary and secondary legislation related to data processing to the DPA for advice. &lt;br /&gt;&lt;br /&gt;As regards awareness-raising, next to publishing the results of the investigations, its views on codes of conduct and its advice on legislation, the Dutch DPA also issues guidelines, on its own initiative, explaining legal norms. Via its websites, the Dutch DPA provides more information to both data subjects and controllers on how data can and cannot be processed. Specifically for data subjects, self-empowerment tools – including standard letters to exercise their rights – are made available. 
Furthermore, they can contact the Dutch DPA daily via a telephone hotline.&lt;br /&gt;&lt;br /&gt;Last but not least, the Dutch DPA participates in several International and European fora, including the Article 29 Working Party of which I am the Chair, the European and the International Conference of data protection and privacy commissioners, of whose Executive Committee I am also the Chair.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What powers does your office have? in your opinion are these sufficient? Which powers have been most useful? If there is a lack, what do you feel is needed?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Dutch DPA has a broad range of investigative powers, including the power to order the controller to hand over all relevant information and entering the premises of the controller unannounced. All organisations subjected to the supervision of the Dutch DPA are obligated to cooperate. &lt;br /&gt;&lt;br /&gt;The Dutch DPA also has a considerable range of sanctioning powers, it can for example order the suspension or termination of certain processing operations and can also impose a conditional fine. Currently a bill is before Parliament to provide the Dutch DPA with fining powers as well.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Especially when the bill providing the Dutch DPA with fining powers will be passed, I feel the powers are sufficient, giving us all the necessary enforcement tools to ensure compliance with the law.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;How is your office funded?&lt;/h3&gt;
&lt;p&gt;The Dutch DPA is funded through the government who, together with the parliament, each year determines the budget for the next year. The budget is drafted on the basis of a proposal from the Dutch DPA.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What is the organizational structure of your office and the responsibilities of the key executives?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Dutch DPA consists of a college of commissioners and the supporting Secretariat, itself consisting of 6 departments and headed by the Director. The Dutch DPA has 2 supervision departments, one for the private and one for the public sector, a legal department, a communications department, an international department and a department providing the operational support.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;If India creates a  framework of co-regulation, how would you suggest the overseeing body be structured?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Considering the many differences between India and the Netherlands - and Europe - this is a very hard question to answer. But whatever construction is chosen in India, it is of utmost importance to guarantee the independence of the supervisory authorit(y)(ies), who shall be provided with sufficient and scalable powers to be able to sanction violations.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What legal challenges has your office faced?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The biggest legal challenge we face at the moment is the new European legal framework currently being discussed. It is as yet uncertain whether and when this will enter into force, but it is clear that it will bring new challenges for our office.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What are the main differences between your offices?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Generally, I think that the differences between my office and the UK and Canadian offices mostly stem from our different legal and cultural backgrounds, especially the difference between the common law and codified law systems. &lt;br /&gt;&lt;br /&gt;In addition, the norms and powers differ per supervisory authority. The Dutch DPA for example can enter a building without prior notice, while the ICO, if I understand correctly, can only enter with the consent of the supervised organisation. &lt;br /&gt;&lt;br /&gt;I however prefer to look at the similarities and possibilities to overcome our differences, because I think that we all feel that providing a high level of data protection and ensuring user control are all of our main priorities.&lt;br /&gt;&lt;br /&gt;Naturally, I am very curious to hear from Christopher and Chantal as well.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What are the most recent privacy developments for each of your respective offices?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The technological developments of the past decades and the increasing use of smartphones and tablets, have also made privacy developments necessary and have obliged us, as data protection authorities, to consider the rules and norms in this new environment.