The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 71 to 85.
An Open Letter to the Finance Committee: SCOSTA Standards
https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee
<b>The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.</b>
<h3>Introduction</h3>
<p>This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that <span class="Apple-style-span">Aadhaar</span> biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.</p>
<h3>A background of the two standards</h3>
<p>The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:</p>
<p>1. Compliant with the international standard ISO-7816 for smart cards.</p>
<p>2. Based on a public/private key and pin authentication factor</p>
<p>3. Authentication factor refers to an individuals keys, pass-phrases, and pin.</p>
<p>The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:</p>
<p>1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.</p>
<p>2. Based on a symmetric authentication factor</p>
<h3>A comparison of the two standards</h3>
<table class="plain">
<tbody>
<tr>
<td><b>Standard </b><br /></td>
<td><b>SCOSTA - MNIC smart card</b><br /></td>
<td><b>Aadhaar Biometric - UID number </b><br /></td>
</tr>
<tr>
<td><b>Architecture </b><br /></td>
<td><b>Decentralized </b><br />SCOSTA standards require a pair and key combination with a pin, and thus can be structured in a decentralized manner <br /></td>
<td><b>Centralized</b><br />Aadhaar biometric standards require symmetric <br />authentication factors, and thus must be structured in a centralized manner <br /></td>
</tr>
<tr>
<td><b>Standards for Technology </b><br /></td>
<td><b>Open standard<br /></b>Creates security through transparency <br /></td>
<td><b>Closed standard </b><br />Creates security though obscurity <br /></td>
</tr>
<tr>
<td><b>Points of failure </b><br /></td>
<td><b>Multiple points of failure</b><br />The SCOSTA standard has multiple points of failure, because of decentralized structure, thus if one data base is compromised all data is not lost.<br /></td>
<td><b>Single point of failure </b><br />The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost<br /></td>
</tr>
<tr>
<td><b>Impact on local industry </b><br /></td>
<td><b>Encourages</b><br />Open standards allow local industry to compete in manufacturing technology<br /></td>
<td><b>Discourages</b><br />Closed standards allow foreign players to monopolize the manufacturing of technology <br /></td>
</tr>
<tr>
<td><b>Cost analysis </b><br /></td>
<td><b>Cost effective </b><br />Increased competition keeps prices low <br /></td>
<td><b>Cost ineffective </b><br />Decreased competition keeps prices high<br /></td>
</tr>
<tr>
<td><b>Revocation</b></td>
<td><b>Revocable</b><br /> If the key pair and pin are stolen, a new set of passwords can be issued<br /></td>
<td><b>Permanent</b> <br />If the biometrics of an individual are stolen, they cannot be re-issued <br /></td>
</tr>
<tr>
<td><b>Possibility of fraudulent authentication </b><br /></td>
<td><b>Lower</b><br />A thief must steal your smart card and your secret pin to commit fraud <br /></td>
<td><b>Higher</b><br />A thief only needs to collect your fingerprints using a glass tumbler to commit fraud <br /></td>
</tr>
<tr>
<td><b>Viability of Technology</b></td>
<td><b>Proven effective for large populations </b><br /></td>
<td><b>Not proven effective for large populations</b><br /></td>
</tr>
</tbody>
</table>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee'>https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee</a>
</p>
No publisherelonnaiPrivacy2013-12-20T03:58:09ZBlog EntryAn Interview with Suresh Ramasubramanian
https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian
<b>Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud. </b>
<ol>
<li style="text-align: justify; "><b>You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?</b><br />a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.<br /><br />In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.<br /><br />This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.<br /><br />There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.</li>
<li style="text-align: justify; "><b>In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?</b><br />a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.<br /><br />The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.<br /><br />It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.<br /><br />Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.<br /><br />There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.</li>
<li style="text-align: justify; "><b>What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?</b><br />a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.<br /><br />Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.<br /><br />Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.<br /><br />The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.</li>
<li style="text-align: justify; "><b>How is the jurisdiction of the data on the cloud determined?</b><br />This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.<br /><br />However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.<br /><br />The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.<br /><br />In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.<br /><br />In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.</li>
<li style="text-align: justify; "><b>Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?</b><br />a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].<br /><br />A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.</li>
<li style="text-align: justify; "><b>What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?</b><br />a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.<br /><br />Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - <a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html">http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html</a>). Some standards you absolutely have to comply with for legal reasons.<br /><br />Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.<br /><br />The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.</li>
<li style="text-align: justify; "><b>What do you see as the big challenges for privacy in the cloud in the coming years?</b><br />a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.</li>
<li style="text-align: justify; "><b>Do you think encryption the answer to the private and public institutions snooping?</b><br />a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.<br /><br />There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.<br /><br />As a very popular <a class="external-link" href="http://xkcd.com/538/">XKCD</a> cartoon that has been shared around social media and has been cited in multiple security papers says -<br /><br />“A crypto nerd’s imagination”<br /><br />“His laptop’s encrypted. Let us build a million dollar cluster to crack it”<br />“No good! It is 4096 bit RSA”<br />“Blast, our evil plan is foiled”<br /><br />“What would actually happen”<br />“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”<br />“Got it”</li>
<li style="text-align: justify; "><b>Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?</b><br />a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.<br /><br />The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.<br /><br />Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.<br /><br />Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.<br /><br />Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.</li>
<li style="text-align: justify; "><b>There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?</b><br />a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.<br /><br />Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.<br /><br />Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.<br /><br />This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.<br /><br />User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-09-06T09:37:47ZBlog EntryAn Interview with Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party
https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm
<b>The Centre for Internet and Society interviewed Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party.</b>
<h3 style="text-align: justify; ">What activities and functions does your office undertake?</h3>
<p style="text-align: justify; ">The activities and functions of the Dutch data protection authority can roughly be divided in 4 different categories: supervisory activities, giving advise on draft legislation, raising awareness and international tasks. <br /><br />The Dutch DPA supervises the legislation applicable in the Netherlands with regard to the use of personal data. The most important law is the Dutch Data Protection Act, but the Dutch DPA also supervises for example the Acts governing data processing by police and justice as well as parts of the Telecoms Act. <br /><br />The supervisory activities mainly consist of investigating, ex officio, violations of the law, with the focus on violations that are serious, structural and impact a large amount of people. Where necessary, the Dutch DPA can use its sanctioning powers, including imposing a conditional fine, to enforce the law. The Dutch DPA can also decide to examine sector-wide codes of conduct that are submitted to it and provide its views in the form of a formal opinion. <br /><br />In addition to investigations, the Dutch DPA advises the government, and sometimes the parliament, on draft legislation related to the processing of personal data. Following the Data Protection Act, the government is obliged to submit both primary and secondary legislation related to data processing to the DPA for advice. <br /><br />As regards awareness-raising, next to publishing the results of the investigations, its views on codes of conduct and its advice on legislation, the Dutch DPA also issues guidelines, on its own initiative, explaining legal norms. Via its websites, the Dutch DPA provides more information to both data subjects and controllers on how data can and cannot be processed. Specifically for data subjects, self-empowerment tools – including standard letters to exercise their rights – are made available. Furthermore, they can contact the Dutch DPA daily via a telephone hotline.<br /><br />Last but not least, the Dutch DPA participates in several International and European fora, including the Article 29 Working Party of which I am the Chair, the European and the International Conference of data protection and privacy commissioners, of whose Executive Committee I am also the Chair.</p>
<h3 style="text-align: justify; ">What powers does your office have? in your opinion are these sufficient? Which powers have been most useful? If there is a lack, what do you feel is needed?</h3>
<p style="text-align: justify; ">The Dutch DPA has a broad range investigative powers, including the power to order the controller to hand over all relevant information and entering the premises of the controller unannounced. All organisations subjected to the supervision of the Dutch DPA are obligated to cooperate. <br /><br />The Dutch DPA also has a considerable range of sanctioning powers, it can for example order the suspension or termination of certain processing operations and can also impose a conditional fine. Currently a bill is before Parliament to provide the Dutch DPA with fining powers as well.</p>
<p style="text-align: justify; ">Especially when the bill providing the Dutch DPA with fining powers will be passed, I feel the powers are sufficient, giving us all the necessary enforcement tools to ensure compliance with the law.</p>
<h3 style="text-align: justify; ">How is your office funded?</h3>
<p>The Dutch DPA is funded through the government who, together with the parliament, each year determines the budget for the next year. The budget is drafted on the basis of a proposal from the Dutch DPA.</p>
<h3 style="text-align: justify; ">What is the organizational structure of your office and the responsibilities of the key executives?</h3>
<p style="text-align: justify; ">The Dutch DPA consists of a college of commissioners and the supporting Secretariat, itself consisting of 6 departments and headed by the Director. The Dutch DPA has 2 supervision departments, one for the private and one for the public sector, a legal department, a communications department, an international department and a department providing the operational support.</p>
<h3 style="text-align: justify; ">If India creates a framework of co-regulation, how would you suggest the overseeing body be structured?</h3>
<p style="text-align: justify; ">Considering the many differences between India and the Netherlands - and Europe - this is a very hard question to answer. But whatever construction is chosen in India, it is of utmost importance to guarantee the independence of the supervisory authorit(y)(ies), who shall be provided with sufficient and scalable powers to be able to sanction violations.</p>
<h3 style="text-align: justify; ">What legal challenges has your office faced?</h3>
<p style="text-align: justify; ">The biggest legal challenge we face at the moment is the new European legal framework currently being discussed. It is as yet uncertain whether and when this will enter into force, but it is clear that it will bring new challenges for our office.</p>
<h3 style="text-align: justify; ">What are the main differences between your offices?</h3>
<p style="text-align: justify; ">Generally, I think that the differences between my office and the UK and Canadian offices mostly stem from our different legal and cultural backgrounds, especially the difference between the common law and codified law systems. <br /><br />In addition, the norms and powers differ per supervisory authority. The Dutch DPA for example can enter a building without prior notice, while the ICO, if I understand correctly, can only enter with the consent of the supervised organisation. <br /><br />I however prefer to look at the similarities and possibilities to overcome our differences, because I think that we all feel that providing a high level of data protection and ensuring user control are all of our main priorities.<br /><br />Naturally, I am very curious to hear from Chrisopher and Chantal as well.</p>
<h3 style="text-align: justify; ">What are the most recent privacy developments for each of your respective offices?</h3>
<p style="text-align: justify; ">The technological developments of the past decades and the increasing use of smartphones and tablets, have also made privacy developments necessary and have obliged us, as data protection authorities, to consider the rules and norms in this new environment.</p>
<h3 style="text-align: justify; ">What would you broadly recommend for a privacy legislation for India?</h3>
<p style="text-align: justify; ">In my view the privacy legislation in India should in any case contain the basic principles of the protection of personal data, applicable to both the public and the private sector. Naturally with some exceptions for law enforcement purposes. <br /><br />Furthermore, the Indian law should protect the imported data of citizens from other parts of the world as well, including the EU. <br /><br />And as mentioned in my answer to question 5, it is of utmost importance that the Indian legislation guarantees the establishment of (a) completely independent supervisory authorit(y)(ies), provided with sufficient sanctioning powers, to supervise compliance with the legislation also of the government, including police and justice.<br /></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm'>https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-10-25T04:50:56ZBlog EntryAn Interview with Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada
https://cis-india.org/internet-governance/interview-with-anne-cavoukian
<b>Elonnai Hickok interviewed Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada. The full interview is reproduced below.</b>
<ol><li><strong>When Canada weighed a broad privacy legislation against sectoral legislation, was the decision close? What were the most decisive factors?</strong><br /><br />Canada’s legislative privacy regime consists of both broad and sectoral privacy legislation.<br /><br />Broadly, the use of personal information in Canadian commercial activities is regulated by federal legislation under the <em><a class="external-link" href="http://www.priv.gc.ca/leg_c/leg_c_p_e.cfm">Personal Information Protection and Electronic Documents Act (PIPEDA)</a></em>, or by provincial legislation that is “substantially similar” to PIPEDA, or by provincial legislation that is “substantially similar” to <em>PIPEDA</em>.<br /><br />Sectorally, a prime example is the protection of personal health information under Ontario's <em><a class="external-link" href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm">Personal Health Information Protection Act, 2004 (PHIPA)</a></em>.<br /><br />Regarding the decisive factors surrounding Parliament's passing of a broad private sector privacy statute, you may know that oversight of PIPEDA falls within the jurisdiction of the <a class="external-link" href="http://www.priv.gc.ca/leg_c/leg_c_p_e.cfm">Office of the Privacy Commissioner of Canada (OPC)</a>. Accordingly, you may wish to focus your contact with the OPC regarding your question. In addition, <a class="external-link" href="http://www.ic.gc.ca/ic_wp-pa.htm">Industry Canada</a> may have some helpful resources regarding the federal government’s decision to enact <em>PIPEDA</em>.<br /><br /></li><li><strong>Do you see the different perceptions and cultural understandings of privacy as something to be addressed through legislation? If not, do you think it should be addressed at all? How? </strong><br /><br />In an era marked by the widespread use of new information technologies, globalization, and the international flow of personal information, the establishment of global privacy standards is required to effectively protect personal privacy. Fortunately, an international community of data protection commissioners is hard at work contributing to the establishment of a set of global privacy principles. At the annual International Data Protection Commissioners Conference in 2005, Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, chaired a Working Group of Data Protection Commissioners that led to the <a class="external-link" href="http://www.ipc.on.ca/images/Resources/gps.pdf">Creation of a Global Privacy Standard</a>. Such a principled but flexible approach can also be seen, for example, in the landmark <a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2010/11/pbd-resolution.pdf"><em>Privacy by Design</em> (PbD) resolution</a> adopted unanimously, in 2010, by the international Privacy Authorities and Regulators at the International Conference of Data Protection and Privacy Commissioners in Jerusalem.<a name="fr1" href="#fn1">[1]</a><br /><br />The resolution recognizes <em><a class="external-link" href="http://privacybydesign.ca/about/principles/">PbD</a></em> as an “essential component of fundamental privacy protection” – an International Standard, and urges its adoption in regulations and legislation around the world. Governments that employ this internationally recognized standard will be able to both protect privacy and address local and national priorities.<a name="fr2" href="#fn2">[2]<br /><br /></a></li><li><strong>How does the Canadian model implement self-regulation of privacy standards? How is that balanced against legal enforcement of privacy legislation?</strong><br /><br />In Canada, as elsewhere, private sector privacy regulation recognizes the dual purposes of protecting the individual's right to privacy, on the one hand, and recognizing the commercial need for access to personal information, on the other.<a name="fr3" href="#fn3">[3]</a><em><br /><br />PIPEDA</em> furthers these two purposes by tying a set of flexible, technology-neutral privacy principles to a statutory framework of rules governing the collection, use, and disclosure of personal information.<br /><br />In particular, Part I of PIPEDA provides the overarching statutory framework, while Schedule I, which was borrowed from the Canadian Standards Association’s Model Code for the Protection of Personal Information, provides flexible, technology-neutral privacy principles. To accomplish the dual purposes that animate PIPEDA and its Schedule, Canada’s Federal Court of Appeal has directed that the interpretation and application of this regulatory framework should be guided by "flexibility, common sense and pragmatism."<a name="fr4" href="#fn4">[4]</a><br /><br />Such an approach allows organizations to address their own goals and priorities within a privacy protective framework. Moreover, by incorporating the flexible principles of PbD, organizations can "go beyond mere legal compliance with notice, choice, access, security and enforcement requirements." Instead, they can be empowered to design their own responsive approaches to risk management and privacy-related innovation, within the context of the relevant regulatory framework. This approach allows organizations to develop doubly-enabling, positive-sum solutions that are win/win in nature and appropriate given the size and nature of the organization, the personal information it manages, and the range of risks, opportunities, and solutions available.<br /><br /></li><li><strong>Does Canada favor private forms of redress or agency/state enforcement to prevent and remedy privacy violations? In what circumstances is one more effective than the other?</strong><br /><br />Canadian privacy legislation includes both state enforcement and private forms of redress; neither is necessarily favoured.<br /><br />For example, under <em>PHIPA</em>, the Attorney General may impose fines of up to $50,000 for individuals and $250,000 for corporations who are found to be in breach of <em>PHIPA</em>. Further, our office has broad powers of investigation and can directly order a custodian to comply with its obligations. An individual affected by a Commissioner’s final <em>PHIPA </em>order may commence a proceeding in the Ontario Superior Court for damages for actual harm suffered.<br /><br />Another example is under <em>PIPEDA</em> where contravention can result in fines of up to $100,000 depending upon the type and severity of the matter. Further, the federal privacy Commissioner has powers to investigate and report findings with respect to privacy complaints. Following the release of the Commissioner’s report, a complainant may apply to the Federal Court to seek remedies that include damages and an order requiring an organization to correct its practices.<br /><br />Generally, fines and other penalties imposed on individuals and corporations by the government are effective in deterring certain actions and protecting the public from a variety of harmful practices. On the other hand, a private right of action may be effective when a particular individual is harmed by an individual or corporation and is seeking damages to compensate or redress that particular harm.<br /><br /></li><li><strong>What types of privacy violations are the most common? How have these been addressed?<br /></strong><br />The most common types of privacy violations are inadvertent disclosures or privacy breaches of personal information, including personal health information. In particular, these violations usually stem from the improper retention, transfer and disclosure of personal information.<br /><br />Privacy breaches are addressed in a variety of ways, depending on the type and amount of information disclosed. For example, under <em>PHIPA</em>, if health information is stolen, lost, or accessed by unauthorized persons, the health information custodian must notify the affected individual at the first reasonable opportunity and should take immediate steps to contain the breach. Further, the Commissioner may order the health information custodian to take corrective action such as requiring the custodian to implement a certain procedure when handling personal health information or conduct privacy training.<br /><br /></li><li><strong>What forms of privacy education has Canada pursued? What audiences have been targeted? Which efforts have been the most successful and why?</strong><br /><br />Canadian institutions and organizations have pursued a wide variety of privacy education initiatives including programs that award professional designations (e.g. <a class="external-link" href="https://www.privacyassociation.org/certification/">IAPP</a>, <a class="external-link" href="http://capapa.org/">CAPAPA</a>, <a class="external-link" href="http://www.ipsi.utoronto.ca/">University of Toronto Identity, Privacy and Security Initiative</a>, <a class="external-link" href="http://www.extension.ualberta.ca/study/government-studies/iapp/">University of Alberta Program</a>).<br /><br />Our Office has led a wide variety of educational initiatives to spread the word about privacy protection and freedom of information under our Ontario legislation. We have focused on a variety of audiences from the general public to individuals who deal with privacy and access to information issues as part of their daily professional role.<br /><br />Initiatives include frequent contact between our Information Officers and the public, and dozens of marketing materials geared to providing guidance (e.g. “<a class="external-link" href="http://www.ipc.on.ca/images/Resources/circle-care.pdf">Circle of Care: Sharing of Personal Health Information for Health-Care purposes</a>”, “<a class="external-link" href="http://www.ipc.on.ca/images/Resources/hprivbreach-e.pdf">What to do When Faced With a Privacy Breach: Guidelines for the Health Sector</a>”). Our Office has developed Educational Resource Guides (<a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=183">Grade 5</a>, <a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=184">Grade 10</a>, <a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=1110">Grades 11/12</a>), which have been added to the formal Ontario curriculum to help teachers educate about privacy protection. Commissioner Cavoukian participates in extensive presentations and speeches at numerous conferences and events. As well, representatives from our Office reach out into the community to educate about our offerings and role (hospitals, conference, community events etc.). In addition, to educate Ontarians about privacy protection, the IPC also allots significant resources to many marketing initiatives including a <a class="external-link" href="http://www.ipc.on.ca/english/Resources/Newsletters/Newsletters-Summary/?id=1100">quarterly e-newsletter</a>, video production, and social media outreach. Most recently, we circulated an <a class="external-link" href="http://www.ipc.on.ca/english/Resources/IPC-Corporate/IPC-Corporate-Summary/?id=482">online tool kit </a>(available via USB as well), to assist new Freedom of Information and Protection of Privacy Co-ordinators in the public sector. Most of our resources are available in English and French.<br /><br />Without a doubt, the IPC’s most successful educational effort thus far is in the area of PbD, now an international standard. This Ontario-made solution was created by Commissioner Cavoukian who has led the IPC in partnering with global stalwarts such as IBM, Intel, and Nokia to advance Privacy by Design, and to foster innovation in many fields, including <a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2011/02/pbd-olg-facial-recog.pdf">biometrics</a>, the <a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2011/02/pbd-ont-smartgrid-casestudy.pdf">Smart Grid</a> and even <a class="external-link" href="http://www.ipc.on.ca/images/Resources/AVAwhite6.pdf">Targeted Advertising</a>. <em>Privacy by Design</em> knows no boundaries and makes sense for everyone — especially businesses. Not only is it cheaper to build in privacy before a breach occurs, it is also a compelling way to win the trust of clients and build a successful brand.<br /><br /></li><li><strong>What [have] proven to be [the main] challenges or obstacles to protecting privacy in Canada?</strong><br /><br />The most common obstacle to protecting privacy is that key stakeholders hold on to misconceptions about privacy. <br />Misconception #1 – Privacy is dead or obsolete. <br />Misconception #2 – Privacy stops us from performing our job.<br />Misconception #3 – With the massive growth of online social media, you cannot have both widespread connectivity and privacy.<br /><br />Not only do these misconceptions contradict each other, they are both dead wrong!<br /><br />Privacy is alive and well and more relevant than ever. Consider, for example, that the same technologies that serve to threaten privacy may also be enlisted to support it. Properly understood, privacy is becoming increasingly critical to achieving success in the new economy. In this environment, PbD offers a principled, flexible, and technology-neutral vehicle for engaging with privacy issues, and for resolving them in ways that support multiple outcomes in a full functionality, positive-sum, win-win scenario.<br /><br />It does so by ensuring that privacy is built in right up front, directly into the design specifications and architecture of new systems and processes. <em><br /><br />PbD</em> seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies or unnecessary trade-offs, such as privacy vs. security, demonstrating that it is possible to have both. For more on PbD, go to <a class="external-link" href="http://www.privacybydesign.ca/">www.privacybydesign.ca<br /><br /></a></li></ol>
<h3>Dr. Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada</h3>
<p>Dr. Ann Cavoukian is recognized as one of the leading privacy experts in the world. Noted for her seminal work on Privacy Enhancing Technologies (PETs) in 1995, her concept of Privacy by Design seeks to proactively embed privacy into the design specifications of information technology and accountable business practices, thereby achieving the strongest protection possible. In October, 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark Resolution recognizing <em>Privacy by Design</em> as an essential component of fundamental privacy protection. This was followed by the U.S. Federal Trade Commission’s inclusion of <em>Privacy by Design</em> as one of its three recommended practices for protecting online privacy – a major validation of its significance.</p>
<p>An avowed believer in the role that technology can play in the protection of privacy, Dr. Cavoukian’s leadership has seen her office develop a number of tools and procedures to ensure that privacy is strongly protected, not only in Canada, but around the world. She has been involved in numerous international committees focused on privacy, security, technology and business, and endeavours to focus on strengthening consumer confidence and trust in emerging technology applications.</p>
<p>Dr. Cavoukian serves as the Chair of the Identity, Privacy and Security Institute at the University of Toronto, Canada. She is also a member of several Boards including, the European Biometrics Forum, Future of Privacy Forum, RIM Council, and has been conferred a Distinguished Fellow of the Ponemon Institute. Dr. Cavoukian was honoured with the prestigious <em>Kristian Beckman Award</em> in 2011 for her pioneering work on <em>Privacy by Design</em> and privacy protection in modern international environments. In the same year, Dr. Cavoukian was also named by<em> Intelligent Utility </em>Magazine as one of the Top 11 Movers and Shakers for the Global Smart Grid industry, received the SC Canada Privacy Professional of the Year Award and was honoured by the University of Alberta Information Access and Protection of Privacy Program for her positive contribution to the field of privacy. Most recently in November 2011, Dr. Cavoukian was ranked by Women of Influence Inc. as one of the top 25 Women of Influence recognizing her contribution to the Canadian and global economy. This award follows her recognition in 2007 by the Women’s Executive Network as one of the Top 100 Most Powerful Women in Canada.</p>
<hr />
<p><strong>Notes</strong></p>
<p>[<a name="fn1" href="#fr1">1</a>].Information and Privacy Commissioner/Ontario, Landmark Resolution passed to preserve the Future of Privacy, <a class="external-link" href="http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf">http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf</a><br />[<a name="fn2" href="#fr2">2</a>].For a discussion of how governments might employ an PbD approach to privacy regulation, see Commissioner Cavoukian’s White Paper, Privacy by Design in Law, Policy, and Practice available at:<br /><a class="external-link" href="http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095">http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095</a><br />[<a name="fn3" href="#fr3">3</a>].See the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.), <a class="external-link" href="http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html">http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html</a>.<br />[<a name="fn4" href="#fr4">4</a>].<em>Englander v. Telus Communications Inc.</em>, 2004 FCA 387, Locus Para. 38-46.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/interview-with-anne-cavoukian'>https://cis-india.org/internet-governance/interview-with-anne-cavoukian</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2011-12-03T01:26:04ZBlog Entry An Interview with Activist Shubha Chacko: Privacy and Sex Workers
https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers
<b>On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation. </b>
<h3>Introduction<br /></h3>
<p>In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well. </p>
<p>When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. After I began my interview only, I realized how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.</p>