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What would you broadly recommend for a privacy legislation for India?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In my view the privacy legislation in India should in any case contain the basic principles of the protection of personal data, applicable to both the public and the private sector. Naturally with some exceptions for law enforcement purposes. &lt;br /&gt;&lt;br /&gt;Furthermore, the Indian law should protect the imported data of citizens from other parts of the world as well, including the EU. &lt;br /&gt;&lt;br /&gt;And as mentioned in my answer to question 5, it is of utmost importance that the Indian legislation guarantees the establishment of (a) completely independent supervisory authorit(y)(ies), provided with sufficient sanctioning powers, to supervise compliance with the legislation also of the government, including police and justice.&lt;br /&gt;&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-10-25T04:50:56Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/interview-with-anne-cavoukian">
    <title>An Interview with Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada</title>
    <link>https://cis-india.org/internet-governance/interview-with-anne-cavoukian</link>
    <description>
        &lt;b&gt;Elonnai Hickok interviewed Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada. The full interview is reproduced below.&lt;/b&gt;
        
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;When Canada weighed a broad privacy legislation against sectoral legislation, was the decision close?&amp;nbsp; What were the most decisive factors?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Canada’s legislative privacy regime consists of both broad and sectoral privacy legislation.&lt;br /&gt;&lt;br /&gt;Broadly, the use of personal information in Canadian commercial activities is regulated by federal legislation under the &lt;em&gt;&lt;a class="external-link" href="http://www.priv.gc.ca/leg_c/leg_c_p_e.cfm"&gt;Personal Information Protection and Electronic Documents Act (PIPEDA)&lt;/a&gt;&lt;/em&gt;, or by provincial legislation that is “substantially similar” to &lt;em&gt;PIPEDA&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;Sectorally, a prime example is the protection of personal health information under Ontario's &lt;em&gt;&lt;a class="external-link" href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm"&gt;Personal Health Information Protection Act, 2004 (PHIPA)&lt;/a&gt;&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;Regarding the decisive factors surrounding Parliament's passing of a broad private sector privacy statute, you may know that oversight of PIPEDA falls within the jurisdiction of the &lt;a class="external-link" href="http://www.priv.gc.ca/leg_c/leg_c_p_e.cfm"&gt;Office of the Privacy Commissioner of Canada (OPC)&lt;/a&gt;. 
Accordingly, you may wish to focus your contact with the OPC regarding your question.&amp;nbsp; In addition, &lt;a class="external-link" href="http://www.ic.gc.ca/ic_wp-pa.htm"&gt;Industry Canada&lt;/a&gt; may have some helpful resources regarding the federal government’s decision to enact &lt;em&gt;PIPEDA&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Do you see the different perceptions and cultural understandings of privacy as something to be addressed through legislation?&amp;nbsp; If not, do you think it should be addressed at all?&amp;nbsp; How? &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In an era marked by the widespread use of new information technologies, globalization, and the international flow of personal information, the establishment of global privacy standards is required to effectively protect personal privacy. Fortunately, an international community of data protection commissioners is hard at work contributing to the establishment of a set of global privacy principles. At the annual International Data Protection Commissioners Conference in 2005, Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, chaired a Working Group of Data Protection Commissioners that led to the &lt;a class="external-link" href="http://www.ipc.on.ca/images/Resources/gps.pdf"&gt;Creation of a Global Privacy Standard&lt;/a&gt;. 
Such a principled but flexible approach can also be seen, for example, in the landmark &lt;a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2010/11/pbd-resolution.pdf"&gt;&lt;em&gt;Privacy by Design&lt;/em&gt; (PbD) resolution&lt;/a&gt; adopted unanimously, in 2010, by the international Privacy Authorities and Regulators at the International Conference of Data Protection and Privacy Commissioners in Jerusalem.&lt;a name="fr1" href="#fn1"&gt;[1]&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The resolution recognizes &lt;em&gt;&lt;a class="external-link" href="http://privacybydesign.ca/about/principles/"&gt;PbD&lt;/a&gt;&lt;/em&gt; as an “essential component of fundamental privacy protection” – an International Standard, and urges its adoption in regulations and legislation around the world. Governments that employ this internationally recognized standard will be able to both protect privacy and address local and national priorities.&lt;a name="fr2" href="#fn2"&gt;[2]&lt;br /&gt;&lt;br /&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;How does the Canadian model implement self-regulation of privacy standards? 
How is that balanced against legal enforcement of privacy legislation?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In Canada, as elsewhere, private sector privacy regulation recognizes the dual purposes of protecting the individual's right to privacy, on the one hand, and recognizing the commercial need for access to personal information, on the other.&lt;a name="fr3" href="#fn3"&gt;[3]&lt;/a&gt;&lt;em&gt;&lt;br /&gt;&lt;br /&gt;PIPEDA&lt;/em&gt; furthers these two purposes by tying a set of flexible, technology-neutral privacy principles to a statutory framework of rules governing the collection, use, and disclosure of personal information.&lt;br /&gt;&lt;br /&gt;In particular, Part I of PIPEDA provides the overarching statutory framework, while Schedule I, which was borrowed from the Canadian Standards Association’s Model Code for the Protection of Personal Information, provides flexible, technology-neutral privacy principles.&amp;nbsp; To accomplish the dual purposes that animate PIPEDA and its Schedule, Canada’s Federal Court of Appeal has directed that the interpretation and application of this regulatory framework should be guided by "flexibility, common sense and pragmatism."&lt;a name="fr4" href="#fn4"&gt;[4]&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Such an approach allows organizations to address their own goals and priorities within a privacy protective framework.&amp;nbsp; Moreover, by incorporating the flexible principles of PbD, organizations can "go beyond mere legal compliance with notice, choice, access, security and enforcement requirements."&amp;nbsp; Instead, they can be empowered to design their own responsive approaches to risk management and privacy-related innovation, within the context of the relevant regulatory framework.&amp;nbsp; This approach allows organizations to develop doubly-enabling, positive-sum solutions that are win/win in nature and appropriate given the size and nature of the organization, the personal information it manages, and the range 
of risks, opportunities, and solutions available.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Does Canada favor private forms of redress or agency/state enforcement to prevent and remedy privacy violations?&amp;nbsp; In what circumstances is one more effective than the other?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Canadian privacy legislation includes both state enforcement and private forms of redress; neither is necessarily favoured.&lt;br /&gt;&lt;br /&gt;For example, under &lt;em&gt;PHIPA&lt;/em&gt;, the Attorney General may impose fines of up to $50,000 for individuals and $250,000 for corporations who are found to be in breach of &lt;em&gt;PHIPA&lt;/em&gt;. Further, our office has broad powers of investigation and can directly order a custodian to comply with its obligations.&amp;nbsp; An individual affected by a Commissioner’s final &lt;em&gt;PHIPA &lt;/em&gt;order may commence a proceeding in the Ontario Superior Court for damages for actual harm suffered.&lt;br /&gt;&lt;br /&gt;Another example is under &lt;em&gt;PIPEDA&lt;/em&gt; where contravention can result in fines of up to $100,000 depending upon the type and severity of the matter. 
Further, the federal privacy Commissioner has powers to investigate and report findings with respect to privacy complaints.&amp;nbsp; Following the release of the Commissioner’s report, a complainant may apply to the Federal Court to seek remedies that include damages and an order requiring an organization to correct its practices.&lt;br /&gt;&lt;br /&gt;Generally, fines and other penalties imposed on individuals and corporations by the government are effective in deterring certain actions and protecting the public from a variety of harmful practices.&amp;nbsp; On the other hand, a private right of action may be effective when a particular individual is harmed by an individual or corporation and is seeking damages to compensate or redress that particular harm.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;What types of privacy violations are the most common? How have these been addressed?&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;The most common types of privacy violations are inadvertent disclosures or privacy breaches of personal information, including personal health information.&amp;nbsp; In particular, these violations usually stem from the improper retention, transfer and disclosure of personal information.&lt;br /&gt;&lt;br /&gt;Privacy breaches are addressed in a variety of ways, depending on the type and amount of information disclosed.&amp;nbsp; For example, under &lt;em&gt;PHIPA&lt;/em&gt;, if health information is stolen, lost, or accessed by unauthorized persons, the health information custodian must notify the affected individual at the first reasonable opportunity and should take immediate steps to contain the breach.&amp;nbsp; Further, the Commissioner may order the health information custodian to take corrective action such as requiring the custodian to implement a certain procedure when handling personal health information or conduct privacy training.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;What forms of privacy education 
has Canada pursued?&amp;nbsp; What audiences have been targeted? Which efforts have been the most successful and why?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Canadian institutions and organizations have pursued a wide variety of privacy education initiatives including programs that award professional designations (e.g. &lt;a class="external-link" href="https://www.privacyassociation.org/certification/"&gt;IAPP&lt;/a&gt;, &lt;a class="external-link" href="http://capapa.org/"&gt;CAPAPA&lt;/a&gt;, &lt;a class="external-link" href="http://www.ipsi.utoronto.ca/"&gt;University of Toronto Identity, Privacy and Security Initiative&lt;/a&gt;, &lt;a class="external-link" href="http://www.extension.ualberta.ca/study/government-studies/iapp/"&gt;University of Alberta Program&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Our Office has led a wide variety of educational initiatives to spread the word about privacy protection and freedom of information under our Ontario legislation. We have focused on a variety of audiences from the general public to individuals who deal with privacy and access to information issues as part of their daily professional role.&lt;br /&gt;&lt;br /&gt;Initiatives include frequent contact between our Information Officers and the public, and dozens of marketing materials geared to providing guidance (e.g. “&lt;a class="external-link" href="http://www.ipc.on.ca/images/Resources/circle-care.pdf"&gt;Circle of Care: Sharing of Personal Health Information for Health-Care purposes&lt;/a&gt;”, “&lt;a class="external-link" href="http://www.ipc.on.ca/images/Resources/hprivbreach-e.pdf"&gt;What to do When Faced With a Privacy Breach: Guidelines for the Health Sector&lt;/a&gt;”). 