<h3>Basic Facts and Background Information:</h3>
<ul><li>Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1] </li></ul>
<ul><li>Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client. </li></ul>
<ul><li>Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.</li></ul>
<h3>Understanding the Challenge of the Public and the Private</h3>
<p>My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]</p>
<table class="plain">
<tbody>
<tr>
<td><strong>What is the Challenge of the Public and the Private? </strong><br />
<p>“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home This then leads people to assume that then sex workers have are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”</p>
<br /><strong>How does this tension of the public and the private translate into privacy violations? </strong><br /><br />
<p>"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.</p>
<p>The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other ‘high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."</p>
</td>
</tr>
</tbody>
</table>
<h3>Stigma, Discrimination, and Identity</h3>
<p>Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impedes sex workers from functioning comfortably in society and creates a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces – parks, (for example) and the over gentrification of the neighborhoods squeeze them out</p>
<p>In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not a yet widely practiced - especially among women in rural areas.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How Restricting is the Stigma? </strong><br />
<p>“Huge - hardly ever does a person’s entire identity get conflated with her with occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.</p>
</td>
</tr>
</tbody>
</table>
<h3>HIV Initiatives, Medical Counseling , and Privacy</h3>
<p> Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.</p>
<p><strong>HIV Initiatives</strong></p>
<p>HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How do Government HIV Initiatives Violate Privacy?</strong> <br />
<p>“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Line Listing </strong></p>
<p>The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>Line Listing and Privacy </strong><br />
<p>“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>HIV Counselors and Doctors</strong></p>
<p>HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How does HIV Counseling compromise Privacy? </strong><br />
<p>“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”</p>
</td>
</tr>
</tbody>
</table>
<h3>Media and Research</h3>
<p><strong>Media </strong></p>
<p>Media was another area of contention that Ms.Chacko pointed out. Though the media plays an important role as being a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.</p>
<p><em>“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]</em></p>
<p>The media is also often a part of raids by cover stories of brothels being uncovered, and in doing so expose the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police will conduct raids that severely violate the privacy of sex workers. For example, in an Express India article a raid was described that took place in Pune with NGOs and the police in which sex workers were dragged out, beaten, and molested by the police against their will [4].</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How does the media violate the privacy of sex workers? </strong><br />
<p>“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Research/Films </strong></p>
<p>Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>Research and Privacy </strong><br />
<p>“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”</p>
</td>
</tr>
</tbody>
</table>
<h3>The Role of a Privacy Legislation</h3>
<p>In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or ,if a privacy legislation cannot offer a solution, if there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and enforcers of the law itself that is invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as identity that would give only a yes or no response at the time of a transaction. </p>
<table class="plain">
<tbody>
<tr>
<td><strong>Could a Privacy Legislation help? </strong><br />
<p>“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women ,so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”</p>
</td>
</tr>
</tbody>
</table>
<h3>The Current Law</h3>
<p>In India, the Immoral Trafficking prevention Act ( ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, 5C, which pertain to trafficking are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead defines them as the same[6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work by defacto.[7] In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”</p>
<h3>Solutions</h3>
<p>One of the most impactful source of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers <br />union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/ no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession,and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.</p>
<h3>Bibliography </h3>
<ol><li><a class="external-link" href="http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602">http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602</a></li><li><a class="external-link" href="http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms">http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms</a></li><li><a class="external-link" href="http://www.thehindu.com/news/article1594609.ece">http://www.thehindu.com/news/article1594609.ece</a></li><li><a class="external-link" href="http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/">http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/ </a></li><li><a class="external-link" href="http://www.who.int/gender/documents/sexworkers.pdfhttp://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf">http://www.who.int/gender/documents/sexworkers.pdfhttp://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf</a></li><li><a class="external-link" href="http://www.who.int/gender/documents/sexworkers.pdfhttp://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf">http://ncpcr.gov.i /Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf</a></li><li><a class="external-link" href="http://cflr.org/ITPA%20Amendment%20bill.htm">http://cflr.org/ITPA%20Amendment%20bill.htm</a></li><li><a class="external-link" href="http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf">http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf</a></li><li><a class="external-link" href="http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/">http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/</a></li><li><a class="external-link" href="http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/">http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/</a></li><li><a class="external-link" href="http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers">http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers</a></li></ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers'>https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-28T06:26:03ZBlog EntryAmerican Bar Association Online Privacy Conference: A Report
https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference
<b>On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panalists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to take. </b>
<h3>Introduction</h3>
<p>On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:</p>
<ul><li>Lisa Sotto, a private practitioner in the US</li><li>Billy Hawkes, Commissioner of Data Protection, Ireland</li><li>Bojana Bellamy, Director of Data Privacy, London, UK</li><li>Hugh Stevenson, Deputy Director of the Federal Trade Commission, US</li><li> Jennifer Stoddart, Privacy Commissioner, Canada.</li></ul>
<p>The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy. The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that, as India moves forward with a privacy legislation, should be considered and given thought about.</p>
<h3>Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross- border Data Transfer</h3>
<p>When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer – the panel was in agreement that privacy policies need to move beyond paper to practice. They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. Specifically addressing cloud computing internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally, if there is a breach in data, the onus at the end of the day falls on the company that was in possession of the data the data breach. Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility - creating a system analogous to the “do not call registry” for websites – something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on a websites, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice, was the emerging trend of “privacy by design". “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies where companies will assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard. If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy - allowing consumers to easily and quickly recognize what products are more privacy risky than others, and easily find reliable and secure data processors. The ability of the privacy seal to be applied to all services and sectors, would be particularly useful in a sectoral system like the US, where companies that collect data, but are not apart of the regulated sectors (financial, health, etc) do not come within the purview of the privacy protecting laws.</p>
<h3>Privacy Seals Globally? Privacy Seals in India?</h3>
<p>If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently – the Indian consumer. Even though India does not have a privacy legislation, nor a heightened concern over personal privacy, the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal". Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially a privacy seal could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.</p>
<h3>Accountability:</h3>
<p>In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to Bojana Bellamy – the EU Data Privacy Director, is increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an“accountability principle” to the directive. The directive is defining accountability as: showing how responsibility is exercised and making this verifiable -or in simpler terms – compliance with principles in the data protection field. The accountability principle that is being proposed would be comprised of two requirements. One requirement would obligate the data controllers to implement appropriate and effective measures that made sure the principles and obligations of the Directive were being put into effect by organizations. The second would be to require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment,monitoring,sanctions, and internal and external audits The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems. This would also mean that the data controllers would need to strengthen their internal arrangements. Further accountability measures considered by the Directive working party include: Establishment of internal procedures prior to the creation of new personal data processing operations, setting up written and binding data protection policies to be considered and applied to new data processing operations, mapping of procedures to endure proper identification of all data processing operations and maintenance of an inventory of data processing operations, appointment of data protection officer, offering adequate data protection, training, and education to staff members.</p>
<h3>Data Breaches:</h3>
<p>The panel next discussed data breaches. From the example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database – clearly date breaches are a continual, often very serious problem. Few people though, realize the extent to which data breaches happen (on their own personal data) and the actual consequences of the breaches, because countries do not have a well defined data breach policies set in place. There are a handful of European countries, like France and Germany, and some American states, like California, that have included data breach requirements into their laws. Also, Despite this, there are no broad statutes for data breach notification in the US or the EU. Also in 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported.. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media. If a data breach occurs, through bad press, the media causes the social and monetary costs to increase, so that companies will want to prevent data breaches. The privacy commission of Canada works to help companies remedy the breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and question that self regulation face are:</p>
<p>Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?</p>
<ul><li>How will the balance between over-reporting breaches with under-reporting breaches be maintained?</li><li>Even if there is a social incentive to provide notification of breach, is it adequate enough to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breach?</li><li>If bad media is the main form of penalty for companies – is this enough penalty, and is it able to take into consideration the context of each privacy breach?</li></ul>
<p>These questions along with the growing number of breaches that are occurring have pushed the EU and other countries to consider integrating data breach statutes into broad legislation. </p>
<h3> E-Privacy Directive Breach Notification:</h3>
<p>Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two tiered system – a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier is if the breach impacts the subscriber or individual, than the individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach. If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions. In the UK, data breach notification must include:</p>
<p>1. The type of information and compromised number of records</p>
<p>2. The circumstances of the loss, release, or corruption</p>
<p>3. Actions taken to minimize or mitigate the effect on individuals involved including whether they have been informed</p>
<p>4. details of how the breach is being investigated,</p>
<p>5. whether any other regulatory bodies have been informed and, if so, their responses</p>
<p>6. remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment. </p>
<h3>Accountability, breach notification: What material should India think about for a legal privacy structure?</h3>
<p>Lawrence Friedman once explained that legal systems are living organisms – Bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legal legislation it is important to look at what purpose that legislation is going to serve, and if that purpose reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations for responding to cultural and economic changes against a backdrop of widely-dispersed population groups with deeply-engrained traditions of government and management. This has led to incongruities, for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action. There are laws to protect certain rights, but the average person who takes action will never be afforded redress. Thus, India faces both similar and different challenges that the EU and Western countries are face in concern with privacy. One of the greatest privacy challenges in India today, despite having adopted technology, habits, and practices that put privacy at risk, is the common perception that India does not have any privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming a privacy legislation, a few broad questions that India needs to consider are:</p>
<p>· Does it want a broad legislation, one that could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislations, which risk being too tailored and difficult to harmonize?</p>
<p>· If India wants a broad privacy framework how will this be set up?</p>
<p>· What will be the tools used for civil education?</p>
<p>· How will enforcement take place ? </p>
<p>· Is self regulated accountability or statuary accountability better?</p>
<p>· Will there be a privacy tribunal?</p>
<p>· How will data be categorized? </p>
<p>· Will breaches be notified?</p>
<p>· Will standardized privacy policies be created?</p>
<p> As Hugh Stevenson, the commissioner from the FTC, described - one of the greatest benefits of breach notification was the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work and how their information is processed, and what risks are involved and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced - is whether a comprehensive legislation could be implemented? And should India be looking to enact such a comprehensive and detailed legislation when there is no existing privacy legislation to build off of, and no deep culture of privacy? To these concerns I can only speculate that there is always a balance between being overly ambitious in a legislation, and too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference'>https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference</a>
</p>
No publisherelonnaiPrivacy2012-03-21T10:08:36ZBlog EntryAI in India a Policy Agenda
https://cis-india.org/internet-governance/files/ai-in-india-a-policy-agenda
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/ai-in-india-a-policy-agenda'>https://cis-india.org/internet-governance/files/ai-in-india-a-policy-agenda</a>
</p>
No publisherelonnai2018-09-05T15:26:08ZFileAI in Governance
https://cis-india.org/internet-governance/files/ai-in-governance
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/ai-in-governance'>https://cis-india.org/internet-governance/files/ai-in-governance</a>
</p>
No publisherelonnai2018-04-17T14:00:46ZFileAadhaar Number vs the Social Security Number
https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number
<b>This blog calls out the differences between the Aadhaar Number and the Social Security Number </b>
<p style="text-align: justify; ">In response to news items that reported the Government of India running pilot projects to enroll children at the time of birth for Aadhaar numbers - an idea that government officials in the news items claimed was along the lines of the social security number - this note seeks to point out the ways in which the Aadhaar number and the social security number are different.<a href="#_ftn1" name="_ftnref1">[1]</a></p>
<h2 style="text-align: justify; ">Governance</h2>
<p style="text-align: justify; "><b>SSN is governed by Federal legislation: </b> The issuance, collection, and use of the SSN is governed by a number of Federal and State legislation with the most pertinent being the Social Security Act 1935<a href="#_ftn2" name="_ftnref2">[2]</a> - which provides legal backing for the number, and the Privacy Act 1974 which regulates the collection, access, and sharing of the SSN by Federal Executive agencies.<a href="#_ftn3" name="_ftnref3">[3]</a></p>
<p style="text-align: justify; "><b>Aadhaar was constituted under the Planning Commission: </b> The UIDAI was constituted as an attached office under the Planning Commission in 2009.<a href="#_ftn4" name="_ftnref4">[4]</a> A Unique Identification Authority Bill has been drafted, but has not been enacted.<a href="#_ftn5" name="_ftnref5">[5]</a> Though portions of the Information Technology Act 2008 apply to the UID scheme, section 43A and associated Rules (India's data protection standards) do not clearly apply to the UIDAI as the provision has jurisdiction only over body corporate.</p>
<h2 style="text-align: justify; "></h2>
<h2 style="text-align: justify; ">Purpose<b> </b></h2>
<p style="text-align: justify; "><b>SSN was created as a number record keeping scheme for government services: </b> The Social Security Act provides for the creation of a record keeping scheme - the SSN. Originally, the SSN was used as a means to track an individuals earnings in the Social Security system.<a href="#_ftn6" name="_ftnref6">[6]</a> In 1943 via an executive order, the number was adopted across Federal agencies. Eventually the number has evolved from being a record keeping scheme into a means of identity. In 1977 it was clarified by the Carter administration that the number could act as a means to validate the status of an individual (for example if he or she could legally work in the country) but that it was not to serve as a national identity document.<a href="#_ftn7" name="_ftnref7">[7]</a> Today the SSN serves as a number for tracking individuals in the social security system and as one (among other) form of identification for different services and businesses. Alone, the SSN card does not serve proof of identity, citizenship, and it cannot be used to transact with and does not have the ability to store information. <a href="#_ftn8" name="_ftnref8">[8]</a></p>
<p style="text-align: justify; "><b>Aadhaar was created as a biometric based authenticator and a single unique proof of identity:</b> The Aadhaar number was established as a single proof of identity and address for any resident in India that can be used to authenticate the identity of an individual in transactions with organizations that have adopted the number. The scheme as been promoted as a tool for reducing fraud in the public distribution system and enabling the government to better deliver public benefits.<a href="#_ftn9" name="_ftnref9">[9]</a></p>
<h2 style="text-align: justify; ">Applicability</h2>
<p style="text-align: justify; "><b>SSN is for citizens and non-citizens authorized to work: </b> The social security number is primarily for citizens of the United States of America. In certain cases, non citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.<a href="#_ftn10" name="_ftnref10">[10]</a></p>
<p style="text-align: justify; "><b> </b></p>
<p style="text-align: justify; "><b>Aadhaar is for residents: </b> The aadhaar number is available to any resident of India.<a href="#_ftn11" name="_ftnref11">[11]</a></p>
<p style="text-align: justify; "><b><span> </span></b></p>
<h2 style="text-align: justify; ">Storage, Access, and Disclosure</h2>
<p style="text-align: justify; "><b>SSN and applications are stored in the Numident:</b> The numident is a centralized database containing the individuals original SNN and application and any re-application for the same. All information stored in the Numident is protected under the Privacy Act. Individuals may request records of their own personal information stored in the Numident. With the exception of the Department of Homeland Security and U.S Citizenship and Immigration Services, third parties may only request access to Numident records with the consent of the concerned individual.<a href="#_ftn12" name="_ftnref12">[12]</a> Federal agencies and private entities that collect the SSN for a specific service store the number at the organizational level. The Privacy Act and various state level legislation regulates the disclosure, access, and sharing of the SSN number collected by agencies and organizations.</p>
<p style="text-align: justify; "><b><span> </span></b></p>
<p style="text-align: justify; "><b>Aadhaar and data generated at multiple sources is stored in the CIDR and processed in the data warehouse: </b> According to the report "Analytics, Empowering Operations", <i> "At UIDAI, data generated at multiple sources would typically come to the CIDR (Central ID Repository), UIDAIs Data centre, through an online mechanism. There could be certain exceptional sources, like Contact centre or Resident consumer surveys, that will not feed into the Data center directly. Data is then processed in the Data Warehouse using Business Intelligence tools and converted into forms that can be accessed and shared easily." </i> Examples of data that is stored in the CIDR include enrollments, letter delivery, authentication, processing, resident survey, training, and data from contact centres.<a href="#_ftn13" name="_ftnref13">[13]</a> It is unclear if organizations that authenticate individuals via the Adhaar number store the number at the organizational level. Biometrics are listed as a form of sensitive personal information in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) 2011, thus if any body corporate collects biometrics with the Aadhaar number - the storage, access, and disclosure of this information would be protected as per the Rules, but the Aadhaar number is not explicitly protected. <a href="#_ftn14" name="_ftnref14">[14]</a></p>
<h2 style="text-align: justify; ">Use by public and private entities</h2>
<p style="text-align: justify; "><b>Public and private entities can request SSN: </b> Public and private entities can request the SSN to track individuals in a system or as a form of identifying an individual. Any private business is allowed to request and use the SSN as long as the use does not violate federal or state law. Legally, an individual is only required to provide their SSN to a business if they are engaging in a transaction that requires notification to the Internal Revenue Service or the individual is initiating a transaction that is subject to federal Customer Identification Program rules.<a href="#_ftn15" name="_ftnref15">[15]</a> Thus, an individual can refuse to provide their SSN, but a private business can also refuse to provide a service.<a href="#_ftn16" name="_ftnref16">[16]</a></p>
<p style="text-align: justify; ">Any public authority requesting the SSN must provide a disclosure notice to the individual explaining if the provision of SSN is required or optional. According to the Privacy Act of 1974, no individual can be denied a government service or benefit for not providing the SSN unless Federal law specifically requires the number for a particular service.<a href="#_ftn17" name="_ftnref17">[17]</a> Thus, there are a number of Federal legislation in the U.S that specifically require the SSN. For example, the Social Security Independence and Program Improvements Act 1994 allows for the use of the SSN for jury selection and allows for cross matching of SSNs and Employer Identification Numbers for investigation into violation of Federal Laws. <a href="#_ftn18" name="_ftnref18">[18]</a></p>
<p style="text-align: justify; "><b>Public and private entities can request Aadhaar:<span> </span></b> The Aadhaar number can be adopted by any public or private entity as a single means of identifying an individual. The UIDAI has stated that the Aadhaar number is not mandatory,<a href="#_ftn19" name="_ftnref19">[19]</a> and the Supreme Court of India has clarified that services cannot be denied on the grounds that an individual does not have an Aadhaar number.<a href="#_ftn20" name="_ftnref20">[20]</a></p>
<h2 style="text-align: justify; "></h2>
<h2 style="text-align: justify; ">Verification</h2>
<p style="text-align: justify; "><b>The SSN can be verified only in certain circumstances: </b> The SSA will only respond to requests for SSN verification in certain circumstances:</p>
<p style="text-align: justify; "><b> </b></p>
<ul>
<li>Before issuing a replacement SSN, posting a wage item to the Master Earnings File, or establishing a claims record - the SSA will verify that the name and the number match as per their records.</li>
<li>When legally permitted, the SSA verification system will verify SSNs for government agencies.</li>
<li>When legally permitted the SSA verification system will verify a workers SSN for pre-registered and approved private employers.</li>
<li>If an individual has provided his/her consent, the SSA will verify a SSN request from a third party.</li>
</ul>
<p style="text-align: justify; ">For verification the SSN number must be submitted with an accompanying name to be matched to and additional information such as date of birth, fathers name, mothers name etc. When verifying submitted SSN's, the system will respond with either confirmation that the information matches or that it does not match. It is important to note that because SSN is verified only in certain circumstances, it is not guaranteed that the person providing an SSN number is the person whom the number was assigned.<a href="#_ftn21" name="_ftnref21">[21]</a></p>
<p style="text-align: justify; "><b>The Aadhaar number can be verified in any transaction: </b> If an organization, department, or platform has adopted the Aadhaar number as a form of authentication, they can send requests for verification to the UIDAI. The UIDAI will respond with a yes or no answer. When using their Aadhaar number as a form of authentication individuals can submit their number and demographic information or their number and biometrics for verification.<a href="#_ftn22" name="_ftnref22">[22]</a></p>
<p style="text-align: justify; "><b><span> </span></b></p>
<h2 style="text-align: justify; ">Lost or stolen</h2>
<p style="text-align: justify; "><b>SSN can be replaced: </b> If an individual loses his/her SSN card lost or their number is fraudulently used, they can apply for a replacement SSN card or a new SNN number. <a href="#_ftn23" name="_ftnref23">[23]</a></p>
<p style="text-align: justify; "><b>Aadhaar number can be replaced: </b> If an individual has lost their Aadhaar number, there is a process that they can follow to have their number re-sent to them. If the number cannot be located by the UIDAI , the individual has the option of re-enrolling for a new Aadhaar number.<a href="#_ftn24" name="_ftnref24">[24]</a> <b> </b>The UIDAI has built the scheme with the understanding the biometrics are a unique identifier that cannot be lost or stolen, and thus have not created a system to address the possibility of stolen or fraudulent use of biometrics.</p>
<h2 style="text-align: justify; ">Implementation</h2>
<p style="text-align: justify; "><b>Legislation and formal roll out: </b> The SSN program was brought into existence via the Social Security Act and officially rolled out while eventually being adopted across Federal Departments.</p>
<p style="text-align: justify; "><b>Bill and pilot studies:</b> The UID scheme has been envisioned as being brought into existence via the Unique Identification Authority Bill 2010 which has not been passed. Thus far, the project has been implemented in pilot phases across States and platforms.</p>
<p style="text-align: justify; "><b><span> </span></b></p>
<p style="text-align: justify; "><b><span>Enrollment</span></b></p>
<p style="text-align: justify; "><b>Social Security Administration: </b> The Social Security Agency is the soul body in the US that receives and processes applications for SSN and issues SSN numbers. <a href="#_ftn25" name="_ftnref25">[25]</a></p>
<p style="text-align: justify; "><b>UIDAI, registrars, and enrolling agencies: </b> The UIDAI is the soul body that issues Aadhaar numbers. Registrars (contracted bodies under the UIDAI_ - and enrolling agencies (contracted bodies under Registrars) are responsible for receiving and processing enrollments into the UID scheme.</p>
<h2 style="text-align: justify; ">Required supporting documents</h2>
<p style="text-align: justify; "><b>SSN requires proof of age, identity, and citizenship: </b> To obtain a SSN you must be able to provide proof of your age, your identity, and US citizenship. The application form requires the following information:</p>
<ul>
<li>Name to be shown on the card</li>
<li>Full name at birth, if different</li>
<li>Other names used</li>
<li>Mailing address</li>
<li>Citizenship or alien status</li>
<li>Sex</li>
<li>Race/ethnic description (SSA does not receive this information under EAB)</li>
<li>Date of birth</li>
<li>Place of birth</li>
<li>Mother's name at birth</li>
<li>Mother's SSN (SSA collects this information for the Internal Revenue Service (IRS) on an original application for a child under age 18. SSA does not retain these data.)</li>
<li>Fathers' name</li>
<li>Father's SSN (SSA collects this information for IRS on an original application for a child under age 18. SSA does not retain these data).</li>
<li>Whether applicant ever filed for an SSN before</li>
<li>Prior SSNs assigned</li>
<li>Name on most recent Social Security card</li>
<li>Different date of birth if used on an earlier SSN application.</li>
<li>Date application completed</li>
<li>Phone number</li>
<li>Signature</li>
<li>Applicant's relationship to the number holder.<a href="#_ftn26" name="_ftnref26">[26]</a></li>
</ul>
<p style="text-align: justify; "><b> </b></p>
<p style="text-align: justify; "><b>Aadhaar requires proof of age, address, birth, and residence and biometric information:</b> The application form requires the following information:</p>
<ul>
<li>Name</li>
<li>Date of birth</li>
<li>Gender</li>
<li>Address</li>
<li>Parent/guardian details</li>
<li>Email</li>
<li>Mobile number</li>
<li>Indication of consenting or not consenting to the sharing of information provided to the UIDAI with Public services including welfare services</li>
<li>Indication of if the individual wants the UIDAI to facilitate the opening of a bank account linked to the Aadhaar number and permits the sharing of information for this purpose</li>
<li>If the individual has no objection to linking their present bank account to the Aadhaar number and the relevant bank details</li>
<li>Signature<a href="#_ftn27" name="_ftnref27">[27]</a></li>
</ul>
<div style="text-align: justify; "><br clear="all" />
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Sahil Makkar, "PM's idea to track kids from birth hits practical hurdles", Business Standard. April 11<sup>th</sup> 2015. Available at: http://www.business-standard.com/article/current-affairs/pm-s-idea-to-track-kids-from-birth-hits-practical-hurdles-115041100828_1.html</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> The Social Security Act of 1935. Available at: http://www.ssa.gov/history/35act.html</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage</p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> Government of India Planning Commission "Notification". Available at: https://uidai.gov.in/images/notification_28_jan_2009.pdf</p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> The National Identification Authority of India Bill 2010. Available at: http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010.pdf</p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> History of SSA 1993 - 2000. Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html</p>