Our Office has developed Educational Resource Guides (&lt;a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=183"&gt;Grade 5&lt;/a&gt;, &lt;a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=184"&gt;Grade 10&lt;/a&gt;, &lt;a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=1110"&gt;Grades 11/12&lt;/a&gt;), which have been added to the formal Ontario curriculum to help teachers educate about privacy protection. Commissioner Cavoukian participates in extensive presentations and speeches at numerous conferences and events. As well, representatives from our Office reach out into the community to educate about our offerings and role (hospitals, conference, community events etc.). In addition, to educate Ontarians about privacy protection, the IPC also allots significant resources to many marketing initiatives including a &lt;a class="external-link" href="http://www.ipc.on.ca/english/Resources/Newsletters/Newsletters-Summary/?id=1100"&gt;quarterly e-newsletter&lt;/a&gt;, video production, and social media outreach. Most recently, we circulated an &lt;a class="external-link" href="http://www.ipc.on.ca/english/Resources/IPC-Corporate/IPC-Corporate-Summary/?id=482"&gt;online tool kit &lt;/a&gt;(available via USB as well), to assist new Freedom of Information and Protection of Privacy Co-ordinators in the public sector. Most of our resources are available in English and French.&lt;br /&gt;&lt;br /&gt;Without a doubt, the IPC’s most successful educational effort thus far is in the area of PbD, now an international standard. 
This Ontario-made solution was created by Commissioner Cavoukian who has led the IPC in partnering with global stalwarts such as IBM, Intel, and Nokia to advance Privacy by Design, and to foster innovation in many fields, including &lt;a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2011/02/pbd-olg-facial-recog.pdf"&gt;biometrics&lt;/a&gt;, the &lt;a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2011/02/pbd-ont-smartgrid-casestudy.pdf"&gt;Smart Grid&lt;/a&gt; and even &lt;a class="external-link" href="http://www.ipc.on.ca/images/Resources/AVAwhite6.pdf"&gt;Targeted Advertising&lt;/a&gt;. &lt;em&gt;Privacy by Design&lt;/em&gt; knows no boundaries and makes sense for everyone — especially businesses. Not only is it cheaper to build in privacy before a breach occurs, it is also a compelling way to win the trust of clients and build a successful brand.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;What [have] proven to be [the main] challenges or obstacles to protecting privacy in Canada?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The most common obstacle to protecting privacy is that key stakeholders hold on to misconceptions about privacy.&amp;nbsp; &lt;br /&gt;Misconception #1 – Privacy is dead or obsolete.&amp;nbsp; &lt;br /&gt;Misconception #2 – Privacy stops us from performing our job.&lt;br /&gt;Misconception #3 – With the massive growth of online social media, you cannot have both widespread connectivity and privacy.&lt;br /&gt;&lt;br /&gt;Not only do these misconceptions contradict each other, they are both dead wrong!&lt;br /&gt;&lt;br /&gt;Privacy is alive and well and more relevant than ever. 