</div>
<div id="ftn7">
<p><a href="#_ftnref7" name="_ftn7">[7]</a> Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html</p>
</div>
<div id="ftn8">
<p><a href="#_ftnref8" name="_ftn8">[8]</a> History of SSA 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html</p>
</div>
<div id="ftn9">
<p><a href="#_ftnref9" name="_ftn9">[9]</a> UID FAQ: Aadhaar Features, Eligibility. Available at: https://resident.uidai.net.in/faqs</p>
</div>
<div id="ftn10">
<p><a href="#_ftnref10" name="_ftn10">[10]</a> Social Security Numbers for Noncitizens. Available at: http://www.ssa.gov/pubs/EN-05-10096.pdf</p>
</div>
<div id="ftn11">
<p><a href="#_ftnref11" name="_ftn11">[11]</a> Aapka Aadhaar. Available at: https://uidai.gov.in/aapka-aadhaar.html</p>
</div>
<div id="ftn12">
<p><a href="#_ftnref12" name="_ftn12">[12]</a> Program Operations Manual System. Available at: https://secure.ssa.gov/poms.nsf/lnx/0203325025</p>
</div>
<div id="ftn13">
<p><a href="#_ftnref13" name="_ftn13">[13]</a> UIDAI Analytics -Empowering Operations - the UIDAI Experience. Available at: https://uidai.gov.in/images/commdoc/other_doc/uid_doc_30012012.pdf</p>
</div>
<div id="ftn14">
<p><a href="#_ftnref14" name="_ftn14">[14]</a> Information Technology (Reasonable security practices and procedures and sensitive personal data or information rules 2011) available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</p>
</div>
<div id="ftn15">
<p><a href="#_ftnref15" name="_ftn15">[15]</a> IdentityHawk, "Who can lawfully request my social security number?" Available at: http://www.identityhawk.com/Who-Can-Lawfully-Request-My-Social-Security-Number</p>
</div>
<div id="ftn16">
<p><a href="#_ftnref16" name="_ftn16">[16]</a> SSA FAQ " Can I refuse to give my social security number to a private business?" Available at: https://faq.ssa.gov/link/portal/34011/34019/Article/3791/Can-I-refuse-to-give-my-Social-Security-number-to-a-private-business</p>
</div>
<div id="ftn17">
<p><a href="#_ftnref17" name="_ftn17">[17]</a> The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage</p>
</div>
<div id="ftn18">
<p><a href="#_ftnref18" name="_ftn18">[18]</a> Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html</p>
</div>
<div id="ftn19">
<p><a href="#_ftnref19" name="_ftn19">[19]</a> Aapka Aadhaar. Available at: https://uidai.gov.in/what-is-aadhaar.html</p>
</div>
<div id="ftn20">
<p><a href="#_ftnref20" name="_ftn20">[20]</a> Business Standard, "Aadhaar not mandatory to claim any state benefit, says Supreme Court" March 17<sup>th</sup>, 2015. Available at: http://www.business-standard.com/article/current-affairs/aadhaar-not-mandatory-to-claim-any-state-benefit-says-supreme-court-115031600698_1.html</p>
</div>
<div id="ftn21">
<p><a href="#_ftnref21" name="_ftn21">[21]</a> Social Security History 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html</p>
</div>
<div id="ftn22">
<p><a href="#_ftnref22" name="_ftn22">[22]</a> Aapka Aadhaar. Available at: https://uidai.gov.in/auth.html</p>
</div>
<div id="ftn23">
<p><a href="#_ftnref23" name="_ftn23">[23]</a> SSA. New or Replacement Social Security Number Card. Available at: http://www.ssa.gov/ssnumber/</p>
</div>
<div id="ftn24">
<p><a href="#_ftnref24" name="_ftn24">[24]</a> UIDAI, Lost EID/UID Process. Available at: https://uidai.gov.in/images/mou/eiduid_process_ver5_2_27052013.pdf</p>
</div>
<div id="ftn25">
<p><a href="#_ftnref25" name="_ftn25">[25]</a> Social Security. Availabl at: http://www.ssa.gov/</p>
</div>
<div id="ftn26">
<p><a href="#_ftnref26" name="_ftn26">[26]</a> Social Security Administration, Application for a Social Security. Available at: http://www.ssa.gov/forms/ss-5.pdf</p>
</div>
<div id="ftn27">
<p><a href="#_ftnref27" name="_ftn27">[27]</a> Aadhaar enrollment/correction form. Available at: http://hstes.in/pdf/2013_pdf/Genral%20Notification/Aadhaar-Enrolment-Form_English.pdf</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number'>https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number</a>
</p>
No publisherelonnaiAadhaarInternet GovernancePrivacy2015-07-24T01:24:00ZBlog EntryA Study of the Privacy Policies of Indian Service Providers and the 43A Rules
https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules
<b></b>
<p>Written by Prachi Arya and Kartik Chawla<br />Edited by: Vipul Kharbanda, Elonnai Hickok, Anandini Rathore, and Mukta Batra</p>
<hr />
<p><a href="https://cis-india.org/internet-governance/blog/study-of-privacy-policies-indian-service-providers.pdf" class="internal-link">Click to download the PDF</a></p>
<table class="plain">
<tbody>
<tr>
<th>Contents<br /></th>
</tr>
<tr>
<td><a href="#_Toc406957920">Executive Summary</a></td>
</tr>
<tr>
<td><a href="#_Toc406957921">Introduction</a></td>
</tr>
<tr>
<td><a href="#_Toc406957922">Objective, Methodology, and Scope of the Study</a></td>
</tr>
<tr>
<td><a href="#_Toc406957923">Objective of Research</a></td>
</tr>
<tr>
<td><a href="#_Toc406957924">Methodology</a></td>
</tr>
<tr>
<td><a href="#_Toc406957925">Scope</a></td>
</tr>
<tr>
<td><a href="#_Toc406957926">Criteria for selection of companies being studied</a></td>
</tr>
<tr>
<td><a href="#_Toc406957927">Overview of Company Privacy Policy and Survey Results</a></td>
</tr>
<tr>
<td><a href="#_Toc406957928">Vodafone</a></td>
</tr>
<tr>
<td><a href="#_Toc406957929">Tata Teleservices Limited</a></td>
</tr>
<tr>
<td><a href="#_Toc406957930">Airtel</a></td>
</tr>
<tr>
<td><a href="#_Toc406957931">Aircel</a></td>
</tr>
<tr>
<td><a href="#_Toc406957932">Atria Convergence Technologies</a></td>
</tr>
<tr>
<td><a href="#_Toc406957933">Observations</a></td>
</tr>
<tr>
<td><a href="#_Toc406957934">International Best Practices</a></td>
</tr>
<tr>
<td><a href="#_Toc406957935">Australia</a></td>
</tr>
<tr>
<td><a href="#_Toc406957936">European Union</a></td>
</tr>
<tr>
<td><a href="#_Toc406957937">Recommendations</a></td>
</tr>
<tr>
<td><a href="#_Toc406957938">Annexure 1</a></td>
</tr>
<tr>
<td><a href="#_Toc406957939">Annexure 2</a></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.gjdgxs"></a></p>
<hr />
<h1 style="text-align: justify; "><a name="_Toc406957920">Executive Summary</a> <a name="h.30j0zll"></a> <a name="h.1fob9te"></a></h1>
<p style="text-align: justify; "><br />India has one of the largest telecom subscriber base in the world, currently estimated at 898 Million users.<a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a> With over 164.8 Million people accessing the internet <a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a> in the subcontinent as well, technology has concurrently improved to facilitate such access on mobile devices. In fact, the high penetration rate of the internet in the market can be largely attributed to mobile phones, via which over 80% of the Indian population access the medium.<a href="#_ftn3" name="_ftnref3"><sup><sup>[3]</sup></sup></a></p>
<p style="text-align: justify; ">While this is a positive change, concerns now loom over the expansive access that service providers have to the information of their subscribers. For the subscriber, a company's commitment to protect user information is most clearly defined via a privacy policy. Data protection in India is broadly governed by Rules notified under Section 43A of the Information Technology Act 2000.<a href="#_ftn4" name="_ftnref4"><sup><sup>[4]</sup></sup></a> Amongst other things, the Rules define requirements and safeguards that every Body Corporate is legally required to incorporate into a privacy policy.</p>
<p style="text-align: justify; ">The objective of this research is to understand what standards of protection service providers in India are committing to via organizational privacy policies. Furthermore, the research seeks to understand if the standards committed to via organizational privacy policies align with the safeguards mandated in the 43A Rules. Towards this, the research reviews the publicly available privacy policies from seven different service providers - Airtel, Aircel, Vodafone, MTNL, BSNL, ACT, and Tata Teleservices.</p>
<p style="text-align: justify; ">The research finds that only Airtel, Vodafone, and Tata Teleservices fully incorporate the safeguards defined in the 43A Rules. Aircel, and ACT incorporate a number of such safeguards though not all. On the other hand BSNL minimally incorporates the safeguards, while MTNL does not provide a privacy policy that is publicly available.</p>
<h1 style="text-align: justify; "></h1>
<h1 style="text-align: justify; "><a name="_Toc406957921"></a> <a name="h.3znysh7"></a> Introduction</h1>
<p style="text-align: justify; ">The Indian Telecom Services Performance Indicators report by the Telecom Regulatory Authority of India (TRAI) <a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a> pegs the total number of internet subscribers in India at 164.81 million and the total number of telecom subscribers at 898.02 million, as of March 2013. As mobile phones are adopted more widely, by both rural and urban populations, there is an amalgamation of telecommunications and internet users. Thus, in India, seven out of eight internet users gain access through mobiles phones. <a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></p>
<p style="text-align: justify; ">Though this rapid evolution of technology allows greater ease of access to digital communication, it also has led to an increase in the amount of personal information that is shared on the internet. Subsequently, a number of privacy concerns have been raised with respect to how service providers handle and protect and customer data as companies rely on this data not only to provide products and services, but also as a profitable commodity in and of itself. Individuals are thus forced to confront the possible violation of their personal information, which is collected as a <i>quid pro quo </i>by service providers for access to their services and products. In this context, protection of personal information, or data protection, is a core principle of the right to privacy.</p>
<p style="text-align: justify; ">In India, the right to privacy has been developed in a piecemeal manner through judicial intervention, and is recognized, to a limited extent, as falling under the larger ambit of the fundamental rights enshrined under Part III of the Constitution of India, specifically those under Article 21. <a href="#_ftn7" name="_ftnref7"><sup><sup>[7]</sup></sup></a> In contrast, historically in India there has been limited legislative interest expressed by the Government and the citizens towards establishing a statutory and comprehensive privacy regime. Following this trend, the Information Technology Act, 2000 (IT Act), as amended in 2008, provided for a limited data protection regime.</p>
<p style="text-align: justify; ">However, this changed in 2010 when, concerned about India's robust growth in the fields of IT industry and outsourcing business, an 'adequacy assessment' was commissioned by the European Union (EU), at the behest of India, which found that India did not have adequate personal data protection regime. <a href="#_ftn8" name="_ftnref8"><sup><sup>[8]</sup></sup></a> The main Indian legislation on the personal data security is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), enacted under Section 43A of the IT Act, which<b> </b>extends the civil remedy by way of compensation in case wrongful loss or gain under Section 43A to cases where such loss or gain results from inadequate security practices and procedures while dealing with sensitive personal data or information. In 2012, the Justice AP Shah group of Experts was set up to review and comment on Privacy,<a href="#_ftn9" name="_ftnref9"><sup><sup>[9]</sup></sup></a> for the purpose of making recommendations which the government may consider while formulating the proposed framework for the Privacy Act.<a name="h.2et92p0"></a></p>
<h1 style="text-align: justify; "><a name="_Toc406957922">Objective, Methodology, and Scope of the Study</a></h1>
<p style="text-align: justify; "> </p>
<h2 style="text-align: justify; "><a name="_Toc406957923"></a> <a name="h.tyjcwt"></a> Objective of Research</h2>
<p style="text-align: justify; ">This research aims to analyse the Privacy Policies of the selected Telecommunications (TSP) and Internet Service Providers (ISP) (collectively referred to as 'service providers' for the purposes of this research) in the context of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ('Rules') in order to gain perspective on the extent to which the privacy policies of different types of service providers in India, align with the Rules. Lastly, this research seeks to provide broad recommendations about changes that could be incorporated to harmonize the respective policies and to bring them in line with the aforementioned Rules.</p>
<h2 style="text-align: justify; "><a name="_Toc406957924"></a> <a name="h.3dy6vkm"></a> Methodology</h2>
<p style="text-align: justify; ">The Privacy Policies<a href="#_ftn10" name="_ftnref10"><sup><sup>[10]</sup></sup></a> of seven identified service providers are sought to be compared vis-a-vis - the requirements under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, (Rules) as notified by way of section 87(2) (ob) read with section 43A of the Information Technology Act, 2000.</p>
<p style="text-align: justify; ">Specifically, the Privacy Policies of each of the selected companies are compared against a template that is based on of the essential principles of the Rules respectively, and consists of a series of yes or no questions which are answered on the basis of the respective Privacy Policy. These responses are meant to fulfil the first aim of this research, i.e., provide a perspective into the extent to which these companies follow the Rules and the Principles, and thus the extent to which they respect the privacy of their customers. See Annex 1 for the survey template and the interpretation of the 43A Rules for the development of the survey.</p>
<h2 style="text-align: justify; "><a name="_Toc406957925"></a> <a name="h.1t3h5sf"></a> Scope</h2>
<h3 style="text-align: justify; "><a name="_Toc406957926">Criteria for selection of companies being studied</a></h3>
<p style="text-align: justify; ">For the purpose of the study the companies selected are limited to service providers - including Telecommunication Service Providers and Internet Service Providers. Four broad categories of companies have been selected, namely (i) State Owned Companies, (ii) Multinational Companies, (iii) Joint Venture companies where one party is an Indian company and the other party is a foreign based company and (iv) Domestic companies which have a localized user base. The companies have been selected on this basis of categorization to better understand if the quality of their respective privacy policies is determined by their market reach and user base.</p>
<p style="text-align: justify; ">The privacy policies of the following service providers have been analyzed:</p>
<p style="text-align: justify; ">1. State Owned Companies<a href="#_ftn11" name="_ftnref11"><sup><sup>[11]</sup></sup></a></p>
<p style="text-align: justify; ">a. <b>BSNL<a href="#_ftn12" name="_ftnref12"><sup><b><sup>[12]</sup></b></sup></a>:</b> Bharat Sanchar Nigam Limited, better known as BSNL, is a state-owned telecommunications company that was incorporated by the Indian government in the year 2000, taking over the functions of Central Government departments of Telecommunications Services (DTS) and Telecom Operations (DTO). It provides, <i>inter alia</i>, landline, mobile, and broadband services, and is India's oldest and largest communication services provider. <a href="#_ftn13" name="_ftnref13"><sup><sup>[13]</sup></sup></a> It had a monopoly in India except for Mumbai and New Delhi till 1992.</p>
<p style="text-align: justify; ">b. <b>MTNL<a href="#_ftn14" name="_ftnref14"><sup><b><sup>[14]</sup></b></sup></a>:</b> Mahanagar Telephone Nigam Limited is a state-owned telecommunications company which provides its services in Mumbai and New-Delhi in India, and Mauritius in Africa. It was set up by the Indian Government in the year 1986, and just like BSNL, it had a monopoly in the sector till 1992, when it was opened up to other competitors by the Indian government. It provides, <i>inter alia</i>, Telephone, Mobile, 3G, and Broadband services. <a href="#_ftn15" name="_ftnref15"><sup><sup>[15]</sup></sup></a></p>
<p style="text-align: justify; ">2. Multinational Companies</p>
<p style="text-align: justify; ">a. <b>Bharti Airtel Ltd:<a href="#_ftn16" name="_ftnref16"><sup><b><sup>[16]</sup></b></sup></a></b> Bharti Airtel, more commonly referred to as Airtel, is the largest provider of mobile telephony and the second largest provider of fixed telephony in India. Its origins lie in the Bharti Group founded by Sunil Bharti Mittal in 1983, and the Bharti Telecom Group which was incorporated in 1986. It is a multinational company, providing services in South Asia, Africa, and the Channel Islands. Among other services, it offers fixed line, cellular, and broadband services. <a href="#_ftn17" name="_ftnref17"><sup><sup>[17]</sup></sup></a> The company also owns a submarine cable landing station in Chennai, connecting Chennai and Singapore.<a href="#_ftn18" name="_ftnref18">[18]</a></p>
<p style="text-align: justify; ">b. <b>Vodafone</b><a href="#_ftn19" name="_ftnref19"><sup><sup>[19]</sup></sup></a><b>:</b> Vodafone is a British multinational telecom company. Its origins lie in the establishment of Racal Telecom in 1982 which then became Racal Vodafone in 1984, which was a joint venture between Racal, Vodafone and Hambros Technology Trust. Racal Telecom was demerged from Racal Electronics in 1991, and became the Vodafone group. <a href="#_ftn20" name="_ftnref20"><sup><sup>[20]</sup></sup></a> The Vodafone group started its operations in India with its predecessor Hutchison Telecom, which was a joint venture of Hutchison Whampoa and the Max Group, acquiring the cellular license for Mumbai in 1994<a href="#_ftn21" name="_ftnref21"><sup><sup>[21]</sup></sup></a>, and it bought out Essar's share in the same in the year 2007.<a href="#_ftn22" name="_ftnref22"><sup><sup>[22]</sup></sup></a> As of today, it has the second largest subscriber base in India. After Airtel, <a href="#_ftn23" name="_ftnref23"><sup><sup>[23]</sup></sup></a> Vodafone is the largest provider of telecommunications and mobile internet services in India.<a href="#_ftn24" name="_ftnref24"><sup><sup>[24]</sup></sup></a></p>
<p style="text-align: justify; ">3. Joint Ventures</p>
<p style="text-align: justify; ">a. <b>Tata Teleservices<a href="#_ftn25" name="_ftnref25"><sup><b><sup>[25]</sup></b></sup></a></b> - Incorporated in 1996, Tata Teleservices Limited is an Indian telecommunications and broadband company, the origins of which lie in the Tata Group. A twenty-six percent equity stake was acquired by the Japanese company NTT Docomo in Tata Docomo, a subsidiary of Tata Teleservices, in 2008. <a href="#_ftn26" name="_ftnref26"><sup><sup>[26]</sup></sup></a> Tata Teleservices provides services under three brand names, Tata DoCoMo, Virgin Mobile, and T24 Mobile. As a whole, these brands under the head of Tata Teleservices provide cellular and mobile internet services, with the exception of the Tata Sky teleservices brand, which is a joint venture between and Tata Group and Sky. <sup> <a href="#_ftn27" name="_ftnref27"><sup>[27]</sup></a></sup></p>
<p style="text-align: justify; ">b. <b>Aircel<a href="#_ftn28" name="_ftnref28"><sup><b><sup>[28]</sup></b></sup></a>:</b> Aircel is an Indian mobile headquarter, which was started in Tamil Nadu in the year 1999, and has now expanded to Tamil Nadu, Assam, North-east India and Chennai. It was acquired by Maxis Communication Berhard in the year 2006, and is currently a joint venture with Sindya Securities & Investments Pvt. Ltd. <a href="#_ftn29" name="_ftnref29"><sup><sup>[29]</sup></sup></a> Aircel provides telecommunications and mobile internet services in the aforementioned regions.</p>
<p style="text-align: justify; ">4. India based Companies/Domestic Companies -</p>
<p style="text-align: justify; ">a. <b>Atria Convergence Technologies (ACT)<a href="#_ftn30" name="_ftnref30"><sup><b><sup>[30]</sup></b></sup></a>:</b> Atria Convergence Technologies Pvt. Ltd is an Indian cable television and broadband services company. Funded by the India Value Fund Advisor (IVFA), it is centered in Bangalore, but also provides services in Karnataka, Andhra Pradesh, and Madhya Pradesh.</p>
<h2 style="text-align: justify; "><a name="_Toc406957927">Overview of Company Privacy Policy and Survey Results</a></h2>
<p> </p>
<p style="text-align: justify; ">This section lays out the ways in which each company's privacy policy aligns with the Rules found under section 43A of the Information Technology Act. The section is organized based on company and provides both a table with the survey questions and yes/no/partial ratings and summaries of each policy. The rationale and supporting documentation for each determination can be found in Annexure 2.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p>VODAFONE<a href="#_ftn31" name="_ftnref31"><b>[31]</b></a>: 43A Rules Survey</p>
</td>
</tr>
<tr>
<td>
<p>Criteria</p>
</td>
<td>
<p>Yes/No</p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of publicly available documents of the body corporate that collect personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Type</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p><i> Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Grievance Officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Purpose of Collection and usage of information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Disclosure of Information </b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Reasonable Security practices and procedures</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="h.4d34og8"></a> <br clear="all" /> <a name="_Toc406957928"></a> <a name="h.2s8eyo1"></a> Vodafone</h2>
<p style="text-align: justify; ">Vodafone's privacy policy partially incorporates the safeguards found in the Rules under 43A.</p>
<p style="text-align: justify; ">Vodafone's privacy policy is accessible online, however, it does not include a copy of its policy with a customer application form. The policy merely lists the type of information collected with no categorization as to SPD/I. The information collected includes contact information, location based information, browsing activity and persistent cookies.</p>
<p style="text-align: justify; ">There is no provision for consent or choice within the policy. Disclosure of personal information to third parties extends to Vodafone's group companies, companies that provide services to Vodafone, credit reference agencies and directories.</p>
<p style="text-align: justify; ">The policy mentions an email address for grievance redressal. In addition, the policy does not lay down any mechanism for correcting personal information that is held with Vodafone.</p>
<p style="text-align: justify; ">Vodafone has a non-exhaustive list of purposes of information usage, though these primarily relate to subscriber services, personnel training, and legal or regulatory requirements.</p>
<p style="text-align: justify; ">With regard to security practices, Vodafone follows the ISO 27001 Certification as per its 2012 Sustainability Report, however this goes unmentioned under its privacy policy</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Tata Teleservices Limited<a href="#_ftn32" name="_ftnref32"><b>[32]</b></a>: 43A Rules Survey </b></p>
</td>
</tr>
<tr>
<td>
<p><b>Criteria</b></p>
</td>
<td>
<p><b>Yes/No</b></p>
</td>
</tr>
<tr>
<td>
<p><b>Clear and Accessible statements of its practices and policies</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Collection of personal or sensitive personal data/information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Type</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Option</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Grievance Officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><b>Purpose of Collection and usage of information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively? <ins cite="mailto:Vipul" datetime="2014-07-01T14:26"> </ins></p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Disclosure of Information </b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Reasonable Security practices and procedures</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_Toc406957929"></a> <a name="h.17dp8vu"></a> Tata Teleservices Limited</h2>
<p style="text-align: justify; ">Tata Teleservices Limited's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.</p>
<p style="text-align: justify; ">The Tata Teleservices Limited privacy policy is accessible on their website, though when applying for a subscription, the terms and conditions do not include the privacy policy. The privacy policy is easy to understand although there are several elements of the 2011 Rules that are unaddressed.</p>
<p style="text-align: justify; ">The policy does not make any distinction regarding sensitive personal data or information. As per the policy, TTL collects contact and billing information, information about the equipment the subscriber is using, and information and website usage from its customers.</p>
<p style="text-align: justify; ">The purposes of information collection are broadly for managing customer services and providing customized advertising. Information is also collected for security issues, illegal acts and acts that are violative of TTL's policy. TTL's directory services use a customer's name, address and phone number, however a customer may ask for his/her information to not be published on payment of a fee.</p>
<p style="text-align: justify; ">As per the policy, the disclosure of information to third parties is limited to purposes such as identity verification, bill payments, prevention of identity theft and the performance of TTL's services. Third parties are meant to follow the guidelines of TTL's privacy policy in the protection of its user information. The consent of subscribers is only required when third parties may use personal information for marketing purposes. Consent is precluded under the previous conditions. Disclosure of information to governmental agencies and credit bureaus is for complying with legally authorised requests such as subpoenas, court orders and the enforcement of certain rights or claims. The policy provides for a grievance officer and in addition, TTL, has a separate Appellate Authority to deal with consumer complaints.</p>
<p style="text-align: justify; ">TTL does not follow any particular security standard for the protection of subscriber information, however, it establishes other measures such as limited access to employees, and encryption and other security controls. Although TTL Maharashtra follows the ISO 27001 ISMS Certification, TTL does not seem to follow a security standard for data protection for other regions of its operations.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Airtel<a href="#_ftn33" name="_ftnref33"><b>[33]</b></a>: 43A Rules Survey </b></p>
</td>
</tr>
<tr>
<td>
<p><b>Criteria</b></p>
</td>
<td>
<p><b>Yes/No</b></p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the name and contact information of the grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Purpose of Collection and usage of information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively? <ins cite="mailto:Vipul" datetime="2014-07-01T14:44"> </ins></p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Disclosure of Information </b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Reasonable Security practices and procedures</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.3rdcrjn"></a></p>
<h2 style="text-align: justify; "><a name="_Toc406957930">Airtel</a></h2>
<p style="text-align: justify; ">Airtel's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.</p>
<p style="text-align: justify; ">Airtel's privacy policy incorporates a number of the requirements stipulated in the Rules. Airtel's privacy policy is easily accessible on its website and is clear and easy to understand. The policy defines sensitive personal information, and states that information collected will be used for specified regulatory and business purposes, though it adds that it may be used for other purposes as well. The policy does allow for the withdrawal of consent for providing information, in which case, certain services may be withheld. In addition, Airtel has provided for a grievance officer and abides by the IS/ISO/IEC 27001 security standards. While Airtel allows for the disclosure of information including sensitive personal information to third parties, its policy states that such third parties will follow reasonable security practices in this regard. Concerning disclosure to the government, Airtel shares user information only when it is legally authorised by a government agency. Airtel's policy also provides for an opt-out provision. Such choice remains after subscription of Airtel's services as well. However, withdrawal of consent gives Airtel the right to withdraw its services as well. In terms of disclosure, sharing of user information with third parties is regulated by its Airtel's guidelines on the secrecy of information.</p>
<p style="text-align: justify; ">While Airtel lists the purposes for information collection, it states that such collection may not be limited to these purposes alone. In addition, the policy states that user's personal information will be deleted, although it does not state when this will happen. Thus, the policy could be more transparent and specific on matters of regarding the purpose of collection of information as well as deletion of information.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Aircel<a href="#_ftn34" name="_ftnref34"><b>[34]</b></a>: 43A Rules Survey </b></p>
</td>
</tr>
<tr>
<td>
<p>Criteria</p>
</td>
<td>
<p>Yes/No</p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?</p>
</td>
<td>
<p>no</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Purpose of Collection and usage of information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of Information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Reasonable Security practices and procedures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?<ins cite="mailto:Vipul" datetime="2014-07-01T14:58"> </ins></p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.26in1rg"></a> <b> </b></p>
<h2 style="text-align: justify; "><a name="_Toc406957931">Aircel</a></h2>
<p style="text-align: justify; ">Aircel's Privacy Policy partially complies with the safeguards in the Rules under 43A.</p>
<p style="text-align: justify; ">Aircel's privacy policy is accessible online through its website, though it is not included under the terms and conditions of its customer application. The privacy policy lists the kinds of information that is collected from subscribers, including relevant contact details, call records, browsing history, cookies, web beacons, server log files and location details. The policy does not demarcate information into SPD/I or personal information. Aircel provides subscribers with the right to withdraw consent from the provision of information before and after subscribing, while reserving the right to withdraw its services in this regard. The policy provides the name and contact details of a grievance officer.</p>
<p style="text-align: justify; ">In the privacy policy, the stated purposes for use of subscriber information is limited to customer services, credit requirements, market analyses, legal and regulatory requirements, and directory services by Aircel or an authorised third party.</p>
<p style="text-align: justify; ">In the policy, the provision on disclosure to governmental agencies is vague and does not mention the circumstances under which personal information would be disclosed to law enforcement. The policy provides for correction of information of a subscriber in case of error and deletion after the purpose of the information is served but does not specify when. Although Aircel follows the ISO 27001 standard, it does not mention this under its policy. It does however, provide for accountability in cases of breach or privacy.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Atria Convergence Technologies<a href="#_ftn35" name="_ftnref35"><b>[35]</b></a>: 43A Rules Survey</b></p>
</td>
</tr>
<tr>
<td>
<p><b>Criteria</b></p>
</td>
<td>
<p><b>Yes/No</b></p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?</p>
</td>
<td>
<p>information not available</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Purpose of Collection and usage of information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of Information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Reasonable Security practices and procedures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_Toc406957932"></a> <a name="h.lnxbz9"></a> Atria Convergence Technologies</h2>
<p style="text-align: justify; ">Though Atria Convergence Technologies provides a privacy policy on its website, it does not broadly incorporate the safeguards in the Rules under 43A. ACT's privacy policy is easily accessible online and is easy to understand as well. The information collected from subscribers is limited to contact details along with information on whether a subscriber has transacted with any of ACT's business partners. Though the privacy policies refers to disclosing information for the purpose of assisting with investigating, preventing, or take action on illegal behaviour - there is no specific provision concerning disclosure to government and regulatory agencies. The policy does not provide information on any security practices and procedures followed. Provisions for withdrawal of consent or correction of personal information are absent from the policy as well.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p>BSNL: 43A Rules Survey</p>
</td>
</tr>
<tr>
<td>
<p>Criteria</p>
</td>
<td>
<p>Yes/No</p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly states that it is collecting SPD/I?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Purpose of Collection and usage of information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of Information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Reasonable Security practices and procedures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.35nkun2"></a></p>
<p style="text-align: justify; "><b>BSNL</b></p>
<p style="text-align: justify; ">BSNL's Privacy Policy broadly does not incorporate the safeguards in the Rules under 43A .</p>
<p style="text-align: justify; ">BSNL's privacy is accessible online, though not on the website, and is easy to understand. The policy does not however, categorize SPD/I but defines personal information vaguely as information that helps BSNL identify its customers. As per its policy, subscriber information is used for subscriber services such as identification, assistance etc., credit-worthiness and marketing communications. The policy does not contain any provision on consent and with respect to marketing communications and a customer implicitly agrees to third party usage of personal information. Third parties under the policy are those that provide services on behalf of BSNL, which extend mailing and billing services and market research services.</p>
<p style="text-align: justify; ">As per its policy, BSNL may disclose personal information on the basis of legal requirements to credit organisations, BSNL's consultants, government agencies.</p>
<p style="text-align: justify; ">With respect to access and correction, BSNL reserves the right to modify its privacy policy without notice to its customers. What is presumably a grievance officer email address has been provided for queries and corrections on personal information, however no further contact details are given.</p>
<p style="text-align: justify; "><a name="h.1ksv4uv"></a> <b>MTNL</b></p>
<p style="text-align: justify; "><b>MTNL does not provide a publicly available Privacy Policy. </b></p>
<h1 style="text-align: justify; "><a name="_Toc406957933"></a> <a name="h.44sinio"></a> Observations</h1>
<p style="text-align: justify; ">This section highlights key trends observed across the privacy policies studied in this research by contrasting the applicable Rule against the applicable provision in the policy.</p>
<p style="text-align: justify; "><b>1. </b> <b>Access and Location of Privacy Policy</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> According to Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, a Body Corporate must provide a privacy policy on their website. Under Rule 5, all bodies corporate have to convey the purpose(s) for which SPD/I are collected prior to the collection and they can, under certain circumstances, move forward with the collection regardless of consent. While this does not entirely violate the Notice Principle of the National Privacy Principles, it does not meet the rather higher standards of the Principle, which recommends that notice must be provided prior to any form of collection of personal information. In addition, the Rules do not contain provisions regulating bodies corporate, regarding changes to their privacy policies.<a href="#_ftn36" name="_ftnref36"><sup><sup>[36]</sup></sup></a></p>
<p style="text-align: justify; "><b>Observation</b> : In the survey, it was found that the location and accessibility of a service provider's privacy policy varied. For example:</p>
<p style="text-align: justify; "><b>a. </b> <b>Privacy Policy on main website:</b> Airtel, Aircel, and Vodafone provide a privacy policy that is accessible through the main website of each respective company.</p>
<p style="text-align: justify; "><b>b. </b> <b>Privacy Policy not on website</b> : MTNL does not provide a Privacy Policy on the main website of each of its respective branches across India.</p>
<p style="text-align: justify; "><b>c. </b> <b>Privacy Policy not accessible through main website</b> : TTL and BSNL have a Privacy Policy, but it is not accessible through the main website. For example, The Privacy Policy found on TTL's website is only accessible through the "terms and services" link on the homepage. Similarly, the BSNL privacy policy can only be found through its portal website. <a href="#_ftn37" name="_ftnref37"><sup><sup>[37]</sup></sup></a></p>
<p style="text-align: justify; "><b>d. </b> <b>Privacy Policy not included in Customer Application form</b> : Almost all of the Service Providers do not include/refer to their Privacy Policy in the Customer Application Form, and some do not display their privacy policy or a link to it on its website's homepage. For example, Airtel is the only Service Provider that refers to their privacy policy in the Customer Application Form for an Airtel service.</p>
<p style="text-align: justify; "><b>e. </b> <b>Collection of personal information before Privacy Policy: </b> In some cases it appears that service providers collect private information before the privacy policy is made accessible to the user. For example, before the homepage of ACT's website is shown, a smaller window appears with a form asking for personal information such as name, mobile and email Id. Although the submission of this information is not mandatory, there is no link provided to the privacy policy at this level of collection of information.</p>
<p style="text-align: justify; "><b>2. </b> <b>Sharing of information with Government</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> Rule 6, specifically the proviso to Rule 6, and the Disclosure of Information Principle respectively govern the disclosure of information to third parties. Yet, while the proviso to Rule 6 directly concerns the power of the government to access information with or without consent for investigative purposes, the Disclosure of Information Principle only says that disclosure for law enforcement purposes should be in accordance with the laws currently in force.</p>
<p style="text-align: justify; "><b>Observation</b> : Though all service providers did include statements addressing the potential of sharing information with law enforcement or governmental agencies, how this was communicated varied. For example:</p>
<p style="text-align: justify; "><b>a.) </b> <b>Listing circumstances for disclosure to law enforcement</b> : The Privacy Policy of ACT states <i> "We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person". <a href="#_ftn38" name="_ftnref38"><sup><b><sup>[38]</sup></b></sup></a> </i> The Privacy Policy of Airtel on the other hand states <i> "Government Agencies: We may also share your personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences." <a href="#_ftn39" name="_ftnref39"><sup><b><sup>[39]</sup></b></sup></a> </i> Lastly, TTL states<i> </i>" <i> To investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person" or "To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay". <a href="#_ftn40" name="_ftnref40"><sup><b><sup>[40]</sup></b></sup></a> </i></p>
<p style="text-align: justify; "><b>b.) </b> <b>Listing authorities to whom information will be disclosed to</b> : The privacy policy of<i> </i>Aircel states <i> "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to: …8. Persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services".<a href="#_ftn41" name="_ftnref41"><sup><b><sup>[41]</sup></b></sup></a> </i> Similarly<i>, </i>Vodafone<i> </i>states <i> "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services and any person or organisation as authorised by laws and regulations applicable in India." <a href="#_ftn42" name="_ftnref42"><sup><b><sup>[42]</sup></b></sup></a> </i> While BSNL states <i> "Apart from the above, BSNL may divulge your personal information to: Government bodies, Regulatory Authorities, and other organizations in accordance with the law or as authorised by law…".<a href="#_ftn43" name="_ftnref43"><sup><b><sup>[43]</sup></b></sup></a> </i></p>
<p style="text-align: justify; "><b>3. </b> <b>Readability of Privacy Policies</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle</b> : In subsection (i) of Rule 4 body corporate must provide a privacy policy that is "<i>clear and accessible</i>". Similarly, the Notice Principle requires that the data controller give a " <i>simple-to-understand notice of its information practices to all individuals, in clear and concise language</i>".</p>
<p style="text-align: justify; "><b>Observation</b> : It was found that, particularly with respect to clauses on the collection and disclosure of information, most Privacy Policies use:</p>
<p style="text-align: justify; ">a. <b>Vague terminology: </b>For example, in the Privacy Policy of ACT, it states as a purpose of collection <i>"conduct research" </i>while for the collection and disclosure of information it states <i> ,"The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you." <a href="#_ftn44" name="_ftnref44"><sup><b><sup>[44]</sup></b></sup></a> </i> Similarly, with regards to the collection of information, Vodafone's Privacy Policy states that it may collect <i> "any other information collected in relation to your use of our products and services". <a href="#_ftn45" name="_ftnref45"><sup><b><sup>[45]</sup></b></sup></a> </i></p>
<p style="text-align: justify; ">b. <b>Undefined terminology:</b> On disclosure of information TTL's privacy policy states disclosure is <i> "Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI)" <a href="#_ftn46" name="_ftnref46"><sup><b><sup>[46]</sup></b></sup></a> </i> Confusingly, although TTL defines CPNI it does not mention what legal restriction it is referring to, and CPNI is in fact an American term and similar legal restrictions could not be found in India.</p>
<p style="text-align: justify; "><b>4. </b> <b>Information about security practices</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> The parameter for 'reasonable security practices and procedures' has been detailed comprehensively under Rule 8 of the Rules. The same is also covered in detail under the Openness Principle read with Security Principle. While the Security Principle recommends that the data controller protect the information they collect through reasonable security safeguards, the Openness Principle recommends that information regarding these should be made available to all individuals in clear and plain language.</p>
<p style="text-align: justify; "><b>Observation</b> : With the exception of Airtel, no service provider has comprehensively followed the legal requirements for the purpose of their privacy policy. Thus, while most service providers do mention security practices, many do not provide specific or comprehensive details about their security practices and procedures for data protection, and instead assure users that 'reasonable security' procedures are in place. For example:</p>
<p style="text-align: justify; ">a. <b>Comprehensive information about security practices in privacy policy</b>: Airtel and Aircel have provided comprehensive information about their security practices in the companies Privacy Policy.</p>
<p style="text-align: justify; ">b. <b>Information about security practice, but not in privacy policy</b>: Vodafone has specified its security standards only in its latest 'Sustainability Report' available on its website. In the case of TTL, the specific security standard it follows is available only for its Maharashtra branch (TTLM) through its annual report.</p>
<p style="text-align: justify; ">c. <b>Broad reference to security practices</b>: Many service providers broadly reference security practices, but do not provide specifics. For example, TTL states only <i>"we have implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL</i>." <a href="#_ftn47" name="_ftnref47"><sup><sup>[47]</sup></sup></a></p>
<p style="text-align: justify; ">d. <b>No information about security practices: </b>Some service providers do not mention any details about their security practices and procedures, or whether they even follow any security practices and procedures or not. An example of this would be ACT, which does not mention any security practices or procedures in its Policy.</p>
<p style="text-align: justify; "><b>5. </b> <b>Grievance mechanisms</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> Rule 5 of the Rules mandates that applicable bodies corporate must designate a 'Grievance Officer' for redressing grievances of users regarding processing of their personal information, and the same is also recommended by the Ninth Principle, i.e., Accountability.</p>
<p style="text-align: justify; "><b>Observation</b> : It was found that adherence with this requirement varied depending on service provider. For example:</p>
<p style="text-align: justify; ">a. <b>No Grievance Officer:</b> ACT and MTNL do not provide details of a grievance officer on their websites.</p>
<p style="text-align: justify; ">b. <b>Grievance Officer, but no process details</b>: Airtel, TTL, and Vodafone provide details of the Grievance Officer, but no further information about the grievance process is provided.</p>
<p style="text-align: justify; ">c. <b>Grievance Officer and details of process: </b>Aircel<b> </b>provides details of the grievance officer and grievance process.</p>
<p style="text-align: justify; "><b> </b></p>
<p style="text-align: justify; "><b>As a note:</b> All service providers with the exception of ACT have a general grievance redressal mechanism in place as documented on TRAI's website. <a href="#_ftn48" name="_ftnref48"><sup><sup>[48]</sup></sup></a> It is unclear whether these mechanisms are functional, and furthermore it is also unclear if these mechanisms can be used for complaints under the IT Act or the Rules, or complaints on the basis of the Principles. It should be further noted that the multiplicity of grievance redressal officers is a cause for concern, as it may lead to confusion.</p>
<p style="text-align: justify; "><b>6. </b> <b>Consent Mechanism </b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle</b> : Rules 5 and 6 of the Rules<a href="#_ftn49" name="_ftnref49"><sup><sup>[49]</sup></sup></a> on Collection and Disclosure of information, respectively, require applicable bodies corporate to obtain consent/permission before collecting and disclosing personal information. The Choice and Consent Principle of the National Privacy Principles, as enumerated in the A.P. Shah Report, deals exclusively with choice and consent. <a href="#_ftn50" name="_ftnref50"><sup><sup>[50]</sup></sup></a> Withdrawal of consent is an important facet of the choice and consent principle as evidenced by the Rules<a href="#_ftn51" name="_ftnref51"><sup><sup>[51]</sup></sup></a> and the National Privacy Principles <a href="#_ftn52" name="_ftnref52"><sup><sup>[52]</sup></sup></a>.</p>
<p style="text-align: justify; "><b>Observation:</b> Methods of obtaining consent and for what consent was obtained for varied across service providers. For example:</p>
<p style="text-align: justify; "><b>a. </b> <b>Obtaining consent:</b> Some service providers give data subjects with the choice of submitting their personal information (with some exceptions such as for legal requirements) and obtaining their consent for its collection and processing. For example, the policies of Airtel, Aircel, and TTL are the only ones which provide information on the mechanisms used to obtain consent. ACT provides for targeted advertisements based on the personal information of the user. The viewing or interaction of the user of such targeted advertisements is however, considered an affirmation to this third party source, that the user is the targeted criteria. Thus, there appears to be lack of consent in this regard.</p>
<p style="text-align: justify; "><b>b. </b> <b>No Consent or choice offered:</b> Some service providers do not mention consent. For example, Vodafone, and BSNL do not make any mention of choice or consent in their respective privacy policies.</p>
<p style="text-align: justify; "><b>c. </b> <b>Consent for limited circumstances: </b> Some service providers only provide consent in limited circumstances. For example, ACT mentions consent only in relation to targeted advertising. However, this information is potentially misleading, as discussed earlier in the survey.</p>
<p style="text-align: justify; ">There is also a certain degree of assumption in all the policies regarding consent, as noted in the survey. Thus, if you employ the services of the company in question, you are implicitly agreeing to their terms even if you have not actually been notified of them. And the vague terminology used by most of the policies leaves quite a lot of wiggle room for the companies in question, allowing them to thereby collect more information than the data subject has been notified of without obtaining his or her consent.</p>
<p style="text-align: justify; "><b>7. </b> <b>Transparency mechanism</b> :</p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> The Openness Principle specifically recommends transparency in all activities of the data controller. <a href="#_ftn53" name="_ftnref53"><sup><sup>[53]</sup></sup></a> The Rules provide a limited transparency mechanism under Rule 8 which require bodies corporate to document their security practices and procedures and Rule 4 which requires them to provide such information via a privacy policy. As a note, these fall short of the level of 'transparency' espoused by the Openness Principle of the National Privacy Principles.</p>
<p style="text-align: justify; "><b>Observation: </b> All service providers fail in implementing adequate mechanisms for transparency.</p>
<p style="text-align: justify; "><b>8. </b> <b>Scope</b> :</p>
<p style="text-align: justify; "><b>Applicable Rule and Principle</b> : Though the Openness Principle does not directly speak of the scope of the policies in question, it implies that policies regarding all data collection or processing should be made publically available. The same is also necessary under Rule 4, which mandates that any body corporate which " <i> collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. </i> "</p>
<p style="text-align: justify; "><b>Observation</b> : Though most of the companies mention the scope of their Privacy Policy and include the information collected through the websites, WAP Services, and use of the company's products and services, some companies do not do so. For instance, the scope of the policy is given rather vaguely in the Airtel's Policy, and the scope of ACT's policy is restricted to the information collected during the usage of their products and services, and not their website. BSNL's privacy policy is worrisome as it seems to restrict its scope to the information collected through the website only, but does not at the same time state that it does not apply to other methods of data collection and processing.</p>
<h1 style="text-align: justify; "><a name="_Toc406957934"></a> <a name="h.2jxsxqh"></a> International Best Practices</h1>
<h3><b>Canada</b></h3>
<p style="text-align: justify; ">The privacy regulation regime in Canada is a mixture of the federal regulations and the provincial regulations. Of the former, the Privacy Act is applicable to the public sector, while the Personal Information Protection and Electronic Documents Act ('PIPEDA') applies to the private sector. There are also federal level sectoral regulations, of which the Telecommunications Act is relevant here. The PIPEDA covers the activities of all businesses and federally regulated industries regarding their collection, use, disclosure, safeguarding and provision of access to their customers' personal information. Further, in 2009, the Canadian Radio-television and Telecommunications Commission ('CRTC'), by virtue of the 'Telecom Regulatory Policy CRTC 2009-657' <a href="#_ftn54" name="_ftnref54"><sup><sup>[54]</sup></sup></a> made ISPs subject to privacy standards higher than the standards given under the PIPEDA, while at the same time allowing them to use Internet Traffic Management Practices ('ITMPs'). <a href="#_ftn55" name="_ftnref55"><sup><sup>[55]</sup></sup></a></p>
<p style="text-align: justify; ">The 2009 policy is progressive as it balances the economic needs of Internet Traffic Management Providers vis-à-vis the privacy concerns of consumers. The need to identify ITMP's is integral in the protection of online privacy, as ITMP's most commonly employ methods such as deep packet inspection which can be used to burrow into personal information of consumers as well.</p>
<p style="text-align: justify; ">Recognising that this may not be the current practice, but a possibility in the future, the policy makes certain guidelines for ITMPs. It permits ITMP's that block bad traffic such as spam and malicious software. Nearly all other ITMPs however, require the prior notice of 30 days or more before initialising the ITMP.<a href="#_ftn56" name="_ftnref56"><sup><sup>[56]</sup></sup></a></p>
<p style="text-align: justify; ">ITMP's are to be used only for the defined need of the ISP and not beyond this, and must not be used for behavioural advertising. Secondary ISPs in their contracts with Primary ISPs must agree to the same duties of the latter, that is the personal information entrusted to them is meant for its purpose alone and is not to be disclosed further.</p>
<h2 style="text-align: justify; "><a name="_Toc406957935">Australia</a></h2>
<p style="text-align: justify; ">The central privacy regulation in Australia is the Privacy Act, 1988. The Act defines two sets of privacy principles, the Information Privacy Principles which apply to the public sector, and the National Privacy Principles which apply to the private sector.<a href="#_ftn57" name="_ftnref57"><sup><sup>[57]</sup></sup></a> These principles govern the following: collection,<a href="#_ftn58" name="_ftnref58"><sup><sup>[58]</sup></sup></a> use and disclosure,<a href="#_ftn59" name="_ftnref59"><sup><sup>[59]</sup></sup></a> data quality,<a href="#_ftn60" name="_ftnref60"><sup><sup>[60]</sup></sup></a> security,<a href="#_ftn61" name="_ftnref61"><sup><sup>[61]</sup></sup></a> openness,<a href="#_ftn62" name="_ftnref62"><sup><sup>[62]</sup></sup></a> access and correction,<a href="#_ftn63" name="_ftnref63"><sup><sup>[63]</sup></sup></a> identifiers,<a href="#_ftn64" name="_ftnref64"><sup><sup>[64]</sup></sup></a> anonymity,<a href="#_ftn65" name="_ftnref65"><sup><sup>[65]</sup></sup></a> trans-border data flows,<a href="#_ftn66" name="_ftnref66"><sup><sup>[66]</sup></sup></a> and sensitive information. <a href="#_ftn67" name="_ftnref67"><sup><sup>[67]</sup></sup></a></p>
<p style="text-align: justify; ">The Telecommunications Act, 1997, is also relevant here, as it also governs the use or disclosure of information by telecommunication services providers, <a href="#_ftn68" name="_ftnref68"><sup><sup>[68]</sup></sup></a> but such information is only protected by the Telecommunications Act if it comes to a person's knowledge or possession in certain circumstances. An example of this is Section 276 of the same, which providers that the information protected by that section will be protected only if the person collecting the information is a current or former carrier, carriages service provider or telecommunications contractor, in connection with the person's business as such a carrier, provider or contractor; or if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.</p>
<h2 style="text-align: justify; "></h2>
<h2 style="text-align: justify; "><a name="_Toc406957936">European Union</a></h2>
<p style="text-align: justify; ">The most important source of law in the European Union ('EU') regarding Data Privacy in general is the Data Protection Directive ('Directive'). <a href="#_ftn69" name="_ftnref69"><sup><sup>[69]</sup></sup></a> The Directive has a broad ambit, covering all forms of personal data collection and processing, and mandating that such collection or processing follow the Data Protection Principles it sets out.<a href="#_ftn70" name="_ftnref70"><sup><sup>[70]</sup></sup></a> The Directive differentiates between Personal Data and Sensitive Personal Data, <a href="#_ftn71" name="_ftnref71"><sup><sup>[71]</sup></sup></a> with the collection and processing of the latter being subject to more stringent rules. The telecommunications service providers and internet service providers are included in the definition of 'Controller' as set out in the Directive, and are hence subject to the regulations enforced by the member states of the EU under the same. <a href="#_ftn72" name="_ftnref72"><sup><sup>[72]</sup></sup></a> The Directive will soon be superseded by the General Data Protection directive, which is scheduled to come into force in late 2014, with a two-year transition period after that. <a href="#_ftn73" name="_ftnref73"><sup><sup>[73]</sup></sup></a></p>
<p style="text-align: justify; ">In addition to the above, ISPs are also subject to the Directive on Privacy and Electronic Communications<a href="#_ftn74" name="_ftnref74"><sup><sup>[74]</sup></sup></a> and the Data Retention Directive. <a href="#_ftn75" name="_ftnref75"><sup><sup>[75]</sup></sup></a> The Directive on Privacy and Electronic Communications ('E-Privacy Directive') sets out rules regarding processing security, confidentiality of communications, data retention, unsolicited communications, cookies, and a system of penalties set up by the member states under the title of 'Control'. The E-Privacy Directive supplements the original Data Privacy Directive, and replaces a 1997 Telecommunications Privacy directive. The Data Retention Directive does not directly concern the collection and processing of data by a service provider, but only concerns itself with the retention of collected data. It was an amendment to the E-Privacy Directive, which required the member states to store the telecommunications data of their citizens for six to twenty-four months, and give police and security agencies access to details such as IP addresses and time of use of e-mails.</p>
<p style="text-align: justify; ">The established practices considered above have the following principles, relevant to the study at hand, in common:</p>
<p style="text-align: justify; ">1. Notice</p>
<p style="text-align: justify; ">2. Collection Limitation</p>
<p style="text-align: justify; ">3. Use Limitation</p>
<p style="text-align: justify; ">4. Access and Corrections</p>
<p style="text-align: justify; ">5. Security</p>
<p style="text-align: justify; ">6. Data Quality and Accuracy</p>
<p style="text-align: justify; ">7. Consent</p>
<p style="text-align: justify; ">8. Transparency</p>
<p style="text-align: justify; ">And the following principles are common between two of the three regimes discussed above:</p>
<p style="text-align: justify; ">1. The PIPEDA and the Privacy Act both mention rules regarding Disclosure of collecting information, but the Data Protection Directive does not directly govern disclosure of collected information.</p>
<p style="text-align: justify; ">2. The Principles of Accountability is covered by the Data Protection Directive and the PIPEDA, but is not directly dealt with by the Privacy Act</p>
<p style="text-align: justify; ">3. The PIPEDA and the Data Protection Directive directly mention the principle of Enforcement, but it is not directly covered by the Privacy Act.</p>
<h1 style="text-align: justify; "><a name="_Toc406957937"></a> <a name="h.z337ya"></a> Recommendations</h1>
<p style="text-align: justify; ">Broadly, service providers across India could take cognizance of the following recommendations to ensure alignment with the Rules found under section 43A and to maximize the amount of protection afforded to customer data.</p>
<p style="text-align: justify; ">1. <b>Access and location of privacy policy:</b> Service providers should ensure that the privacy policy is easily accessible through the main page of the company's website. Furthermore, the Privacy Policy should be accessible to users prior to the collection of personal information. All 'User Agreement' forms should include a written Privacy Policy or a reference to the Privacy Policy on the service provider's website.</p>
<p style="text-align: justify; ">2. <b>Scope of privacy policy:</b> The privacy policy should address all practices and services offered by the service provider. If a service requires a different or additional privacy policy, a link to the same should be included in the privacy policy on the main website of the service provider.</p>
<p style="text-align: justify; ">3. <b>Defining consent</b>: The Privacy Policy should clearly define what constitutes 'consent'. If the form of consent changes for different types of service, this should be clearly indicated.</p>
<p style="text-align: justify; ">4. <b>Clear language:</b> The language in the Privacy Policy should be clear and specific, leaving no doubt or ambiguity with regards to the provisions.</p>
<p style="text-align: justify; ">5. <b>Transparent security practices:</b> The Privacy Policy should include comprehensive information about a company's security practices should be included in the Privacy Policy. Information pertaining to audits of these procedures should be made public.</p>
<p style="text-align: justify; ">6. <b>Defined and specified third parties:</b> The Privacy Policy should define 'third party' as it pertains to the company's practices and specify which third parties information will be shared with.</p>
<p style="text-align: justify; ">7. <b>Comprehensive grievance mechanism: </b>The Privacy Policy should include relevant details for users to easily use established grievance mechanisms. This includes contact details of the grievance officers, procedure of submitting a grievance, expected response of the grievance officer (recognition of the grievance, time period for resolution etc.), and method of appealing decision of the grievance officer.</p>
<p style="text-align: justify; ">8. <b>Specify laws governing disclosure to governmental agencies and law enforcement:</b> The Privacy Policy should specify under what laws and service providers are required disclose personal information to.</p>
<p style="text-align: justify; ">9. <b>Inclusion of data retention practices:</b> The Privacy Policy should include provisions defining the retention practices of the company.</p>
<h1 style="text-align: justify; "><a name="_Toc406957938"></a> <a name="h.3j2qqm3"></a> Annexure 1</h1>
<p style="text-align: justify; "><a name="h.1y810tw"></a> Explanation and Interpretation of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
<p style="text-align: justify; ">Section 43A under the Information Technology Act 2000 addresses the protection of sensitive personal data or information and the implementation of an information security management system, and the Rules framed under section 43A attempt establish a holistic data security regime for the private sector.</p>
<p style="text-align: justify; ">The following section is a description of the requirements found under section 43A and subsequent Rules with respect to information that must be included in the privacy policy of a 'body corporate' and procedures that must be followed by 'body corporate' with respect to the publishing and notice of a privacy policy. This section also includes an explanation of how each relevant provision has been interpreted for the purpose of this research.</p>
<p style="text-align: justify; "><b>Relevant provisions that pertain to the privacy policy of body corporate </b></p>
<p style="text-align: justify; "><b>Rule 3:</b> This section defines the term 'Sensitive Personal Data or Information', setting out the six types of information that are considered 'sensitive personal data' including:</p>
<p style="text-align: justify; ">i. Password - Defined under the Rules as "a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information"<a href="#_ftn76" name="_ftnref76"><sup><sup>[76]</sup></sup></a>.</p>
<p style="text-align: justify; ">ii. Financial information - "such as Bank account or credit card or debit card or other payment instrument details" <a href="#_ftn77" name="_ftnref77"><sup><sup>[77]</sup></sup></a></p>
<p style="text-align: justify; ">iii. Physical, physiological and mental health condition</p>
<p style="text-align: justify; ">iv. Sexual orientation</p>
<p style="text-align: justify; ">v. Medical records and history</p>
<p style="text-align: justify; ">vi. Biometric information</p>
<p style="text-align: justify; ">The two other broad categories of Sensitive Personal Data or Information that are included in the Rule are - any related details provided to the body corporate, and any information received by the body corporate in relation to the categories listed above. <a href="#_ftn78" name="_ftnref78"><sup><sup>[78]</sup></sup></a></p>
<p style="text-align: justify; ">The proviso to this section excludes any information available in the public domain or which may be provided under the Right to Information Act, 2005 from the ambit of SPD/I.</p>
<p style="text-align: justify; ">Under the Rules, Sensitive Personal Data is considered to be a subset of Personal Information - which has been defined by Section 2 (1) (i) as " <i> any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person </i> "<a href="#_ftn79" name="_ftnref79"><sup><sup>[79]</sup></sup></a></p>
<p style="text-align: justify; "><b>Interpretation:</b> While the Rules are clearly limited to personal and sensitive personal data or information, the use of these terms throughout the Rules is not consistent. For example, some provisions under the Rules ambiguously use the term 'information' in place of the terms 'personal information' and/or 'sensitive personal information'.<a href="#_ftn80" name="_ftnref80"><sup><sup>[80]</sup></sup></a> While 'information' has been defined non-exhaustively as any 'data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated microfiche' in the Act, this definition appears to be overbroad and cannot be applied in that form for the purpose of provisions on privacy policy. <a href="#_ftn81" name="_ftnref81"><sup><sup>[81]</sup></sup></a> Hence, 'information', when used in the Rules, is construed to mean 'personal information' including 'sensitive personal information' for the purpose of this survey.</p>