Consider, for example, that the same technologies that serve to threaten privacy may also be enlisted to support it.&amp;nbsp; Properly understood, privacy is becoming increasingly critical to achieving success in the new economy.&amp;nbsp; In this environment, PbD offers a principled, flexible, and technology-neutral vehicle for engaging with privacy issues, and for resolving them in ways that support multiple outcomes in a full functionality, positive-sum, win-win scenario.&lt;br /&gt;&lt;br /&gt;It does so by ensuring that privacy is built in right up front, directly into the design specifications and architecture of new systems and processes.&amp;nbsp; &lt;em&gt;&lt;br /&gt;&lt;br /&gt;PbD&lt;/em&gt; seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies or unnecessary trade-offs, such as privacy vs. security, demonstrating that it is possible to have both. For more on PbD, go to &lt;a class="external-link" href="http://www.privacybydesign.ca/"&gt;www.privacybydesign.ca&lt;br /&gt;&lt;br /&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;Dr. Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada&lt;/h3&gt;
&lt;p&gt;Dr. Ann Cavoukian is recognized as one of the leading privacy experts in the world. Noted for her seminal work on Privacy Enhancing Technologies (PETs) in 1995, her concept of Privacy by Design seeks to proactively embed privacy into the design specifications of information technology and accountable business practices, thereby achieving the strongest protection possible. In October, 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark Resolution recognizing &lt;em&gt;Privacy by Design&lt;/em&gt; as an essential component of fundamental privacy protection. This was followed by the U.S. Federal Trade Commission’s inclusion of &lt;em&gt;Privacy by Design&lt;/em&gt; as one of its three recommended practices for protecting online privacy – a major validation of its significance.&lt;/p&gt;
&lt;p&gt;An avowed believer in the role that technology can play in the protection of privacy, Dr. Cavoukian’s leadership has seen her office develop a number of tools and procedures to ensure that privacy is strongly protected, not only in Canada, but around the world. She has been involved in numerous international committees focused on privacy, security, technology and business, and endeavours to focus on strengthening consumer confidence and trust in emerging technology applications.&lt;/p&gt;
&lt;p&gt;Dr. Cavoukian serves as the Chair of the Identity, Privacy and Security Institute at the University of Toronto, Canada. She is also a member of several Boards including, the European Biometrics Forum, Future of Privacy Forum, RIM Council, and has been conferred a Distinguished Fellow of the Ponemon Institute. Dr. Cavoukian was honoured with the prestigious &lt;em&gt;Kristian Beckman Award&lt;/em&gt; in 2011 for her pioneering work on &lt;em&gt;Privacy by Design&lt;/em&gt; and privacy protection in modern international environments. In the same year, Dr. Cavoukian was also named by&lt;em&gt; Intelligent Utility &lt;/em&gt;Magazine as one of the Top 11 Movers and Shakers for the Global Smart Grid industry, received the SC Canada Privacy Professional of the Year Award and was honoured by the University of Alberta Information Access and Protection of Privacy Program for her positive contribution to the field of privacy. Most recently in November 2011, Dr. Cavoukian was ranked by Women of Influence Inc. as one of the top 25 Women of Influence recognizing her contribution to the Canadian and global economy.&amp;nbsp; This award follows her recognition in 2007 by the Women’s Executive Network as one of the Top 100 Most Powerful Women in Canada.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;strong&gt;Notes&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn1" href="#fr1"&gt;1&lt;/a&gt;]. Information and Privacy Commissioner/Ontario, Landmark Resolution passed to preserve the Future of Privacy, &lt;a class="external-link" href="http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf"&gt;http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf&lt;/a&gt;&lt;br /&gt;[&lt;a name="fn2" href="#fr2"&gt;2&lt;/a&gt;]. For a discussion of how governments might employ a PbD approach to privacy regulation, see Commissioner Cavoukian’s White Paper, Privacy by Design in Law, Policy, and Practice, available at:&lt;br /&gt;&lt;a class="external-link" href="http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095"&gt;http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095&lt;/a&gt;&lt;br /&gt;[&lt;a name="fn3" href="#fr3"&gt;3&lt;/a&gt;]. See the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.), &lt;a class="external-link" href="http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html"&gt;http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html&lt;/a&gt;.&lt;br /&gt;[&lt;a name="fn4" href="#fr4"&gt;4&lt;/a&gt;]. &lt;em&gt;Englander v. Telus Communications Inc.&lt;/em&gt;, 2004 FCA 387, Locus Para. 38-46.&lt;/p&gt;

    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-12-03T01:26:04Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers">
    <title> An Interview with Activist Shubha Chacko: Privacy and Sex Workers</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers</link>
    <description>
        &lt;b&gt;On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who  works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from&amp;nbsp; Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. Only after I began my interview did I realize that how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.&lt;/p&gt;
&lt;h3&gt;Basic Facts and Background Information:&lt;/h3&gt;
&lt;ul&gt;&lt;li&gt;Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1] &lt;/li&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;li&gt;Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client. &lt;/li&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;li&gt;Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.&lt;/li&gt;&lt;/ul&gt;
&lt;h3&gt;Understanding the Challenge of the Public and the Private&lt;/h3&gt;
&lt;p&gt;My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs,&amp;nbsp; and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;What is the Challenge of the Public and the Private? &lt;/strong&gt;&lt;br /&gt;
&lt;p&gt;“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home). This then leads people to assume that sex workers are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”&lt;/p&gt;