<p style="text-align: justify; ">As per Rule 3, information in the public domain isn't classified as sensitive personal data. This exception may require a relook considering that 'providers' of information' may not want their data to be disclosed beyond its initial disclosure, or in certain cases, they may not even know of its existence in the public domain. Since the notice of collection, purpose and use of information is limited to SPD alone under Rule 5, information in the public domain should be seen together with whether the provider of information has provided the latter directly or to service provider that requires the information. If the source is the information provider directly, it need not be classified as SPD.</p>
<p style="text-align: justify; ">On a positive note, the addition of the term "in combination with other information available or likely to be available", gives recognition to the phenomenon of convergence of data. Parts of information that seem of negligible importance, when combined, provide a fuller personal profile of an individual, the recognition of this, in effect, gives a far wider scope to personal information under the Rules.</p>
<p style="text-align: justify; ">In the specific context of Privacy Policies, the Rules do not stipulate whether the mandated privacy policy has to explicitly mention SPD/I that is collected or used.{This is mentioned under Rule 4(ii) and (iii)} Since Rules do require that a privacy policy must be clear, it is construed that the privacy policy should explicitly recognize the type of PI and SPD/I being collected by the company.</p>
<p style="text-align: justify; "><b>Rule 4:</b> This rule mandates that a "<i>body corporate that collects, receives possess, stores, deals or handles information of the provider of information</i>". For the purposes of this research, this entity will be referred to as a 'data controller'. According to Rule 4, every data controller must provide a privacy policy on its website for handling of or dealing in personal information including sensitive personal information.</p>
<p style="text-align: justify; ">The following details have to be included in the privacy policy -</p>
<p style="text-align: justify; ">"(i) Clear and easily accessible statements of its practices and policies;</p>
<p style="text-align: justify; ">(ii) Type of personal or sensitive personal data or information collected under rule 3;</p>
<p style="text-align: justify; ">(iii) Purpose of collection and usage of such information;</p>
<p style="text-align: justify; ">(iv) Disclosure of information including sensitive personal data or information as provided in rule 6;</p>
<p style="text-align: justify; ">(v) Reasonable security practices and procedures as provided under rule 8."<a href="#_ftn82" name="_ftnref82"><sup><sup>[82]</sup></sup></a></p>
<p style="text-align: justify; "><b>Interpretation</b> : The Rules do not provide an adequate understanding of the terms 'clear' and 'accessible', and the terms 'practices' and 'policies' are not defined. For the purpose of this research, 'practices' will be construed to mean the privacy policy of the company. It is deemed to be clear and accessible if it is available either directly or through a link on the main website of the body corporate. To meet the standards set by this Rule, the policy or policies should disclose information about the company's services, products and websites, whenever personal information is collected.</p>
<p style="text-align: justify; "><b>Rule 5:</b> This Rule establishes limits for collection of information. It states that prior informed consent has to be obtained by means of letter, fax or email from the user regarding the purpose of usage for the sensitive personal information sought to be collected. It limits the purpose for collection of SPD/I to collection for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and only if it is considered necessary for that purpose. Thus, the information collected can only be used for the stated purpose for which it has been collected. <a href="#_ftn83" name="_ftnref83"><sup><sup>[83]</sup></sup></a></p>
<p style="text-align: justify; ">Further, Rule 5 (3) provides that consent has to be obtained and knowledge provided to a person from whom personal information is being directly collected - which for service providers - is understood to be through the customer application form. This rule will be deemed to have been complied with when the following information is provided -</p>
<p style="text-align: justify; ">a. The fact that the information is being collected.</p>
<p style="text-align: justify; ">b. The purpose of such collection.</p>
<p style="text-align: justify; ">c. Intended recipients of the collected information.</p>
<p style="text-align: justify; ">d. Names and addresses of the agency or agencies collecting and retaining information.</p>
<p style="text-align: justify; ">Moreover, it provides that the user has to be given the option of not providing information prior to its collection. In case the user chooses this option or subsequently withdraws consent the body corporate has the option to withhold its services.</p>
<p style="text-align: justify; ">This section also provides under Section 5 (2) (a) that the type of information that this Rule concerns itself with can only be collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and if it is considered necessary for that purpose.</p>
<p style="text-align: justify; ">It also requires that a Grievance Officer be instated to redress the grievance " <i>expeditiously but within one month from the date of receipt of grievance.</i>" The Grievance Redressal process has been discussed in more detail later.</p>
<p style="text-align: justify; "><b>Interpretation:</b> Even though Rule 5 incorporates various major data protection principles and mandates the establishment of a Grievance Redressal Mechanism, neither Rule 5 nor Rule 4 (3) makes a reference to the other. [Rule 4(3) uses the term "such information", and the fact that it follows Rule 4(2) which clearly refers to personal information as well as SPD/I, means that Rule 4(3) also refers to the same]</p>
<p style="text-align: justify; "><i>Prima facie</i> , the scope of Rule 5 is limited to collection of SPD/I. However, Rule 4 (3) ostensibly covers the broad ambit of 'information' which includes SPD/I. Construing these two provisions together using the 'Harmonious Construction' principle <a href="#_ftn84" name="_ftnref84"><sup><sup>[84]</sup></sup></a>, Rule 5 could be interpreted to cover personal information for privacy policies under Rule 4.</p>
<p style="text-align: justify; ">In addition, Rule 5(3) doesn't expand on the reasonable steps to be taken for intimating the information provider on the extent of disclosure and purpose of collection. This appears as a rather large loophole considering the wide interpretation that can be given to 'reasonable' practices of service providers.</p>
<p style="text-align: justify; "><b>Rule 6:</b> This rule lays down the conditions and procedure for disclosure of information.<a href="#_ftn85" name="_ftnref85"><sup><sup>[85]</sup></sup></a> Under it, the following conditions apply before any disclosure of information by the 'body corporate' to any third party -</p>
<p style="text-align: justify; ">a. The body corporate is required to obtain prior permission from the provider of the information, or</p>
<p style="text-align: justify; ">b. Permission to disclose has to be agreed on in the contract between the company and the data subject, or</p>
<p style="text-align: justify; ">c. Disclosure is necessary for the compliance of a legal obligation.</p>
<p style="text-align: justify; ">An exception is made in case the disclosure is made to an authorized and legally mandated Government agency upon request for the purposes of verification of identity, for prevention, detection, and investigation of incidents, specifically including cyber incidents, prosecution, and punishment of offences, in which case no consent from the data subject will be required. Thus, the company does not need user consent to disclose information to authorized law enforcement or intelligence agencies when presented with an authorized request.</p>
<p style="text-align: justify; "><b>Interpretation</b> :</p>
<p style="text-align: justify; ">The guidelines for disclosure limit themselves to SPD under Rule 6 leaving a vacuum with respect to information that doesn't fall within the definition of SPD/I. However, Rule 4 (iv)'s applies to 'information including SPD'. Reading the two together, in accordance with the 'Harmonious Construction' principle, the scope of SPD/I in Rule 6 is construed to extend to the same personal information and SPD/I as is covered by Rule 4 (iv), for the limited purpose of the privacy policies under Rule 4.</p>
<p style="text-align: justify; "><b>Rule 7</b> : This Rule requires that when the data controller transfers SPD/I to another body corporate or person, such a third party must adhere to the same standards of data protection that the body corporate collecting the information in the first instance follows.</p>
<p style="text-align: justify; "><b>Interpretation</b> : Although the privacy policy is not required to provide details of the transfer of information, the fourth sub-section of Rule 4, which concerns itself with the obligation of the body corporate to provide a policy for privacy including information about the disclosure of information to its consumers, incorporates this Rule as it deals with disclosure of information to third parties. Thus, the Policy of the body corporate must include details of the way the data is handled or dealt by the third party, which is shared by the body corporate in question.</p>
<p style="text-align: justify; "><b>Rule 8:</b> This Rule details the criteria for reasonable security practices and procedures.<a href="#_ftn86" name="_ftnref86"><sup><sup>[86]</sup></sup></a> It provides that not only must the body corporate have implemented standard security practices and procedures, but it should also have documented the information security program and policies containing appropriate "<i>managerial, technical, operational and physical security control measures</i>". The Rule specifically uses the example of IS/ISO/IEC 27001 as an international standard that would fulfill the requirements under this provision. The security standards or codes of best practices adopted by the company are required to be certified/audited by a Government approved independent auditor annually and after modification or alteration of the existing practice and procedure. Sub-section (1) of the Rule also gives the body corporate the option of creating its own security procedures and practices for dealing with managerial, technical, operational, and physical security control, and have comprehensive documentation of their information security programme and information security policies. These norms should be as strict as the type of information collected and processed requires. In the event of a breach, the body corporate can be called to demonstrate that these norms were suitably implemented by it.</p>
<p style="text-align: justify; "><b>Interpretation</b> : It is unclear whether the empanelled IT security auditing organizations recognized by CERT-In discussed later are qualified for the purpose of this Rule, but from publicly available information the Data Security Council of India and CERT-In's empanelled Security Auditors seem to be the agencies given this task<a href="#_ftn87" name="_ftnref87"><sup><sup>[87]</sup></sup></a>. With regards to the Privacy Policy or Policies of a company, it is only necessary that the company include as many details as possible regarding the steps taken to ensure the security and confidentiality of the collected information in the Privacy Policy and Policies, and notify them to the consumer.</p>
<p style="text-align: justify; "><b>Other Relevant Policies:</b></p>
<p style="text-align: justify; "><b>Empanelled Information Technology Security Auditors</b> - CERT-In has created a panel of 'IT Security Auditors' for auditing networks & applications of various organizations of the Government, critical infrastructure organizations and private organizations including bodies corporate.<a href="#_ftn88" name="_ftnref88"><sup><sup>[88]</sup></sup></a> The empanelled IT security auditing organization is required to, <i>inter alia</i>, conduct a " <i> Review of Auditee's existing IT Security Policy and controls for their adequacy as per the best practices vis-à-vis the IT Security frameworks outlined in standards such as COBIT, COSO, ITIL, BS7799 / ISO17799, ISO27001, ISO15150, etc." </i> <a href="#_ftn89" name="_ftnref89"><sup><sup>[89]</sup></sup></a> and conduct and document various assessments and tests. Some typical reviews and tests that include privacy reviews are - Information Security Testing, Internet Technology Security Testing and Wireless Security Testing.<a href="#_ftn90" name="_ftnref90"><sup><sup>[90]</sup></sup></a> For this purpose CERT-In maintains a list of IT Security Auditing Organizations<a href="#_ftn91" name="_ftnref91"><sup><sup>[91]</sup></sup></a>.</p>
<p style="text-align: justify; "><a name="h.4i7ojhp"></a> <b>Criteria for analysis of company policies based on the 43A Rules </b></p>
<p style="text-align: justify; ">1. Clear and Accessible statements of its practices and policies<a href="#_ftn92" name="_ftnref92"><sup><sup>[92]</sup></sup></a> -</p>
<p style="text-align: justify; ">i. Whether the privacy policy is accessible through the main website of the body corporate?</p>
<p style="text-align: justify; ">ii. Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?</p>
<p style="text-align: justify; ">iii. Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
<p style="text-align: justify; ">2. Type and acknowledgment of personal or sensitive personal data/information collected <a href="#_ftn93" name="_ftnref93"><sup><sup>[93]</sup></sup></a>-</p>
<p style="text-align: justify; ">i. Whether the privacy policy explicitly states that personal and sensitive personal information will be collected.</p>
<p style="text-align: justify; ">ii. Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
<p style="text-align: justify; ">3. Option to not provide information and withdrawal of consent<a href="#_ftn94" name="_ftnref94"><sup><sup>[94]</sup></sup></a> -</p>
<p style="text-align: justify; ">i. Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
<p style="text-align: justify; ">ii. Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
<p style="text-align: justify; ">4. Existence of Grievance Officer -</p>
<p style="text-align: justify; ">i. Whether the privacy policy mentions the existence of a grievance officer?</p>
<p style="text-align: justify; ">ii. Whether the privacy policy provides details of the grievance redressal mechanism?</p>
<p style="text-align: justify; ">iii. Whether the privacy policy provides the names and contact information of the grievance officer?</p>
<p style="text-align: justify; ">5. Purpose of Collection and usage of information -</p>
<p style="text-align: justify; ">i. Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
<p style="text-align: justify; ">6. Disclosure of Information -</p>
<p style="text-align: justify; ">i. Whether personal information is shared with third parties (except authorized government agencies/LEA/IA) only with user consent?</p>
<p style="text-align: justify; ">ii. Whether the policy specifies that personal information is disclosed to Government agencies/LEA/IA only when legally mandated as per the circumstances laid out in 43A?</p>
<p style="text-align: justify; ">7. Reasonable Security practices and procedures -</p>
<p style="text-align: justify; ">i. Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure information?</p>
<p style="text-align: justify; "><br clear="all" /></p>
<p style="text-align: justify; "><a name="h.2xcytpi"></a> <a name="h.3whwml4"></a> <b> </b></p>
<h1 style="text-align: justify; "><a name="_Toc406957939">Annexure 2</a></h1>
<p style="text-align: justify; "><a name="h.2bn6wsx"></a> Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) 2011 and Company SURVEY</p>
<p style="text-align: justify; "><b>1. Bharti Airtel Ltd.</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel's Privacy Policy<a href="#_ftn95" name="_ftnref95"><sup><sup>[95]</sup></sup></a> is available through the main page of the website and it is mentioned in the Airtel Terms and Conditions and is applicable for Airtel's websites as well as its services and products, such as its telecommunications services. It was determined that the policy can be comprehended by individuals without legal knowledge.</p>
<p style="text-align: justify; "><b>2. </b> <b>Type and acknowledgement of personal or sensitive personal data/information collected: Yes </b></p>
<p style="text-align: justify; ">b. <b>Rationale: </b>Airtel's Privacy Policy indicates that sensitive personal and personal information will be collected, defines sensitive personal information<a href="#_ftn96" name="_ftnref96"><sup><sup>[96]</sup></sup></a>, and specifies specific types of personal<a href="#_ftn97" name="_ftnref97"><sup><sup>[97]</sup></sup></a> and sensitive personal information <a href="#_ftn98" name="_ftnref98"><sup><sup>[98]</sup></sup></a> that will be collected.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide data or information and subsequent withdrawal of consent: Yes</b></p>
<p style="text-align: justify; ">c. <b>Rationale: </b>The Airtel Privacy Policy states that individuals have the right to choose not to provide consent or information and have the right to withdraw consent. The policy notes that if consent/information is not provided, Airtel reserves the right to not provide or to withdraw the services.<a href="#_ftn99" name="_ftnref99"><sup><sup>[99]</sup></sup></a></p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel provides for the contact details of nodal officers<a href="#_ftn100" name="_ftnref100"><sup><sup>[100]</sup></sup></a> and appellate authorities <a href="#_ftn101" name="_ftnref101"><sup><sup>[101]</sup></sup></a> on its website.<b> </b>Additionally the website provides for the 'Office of the Ombudsperson'<a href="#_ftn102" name="_ftnref102"><sup><sup>[102]</sup></sup></a>, which is an independent forum for employees and external stakeholders<a href="#_ftn103" name="_ftnref103"><sup><sup>[103]</sup></sup></a> of the company to raise concerns and complaints about improper practices which are in breach of the Bharti Code of Conduct. Additionally, details of the Airtel Grievance Redressal Officers can also be found in the TRAI website.<a href="#_ftn104" name="_ftnref104"><sup><sup>[104]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Comprehensive disclosure of purpose of collection and usage of information: Partial </b></p>
<p style="text-align: justify; "><b>Rationale: </b> Airtel's Privacy Policy indicates eight purposes<a href="#_ftn105" name="_ftnref105"><sup><sup>[105]</sup></sup></a> that information will be collected and used for, but notes that the use and collection is not limited to the defined purposes.</p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information<a href="#_ftn106" name="_ftnref106"><sup><b><sup>[106]</sup></b></sup></a>: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel has a dedicated section explaining the company's practices around the disclosure and sharing of collected information, including ways in which consent will be collected for the sharing of personal information<a href="#_ftn107" name="_ftnref107"><sup><sup>[107]</sup></sup></a>, how collected personal information may be collected internally <a href="#_ftn108" name="_ftnref108"><sup><sup>[108]</sup></sup></a>, the disclosure of information to third parties and that the third party will be held accountable for protecting the information through contract<a href="#_ftn109" name="_ftnref109"><sup><sup>[109]</sup></sup></a>, the possible transfer of personal information and its purposes<a href="#_ftn110" name="_ftnref110"><sup><sup>[110]</sup></sup></a>, and the circumstances under which information will be disclosed to governmental agencies (which reflect the circumstances defined by the Rules.) <a href="#_ftn111" name="_ftnref111"><sup><sup>[111]</sup></sup></a></p>
<p style="text-align: justify; "><b>7. </b> <b>Existence of reasonable security practices and procedures</b> <a href="#_ftn112" name="_ftnref112"><sup><sup>[112]</sup></sup></a> <b>: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel's privacy policy has a dedicated section that explains the company's security practices and procedures in place. The policy notes that Airtel's practices and procedures are IS/ISO/IEC 27001 compliant <a href="#_ftn113" name="_ftnref113"><sup><sup>[113]</sup></sup></a>, that access is restricted to a need to know basis and that employees are bound by codes of confidentiality<a href="#_ftn114" name="_ftnref114"><sup><sup>[114]</sup></sup></a>, and that Airtel works to ensure that third parties also have strong security procedures in place.<a href="#_ftn115" name="_ftnref115"><sup><sup>[115]</sup></sup></a> The policy also provides details on the retention<a href="#_ftn116" name="_ftnref116"><sup><sup>[116]</sup></sup></a> and destruction <a href="#_ftn117" name="_ftnref117"><sup><sup>[117]</sup></sup></a> procedures for personal information, and notes that reasonable steps are taken to protect against hacking and virus attacks.<a href="#_ftn118" name="_ftnref118"><sup><sup>[118]</sup></sup></a></p>
<p style="text-align: justify; "><b>1. </b> <b>Tata Telecommunication Services (DoCoMo and Virgin Mobile)</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies</b> : Partial</p>
<p style="text-align: justify; ">a. <b>Rationale</b>: Though Tata DoCoMo has a comprehensive Data Privacy Policy <a href="#_ftn119" name="_ftnref119"><sup><sup>[119]</sup></sup></a> that is applicable to Tata Teleservices Limited's ("<b>TTL</b>") products and services and the TTL website, it is not accessible to the user through the main website. In the Frequently Asked Questions Section of TTL, it is clarified under what circumstances information that you provide is not covered by the TTL privacy policy. <a href="#_ftn120" name="_ftnref120"><sup><sup>[120]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Type of personal or sensitive personal data/information collected: Partial </b></p>
<p style="text-align: justify; ">a. <b>Rational: </b>TTL defines personal information<a href="#_ftn121" name="_ftnref121"><sup><sup>[121]</sup></sup></a> but only provides general examples of types of personal information<a href="#_ftn122" name="_ftnref122"><sup><sup>[122]</sup></sup></a> (and not sensitive personal) collected, rather than a comprehensive list. The definitions and examples of information collected are clarified in the FAQs and the Privacy Policy, rather than in the Privacy Policy alone. As a strength, the Privacy Policy clarifies the ways in which TTL will collect information from the user - including the fact that they receive information from third parties like credit agencies. <a href="#_ftn123" name="_ftnref123"><sup><sup>[123]</sup></sup></a></p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent: N/A</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>The TTL Privacy Policy does not address the right of the individual to provide consent/information and to withdraw information/consent.</p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> TTL has various methods to lodge complaints and provides for an appellate authority. <a href="#_ftn124" name="_ftnref124"><sup><sup>[124]</sup></sup></a> Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.<a href="#_ftn125" name="_ftnref125"><sup><sup>[125]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> In its' Privacy Policy, TTL describes the way in which collected information is used. <a href="#_ftn126" name="_ftnref126"><sup><sup>[126]</sup></sup></a> The TTL FAQs further clarify the use of cookies by the company, the use of provided information for advertising purposes, <a href="#_ftn127" name="_ftnref127"><sup><sup>[127]</sup></sup></a> and the use of aggregate and anonymized data.<a href="#_ftn128" name="_ftnref128"><sup><sup>[128]</sup></sup></a></p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>In the Privacy Policy and the FAQs page, TTL is transparent about the circumstances on which they will share/disclose personal information with third parties<a href="#_ftn129" name="_ftnref129"><sup><sup>[129]</sup></sup></a>, with law enforcement/governmental agencies<a href="#_ftn130" name="_ftnref130"><sup><sup>[130]</sup></sup></a>, and with other TTL companies. <a href="#_ftn131" name="_ftnref131"><sup><sup>[131]</sup></sup></a> Interestingly, the TTL FAQ's clarify to the customer that their personal information might be processed in different jurisdictions, and thus would be accessible by law enforcement in that jurisdiction. <a href="#_ftn132" name="_ftnref132"><sup><sup>[132]</sup></sup></a></p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: Partial</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>TTL's Privacy Policy broadly references that security practices are in place to protect user information, but the policy does not make reference to a specific security standard, or provide detail as to what these practices and procedures are. <a href="#_ftn133" name="_ftnref133"><sup><sup>[133]</sup></sup></a> Although TTL's Privacy Policy does not make mention of any specific security standard, Tata Teleservices (Maharashtra) Limited claims to have been awarded with ISO 27001 ISMS (Information Security Management Systems) Certification in May 2011, and completed its first Surveillance Audit in June 2012<a href="#_ftn134" name="_ftnref134"><sup><sup>[134]</sup></sup></a>. Information on IT security standards adopted by other circles could not be found on the internet.</p>
<p style="text-align: justify; "><b>2. </b> <b>Vodafone </b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes </b></p>
<p style="text-align: justify; "><b>Rationale: </b> Vodafone's Privacy Policy<a href="#_ftn135" name="_ftnref135"><sup><sup>[135]</sup></sup></a> is easily accessible from its website from a link at the bottom, directly from the home page and from all other pages of the website. <a href="#_ftn136" name="_ftnref136"><sup><sup>[136]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Collection of personal or sensitive personal data/information: No </b></p>
<p style="text-align: justify; "><b>Rationale: </b> Type -</p>
<p style="text-align: justify; ">a. Personal Information - The amount of details given by the Privacy Policy with regards to the personal information being collected is insufficient, as it does not include a number of relevant facts, and uses is vague language - such as '<i>amongst other things</i>', implying that information other than that which is notified is being collected.<a href="#_ftn137" name="_ftnref137"><sup><sup>[137]</sup></sup></a></p>
<p style="text-align: justify; ">b. Sensitive Personal Data or Information - The Privacy Policy does not mention the categories or types of SPD/I, as defined under Rule 3, being collected by the service provider explicitly, only gives a general overview of the information that is collected.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b> The privacy policy does not mention the consent of data subject anywhere, nor does it mention his or her right to withdraw it at any point of time. It also does not mention whether or not the provision of services by Vodafone is contingent on the provision of such information.</p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Privacy Policy explicitly mentions and gives the email address of a grievance redressal officer, though further details about the other offices are given in a separate section of the website.<a href="#_ftn138" name="_ftnref138"><sup><sup>[138]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Partial</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Privacy Policy gives an exhaustive list of purposes for which the collected information can be used by Vodafone, <a href="#_ftn139" name="_ftnref139"><sup><sup>[139]</sup></sup></a> but at the same time the framing of the opening sentence and the usage of the term 'may include' could imply that it can be used for other purposes as well.</p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Privacy Policy mentions that Vodafone might share the collected information with certain third parties and the terms and conditions which would apply to such a third party.<a href="#_ftn140" name="_ftnref140"><sup><sup>[140]</sup></sup></a> The phrasing does not imply that there are other conditions that have not been mentioned in the policy, under which the information would be shared with a third party. At the same time, the Privacy Policy does not explicitly say that the third party will necessarily follow the privacy and data security procedures and rules laid down in the Privacy Policy.</p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: Yes</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Privacy Policy mentions in reasonably clear detail the security practices and procedures followed by Vodafone, and also mentions the circumstances in which the data subject should take care to protect his or her own information, wherein Vodafone will not be liable. <a href="#_ftn141" name="_ftnref141"><sup><sup>[141]</sup></sup></a> Although Vodafone India's Privacy Policy does not specify what their IT Security standard is, its 2012/2013 Sustainability Report available through its international website <a href="#_ftn142" name="_ftnref142"><sup><sup>[142]</sup></sup></a> states that it follows industry practices in line with the ISO 27001 standard and its core data centre in India follows this standard<a href="#_ftn143" name="_ftnref143"><sup><sup>[143]</sup></sup></a><b>.</b></p>
<p style="text-align: justify; "><b>3. </b> <b>Aircel</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes </b></p>
<p style="text-align: justify; "><b>Rationale: </b></p>
<p style="text-align: justify; ">The Privacy Policy is accessible from every page of the Aircel website, with a link at the bottom of each page after the specific circle has been chosen. It is reasonably free of legalese and is intelligible.<a href="#_ftn144" name="_ftnref144"><sup><sup>[144]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Type of personal or sensitive personal data/information collected: Partial</b></p>
<p style="text-align: justify; "><b>Rationale: </b> Type -</p>
<p style="text-align: justify; ">a. Personal Information</p>
<p style="text-align: justify; ">In the Privacy Policy, the repeated usage of the term 'may' creates some doubt about the actual extent of the data collected, and leaves the Privacy Policy quite unclear in this regard. At the same time, the Privacy Policy does include a fairly comprehensive list of personal information that could be collected. <a href="#_ftn145" name="_ftnref145"><sup><sup>[145]</sup></sup></a> The wording in the Privacy Policy thus requires further clarification and specification in order to make a determination on whether or not it provides complete details on the personal information that will be collected.</p>
<p style="text-align: justify; ">a. Sensitive Personal Data or Information</p>
<p style="text-align: justify; ">The Privacy Policy does not mention SPDI explicitly, which adds to the lack of concrete details as noted earlier.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent - Yes</b></p>
<p style="text-align: justify; "><b>Rationale</b> : The Privacy Policy mentions that users do have the right to refuse to provide or the withdrawal of consent to collect personal information. In such cases, Aircel can respectively refuse or discontinue the provision of its services. <a href="#_ftn146" name="_ftnref146"><sup><sup>[146]</sup></sup></a></p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">Though not directly mentioned in the Privacy Policy, a separate, easily noticeable link at the bottom of each webpage links to the Customer Grievance section. There are different officers in charge of each node, called the Nodal Officers. <a href="#_ftn147" name="_ftnref147"><sup><sup>[147]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Partial </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>The usage of the term 'may' in the section of the Privacy Policy regarding the purpose of collection and usage of information again leaves it ambiguous in this regard, implying that it can just as easily be used for purposes that have not been notified to the data subject.<a href="#_ftn148" name="_ftnref148"><sup><sup>[148]</sup></sup></a></p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Though<b> </b>the Privacy Policy does not specify all the circumstances under which Aircel would share the collected information with a third party, it specifies the terms and conditions that would apply in the cases that it does. <a href="#_ftn149" name="_ftnref149"><sup><sup>[149]</sup></sup></a></p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: Yes</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Policy gives a reasonable amount of detail about the steps taken by Aircel to ensure the security of the information collected by it, but leaves certain holes uncovered.<a href="#_ftn150" name="_ftnref150"><sup><sup>[150]</sup></sup></a></p>
<p style="text-align: justify; "><b>4. </b> <b>Atria Convergence Technologies Private Limited (ACT)</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Policy is intelligible, and is easily accessible from all the webpages of the company's website from a link at the bottom of all pages.<a href="#_ftn151" name="_ftnref151"><sup><sup>[151]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Type of personal or sensitive personal data/information collected: Partial</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">Type -</p>