&lt;br /&gt;&lt;strong&gt;How does this tension of the public and the private translate into privacy violations? &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;
&lt;p&gt;"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.&lt;/p&gt;
&lt;p&gt;The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so-called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will have on them. The HIV prevention intervention programs that are in place now that target sex workers (along with other “high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted.&amp;nbsp; This information, along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid.&amp;nbsp; These interviews also raise questions that relate to privacy."&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Stigma, Discrimination, and Identity&lt;/h3&gt;
&lt;p&gt;Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impede sex workers from functioning comfortably in society and create a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers.&amp;nbsp; The increased passivisation of public spaces (parks, for example) and the over-gentrification of the neighborhoods squeeze them out.&lt;/p&gt;
&lt;p&gt;In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need for a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not yet widely practiced - especially among women in rural areas.&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;How Restricting is the Stigma? &lt;/strong&gt;&lt;br /&gt;
&lt;p&gt;“Huge - hardly ever does a person’s entire identity get conflated with her occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers)&amp;nbsp; - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;HIV Initiatives, Medical Counseling, and Privacy&lt;/h3&gt;
&lt;p&gt; Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;HIV Initiatives&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;How do Government HIV Initiatives Violate Privacy?&lt;/strong&gt; &lt;br /&gt;
&lt;p&gt;“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;Line Listing &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Line Listing and Privacy &lt;/strong&gt;&lt;br /&gt;
&lt;p&gt;“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;HIV Counselors and Doctors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;How does HIV Counseling compromise Privacy? &lt;/strong&gt;&lt;br /&gt;
&lt;p&gt;“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Media and Research&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Media &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Media was another area of contention that Ms. Chacko pointed out. Though the media plays an important role as a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The media is also often a part of raids through cover stories of brothels being uncovered, and in doing so exposes the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police, will conduct raids that severely violate the privacy of sex workers. For example, an Express India article described a raid that took place in Pune, involving NGOs and the police, in which sex workers were dragged out, beaten, and molested by the police against their will [4].&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;How does the media violate the privacy of sex workers? &lt;/strong&gt;&lt;br /&gt;
&lt;p&gt;“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;Research/Films &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Research and Privacy &lt;/strong&gt;&lt;br /&gt;
&lt;p&gt;“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;The Role of a Privacy Legislation&lt;/h3&gt;
&lt;p&gt;In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or, if a privacy legislation cannot offer a solution, whether there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and the enforcers of the law themselves that are invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore, the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as an identity that would give only a yes or no response at the time of a transaction.&amp;nbsp;&lt;/p&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Could a Privacy Legislation help? &lt;/strong&gt;&lt;br /&gt;
&lt;p&gt;“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women, so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;The Current Law&lt;/h3&gt;
&lt;p&gt;In India, the Immoral Traffic (Prevention) Act (ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, and 5C, which pertain to trafficking, are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead define them as the same [6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work de facto [7]. In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. 
“If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”&lt;/p&gt;
&lt;h3&gt;Solutions&lt;/h3&gt;
&lt;p&gt;One of the most impactful sources of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers Union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession, and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.&lt;/p&gt;
&lt;h3&gt;Bibliography&amp;nbsp;&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;&lt;a class="external-link" href="http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602"&gt;http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms"&gt;http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://www.thehindu.com/news/article1594609.ece"&gt;http://www.thehindu.com/news/article1594609.ece&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/"&gt;http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/&amp;nbsp;&amp;nbsp;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://www.who.int/gender/documents/sexworkers.pdf"&gt;http://www.who.int/gender/documents/sexworkers.pdf&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf"&gt;http://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://cflr.org/ITPA%20Amendment%20bill.htm"&gt;http://cflr.org/ITPA%20Amendment%20bill.htm&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" 
href="http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf"&gt;http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/"&gt;http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/"&gt;http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="external-link" href="http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers"&gt;http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers&lt;/a&gt;&lt;/li&gt;&lt;/ol&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-28T06:26:03Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