<p style="text-align: justify; ">a. Personal Information - Yes -</p>
<p style="text-align: justify; ">The Policy mentions the different types of Personal Information which will be collected by ACT if the customer registers with the Company. <a href="#_ftn152" name="_ftnref152"><sup><sup>[152]</sup></sup></a></p>
<p style="text-align: justify; ">a. Sensitive Personal Data or Information -</p>
<p style="text-align: justify; ">The categories of SPD/I collected by ACT are not specifically mentioned in the policy, though they are mentioned as part of the general declarations.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale</b>: The option of the data subject not providing or withdrawing consent has not been mentioned in the Policy.</p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> No Grievance Officer has been mentioned in the Privacy Policy or on the ACT website, nor has any other grievance redressal process been specified.<a href="#_ftn153" name="_ftnref153"><sup><sup>[153]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Policy mentions the various ways ACT might use the information it collects, though the use of the term 'general' is a cause for concern.<a href="#_ftn154" name="_ftnref154"><sup><sup>[154]</sup></sup></a> The list of purposes for collection given in the Privacy Policy is a very general list.</p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Policy mentions the circumstances in which ACT might share the collected information with a third party, and also mentions that such parties will either be subject to confidentiality agreements, or that the data subject will be notified before his or her information becomes subject to a different privacy policy. It also mentions the exception to above, that being when the information is shared for investigative purposes.<a href="#_ftn155" name="_ftnref155"><sup><sup>[155]</sup></sup></a> At the same time, the intended recipients of the information are not mentioned, and the name and address of agency/agencies collecting and retaining information is not mentioned.</p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> - The security practices and procedures followed by ACT to protect the information of its customers are not mentioned in the Policy, which is a critical weak point, keeping in mind the requirements of the Rules. <a href="#_ftn156" name="_ftnref156"><sup><sup>[156]</sup></sup></a></p>
<div style="text-align: justify; ">
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> . Telecom Regulatory Authority of India, Press Release 143/2012,(< <a href="http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf"> http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf </a> >)</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> . The Indian Telecom Service Performance Indicators, January-March 2013, Telecom Regulatory Authority of India,. (< <a href="http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf"> http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf </a> >)</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < <a href="http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece"> http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece </a> ></p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> . In addition, the Unified Access License Framework which allows for a single license for multiple services such as telecom, the internet and television, provides certain security guidelines. As per the model UIL Agreements, privacy of communications is to be maintained and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. For internet services, the Agreement stipulates the keeping an Internet Protocol Detail Record (IPDR) and copies of packets from customer premises equipment (CPE). Accessed at < <a href="http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf">http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf</a>></p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> . See >> <a href="http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf"> http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf </a> >></p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < <a href="http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece"> http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece </a> > Accessed..</p>
</div>
<div id="ftn7">
<p><a href="#_ftnref7" name="_ftn7">[7]</a> . Starting with <i>Kharak Singh</i> v. <i>State of UP </i>1963 AIR SC 1295<i>, </i>the<i> </i>right to privacy has been further confirmed and commented on in other cases, like <i>Govind v.State of M.P</i> (1975) 2 SCC 148: 1975 SCC (Cri) 468. A full history of the development of the Right to Privacy can be found in B.D. Agarwala, <i>Right to Privacy: A Case-By-Case Development</i>, (1996) 3 SCC (Jour) 9, available at http://www.ebc-india.com/lawyer/articles/96v3a2.htm.</p>
</div>
<div id="ftn8">
<p><a href="#_ftnref8" name="_ftn8">[8]</a> . White Paper on EU Adequacy Assessment of India, 3, ("<i>Based on an overall </i></p>
<p><i> analysis against the identifiable principles under Article 25, the 2010 Report concludes that India does not at present provide adequate protection to personal data in relation to any sector or to the whole of its private sector or to the whole of its public sector. </i> ") available at < <a href="https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf"> https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf </a> ></p>
</div>
<div id="ftn9">
<p><a href="#_ftnref9" name="_ftn9">[9]</a> . Planning Commission<i>, Report of the Group of Experts on Privacy</i>, 2012, (< <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a>>)</p>
</div>
<div id="ftn10">
<p><a href="#_ftnref10" name="_ftn10">[10]</a> . Though a company's Privacy Policy was the main document analysed for this research, when applicable a company's Terms of Service wavas also reviewed.</p>
</div>
<div id="ftn11">
<p><a href="#_ftnref11" name="_ftn11">[11]</a> . BSNL and MTNL are government companies as defined under section 617, Indian Companies Act, 1956, incorporated under the Indian Companies Act, 1956. Under section 43 A (i) of the Act, a 'body corporate' has been broadly defined as "any company…sole proprietorship or other association of individuals engaged in commercial or professional activities". Therefore, for the purpose of this survey, BSNL and MTNL are recognized as bodies corporate.</p>
</div>
<div id="ftn12">
<p><a href="#_ftnref12" name="_ftn12">[12]</a> . Documents Reviewed<i>:</i> http://portal.bsnl.in/portal/privacypolicy.html</p>
</div>
<div id="ftn13">
<p><a href="#_ftnref13" name="_ftn13">[13]</a> . A full list of its services are available here: < <a href="http://bsnl.co.in/opencms/bsnl/BSNL/services/">http://bsnl.co.in/opencms/bsnl/BSNL/services/</a>></p>
</div>
<div id="ftn14">
<p><a href="#_ftnref14" name="_ftn14">[14]</a> . The MTNL website does not provide access to a privacy policy</p>
</div>
<div id="ftn15">
<p><a href="#_ftnref15" name="_ftn15">[15]</a> . A full list of its services are available here <<http://mtnldelhi.in>></p>
</div>
<div id="ftn16">
<p><a href="#_ftnref16" name="_ftn16">[16]</a> . Documents Reviewed: <a href="http://www.airtel.in/forme/privacy-policy">http://www.airtel.in/forme/privacy-policy</a> , <a href="http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp">http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp</a>, <a href="http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp"> http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp </a> , <a href="http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office"> http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office </a></p>
</div>
<div id="ftn17">
<p><a href="#_ftnref17" name="_ftn17">[17]</a> . A full list of services provided by Bharti Airtel is available here: <<a href="http://www.airtel.in">www.airtel.in</a>></p>
</div>
<div id="ftn18">
<p><a href="#_ftnref18" name="_ftn18">[18]</a> . http://submarinenetworks.com/stations/asia/india/chennai-bharti</p>
</div>
<div id="ftn19">
<p><a href="#_ftnref19" name="_ftn19">[19]</a> . Documents Reviewed: <a href="http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html"> http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html </a> <a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker">https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker</a> , <a href="http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html"> http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html </a></p>
</div>
<div id="ftn20">
<p><a href="#_ftnref20" name="_ftn20">[20]</a> . See < <a href="http://historyofbusiness.blogspot.in/2013/11/history-of-vodafone.html."> http://historyofbusiness.blogspot.in/2013/11/history-of-vodafone.html. </a> ></p>
</div>
<div id="ftn21">
<p><a href="#_ftnref21" name="_ftn21">[21]</a> . <i>Vodafone International Holdings v Union of India</i>, WP 1325/2010, Bombay High Court</p>
</div>
<div id="ftn22">
<p><a href="#_ftnref22" name="_ftn22">[22]</a> . 'Vodafone to Buy Additional Essar India Stake for $5 Billion',(<i>Bloomberg</i>, March 31, 2011) < <a href="http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html"> http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html </a> >Accessed 26 May 2014</p>
</div>
<div id="ftn23">
<p><a href="#_ftnref23" name="_ftn23">[23]</a> . See <<a href="https://www.vodafone.in/pages/aboutus.aspx?cid=ker.">https://www.vodafone.in/pages/aboutus.aspx?cid=ker.</a>></p>
</div>
<div id="ftn24">
<p><a href="#_ftnref24" name="_ftn24">[24]</a> . Vodafone, <i>supra</i> note 13.</p>
</div>
<div id="ftn25">
<p><a href="#_ftnref25" name="_ftn25">[25]</a> . Documents Reviewed:<a href="http://www.tatadocomo.com/downloads/data-privacy-policy.pdf">http://www.tatadocomo.com/downloads/data-privacy-policy.pdf</a>, <a href="http://www.tatateleservices.com/t-customercare.aspx">http://www.tatateleservices.com/t-customercare.aspx</a>, <a href="http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf"> http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf </a></p>
</div>
<div id="ftn26">
<p><a href="#_ftnref26" name="_ftn26">[26]</a> . 'Japan's Docomo acquires 26% stake in Tata Tele'(The Hindu Business Line, November 13 2008) < <a href="http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm"> http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm </a> .></p>
</div>
<div id="ftn27">
<p><a href="#_ftnref27" name="_ftn27">[27]</a> . Further details are available at: < <a href="http://www.tatateleservices.com/t-aboutus-ttsl-organization.aspx">http://www.tatateleservices.com/t-aboutus-ttsl-organization.aspx</a>></p>
</div>
<div id="ftn28">
<p><a href="#_ftnref28" name="_ftn28">[28]</a> . Documents Reviewed</p>
<p><a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061"> http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 </a> , <a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_consumergrievance_page"> http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_consumergrievance_page </a> , <a href="http://www.aircel.com/AircelWar/ShowProperty/UCMRepository/Contribution%20Folders/Global/PDF/Manual_Customer_Grievan.pdf"> http://www.aircel.com/AircelWar/ShowProperty/UCMRepository/Contribution%20Folders/Global/PDF/Manual_Customer_Grievan.pdf </a></p>
</div>
<div id="ftn29">
<p><a href="#_ftnref29" name="_ftn29">[29]</a> . See < <a href="http://www.aircel.com/AircelWar/appmanager/aircel/ap?_nfpb=true&_pageLabel=aboutus_book."> http://www.aircel.com/AircelWar/appmanager/aircel/ap?_nfpb=true&_pageLabel=aboutus_book. </a> ></p>
</div>
<div id="ftn30">
<p><a href="#_ftnref30" name="_ftn30">[30]</a> . Documents Reviewed: <a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a></p>
</div>
<div id="ftn31">
<p><a href="#_ftnref31" name="_ftn31">[31]</a> . https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker</p>
</div>
<div id="ftn32">
<p><a href="#_ftnref32" name="_ftn32">[32]</a> . <a href="http://www.tatadocomo.com/downloads/data-privacy-policy.pdf">http://www.tatadocomo.com/downloads/data-privacy-policy.pdf</a></p>
</div>
<div id="ftn33">
<p><a href="#_ftnref33" name="_ftn33">[33]</a> . http://www.airtel.in/forme/privacy-policy</p>
</div>
<div id="ftn34">
<p><a href="#_ftnref34" name="_ftn34">[34]</a> .http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061</p>
</div>
<div id="ftn35">
<p><a href="#_ftnref35" name="_ftn35">[35]</a> . <a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a></p>
</div>
<div id="ftn36">
<p><a href="#_ftnref36" name="_ftn36">[36]</a> . In 2012, the Minister of State for Communications & Information Technology informed the Rajya Sabha that " <i>(a)ny change in the privacy policy is not within the purview of amended Information Technology Act, 2000</i>",, while discussing changes to Google's privacy policy. Even though the Minister noted that the EU has reported its dissatisfaction with the changed policy, finding that the policy " <i>makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service</i> ", he argued that the Act and Rules therein merely stipulate the publication of a privacy policy which provide " <i>information to the end users as to how their personal information is collected, for which it is collected, processed and secure</i>". Further, when asked how changes to privacy policy affect end users the Minister shifted the responsibility on end users, stating that " <i> (t)he end users… need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services </i> ".( < <a href="http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22"> http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22 </a> >).</p>
</div>
<div id="ftn37">
<p><a href="#_ftnref37" name="_ftn37">[37]</a> . Available at <a href="http://portal.bsnl.in/portal/privacypolicy.htm">http://portal.bsnl.in/portal/privacypolicy.htm</a>, the privacy policy was found through a search engine and not through a link from the website. An RTI request was submitted to BSNL for a copy of its privacy policy as applicable to all its products, services and websites. BSNL responded by submitting a copy of this privacy policy even though the text of the policy does not clarify the scope.</p>
</div>
<div id="ftn38">
<p><a href="#_ftnref38" name="_ftn38">[38]</a> . See, <<a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a>></p>
</div>
<div id="ftn39">
<p><a href="#_ftnref39" name="_ftn39">[39]</a> . See <<a href="http://www.airtel.in/forme/privacy-policy">http://www.airtel.in/forme/privacy-policy</a>></p>
</div>
<div id="ftn40">
<p><a href="#_ftnref40" name="_ftn40">[40]</a> . See <<a href="http://www.tataindicom.com/Download/data-privacy-policy.pdf">www.tataindicom.com/Download/data-privacy-policy.pdf</a>></p>
</div>
<div id="ftn41">
<p><a href="#_ftnref41" name="_ftn41">[41]</a> . See <<www.aircel.com/AircelWar/appmanager/aircel/delhi?_nfpb=true&_pageLabel=P26400194591312373872061>></p>
</div>
<div id="ftn42">
<p><a href="#_ftnref42" name="_ftn42">[42]</a> . See <<a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar">https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar</a>></p>
</div>
<div id="ftn43">
<p><a href="#_ftnref43" name="_ftn43">[43]</a> . See<< http://portal.bsnl.in/portal/privacypolicy.htm>></p>
</div>
<div id="ftn44">
<p><a href="#_ftnref44" name="_ftn44">[44]</a> . See <<a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a>></p>
</div>
<div id="ftn45">
<p><a href="#_ftnref45" name="_ftn45">[45]</a> . See <<a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar">https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar</a>></p>
</div>
<div id="ftn46">
<p><a href="#_ftnref46" name="_ftn46">[46]</a> . See <<a href="http://www.tataindicom.com/Download/data-privacy-policy.pdf">http://www.tataindicom.com/Download/data-privacy-policy.pdf</a>></p>
</div>
<div id="ftn47">
<p><a href="#_ftnref47" name="_ftn47">[47]</a> . Ibid</p>
</div>
<div id="ftn48">
<p><a href="#_ftnref48" name="_ftn48">[48]</a> . The complaint center details are available here: < <a href="http://www.tccms.gov.in/Queries.aspx?cid=1">http://www.tccms.gov.in/Queries.aspx?cid=1</a>></p>
</div>
<div id="ftn49">
<p><a href="#_ftnref49" name="_ftn49">[49]</a> . Rules 5 and 6</p>
</div>
<div id="ftn50">
<p><a href="#_ftnref50" name="_ftn50">[50]</a> . Principle 2, Principle 3, Personal Information Protection and Electronic Documents Act 2000. Available at: << <a href="http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html">http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html</a>>></p>
</div>
<div id="ftn51">
<p><a href="#_ftnref51" name="_ftn51">[51]</a> . Rule 5(7),</p>
</div>
<div id="ftn52">
<p><a href="#_ftnref52" name="_ftn52">[52]</a> . Principle 2</p>
</div>
<div id="ftn53">
<p><a href="#_ftnref53" name="_ftn53">[53]</a> . P. 21</p>
</div>
<div id="ftn54">
<p><a href="#_ftnref54" name="_ftn54">[54]</a> . Telecom Regulatory Policy CRTC 2009-657, Review of the Internet traffic management practices of Internet service providers << <a href="http://www.crtc.gc.ca/eng/archive/2009/2009-657.htm">www.crtc.gc.ca/eng/archive/2009/2009-657.htm</a>>></p>
</div>
<div id="ftn55">
<p><a href="#_ftnref55" name="_ftn55">[55]</a> . Alex Cameron,<i>CRTC Imposes Super-PIPEDA Privacy Protections for Personal Information Collected by ISPs, </i>Privacy and Information Protection Bulletin, Fasken Martineau, << <a href="http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf"> http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf </a> . >> Accessed 21 May 2014</p>
</div>
<div id="ftn56">
<p><a href="#_ftnref56" name="_ftn56">[56]</a> . Bram D. Abramson, Grant Buchanan, Hank Intven, <i>CRTC Shapes Canadian "Net Neutrality" Rules, </i>McCarthy Tetrault. < <a href="http://www.mccarthy.ca/article_detail.aspx?id=4720">http://www.mccarthy.ca/article_detail.aspx?id=4720</a> > Accessed 21 May 2014</p>
</div>
<div id="ftn57">
<p><a href="#_ftnref57" name="_ftn57">[57]</a> . The Privacy Act, 1988, Part III, <i>available at <<</i> http://www.comlaw.gov.au/Series/C2004A03712.>></p>
</div>
<div id="ftn58">
<p><a href="#_ftnref58" name="_ftn58">[58]</a> . <i>Id</i>, note 28, Schedule 3, 1.</p>
</div>
<div id="ftn59">
<p><a href="#_ftnref59" name="_ftn59">[59]</a> . <i>Id</i>, schedule 3, 2.</p>
</div>
<div id="ftn60">
<p><a href="#_ftnref60" name="_ftn60">[60]</a> . <i>Id</i>, schedule 3, 3.</p>
</div>
<div id="ftn61">
<p><a href="#_ftnref61" name="_ftn61">[61]</a> . <i>Id</i>, schedule 3, 4.</p>
</div>
<div id="ftn62">
<p><a href="#_ftnref62" name="_ftn62">[62]</a> . <i>Id</i>, schedule 3, 5.</p>
</div>
<div id="ftn63">
<p><a href="#_ftnref63" name="_ftn63">[63]</a> . <i>Id</i>, schedule 3, 6.</p>
</div>
<div id="ftn64">
<p><a href="#_ftnref64" name="_ftn64">[64]</a> . <i>Id</i>, schedule 3, 7.</p>
</div>
<div id="ftn65">
<p><a href="#_ftnref65" name="_ftn65">[65]</a> . <i>Id</i>, schedule 3, 8.</p>
</div>
<div id="ftn66">
<p><a href="#_ftnref66" name="_ftn66">[66]</a> . <i>Id</i>, schedule 3, 9.</p>
</div>
<div id="ftn67">
<p><a href="#_ftnref67" name="_ftn67">[67]</a> . <i>Id</i>, schedule 3, 10.</p>
</div>
<div id="ftn68">
<p><a href="#_ftnref68" name="_ftn68">[68]</a> . Telecommunications Act, Part 13 (Information or a document protected under Part 13 could relate to many forms of communications, including fixed and mobile telephone services, internet browsing, email and voice over internet telephone services. For telephone-based communications, this would include subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet-based applications, the information protected under Part 13 would include the Internet Protocol (IP) address used for the session, and the start and finish time of each session.)</p>
</div>
<div id="ftn69">
<p><a href="#_ftnref69" name="_ftn69">[69]</a> . Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, <i>available at</i> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.</p>
</div>
<div id="ftn70">
<p><a href="#_ftnref70" name="_ftn70">[70]</a> . <i>Id</i>, article 3.</p>
</div>
<div id="ftn71">
<p><a href="#_ftnref71" name="_ftn71">[71]</a> . <i>Id</i>, article 8.</p>
</div>
<div id="ftn72">
<p><a href="#_ftnref72" name="_ftn72">[72]</a> . <i>Id</i>, article 2, (d). (" <i> (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; </i> ")</p>
</div>
<div id="ftn73">
<p><a href="#_ftnref73" name="_ftn73">[73]</a> . European Commission-IP-12/46, 25 January 2012, < <a href="http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.">http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.</a>></p>
</div>
<div id="ftn74">
<p><a href="#_ftnref74" name="_ftn74">[74]</a> . Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.</p>
</div>
<div id="ftn75">
<p><a href="#_ftnref75" name="_ftn75">[75]</a> . Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.</p>
</div>
<div id="ftn76">
<p><a href="#_ftnref76" name="_ftn76">[76]</a> . Rule 2 (h)</p>
</div>
<div id="ftn77">
<p><a href="#_ftnref77" name="_ftn77">[77]</a> . Rule 3 (ii)</p>
</div>
<div id="ftn78">
<p><a href="#_ftnref78" name="_ftn78">[78]</a> . Rule 3 (vii) and (viii)</p>
</div>
<div id="ftn79">
<p><a href="#_ftnref79" name="_ftn79">[79]</a> . Rule 2 (i)</p>
</div>
<div id="ftn80">
<p><a href="#_ftnref80" name="_ftn80">[80]</a> . Rule 4(iii), (iv)</p>
</div>
<div id="ftn81">
<p><a href="#_ftnref81" name="_ftn81">[81]</a> . Section 2(v) of the Act defines 'information'</p>
</div>
<div id="ftn82">
<p><a href="#_ftnref82" name="_ftn82">[82]</a> . Rule 4 (1).</p>
</div>
<div id="ftn83">
<p><a href="#_ftnref83" name="_ftn83">[83]</a> . Rule 5 (5)</p>
</div>
<div id="ftn84">
<p><a href="#_ftnref84" name="_ftn84">[84]</a> . Defined by Venkatarama Aiyar, J as: "The rule of construction is well settled that when there are in an enactment two provisions which cannot be reconciled with each other, they should be so interpreted that, if possible, effect could be given to both" in <i>Venkataramana Devaru v. State of Mysore,</i> AIR 1958 SC 255, p. 268: G. P. Singh, Principles of Statutory Interpretation, 1th ed. 2010, Lexisnexis Butterworths Wadhwa Nagpur. The principle was applied to interpret statutory Rules in A. N. Sehgal v. Raje Ram Sheoram, AIR 1991 SC 1406.</p>
</div>
<div id="ftn85">
<p><a href="#_ftnref85" name="_ftn85">[85]</a> . Rule 6</p>
</div>
<div id="ftn86">
<p><a href="#_ftnref86" name="_ftn86">[86]</a> . Rule 8</p>
</div>
<div id="ftn87">
<p><a href="#_ftnref87" name="_ftn87">[87]</a> . 52<sup>nd</sup> Report, Standing Committee on Information Technology, 24, available at < <a href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf.%20"> http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf. </a> ></p>
</div>
<div id="ftn88">
<p><a href="#_ftnref88" name="_ftn88">[88]</a> . Panel Of Information Security Auditing Organisations, CERT-IN < <a href="http://www.cert-in.org.in/PDF/background.pdf">http://www.cert-in.org.in/PDF/background.pdf</a>></p>
</div>
<div id="ftn89">
<p><a href="#_ftnref89" name="_ftn89">[89]</a> . Section 1, Guidelines for applying to CERT-In for Empanelment of IT Security Audition Organisation, < <a href="http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf">http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf</a>></p>
</div>
<div id="ftn90">
<p><a href="#_ftnref90" name="_ftn90">[90]</a> . Section 2.0, Guidelines for auditee organizations, Version 2.0, IT Security</p>
<p>Auditing Assignment, http://www.cert-in.org.in/PDF/guideline_auditee.pdf</p>
</div>
<div id="ftn91">
<p><a href="#_ftnref91" name="_ftn91">[91]</a> . See <<a href="http://www.cert-in.org.in/PDF/Empanel_org.pdf">http://www.cert-in.org.in/PDF/Empanel_org.pdf</a>></p>
</div>
<div id="ftn92">
<p><a href="#_ftnref92" name="_ftn92">[92]</a> . Rule 4</p>
</div>
<div id="ftn93">
<p><a href="#_ftnref93" name="_ftn93">[93]</a> . Rule 4</p>
</div>
<div id="ftn94">
<p><a href="#_ftnref94" name="_ftn94">[94]</a> . Rule 5 (7)</p>
</div>
<div id="ftn95">
<p><a href="#_ftnref95" name="_ftn95">[95]</a> . See << <a href="http://www.airtel.in/forme/privacy-policy">http://www.airtel.in/forme/privacy-policy</a>>></p>
</div>
<div id="ftn96">
<p><a href="#_ftnref96" name="_ftn96">[96]</a> <i> . 'Information that can be used by itself to uniquely identify, contact or locate a person, or can be used with information available from other sources to uniquely identify an individual. For the purpose of this policy, sensitive personal data or information has been considered as a part of personal information.' </i> Accessed at << <a href="http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 </a> >></p>
</div>
<div id="ftn97">
<p><a href="#_ftnref97" name="_ftn97">[97]</a> . Subscriber's name, father's name, mother's name, spouse's name, date of birth, current and previous addresses, telephone number, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Information related to your utilization of our services which may include your call details, your browsing history on our website, location details and additional information provided by you while using our services. We may keep a log of the activities performed by you on our network and websites by using various internet techniques such as web cookies, web beacons, server log files, etc.</p>
</div>
<div id="ftn98">
<p><a href="#_ftnref98" name="_ftn98">[98]</a> . Password<b>, </b>Financial information -details of Bank account, credit card, debit card, or other payment instrument detail <b>s, </b>Physical, physiological and mental health condition<b>.</b></p>
</div>
<div id="ftn99">
<p><a href="#_ftnref99" name="_ftn99">[99]</a> . Airtel states that if a customer does not provide information or consent for usage of personal information or subsequently withdraws consent, Airtel reserves the right to not provide the services or to withdraw the services for which the said information was sought, Avaliable at: < <a href="http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 </a> ></p>
</div>
<div id="ftn100">
<p><a href="#_ftnref100" name="_ftn100">[100]</a> . See <<a href="http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp">www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp</a>></p>
</div>
<div id="ftn101">
<p><a href="#_ftnref101" name="_ftn101">[101]</a> . See << <a href="http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp"> http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp </a> ></p>
</div>
<div id="ftn102">
<p><a href="#_ftnref102" name="_ftn102">[102]</a> . See << http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office>></p>
</div>
<div id="ftn103">
<p><a href="#_ftnref103" name="_ftn103">[103]</a> . Stakeholders are defined as: employee, associate, strategic partner, vendor</p>
</div>
<div id="ftn104">
<p><a href="#_ftnref104" name="_ftn104">[104]</a> . See << <a href="http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072331247805566Bharti_Airtel_CC_AA-23072013.pdf"> http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072331247805566Bharti_Airtel_CC_AA-23072013.pdf </a> >></p>
</div>
<div id="ftn105">
<p><a href="#_ftnref105" name="_ftn105">[105]</a> . Verification of customer's identity; Complete transactions effectively and bill for products and service; Respond to customer requests for service or assistance; Perform market analysis, market research, business and operational analysis; Provide, maintain and improve Airtel products and services; Anticipate and resolve issues and concerns with Airtel products and services; Promote and market Airtel products and services which it may consider of interest and benefit to customers; and, Ensure adherence to legal and regulatory requirements for prevention and detection of frauds and crimes.</p>
</div>
<div id="ftn106">
<p><a href="#_ftnref106" name="_ftn106">[106]</a> . See << <a href="http://www.airtel.in/forme/privacy-policy/disclosure+and+transfer?contentIDR=745792ad-d6af-4684-85d4-d85773e77356&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/disclosure+and+transfer?contentIDR=745792ad-d6af-4684-85d4-d85773e77356&useDefaultText=0&useDefaultDesc=0 </a> >></p>
</div>
<div id="ftn107">
<p><a href="#_ftnref107" name="_ftn107">[107]</a> . "Airtel may obtain a customer's consent for sharing personal information in several ways, such as in writing, online, through "click-through" agreements; orally, including through interactive voice response; or when a customer's consent is part of the terms and conditions pursuant to which Airtel provides a service."</p>
</div>
<div id="ftn108">
<p><a href="#_ftnref108" name="_ftn108">[108]</a> . Airtel and its employees may utilize some or all available personal information for internal assessments, measures, operations and related activities…"</p>
</div>
<div id="ftn109">
<p><a href="#_ftnref109" name="_ftn109">[109]</a> . Airtel may at its discretion employ, contract or include third parties external to itself for strategic, tactical and operational purposes. Such agencies though external to Airtel, will always be entities which are covered by contractual agreements. These agreements in turn include Airtel's guidelines to the management, treatment and secrecy of personal information</p>
</div>
<div id="ftn110">
<p><a href="#_ftnref110" name="_ftn110">[110]</a> . Airtel may transfer subscriber's personal information or other information collected, stored, processed by it to any other entity or organization located in India or outside India only in case it is necessary for providing services to a subscriber or if the subscriber has consented (at the time of collection of information) to the same. This may also include sharing of aggregated information with them in order for them to understand Airtel's environment and consequently, provide the subscriber with better services. While sharing personal information with third parties, adequate measures shall be taken to ensure that reasonable security practices are followed at the third party."</p>
</div>
<div id="ftn111">
<p><a href="#_ftnref111" name="_ftn111">[111]</a> . Airtel may share subscribers' personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences.</p>
</div>
<div id="ftn112">
<p><a href="#_ftnref112" name="_ftn112">[112]</a> . See<< <a href="http://www.airtel.in/forme/privacy-policy/security+practices+and+procedures?contentIDR=9346516c-c1a1-4bd7-bce0-6945236dceaa&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/security+practices+and+procedures?contentIDR=9346516c-c1a1-4bd7-bce0-6945236dceaa&useDefaultText=0&useDefaultDesc=0 </a> >></p>
</div>
<div id="ftn113">
<p><a href="#_ftnref113" name="_ftn113">[113]</a> . Airtel adopts reasonable security practices and procedures, in line with international standard IS/ISO/IEC 27001, to include, technical, operational, managerial and physical security controls in order to protect a customer's personal information from unauthorized access, or disclosure while it is under our control.</p>
</div>
<div id="ftn114">
<p><a href="#_ftnref114" name="_ftn114">[114]</a> . Airtel's security practices and procedures limit access to personal information on need-only basis. Further, its employees are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal information.</p>
</div>
<div id="ftn115">
<p><a href="#_ftnref115" name="_ftn115">[115]</a> . Airtel takes adequate steps to ensure that its third parties adopt reasonable level of security practices and procedures to ensure security of personal information.</p>
</div>
<div id="ftn116">
<p><a href="#_ftnref116" name="_ftn116">[116]</a> . Airtel may retain a subscriber's personal information for as long as required to provide him/her with services or if otherwise required under any law.</p>
</div>
<div id="ftn117">
<p><a href="#_ftnref117" name="_ftn117">[117]</a> . When Airtel disposes of its customers' personal information, it uses reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media)."</p>
</div>
<div id="ftn118">
<p><a href="#_ftnref118" name="_ftn118">[118]</a> . Airtel maintains the security of its internet connections, however for reasons outside of its control, security risks may still arise. Any personal information transmitted to Airtel or from its online products or services will therefore be at a customer's own risk. It observes reasonable security measures to protect a customer's personal information against hacking and virus dissemination.</p>
</div>
<div id="ftn119">
<p><a href="#_ftnref119" name="_ftn119">[119]</a> . See <<http://www.tatadocomo.com/downloads/data-privacy-policy.pdf</p>
</div>
<div id="ftn120">
<p><a href="#_ftnref120" name="_ftn120">[120]</a> . Information that customers provide to non-TTL companies is not covered by TTL's Policy. For example: When customers download applications or make an online purchase from a non-TTL company while using TTL's Internet or wireless services, the information collected by the non-TTL company is not subject to this Policy. When you navigate to a non-TTL company from TTL websites or applications (by clicking on a link or an advertisement, for example), information collected by the non-TTL company is governed by its privacy policy and not TTL's Privacy Policy. If one uses public forums - such as social networking services, Internet bulletin boards, chat rooms, or blogs on TTL or non-TTL websites, any Personal Information disclosed publicly can be read, collected, or used by others. Once one chooses to reveal Personal Information on such a site, the information is publicly available, and TTL cannot prevent distribution and use of that information by other parties. Information on a wireless Customer 's location, usage and numbers dialed, which is roaming on the network of a non-TTL company will be subject to the privacy policy of the non-TTL company, and not TTL's Policy.</p>
</div>
<div id="ftn121">
<p><a href="#_ftnref121" name="_ftn121">[121]</a> . "Personal Information" is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.</p>
</div>
<div id="ftn122">
<p><a href="#_ftnref122" name="_ftn122">[122]</a> . Personal Information - Some general examples -TTL may collect Confidential Data in different forms such as Personal and other Information based on a customer's use of its products and services. Some examples include, Contact Information that allows us to communicate with you -- including your name, address, telephone number, and e-mail address; Billing information-- including payment data, credit history, credit card number, security codes, and service history.Equipment, Performance, TTL Website Usage, Viewing and other Technical Information about use of TTL's network, services, products or websites.</p>
<p>Technical & Usage Information is clarified in the FAQ's as information<b> </b>related to the services provided, use of TTL's network, services, products or websites. Examples of the Technical & Usage Information collected include: <b>Equipment Information </b>that identifies the equipment used on TTL's network, such as equipment type, IDs, serial numbers, settings, configuration, and software. <b>Performance Information </b>about the operation of the equipment, services and applications used on TTL's network, such as IP addresses, URLs, data transmission rates and latencies, location information, security characteristics, and information about the amount of bandwidth and other network resources used in connection with uploading, downloading or streaming data to and from the Internet. <b>TTL Website Usage Information </b>about the use of TTL websites, including the pages visited, the length of time spent, the links or advertisements followed and the search terms entered on TTL sites, and the websites visited immediately before and immediately after visiting one of TTL's sites.TTL also may collect similar information about a customer's use of its applications on wireless devices. <b>Viewing Information </b>about the programs watched and recorded and similar choices under Value added TTL services and products.</p>
</div>
<div id="ftn123">
<p><a href="#_ftnref123" name="_ftn123">[123]</a> . Ways in which TTL collects information: On the purchase or interaction about a TTL product or service provided; Automatically collected when one visits TTL's websites or use its products and services; Other sources, such as credit agencies.</p>
</div>
<div id="ftn124">
<p><a href="#_ftnref124" name="_ftn124">[124]</a> . See <<a href="http://www.tatateleservices.com/t-customercare.aspx">http://www.tatateleservices.com/t-customercare.aspx</a>></p>
</div>
<div id="ftn125">
<p><a href="#_ftnref125" name="_ftn125">[125]</a> .See< <a href="http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341218463621Tata_CC_AA_1-23072013.pdf"> http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341218463621Tata_CC_AA_1-23072013.pdf </a> ></p>
</div>
<div id="ftn126">
<p><a href="#_ftnref126" name="_ftn126">[126]</a> . To provide the best customer experience possible; Provide the services a customer purchases, respond to customer questions; Communicate with customers regarding service updates, offers, and promotions; Deliver customized content and advertising that may be of interest to customers; Address network integrity and security issues; Investigate, prevent or take action regarding illegal activities, violations of TTL's Terms of Service or Acceptable Use Policies</p>
</div>
<div id="ftn127">
<p><a href="#_ftnref127" name="_ftn127">[127]</a> . <b>Site functionality </b>-Cookies and other tracking tools are used to help TTL analyze, manage and improve websites and storing customer preferences. <b>Advertising </b>TTL and its advertising partners, including Yahoo! and other advertising networks, use anonymous information gathered through cookies and other similar technologies, as well as other information TTL or its advertising networks may have, to help tailor the ads a customer sees on its sites.</p>
</div>
<div id="ftn128">
<p><a href="#_ftnref128" name="_ftn128">[128]</a> . TTL collects some Information on an anonymous basis. TTL also may anonymize the Personal Information it collects about customers. It may obtain aggregate data by combining anonymous data that meet certain criteria into groups.</p>
</div>
<div id="ftn129">
<p><a href="#_ftnref129" name="_ftn129">[129]</a> . In Other Circumstances: TTL may provide Personal Information to non-TTL companies or other third parties for purposes such as: To assist with identity verification, and to prevent fraud and identity theft; Enforcing its agreements and property rights; Obtaining payment for products and services that appear on customers' TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; and to comply to legal and regulatory requirements. TTL shares customer Personal Information only with non-TTL companies that perform services on its behalf, and only as necessary for them to perform those services. TTL requires those non-TTL companies to protect any Personal Information they may receive in a manner consistent with this policy. TTL does not provide Personal Information to non-TTL companies for the marketing of their own products and services without a customer's consent. TTL may share aggregate or anonymous Information in various formats with trusted non-TTL entities, and may work with those entities to do research and provide products and services.</p>
</div>
<div id="ftn130">
<p><a href="#_ftnref130" name="_ftn130">[130]</a> . TTL provides Personal Information to non-TTL companies or other third parties (for example, to government agencies, credit bureaus and collection agencies) without consent for certain purposes, such as: To comply with court orders, subpoenas, lawful discovery requests and other legal or regulatory requirements, and to enforce our legal rights or defend against legal claims, To obtain payment for products and services that appear on customer TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; To enforce its agreements, and protect our rights or property; To assist with identity verification, and to prevent fraud and identity theft; To prevent unlawful use of TTL's services and to assist in repairing network outages; To provide information regarding the caller's location to a public safety entity when a call is made to police/investigation agencies, and to notify the public of wide-spread emergencies; To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay; To display name and telephone number on a Caller ID device;</p>
</div>
<div id="ftn131">
<p><a href="#_ftnref131" name="_ftn131">[131]</a> . Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI), the TTL companies may share your Personal Information with each other to make sure your experience is as seamless as possible, and you have the benefit of what TTL has to offer.</p>
</div>
<div id="ftn132">
<p><a href="#_ftnref132" name="_ftn132">[132]</a> . Customers and Users should be aware that TTL affiliates and non-TTL companies that perform services on behalf of TTL may be located outside the country where customers access TTL's services. As a result, when customer Personal Information is shared with or processed by such entities, it may be accessible to government authorities according to the laws of those jurisdictions.</p>
</div>
<div id="ftn133">
<p><a href="#_ftnref133" name="_ftn133">[133]</a> . TTL has implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL. It has established electronic and administrative safeguards designed to secure the information it collects, to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately. Some examples of those safeguards include: All TTL employees are subject to the internal Code of Business Conduct. The TTL Code requires all employees to follow the laws, rules, regulations, court and/or commission orders that apply to TTL's business such as legal requirements and company policies on the privacy of communications and the security and privacy of Customer records. Employees who fail to meet the standards embodied in the Code of Business Conduct are subject to disciplinary action, up to and including dismissal. TTL has implemented technology and security features and strict policy guidelines to safeguard the privacy of customer Personal Information. TTL has implemented encryption or other appropriate security controls to protect Personal Information when stored or transmitted by it; TTL limits access to Personal Information to those employees, contractors, and agents who need access to such information to operate, develop, or improve its services and products; TTL requires caller/online authentication before providing Account Information so that only the customer or someone who knows the customer's account Information will be able to access or change the information.</p>
</div>
<div id="ftn134">
<p><a href="#_ftnref134" name="_ftn134">[134]</a> . See << <a href="http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf"> http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf </a> >></p>
</div>
<div id="ftn135">
<p><a href="#_ftnref135" name="_ftn135">[135]</a> . See << <a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker">https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker</a> >></p>
</div>
<div id="ftn136">
<p><a href="#_ftnref136" name="_ftn136">[136]</a> . "We have created this Privacy Policy to help you understand how we collect, use and protect your information when you visit our web and WAP sites and use our products and services."</p>
</div>
<div id="ftn137">
<p><a href="#_ftnref137" name="_ftn137">[137]</a> . Vodafone may hold information relating to customers that have been provided (such as on an application or registration form) or that it may has obtained from another source (such as its suppliers or from marketing organisations and credit agencies).</p>
<p>This information may include, amongst other things, a customer's name, address, telephone numbers, information on how a customer uses Vodafone's products and services (such as the type, date, time, location and duration of calls or messages, the numbers called and how much a customer spends, and information on his/her browsing activity when visiting one of Vodafone's group companies' websites), the location of a customer's mobile phone from time to time, lifestyle information and any other information collected in relation to his/her use of Vodafone's products and services ("information").</p>
<p>It may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts with its website, and web-related products and services.</p>
<p>It may use a persistent cookie to record details such as a unique user identity and general registration details on your PC. Vodafone states that most browser technology (such as Internet Explorer, Netscape etc) allows one to choose whether to accept cookies or not - a customer can either refuse all cookies or set their browser to alert them each time that a website tries to set a cookie.</p>
</div>
<div id="ftn138">
<p><a href="#_ftnref138" name="_ftn138">[138]</a> . In case of any concerns the privacy officer can be contacted at <a href="mailto:privacyofficer@vodafone.com">privacyofficer@vodafone.com</a>. Additionally details of the Grievance Redressal Officers is provided via the TRAI website. (TRAI website: <a href="http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf"> http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf </a> _</p>
</div>
<div id="ftn139">
<p><a href="#_ftnref139" name="_ftn139">[139]</a> . The information that Vodafone collects from customers is held in accordance with applicable laws and regulations in India. It may be used by us for a number of purposes connected with its business operations and functions, which include:</p>
<p>2.1 Processing customer orders or applications;</p>
<p>2.2 Carrying out credit checking and scoring (unless Vodafone have agreed otherwise);</p>
<p>2.3 Providing the customer with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering his/her account;</p>
<p>2.4 Billing</p>
<p>2.5 Settling accounts with those who provide related services to Vodafone;</p>
<p>2.6 Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes;</p>
<p>2.7 Carrying out market and product analysis and marketing Vodafone and its group companies' products and services generally;</p>
<p>2.8 Contacting a customer (including by post, email, fax, short text message (SMS), pager or telephone) about Vodafone and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to customers (unless a customer asks us in writing not to). Electronic marketing messages may not include a marketing facility.</p>
<p>2.9 Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that a customer may have in respect of our and our group companies' schemes.</p>
<p>2.10 inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party (subject to any objection or preference a customer may have indicated to us in writing);</p>
<p>2.11 carrying out any activity in connection with a legal, governmental or regulatory requirement on Vodafone or in connection with legal proceedings, crime or fraud prevention, detection or prosecution;</p>
<p>2.12 carrying out activities connected with the running of Vodafone's business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Vodafone's business with respect to a customer or a potential customer.</p>
</div>
<div id="ftn140">
<p><a href="#_ftnref140" name="_ftn140">[140]</a> . In the need for disclosure to third parties, the personal information will only be disclosed to the third parties below:</p>
<p>3.1 Vodafone's group companies who may in India use and disclose your information for the same purposes as us;</p>
<p>3.2 those who provide to Vodafone or its group companies products or services that support the services that we provide, such as our dealers and suppliers;</p>
<p>3.3 credit reference agencies (unless Vodafone has agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Vodafone makes against a customer's name;</p>
<p>3.4 if someone else pays a customer's bill, such as a customer's employer, that person;</p>
<p>3.5 those providing telephone and similar directories or directory enquiry services</p>
<p>3.6 anyone Vodafone transfers business to in respect of which a person is a customer or a potential customer;</p>
<p>3.7 anyone who assists Vodafone in protecting the operation of the Vodafone India networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;</p>
<p>3.8 persons to whom Vodafone may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services;</p>
<p>3.9 any person or organisation as authorised by laws and regulations applicable in India.</p>
<p>If a customer has opted in to receiving marketing material from Vodafone, it may also provide customer's personal information to carefully selected third parties who we reasonably believe provide products or services that may be of interest to customers and who have contracted with Vodafone India to keep the information confidential, or who are subject to obligations to protect your personal information.</p>
<p>To opt-out of receiving Vodafone marketing materials,customers can send a 'Do Not Disturb' message to Vodafone. If a customer wishes to use Vodafone products or services abroad, his/her information may be transferred outside India to that country. Vodafone's websites and those of its group companies may also be based on servers located outside of India.</p>
</div>
<div id="ftn141">
<p><a href="#_ftnref141" name="_ftn141">[141]</a> . Vodafone takes reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorized access, modification or disclosure.</p>
<p>Vodafone makes every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to it or from its online products or services will be at a customer's own risk, however, it will use its best efforts to ensure that any such information remains secure. Vodafone cannot protect any information that a customer makes available to the general public - for example, on message boards or in chat rooms.</p>
<p>Vodafone may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts.</p>
</div>
<div id="ftn142">
<p><a href="#_ftnref142" name="_ftn142">[142]</a> . See <<a href="http://www.vodafone.com">http://www.vodafone.com</a>></p>
</div>
<div id="ftn143">
<p><a href="#_ftnref143" name="_ftn143">[143]</a> . See < <a href="http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html"> http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html </a> ></p>
</div>
<div id="ftn144">
<p><a href="#_ftnref144" name="_ftn144">[144]</a> . <a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061"> http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 </a> (Scope - This Privacy Policy has been created to help customer's understand how Aircel collects, uses and protects customer information when one visits its web and WAP sites and use its products and services.)</p>
</div>
<div id="ftn145">
<p><a href="#_ftnref145" name="_ftn145">[145]</a> . This information may include, amongst other things, customer's name, father's name, mother's name, spouse's name, date of birth, address, telephone numbers, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Aircel may also hold information related to utilization of its services. This may include customer call records, browsing history while surfing Aircel's website, location details and additional information provided by customer while using our services.</p>
<p>Aircel may keep a log of the activities performed by a customer on its websites by using various internet techniques such as web cookies, web beacons, server log files, etc.</p>
<p>Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with Aircel's website, and web-related products and services</p>
<p>Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on customer's Personal Computers.</p>
</div>
<div id="ftn146">
<p><a href="#_ftnref146" name="_ftn146">[146]</a> . In case a customer does not provide information or consent for usage of personal information or later on withdraw consent for usage of the personal information so collected, Aircel reserves the right to discontinue the services for which the said information was sought.</p>
</div>
<div id="ftn147">
<p><a href="#_ftnref147" name="_ftn147">[147]</a> . In case of any feedback or concern regarding protection of personal information, customers can contact Aircel's <b>Circle Care ID.</b> Alternatively, one may also direct your privacy-related feedback or concerns to the <b>Circle Nodal Officer.</b> (e.g. - Delhi Circle Nodal details are as mentioned below):</p>
<p><b>1. </b> <b>Name: Moushumi De</b></p>
<p><b> Contact Number: 9716199209</b></p>
<p><b> E-mail: </b> <a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061"> <b>nodalofficer.delhi@aircel.co.in</b> </a></p>
<p>Further it provides for a general customer grievance redressal mechanism</p>
<p>Additionally details of the Grievance Redressal Officers is provided via the TRAI website.</p>
<p><b> To resolve all concerns, Aircel has established a 2-tier complaint handling mechanism.</b> <b>Level I: Our Customer Touch Points</b> As an Aircel customer you have the convenience to contact at Customer Interface Points via email, post or telephone. <b>Level II - Appellate Authority</b>Despite the best efforts put by Aircel's executive, if a customer is still not satisfied with the resolution provided then he/she may submit his/her concern to the Appellate Authority of the circle. Comments - However this information contradicts the mechanism provided under Aircel's Manual of Practice for handling Consumer Complaints which provides for a 3<b>-</b>tier complaint handling mechanism.</p>
<p>[According to the DoT - The <b> earlier three-tier complaint redressal mechanism - Call center, Nodal Center and Appellate Authority, has been replaced by a two-tier </b> one by doing away with the level of Nodal Officer. This is because the Complaint Centres are essentially registration and response centres and do not deal with the resolution of complaints. They only facilitate registration of consumer complaint and the level at which a problem is resolved within a company depends upon the complexity of the issue involved.]</p>
</div>
<div id="ftn148">
<p><a href="#_ftnref148" name="_ftn148">[148]</a> . It may be used by us for a number of purposes connected with our business operations and functions, which include:</p>
<p>1. Processing customer orders or applications.</p>
<p>2. Carrying out credit checking and scoring (unless agreed otherwise).</p>
<p>3. Providing customers with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering a customer's account.</p>
<p>4. Billing (unless there exists another agreed method).</p>
<p>5. Settling accounts with those who provide related services to Aircel.</p>
<p>6. Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes.</p>
<p>7. Carrying out market and product analysis and marketing our and our group companies' products and services generally.</p>
<p>8. Contacting customers (including by post, email, fax, short text message (SMS), pager or telephone) about Aircel and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to a customer (unless a customer says 'no' in writing). Electronic messages need not have an unsubscribe facility.</p>
<p>9. Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that customers may have in respect of Aircel and its group companies' loyalty or reward programmes and other similar schemes.</p>
<p>10. Inclusion in any telephone or similar directory or directory enquiry service provided or operated by Aircel or by a third party (subject to any objection or preference a customer may have indicated in writing).</p>
<p>11. Carrying out any activity in connection with a legal, governmental or regulatory requirement on Aircel or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.</p>
<p>12. Carrying out activities connected with the running of business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Aircel's business with respect to a customer or potential customer. Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with our website, and web-related products and services, to:</p>
<p>● Understand what a customer likes and uses about Aircel's website.</p>
<p>● Provide a more enjoyable, customised service and experience</p>
<p>Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on your Personal Computer.</p>
</div>
<div id="ftn149">
<p><a href="#_ftnref149" name="_ftn149">[149]</a> . Where Aircel needs to disclose your information to third parties, such third parties will be:</p>
<p>1. Group companies who may use and disclose your information for the same purposes as us.</p>
<p>2. Those who provide to Aircel or its group companies products or services that support the services that we provide, such as our dealers and suppliers.</p>
<p>3. Credit reference agencies (unless we have agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Aircel make against your name.</p>
<p>4. If someone else pays a customer's bill, such as an employer.</p>
<p>5. Those providing telephone and similar directories or directory enquiry services.</p>
<p>6. Anyone Aircel transfers its business to in respect of which you are a customer or a potential customer.</p>
<p>7. Anyone who assists Aircel in protecting the operation of the Aircel networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities.</p>
<p>8. Persons to whom Aircel may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services. If a customer has opted in to receiving marketing material from Aircel, it may also provide personal information to carefully selected third parties who it reasonably believes to provide products or services that may be of interest to customers and who have contracted with Aircel to keep the information confidential, or who are subject to obligations to protect customer personal information.</p>
</div>
<div id="ftn150">
<p><a href="#_ftnref150" name="_ftn150">[150]</a> . We adopt reasonable security practices and procedures to include, technical, operational, managerial and physical security control measures in order to protect your personal information from unauthorized access, or disclosure while it is under our control.Our security practices and procedures limit access to personal information on need to know basis. Further, our employees, to the extent they may have limited access to your personal information on need to know basis, are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal informationWe take adequate steps to ensure that our third parties adopt reasonable level of security practices and procedures to ensure security of personal information</p>
<p>We may retain your personal information for as long as required to provide you with services or if otherwise required under any law. We, however assure you that Aircel does not disclose your personal information to unaffiliated third parties (parties outside Aircel corporate network and its Strategic and Business Partners) which could lead to invasion of your privacy</p>
<p>When we dispose off your personal information, we use reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media).</p>
<p>We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification or disclosure. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information you provide on computer systems with limited access, which are located in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Secure Socket Layer (SSL) protocol. If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving a site or service to protect access to your information from subsequent users.</p>
<p>We make every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk, however we will use our best efforts to ensure that any such information remains secure.</p>
</div>
<div id="ftn151">
<p><a href="#_ftnref151" name="_ftn151">[151]</a> . http://www.acttv.in/index.php/privacy-policy</p>
</div>
<div id="ftn152">
<p><a href="#_ftnref152" name="_ftn152">[152]</a> . "When you register, we ask for information such as your name, email address, birth date, gender, zip code, occupation, industry, and personal interests.</p>
<p>The Company collects information about your transactions with us and with some of our business partners, including information about your use of products and services that we offer."</p>
</div>
<div id="ftn153">
<p><a href="#_ftnref153" name="_ftn153">[153]</a> . Not provided for on the TRAI website as ACT is not a telecom.</p>
</div>
<div id="ftn154">
<p><a href="#_ftnref154" name="_ftn154">[154]</a> . The Company can use information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.</p>
<p>The Company collects personal information when you register with the Company, when you use the Company products or services, when you visit the Company pages or the pages of certain partners of the Company. The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you.</p>
</div>
<div id="ftn155">
<p><a href="#_ftnref155" name="_ftn155">[155]</a> . Aircel provide the information to trusted partners who work on behalf of or with the Company under confidentiality agreements. These companies may use customer personal information to help the Company communicate about offers from the Company and marketing partners.</p>
<p>Aircel believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Company's terms of use, or as otherwise required by law.</p>
<p>Aircel transfer information about a customer if the Company is acquired by or merged with another company under a different management. In this event, the Company will notify a customer before information about a customer is transferred and becomes subject to a different privacy policy.</p>
<p>The Company plans to display targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click on targeted ads meet the targeting criteria - for example, women ages 18-24 from a particular geographic area.</p>
<p>The Company will not provide any personal information to the advertiser when customers interact with or view a targeted ad. However, by interacting with or viewing an ad a customer consents to the possibility that the advertiser will make the assumption that he/she meets the targeting criteria used to display the ad.</p>
</div>
<div id="ftn156">
<p><a href="#_ftnref156" name="_ftn156">[156]</a> . Rule 8.</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules'>https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2015-01-13T02:37:31ZBlog EntryA Stolen Perspective
https://cis-india.org/internet-governance/blog/privacy/privacy_astolenperspective
<b>The note below is a perspective piece on biometrics. On March 11th I traveled down to the Philippines, and had a chance to experience the possible convenience of biometric based identification.</b>
<h3>A Sequence of Events </h3>
<p>On the evening of March 11th I found myself on a plane destined to the Philippines for a week long joint privacy and ICT development conference in Bohol. After a 14 hour journey I landed in Manila, and was welcomed by the hot tropical weather, so familiar to the Philippines. Hungry I quickly dropped my checked bag at the hotel, and taking my backpack, set out immediately to explore Filipino food culture. Over a dinner of rice and grilled chicken, the standard local cuisine every tourists nightmare came true for me. I was robbed. While eating a group of men made a commotion around me and snatched my bag. Much to my distress the thief was able to get away with not only money and my camera, but my entire wallet consisting of my passport, Indian visa, Canadian visa, health card, FRO paper, and debit cards. In a nutshell – the wallet had every document essential and of value to my life. Little does the thief know, but his one snatching act has made me reconsider many aspects of my life, including my position on biometric forms of identification.</p>
<p>For the past several months I have been researching biometric forms of identification in response to the UID scheme that is being proposed in India. My stance on biometrics in my research has always been neutral – trying to draw out both the pro’s and the con’s of using biometrics. Personally though, I had always swayed away from the idea of my biometric being the strongest form of identification. The possibility that my daily motions could be easily tracked through the constant use of my finger print for transactions never settled well with me. Potential convergence of databases, unreliable technology, the possibility of stolen fingerprints, no choice to use other forms of identification have all been concerns that swayed me to the less optimistic side of the debate. But after jumping over hurdle after hurdle that came along with trying to replace the lost paper documents, and sweating at night thinking of all the possible ways the thief could exploit my papers, I am more privy to the idea of biometrics as a strong form of identification. </p>
<p>The process of recovering my documents started off with a police report and the cancelling of my cards. The second task was not as easy as I had hoped, as I had not brought photocopies of my cards. Thus, it took me three hours to actually cancel my cards. Throughout the whole process I kept thinking that if my account was only accessible through my fingerprint – I would not have to worry about closing the accounts. Or if I could have identified, verified, and cancelled my account with the use of a cell phone equipped with a fingerprint reader, I would not have had the stress of rushing around trying to find adequate information to cancel my bank account.</p>
<p>The next step in the process started early Monday morning when I set out to the American Embassy. Luckily the hotel had taken a copy of my American passport (I did not have a photocopy of this either). With the copy of the passport, police report, and my social security number – the American embassy was able to pull up my information, and issue me an emergency passport that would be valid for three months. If I had not had a copy of my passport – the process of getting an emergency passport I can only imagine would have been even more challenging. As I sat for hours in the embassy my mind wandered to the thief and the known market for American passports. I could not help but think about how much more secure my passport would be if verification was based on my fingerprints accompanied by a passport, rather than just my passport and a picture. Speaking with the embassy officer confirmed my thoughts. He talked about how fake American passports are becoming harder and harder to use now that the biometric has been introduced. In this situation the biometric would be a form of convenience and security – a way of lowering the risks of my stolen passport from being misused and my identity from being taken advantage of. </p>
<p></p>
<p style="text-align: justify;">On Tuesday morning I took on the
challenge of the Indian embassy. I officially came to India 8 months ago on an employment visa. When I
explained my situation to the embassy I hit my first road block of the day. By
rule, all matters relating to employment visa’s must be handled by and at the place
of issuance. Country databases do not talk between eachother – thus the Indian
embassy in the Philippines could not contact the Indian embassy in the States
or in India to verify my information. Therefore,
for my employment visa to be replaced I would need to return to New York and
speak with the embassy there. This was not an option. Speaking again with the
officer, he finally suggested a tourist visa. Typically tourist visa’s are not
issued on 3 months passports (my emergency passport was only three months), but
the officer made an exception and agreed to issue a tourist visa. When I went
to pay for my tourist visa I hit my second road block of the day. I was lucky
and had kept one credit card in another bag, but as it turns out, the Indian
embassy only accepted cash. The day was almost over and I needed to pay for my
application for it to be processed. The officer had already made an additional
exception, and had agreed to process my visa in three days (when my return
flight to India was scheduled) rather than the typical six working days. Trying
to think on my feet I sped to the nearest mall and tried to take money out of
an ATM. No luck. I tried to get cash back on a grocery store purchase. No luck.
I tried to western union myself money from my VISA. No luck. Finally I was able
to get through to a friend of my boss who could loan me the cash, but not until
the next morning. So, I rushed back to the embassy and begged with the officer
to process my visa in two days rather than one. Thankfully he agreed. Riding the local metro back to my hotel I
thought again about how convenient it would have been to have my credit
accessible through my fingerprint, and not have to rely on a card.</p>
<h3 style="text-align: justify;">Biometric is a convenience: </h3>
<p>This experience, and the many hurdles that I needed to jump in order to replace my lost papers made me realize that one side of the biometric debate that is often glazed over with talk of security and privacy, is that of convenience. It would have been incredibly convenient if on my initial visit to the American Embassy they had been able to pull up my entire file, re-issue me my lost passport and visas, and accepted payment through credit accessed through my fingerprint and a pin. Though I am still aware of the risks associated with biometrics as a form of identity, this experience has shown me the positive side and convenience of having a biometric identification rather than paper forms of identification.</p>
<h3>Perhaps there is a privacy happy medium:</h3>
<p>This experience has shown me that the use of biometric technology has many benefits. I do not think it is too far a leap to say that biometrics can be convenient and privacy enhancing. For instance, based off of research done by the Canadian Government on biometrics, there are many pivotal areas of biometrics which determine whether they are used in a way that enhances privacy or used in a way which invades privacy such as:</p>
<ul><li><strong>Distinguish between authentication and identification:</strong></li></ul>
<p> Identification involves a comparison of one biometric against all collected biometrics in one central database. Authentication involves a comparison of a live biometric against a stored template. Thus , the central database should not be accessed for both authentication and identification processes . Placing a biometric on a smart card puts the control of access for authentication in the hands of the data subject [1].</p>
<ul><li><strong>Encryption </strong></li></ul>
<p>A biometric should be encrypted whenever it is used. A biometric should be encrypted to this degree that it is not possible to reconstruct the biometric data. After an encrypted version of the biometric is made, the original biometric should be deleted [2].</p>
<ul><li><strong>No unique identification</strong> </li></ul>
<p>A fingerprint scan should not, and cannot be used alone to identify an individual [3].</p>
<ul><li><strong>Access control</strong></li></ul>
<p>Strict control on access regarding third parties should be enforced. To bolster this point, a warrant or court order should be required for access by external agencies.</p>
<ul><li><strong>Transactional information stored separately</strong></li></ul>
<p>Transactional information about a person should be stored separately from personal identifiers such as name or date of birth [4].</p>
<ul><li><strong>Procedural safeguards given legality </strong></li></ul>
<p>All procedural and technical safeguards that are established should be placed in a legislation to give them the force of the law.</p>
<h3>Biometrics in India</h3>
<p>Though there is no way to make a biometric perfectly safe, these standards, if enforced, I believe work to ensure that a biometric is as secure as possible. In India biometrics has become a controversial topic as the country is currently considering/has begun to implement the UID – an identity scheme based off of biometrics. Concerns with the project include the centralized storage of biometric information, the possibility of tracking individuals through the use of their biometric, and the unreliability of the technology. For example in an article found in Money Life, test results from the UID project showed the possibility of up to 15,000 false positives for every Indian resident [5]. Biometrics have been used in India even before the UID scheme. In 2009 schools proposed to use biometrics as a way of marking attendance for both the students and the teachers in order to decrease the dropout rate and insure that teachers are present in school [6] . Also in 2009 fishermen in the coastal village of Awas were issued the biometric based multi-purpose National Identity Card [7]. The MNIC scheme was later dropped. Clearly India is in a position where she must think about the convenience of biometrics weighed against the privacy risks, and determine how biometric use in India should be secured in order to find a balance between the two. </p>
<h3>Bibliography</h3>
<ol><li>Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10</li><li> Cavoukian, Dr. Ann. Privacy and Biometrics. Information and Privacy Commissioner Ontario, Canada. Pg. 4 <br /></li><li>Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10</li><li>Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.9</li><li>http://www.moneylife.in/article/how-uidai-goofed-up-pilot-test-results-to-press-forward-with-uid- scheme/14863.html</li><li>http://articles.timesofindia.indiatimes.com/2009-02-25/mumba</li><li>http://28038452_1_smart-cards-biometric-coastal-villages<br /></li></ol>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_astolenperspective'>https://cis-india.org/internet-governance/blog/privacy/privacy_astolenperspective</a>
</p>
No publisherelonnai2012-03-21T09:43:51ZBlog EntryA Review of the Policy Debate around Big Data and Internet of Things
https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things
<b>This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.</b>
<h3>Defining and Connecting Big Data and Internet of Things</h3>
<p style="text-align: justify; ">The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the <i>velocity</i> at which data is generated, the <i>volume</i> of data that is generated, and the <i>variety</i> of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.</p>
<h3>General Implications of Big Data and Internet of Things</h3>
<p style="text-align: justify; ">Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that it can bring. From improving an organizations business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.</p>
<p style="text-align: justify; ">At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article <i>"Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon"</i> propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled " <i>The Societal Impact of the Internet of Things</i>" points out that often users of Big Data assume that information and conclusions based on digital data is reliable and in turn replace other forms of information with digital data.[6]</p>
<p style="text-align: justify; ">Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]</p>
<h3>Regulation of Big Data and Internet of Things</h3>
<p style="text-align: justify; ">The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article <i>"Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"</i>stress the importance of bringing in 'data due process rights' i.e ensuring fairness in the analytics of Big Data and how personal information is used.[8] While Solon Barocas and Andrew Selbst in the article <i>"Big Data's Disparate Impact"</i> explore if present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]</p>
<p><strong>The Impact of Big Data and IoT on Data Protection Principles</strong></p>
<p style="text-align: justify; ">In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:</p>
<ol>
<li style="text-align: justify; "><strong>Collection Limitation:</strong> As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]</li>
<li><strong>Consent: </strong>As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]</li>
<li><strong>Data Minimization:</strong> As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]</li>
<li><strong>Notice:</strong> As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]</li>
<li><strong>Purpose Limitation:</strong> As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]</li>
<li><strong>Necessity: </strong>As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]</li>
<li><strong>Access and Correction:</strong> As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]</li>
<li><strong>Opt In and Opt Out Choices: </strong>Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]</li>
<li><strong>PI:</strong> As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]</li>
<li><strong>Data Controller:</strong> In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]</li>
</ol>
<h3 style="text-align: justify; ">Possible Technical and Policy Solutions</h3>
<p style="text-align: justify; ">In a Report titled "<i>Internet of Things: Privacy & Security in a Connected World</i>" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:</p>
<ul>
<li>Automatically delete data after a specified period of time [21] (addressing concerns of data retention)</li>
<li>Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)</li>
<li style="text-align: justify; ">Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)</li>
<li style="text-align: justify; ">Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)</li>
<li style="text-align: justify; ">Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)</li>
<li style="text-align: justify; ">Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)</li>
<li>Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)</li>
<li>Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)</li>
</ul>
<p style="text-align: justify; ">Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]</p>
<p>Experts have also suggested that more emphasis should be placed on the principles and practices of:</p>
<ul>
<li>Transparency,</li>
<li> Access and correction,</li>
<li>Use/misuse</li>
<li>Breach notification</li>
<li>Remedy</li>
<li>Ability to withdraw consent</li>
</ul>
<p style="text-align: justify; ">Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]</p>
<h3>Possible Regulatory Frameworks</h3>
<p style="text-align: justify; ">To the question - are current regulatory frameworks adequate and is additional legislation needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol - hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Shultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - as they say "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Shultz more broadly note that there are conceptual differences between privacy law and big data that pose as serious challenges i.e privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Shultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and the EU regulation including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers empowering individuals and promoting competitive market structures or adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches, seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]</p>
<h3>Conclusion</h3>
<p style="text-align: justify; ">A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is either creating a regulatory dilemma– with policy makers searching for ways to control the unpredictable nature of big data through policy and technology through the merging of policy areas, the honing of existing policy mechanisms, or the broadening of existing policy mechanisms - while others are ignoring the change that Big Data brings with it and are forging ahead with its use.</p>
<p style="text-align: justify; ">Answering the 'how do we regulate Big Data” question requires <strong>re-conceptualization of data ownership and realities</strong>. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution to a country's economy and security that this data plays. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of <strong>critical</strong> <strong>national infrastructure of a nation, </strong>and accorded the security, protections, and legal backing thereof to <strong>prevent the misuse of the resource by the private or public sectors, local or foreign governments</strong>. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.</p>
<p style="text-align: justify; ">In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation a <strong>National Data Archive</strong> with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.</p>
<hr />
<p style="text-align: justify; ">[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</p>
<p style="text-align: justify; "><i>[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/</i></p>
<p style="text-align: justify; ">[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: <a href="https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf">https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564</p>
<p style="text-align: justify; ">[5] Danah Boyd, Kate Crawford. <a href="http://www.tandfonline.com/doi/abs/10.1080/1369118X.2012.678878">CRITICAL QUESTIONS FOR BIG DATA</a>. In<a href="http://www.tandfonline.com/toc/rics20/15/5">formation, Communication & Society </a> Vol. 15, Iss. 5, 2012. Available at: <a href="http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878">http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: <a href="http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf">http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[7] ARTICLE 29 Data Protection Working Party. (2014). <i>Opinion 8/2014 on the on Recent Developments on the Internet of Things.</i> European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</p>
<p style="text-align: justify; ">[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784</p>
<p style="text-align: justify; ">[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899</p>
<p style="text-align: justify; ">[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899</p>
<p style="text-align: justify; ">[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">h</a><a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.</p>
<p style="text-align: justify; ">[13] Omer Tene and Jules Polonetsky, <i>Big Data for All: Privacy and User Control in the Age of Analytics</i>, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).</p>
<p style="text-align: justify; ">[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">h</a><a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Infomation Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf</p>
<p style="text-align: justify; ">[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">h</a><a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14<sup>th</sup> 2013. Available at: <a href="http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf">http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[18] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[20] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[21] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[22] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[23] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[24] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[29] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[31] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[33] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[35] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1<sup>st</sup> 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf</p>
<p style="text-align: justify; ">[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25<sup>th</sup> 2015. Available at: <a href="http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/">http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/</a>. Accessed: August 8<sup>th</sup> 2015.</p>
<p style="text-align: justify; ">[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7<sup>th</sup> 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415</p>
<p style="text-align: justify; ">[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10<sup>th</sup> 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things'>https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things</a>
</p>
No publisherelonnaiInternet GovernanceBig Data2015-08-17T08:36:18ZBlog EntryA Public Meeting on DNA Profiling Bill in Delhi
https://cis-india.org/internet-governance/blog/public-meeting-on-dna-profiling-bill
<b>On September 27, 2012, the Centre for Internet and Society hosted a public talk at the Indian International Centre focused on the draft DNA Profiling Bill. Presenting at the meeting were international experts Dr. Helen Wallace, director of GeneWatch UK and Jeremy Gruber, president and executive director of the Council for Responsible Genetics US, and Dr. Anupuma Raina, senior scientist at AIIMs.</b>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The use of DNA samples for forensics purposes has been increasing as law enforcement in India are relying on DNA samples as a source of evidence to solve crimes. India currently does not have a legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was been leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Opening the meeting was a presentation by Dr. Anupama that focused on how DNA analysis has been used in various cases in India. Dr. Anupama emphasized the important role that DNA plays and the usefulness of the technology, but also cautioned that the police are still perfecting the use of DNA samples for forensic purposes. She promoted the passing of the DNA profiling bill with the correct safeguards. Dr. Anupama also provided insight into the current procedure for DNA analysis in India noting that consent is taken from individuals before taking DNA samples, and that ethical clearance is taken before DNA samples are taken and used for research purposes. She also noted that labs are working on improving quality insurance and emphasized the importance of chain of custody in ensuring that DNA samples are not contaminated.</p>
<p style="text-align: justify; ">Following Dr. Anupama, Jeremy Gruber spoke about the US experience with DNA databases and explained how DNA testing was initially introduced as a tool for establishing additional evidence for convicting violent felony offenders or freeing innocent individuals on a case to case basis. He explained how the technology of DNA sampling and its use in forensic cases can be both a useful tool when used justly and democratically, or can be harmful when used unjustly and undemocratically. He noted that there has been an increase in the routine use and retention of DNA by law enforcement today for purposes such as using DNA databases for familial searching purposes, and using DNA analysis to create profiles of individuals. Concerns that Jeremy Gruber raised with respect to the draft DNA Profiling Bill included the assumption in the preamble of the bill that DNA is an infallible piece of evidence, pointing out that when DNA is used for forensic purposes it is vulnerable to inaccuracies such as false matches, sample contamination, and analysis error. He also made the point that the definitions found in the bill are overly broad and work to expand the scope by defining a wide range of crimes for which individuals will be added to the DNA database for. These broad definitions essentially turn the database into an all crimes database. Other concerns with the bill included that DNA laboratories are not clearly independent of the police, and that the bill allows for the additional collection of DNA from missing persons and victims.</p>
<p style="text-align: justify; ">In her presentation, Dr. Helen Wallace described the UK experience, where the first DNA database was established in 1995. In 2000 a major expansion of the UK DNA database took place, but was controversial for a number of reasons. In 2008 the European Court of Justice ruled that the regime of retaining DNA samples in the UK was unlawful and a breach of privacy. Now the UK law requires that only a barcode with identifying information be stored. Dr. Wallace also emphasized the fact that the number of convictions resulting from DNA <span>detections</span> has not increased as the UK DNA database has expanded, because the number of solved crimes is driven by the number of crime scene samples. Thus, samples on a database are only useful if they relate directly to the crime scene and a possible criminal. Therefore the more profiles that are added to the database that are related to petty crimes, civil cases, victims, volunteers etc. the less efficient and accurate the database becomes. Dr. Wallace recommended that a DNA database contain only careful crime scene evidence in order to ensure samples are matched accurately. Concerns with the DNA profiling Bill emphasized by Dr. Wallace included that consent is not provided for in the bill, and court orders are not required. Furthermore, the bill does contain a removal process, and it is unclear what DNA profiling system will be used.</p>
<p style="text-align: justify; ">Responding to the presentations made by the speakers, members of the audience raised concerns over the use of DNA sampling in India for reasons beyond forensic purposes, such as requiring surrogate mothers and the children to undergo DNA tests. Other members of the audience pointed out that the bill does not address the rights of suspects and prisoners. Additionally the question of the evidentiary weight of DNA samples in court was raised, along with the concern that the broad collection of DNA samples from individuals is just another example of the growing trend by the Indian government to collect and store information about its citizens.</p>
<ul>
<li><a href="https://cis-india.org/internet-governance/blog/uk-dna-database-and-european-court-of-human-rights.ppt" class="internal-link">Download Dr. Helen Wallace's presentation</a></li>
</ul>
<ul>
<li><a href="https://cis-india.org/internet-governance/blog/forensic-dna-databases.ppt" class="internal-link">Download Jeremy Gruber's presentation</a></li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/public-meeting-on-dna-profiling-bill'>https://cis-india.org/internet-governance/blog/public-meeting-on-dna-profiling-bill</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-10-10T10:58:32ZBlog EntryA Privacy Meeting with the Federal Trade Commission in New Delhi
https://cis-india.org/internet-governance/blog/privacy-meeting-with-ftc-new-delhi
<b>On September 20, the Centre for Internet and Society held a roundtable meeting with Betsy Broder, Counsel for International Consumer Protection, and Sarah Schroeder, Attorney, Bureau of Consumer Protection, Federal Trade Commission (FTC), United States. The meeting took place at the Imperial, Janpath, New Delhi and discussed both the U.S framework to privacy and potential frameworks and challenges to privacy in India.</b>
<p style="text-align: justify; ">As a note, thoughts shared during the meeting represented personal perspectives, and did not constitute the official position of the Federal Trade Commission.</p>
<p style="text-align: justify; ">When explaining the U.S regulatory framework for privacy the FTC attorneys highlighted that the United States does not have comprehensive privacy legislation, like in Europe, but instead has sectoral laws that address different aspects of privacy. For example, the Fair Credit Reporting Act maintains confidentiality of consumer credit report information, the Gramm Leach Bliley Act imposes privacy and security requirements for financial institutions, HIPAA applies to patient health information, and the Children’s Online Privacy Protection Act prevents the collection and posting of personal information from minors. It was discussed that the sectoral model followed by the United States allows for a nuanced balance to be struck between privacy protection and the market. It was noted, however, that some have critiqued the U.S. regulatory framework for lacking clear principles that apply to the commercial world and lay out strong privacy protections for the individual. In light of this, the White House is developing a Privacy Bill of Rights.</p>
<p style="text-align: justify; ">The Federal Trade Commission is an independent agency in the United States Government with responsibility for enforcing both consumer protection and competition laws. It is composed of five commissioners, and a staff of roughly 1,000, which includes attorneys and economists. The FTC is primarily a law enforcement agency, but also undertakes policy development through workshops and reports, Consumer education is another key function of the agency.</p>
<p style="text-align: justify; ">On the consumer protection side, Congress has directed the FTC to enforce the Federal Trade Commission Act, as well as some more specific statutes, such as those that protect consumers from unwanted telemarketing laws, and the protection of children on line. Its main objectives are to protect consumer interests, and prevent fraud and unfair and deceptive business practices. The FTC carries out its privacy work through its consumer protection mission.</p>
<p style="text-align: justify; ">When understanding the FTC’s role in relation to privacy, it is important to understand that the FTC’s jurisdiction applies only to certain industries as defined by Congress. Thus, for example, the FTC does not have jurisdiction over banks or telecommunications.</p>
<p style="text-align: justify; ">The most critical part of the FTC’s activities is its law enforcement function. The FTC can investigate an organization if the staff believes that the entity may be involved in conduct that contravenes the FTC Act’s prohibition on unfair or deceptive practices, or another specific privacy law. The FTC has brought a number of privacy-related cases against major companies including Facebook, Google, ChoicePoint, and Twitter. Many of these cases address new challenges brought about by rapidly changing technologies.</p>
<p style="text-align: justify; ">The vast majority of the FTC’s actions have been settled with consent judgments. When the statute that the FTC enforces allows for the imposition of a civil penalty, the FTC sets the penalty at a level that ensures that it is fair and provides a deterrent, but will not impose a hardship on the company. As a civil enforcement agency, the FTC cannot seek criminal sanctions. While enforcement is the cornerstone of the FTC’s approach to privacy, the agency also supports self-regulation, where appropriate. In this system the FTC does not pre-approve an organization’s practices or define principles that all companies should abide by as it is felt that every organization is unique and has different needs and abilities, and assigning specific technical standards may stifle innovation.</p>
<p style="text-align: justify; ">In the meeting it was also discussed how US privacy laws may apply to overseas companies where they are providing services for US consumers or working on behalf of US companies. For example, under the Gramm Leach Bliley Act the FTC has created the Safeguards Rule, which speaks to how financial data by financial institutions must be handled and protected. This Rule applies to companies overseas if the company is performing work for US companies or US consumers. In other words, a US company cannot avoid compliance by outsourcing its work to an off shore organization. Discussions during the meeting also focused on consent and the key role that context, accessibility, and timing play in ensuring individuals have the ability to provide informed consent. Some of the attendees suggested that this practice could be greatly improved in India. For example, currently in India there are companies that only provide consumers access to the company privacy policy after an individual has consented and signed up to the service. When asked about the challenges to privacy that exist in India, many shared that, culturally, there is a different understanding of privacy in India than in many western countries.</p>
<p style="text-align: justify; ">Other thoughts included that the Indian government is currently imagining privacy regulation as being either fluid and purely self regulatory or being enforced through strict legal provisions. Instead, the government needs to begin to expand the possibilities for a regulatory framework for privacy in India in such a way that allows for strong legal enforcement, and flexible standards. The right to be forgotten was also discussed and it was mentioned that California has proposed a law that will allow individuals to request deletion of information.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-meeting-with-ftc-new-delhi'>https://cis-india.org/internet-governance/blog/privacy-meeting-with-ftc-new-delhi</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-10-03T10:25:33ZBlog EntryA Dissent Note to the Expert Committee for DNA Profiling
https://cis-india.org/internet-governance/blog/dna-dissent
<b>The Centre for Internet and Society has participated in the Expert Committee for DNA Profiling constituted by the Department of Biotechnology in 2012 for the purpose of deliberating on and finalizing the draft Human DNA Profiling Bill and appreciates this opportunity. CIS respectively dissents from the January 2015 draft of the Bill.</b>
<p> </p>
<p>Click for <a href="https://cis-india.org/internet-governance/blog/dna-bill-functions.pdf" class="external-link">DNA Bill Functions</a>, <a href="https://cis-india.org/internet-governance/blog/dna-list-of-offences.pdf" class="external-link">DNA List of Offences</a>, and <a href="https://cis-india.org/internet-governance/blog/cis-note-on-dna-bill.pdf" class="external-link">CIS Note on DNA Bill</a>. A modified version was published by <a class="external-link" href="http://bangalore.citizenmatters.in/articles/dna-bill-problems-issues-inputs-from-bangalore">Citizen Matters Bangalore</a> on July 28.</p>
<hr />
<p>Based on the final draft of the Human DNA Profiling Bill that was circulated on the 13th of January 2015 by the committee, the Centre for Internet and Society is issuing this note of dissent on the following grounds:</p>
<p style="text-align: justify;">The Centre for Internet and Society has made a number of submissions to the committee regarding different aspects of the Bill including recommendations for the functions of the board, offences for which DNA can be collected, and a general note on the Bill. Though the Centre for Internet and Society recognizes that the present form of the Bill contains stronger language regarding human rights and privacy, we do not find these to be adequate and believe that the core concerns or recommendations submitted to the committee by CIS have not been incorporated into the Bill.</p>
<p style="text-align: justify;">The Centre for Internet and Society has foundational objections to the collection of DNA profiles for non-forensic purposes. In the current form the DNA Bill provides for collection of DNA for the following non forensic purposes:</p>
<ul>
<li style="text-align: justify;">Section 31(4) provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation. </li>
<li style="text-align: justify;">Section 38 defines the permitted uses of DNA profiles and DNA samples including: identifying victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases listed in Part I of the Schedule or for other purposes as may be specified by regulation.</li>
<li style="text-align: justify;">Section 39 defines the permitted instances of when DNA profiles or DNA samples may be made available and include: for the creation and maintenance of a population statistics Data Bank that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.</li>
<li style="text-align: justify;">Part I of the schedule lists laws, disputes, and offences for which DNA profiles and DNA samples can be used. These include, among others, the Motor Vehicles Act, 1988, parental disputes, issues relating to pedigree, issues relating to assisted reproductive technologies, issues relating to transplantation of human organs, issues relating to immigration and emigration, issues relating to establishment of individual identity, any other civil matter as may be specified by the regulations, medical negligence, unidentified human remains, identification of abandoned or disputed children. </li></ul>
<p style="text-align: justify;">While rejecting non-forensic use entirely, we have specific substantive and procedural objections to the provisions relating to forensic profiling in the present version of the Bill. These include:</p>
<ul>
<li style="text-align: justify;"><strong>Over delegation of powers to the board</strong>: The DNA Board currently has vast powers as delegated by Section 12 including:<br /><em>“authorizing procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies, establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies, specifying by regulations the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule, undertaking any other activity which in the opinion of the Board advances the purposes of this Act.” </em><br /><br />Section 65 gives the Board the power to make regulations for a number purposes including: <em>“other purposes in addition to identification of victims of accidents, disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases lists in Part I of the Schedule for which records or samples may be used under section 38, other laws, if any, to be included under item (viii) of para B of Part I of the Schedule, other civil matters, if any, to be included under item (vii) of para C of Part I of the Schedule, and authorization of other persons, if any, for collection of non intimate body samples and for performance of non-intimate forensic procedures, under Part III of the Schedule.</em><br /><br />Ideally these powers would lie with the legislative or judicial branch. Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board and section 68 specifically states that <em>“no civil court shall have jurisdiction to entertain any suit or proceeding in respect to any matter which the Board is empowered by or under this Act to determine.” </em><br /><br />The above represents only a few instances of the overly broad powers that have been given to the Board. Indeed, the Bill gives the Board the power to make regulations for 37 different aspects relating to the collection, storage, use, sharing, analysis, and deletion of DNA samples and DNA profiles. As a result, the Bill establishes a Board that controls the entire ecosystem of DNA collection, analysis, and use in India without strong external oversight or accountability. </li>
<li style="text-align: justify;"><strong>Key terms undefined</strong>: Section 31 (5) states that the “indices maintained in every DNA Data Bank will include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 1 of the Act, and of records relating thereto, in accordance with the standards as may be specified by the regulations.”<br /><br />The term’ DNA analysis’ is not defined in the Act, yet it is a critical term as any information based on such an analysis and associated records can be included in the DNA Database. </li>
<li style="text-align: justify;"><strong>Low standards for sharing of information</strong>: Section 34 empowers the DNA Data Bank Manager to compare a received DNA profile with the profiles stored in the databank and for the purposes of any investigation or criminal prosecution, communicate the information regarding the received DNA profile to any court, tribunal, law enforcement agencies, or DNA laboratory which the DNA Data Bank Manager considers is concerned with it.<br /><br />The decision to share compared profiles and with whom should be made by an independent third party authority, rather than the DNA Bank Manager. Furthermore, this provision isvague and although the intention seems to be that the DNA profiles should be matched and the results communicated only in certain cases, the generic wording could take into its ambit every instance of receipt of a DNA profile. For eg. the regulations envisaged under section 31(4)(g) may prescribe for a DNA Data Bank for medical purposes, but section 34 as it is currently worded may include DNA profiles of patients to be compared and their information released to various agencies by the Data Bank Manager as an unintentional consequence.</li>
<li style="text-align: justify;"><strong>Missing privacy safeguards</strong>: Though the Bill refers to security and privacy procedures that labs are to follow, these have been left to be developed and implemented by the DNA Board. Thus, except for bare minimum standards and penalties addressing the access, sharing, and use of data – the Bill contains no privacy safeguards. <br /><br />In our interactions with the committee we have asked that the Bill be brought in line with the nine national privacy principles established by the Report of the Group of Experts on Privacy submitted to the Planning Commission in 2012. This has not been done.<br /><br /><br /><br /></li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/dna-dissent'>https://cis-india.org/internet-governance/blog/dna-dissent</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2016-07-21T11:01:44ZBlog Entry