The Centre for Internet and Society
https://cis-india.org
Comparison of Section 35(1) of the Draft Human DNA Profiling Bill and Section 4 of the Identification Act Revised Statute of Canada
https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions
<b>A comparison of section 35(1) of the Draft Human DNA Profiling Bill, section 4 of the Identification Act, Revised Statute of Canada, and a review of international best practices. </b>
<p style="text-align: justify; ">In continuation of research around the <a href="https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012">Draft Human DNA Profiling Bill</a> drafted by the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares section 35(1) of the Draft Human DNA Profiling Bill with section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.</p>
<h3 style="text-align: justify; ">Indian Provision</h3>
<p style="text-align: justify; ">35 (1) “<i>On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely – </i></p>
<p style="text-align: justify; "><i>(a) </i><i>As to whether the DNA profile received is already contained in the Data Bank; and </i></p>
<p style="text-align: justify; "><i>(b) </i><i>Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. </i></p>
<p style="text-align: justify; "><i>(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”</i></p>
<h3 style="text-align: justify; ">Canadian Provision vs. Indian Provision</h3>
<p style="text-align: justify; ">According to the Draft Human DNA Profiling Bill, section 35(1) was adopted from section 4 of the DNA Identification Act Revised Statute of Canada. The provision found in the Draft Human DNA Profiling Bill differs in three ways:</p>
<ol>
<li style="text-align: justify; ">The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, whereas the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, DNA laboratories, and courts and tribunals. </li>
<li style="text-align: justify; ">The Canadian statute limits the comparison to DNA profiles entered in the convicted offenders index or the crime scene index, which are compared with the DNA profiles already contained in the databank, whereas the Draft Human DNA Profiling Bill allows any received profile to be compared with the other profiles in the DNA Data Bank. </li>
<li style="text-align: justify; ">The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA laboratory, namely: </li>
</ol> <ol><ol>
<li>(<i>a</i>) if the DNA profile is not already contained in the data bank, the fact that it is not;</li>
<li style="text-align: justify; ">(<i>b</i>) if the DNA profile is already contained in the data bank, the information contained in the data bank in relation to that DNA profile;</li>
<li style="text-align: justify; ">(<i>c</i>) if the DNA profile is, in the opinion of the Commissioner, similar to one that is already contained in the data bank, the similar DNA profile; and</li>
<li style="text-align: justify; ">(<i>d</i>) if a law enforcement agency or laboratory advises the Commissioner that their comparison of a DNA profile communicated under paragraph (<i>c</i>) with one that is connected to the commission of a criminal offence has not excluded the former as a possible match, the information contained in the data bank in relation to that profile.</li>
</ol></ol>
<p>The Draft Human DNA Profiling Bill, by contrast, provides for communication of only (a) and (b) by the DNA Data Bank Manager.</p>
<h3>Concerns with 35(1) and Best Practices</h3>
<p style="text-align: justify; ">The Centre for Internet and Society finds 35(1) problematic because a DNA profile is never a complete match; a reported match is a scientifically and statistically based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “<i>1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.</i>”<a name="fr1"></a></p>
<p style="text-align: justify; ">Though it is common for DNA Banks to communicate responses such as “match”, “no match”, or “partial match”, or “inclusion”, “exclusion”, or “inconclusive”, to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example, in England and Wales guidelines for presenting DNA evidence in court were laid out in the case R v Doheny and Adams [1997] 1 Cr App R 369. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:</p>
<ul>
<li style="text-align: justify; ">“The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability. </li>
<li style="text-align: justify; ">Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations. </li>
<li style="text-align: justify; ">The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made. </li>
<li style="text-align: justify; ">The expert will, on the basis of empirical statistical data, give the jury the random occurrence ratio - the frequency with which the matching DNA characteristics are likely to be found in the population at large. </li>
<li style="text-align: justify; ">Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”<a name="fr2"></a></li>
</ul>
<h3>Recommendations</h3>
<p style="text-align: justify; ">Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The Centre for Internet and Society recommends that the Bill should distinguish the DNA Bank Manager’s response to law enforcement and other DNA laboratories from the DNA Bank Manager’s response to courts and tribunals, as below:</p>
<ul>
<li style="text-align: justify; "><strong>Response to Law enforcement agency and DNA Laboratory:</strong> The DNA Bank Manager should respond to a request from law enforcement or a DNA laboratory with either "match" or "partial match".</li>
<li style="text-align: justify; "><strong>Response to Court and tribunal:</strong> When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:</li>
</ul>
<ol>
<li style="text-align: justify; ">The random match probability: the probability that an individual selected at random from the population would have a DNA profile matching the one obtained from the sample. </li>
<li>The frequency with which the matching DNA characteristics are likely to be found in the population at large.</li>
<li>The probability of contamination. </li>
</ol>
<p style="text-align: justify; ">The Bill should also provide for the database upon which the calculations were based to be made available when requested. In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.</p>
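<p style="text-align: justify; ">The three figures the recommendation asks courts to be given are all derived from the same calculation. The following Python script is an added illustration and is not part of the original blog entry or of the Bill; the allele frequencies, the locus names and the population and databank sizes it uses are constructed for the example and are not real forensic data. It computes the random match probability of a profile with the standard product rule (Hardy-Weinberg genotype frequency at each locus, multiplied across loci assumed independent), turns it into the "one in N" figure and the expected number of matching individuals in a population of a given size, and shows why a partial profile, or a search against a large databank, is far more likely to produce a coincidental match than a full profile compared with a single suspect. It does not model the probability of contamination or of related individuals, both of which make the true figure worse than this calculation suggests.</p>

```python
"""Random match probability for a multi-locus DNA profile (added example).

Allele frequencies, loci and population sizes below are CONSTRUCTED for
illustration and must not be read as real forensic data.
"""

# Constructed allele frequencies for three hypothetical STR loci.
ALLELE_FREQS = {
    "LocusA": {"12": 0.30, "13": 0.25, "14": 0.45},
    "LocusB": {"8": 0.10, "9": 0.60, "10": 0.30},
    "LocusC": {"15": 0.20, "16": 0.20, "17": 0.60},
}

# A full three-locus profile and a partial profile (one locus typed only).
EXAMPLE_PROFILE = {"LocusA": ("12", "13"), "LocusB": ("9", "9"), "LocusC": ("15", "17")}
PARTIAL_PROFILE = {"LocusA": ("12", "13")}


def genotype_frequency(p, q):
    """Hardy-Weinberg genotype frequency: p^2 if homozygous, 2pq if heterozygous."""
    return p * p if p == q else 2 * p * q


def random_match_probability(profile, freqs=ALLELE_FREQS):
    """Product rule: multiply the genotype frequency at each typed locus.

    Assumes the loci are independent and the person compared is unrelated
    to the true source; neither holds for relatives or linked loci.
    """
    rmp = 1.0
    for locus, (allele1, allele2) in profile.items():
        table = freqs[locus]
        p, q = table[allele1], table[allele2]
        rmp *= genotype_frequency(p, q) if allele1 != allele2 else p * p
    return rmp


def expected_matches(rmp, population_size):
    """Expected number of unrelated people in the population carrying this profile."""
    return rmp * population_size


def probability_of_at_least_one_match(rmp, database_size):
    """Chance that a search against N unrelated profiles hits at least one by chance."""
    return 1.0 - (1.0 - rmp) ** database_size


def present_for_court(profile, population_size, freqs=ALLELE_FREQS):
    """The figures R v Doheny and Adams asks the expert to give the jury."""
    rmp = random_match_probability(profile, freqs)
    return {
        "loci_typed": len(profile),
        "random_match_probability": rmp,
        "one_in": round(1.0 / rmp),
        "expected_individuals_in_population": expected_matches(rmp, population_size),
    }


if __name__ == "__main__":
    population = 1_000_000  # constructed population size
    databank = 100_000      # constructed databank size
    for label, prof in (("full profile", EXAMPLE_PROFILE), ("partial profile", PARTIAL_PROFILE)):
        report = present_for_court(prof, population)
        print(label, report)
        print("  P(at least one chance hit in databank of %d): %.4f"
              % (databank, probability_of_at_least_one_match(
                  report["random_match_probability"], databank)))
```

With the constructed frequencies the full profile has a random match probability of about 0.013 (roughly one in 77), so a population of one million is expected to contain around 13,000 people with the same profile; the single-locus partial profile rises to 0.15. Real casework uses far more loci and much smaller frequencies, but the structure of the figures, and the fact that a databank search multiplies the chance of a coincidental hit by the number of profiles searched, is the same.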
<hr />
<p>[<a name="fn1"></a>]. <a class="external-link" href="http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx">http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx</a></p>
<p>[<a name="fn2"></a>]. <a class="external-link" href="http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf">http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions'>https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions</a>
</p>
<p>Author: elonnai. Categories: Internet Governance, Privacy. Published 2014-03-03T08:20:55Z. Blog Entry.</p>
CIS Welcomes 52nd Report on Cyber Crime, Cyber Security, and Right to Privacy
https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy
<b>The “Fifty Second Report on Cyber Crime, Cyber Security, and Right to Privacy”, issued by the 2013-2014 Standing Committee on Information Technology on February 12th 2014, highlights the urgent need for reform of India’s cyber security framework and the need for the much awaited privacy legislation to be finalized and made into law. </b>
<hr />
<p class="callout" style="text-align: justify; "><a class="external-link" href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf"><b>Read the Fifty-Second Report on Cyber Crime, Cyber Security and Right to Privacy released by the Standing Committee on Information Technology</b></a></p>
<hr />
<p style="text-align: justify; ">The Report consists of questions on the state of cyber security, cyber crime, and privacy posed by the Standing Committee, and briefings and evidence provided by the Department of Electronics and Information Technology (DEITY) in reply. The Report concludes with recommendations from the Standing Committee on the way forward.</p>
<p style="text-align: justify; ">The Report represents an important step forward in the realm of privacy and cyber security in India, as the evidence provided by DEITY clarifies a number of aspects of India’s present and upcoming cyber security policies and practices. Furthermore, the recommendations by the Standing Committee highlight present gaps and inadequacies in India’s policies and practices and the steps needed, particularly the need for privacy legislation in India in the context of cyber security, the increased transfer of sensitive data, and governmental projects like the Unique Identification Project.</p>
<p style="text-align: justify; ">Broadly, the Standing Committee sought input from DEITY on eight different aspects of cyber crime, cyber security, and privacy in India, including: the growing incidents of cyber crime and the resulting financial loss, the challenges and constraints of tackling cyber crime, the role of relevant governmental organizations in India with respect to cyber security, preparedness and policy initiatives, cyber security and the right to privacy, monitoring and grievance redressal mechanisms, and education and awareness initiatives. The evidence provided by DEITY sheds light on the present mindset of the Government, upcoming policies, and capacity and infrastructure gaps in India’s cyber security framework.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates the Report and we would like to highlight and emphasize the following aspects:</p>
<p style="text-align: justify; "><b>Need for a privacy legislation and inadequacy of privacy provisions in the Information Technology Act</b>: When asked by the Standing Committee about the right to privacy and cyber security, DEITY stated that the Information Technology Act contains sufficient safeguards for privacy, and added that the Department of Personnel and Training (DoPT) is in the process of developing privacy legislation that will address the general concerns of privacy in the country, and thus that the two together will be sufficient. DEITY also noted that no study on the extent of privacy breaches due to cyber crime in India has been conducted. In its recommendations, the Standing Committee noted that it was unhappy that the Government has yet to institute a legal framework on privacy, as the increased transfer of sensitive data and projects like the UID leave citizens vulnerable to privacy violations. Significantly, the Standing Committee recommended that, though the DoPT is currently responsible for drafting the Privacy Bill, DEITY should coordinate with the DoPT and become involved in the process. <br /><br />As recognized by the Standing Committee, the Centre for Internet and Society would like to further emphasize the inadequacy of the provisions relating to privacy in the Information Technology Act, and the need for privacy legislation in India. Inadequate aspects of the provisions have been pointed out by a number of sources. For example:</p>
<ol>
<li style="text-align: justify; "><a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">The Report of the Group of Experts on Privacy</a>: Prepared by the committee chaired by Justice AP Shah </li>
<li style="text-align: justify; "><a class="external-link" href="http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_india_en.pdf">First Analysis of the Personal Data Protection Law in India</a>: Prepared by the University of Namur for the Commission of the European Communities Directorate General for Justice, Freedom, and Security</li>
<li style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011" class="external-link">Comments on the Information Technology</a> (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prepared by the Centre for Internet and Society and submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha</li>
<li style="text-align: justify; "><a class="external-link" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1964013">India’s U-Turns on Data Privacy</a>: Prepared by Graham Greenleaf for the Privacy Laws & Business International Report, Issues 110 -114, 2011 </li>
</ol>
<p style="text-align: justify; "><b>Unclear enforcement of 43A and associated Rules</b>: In evidence provided, DEITY, while discussing section 43A and the associated Rules, noted that the Data Security Council of India (DSCI) and security auditors empanelled through CERT-In are responsible for the ‘auditing of best practices’ (p. 24). The Standing Committee did not directly respond to this comment.<br /><br />The Centre for Internet and Society would like to point out that DEITY did not clearly state that DSCI and the auditors empanelled through CERT-In were responsible for auditing organizational security practices for compliance with 43A. Furthermore, there is no publicly available information regarding audits ensuring compliance with 43A, or about the number of companies that have been found to be compliant. The Centre for Internet and Society would encourage that this information be made public, and that compliance with 43A be enforced at the organizational level.</p>
<p style="text-align: justify; "><b>UIDAI not in compliance with 43A and associated Rules</b>: In evidence provided, DEITY noted that <i>“..Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...”</i> (p. 46). In its recommendations the Standing Committee did not directly address this comment, but did emphasize the need for privacy legislation in light of the UID scheme.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates that the Standing Committee raised concern about the privacy implications of the UID project. We would like to highlight that the UIDAI is not a body corporate, and is therefore not covered by, and not in compliance with, section 43A or the Rules made under it. Furthermore, the UID project involves the handling and processing of data in analogue as well as digital formats, and thus the privacy protections found under 43A, which cover only digital data, are not sufficient.</p>
<p style="text-align: justify; "><b>The potential harms of metadata</b>: In evidence provided, the Department noted <i>“...we have been assured that whatever data has been gathered by them for surveillance relates only to the metadata..but we expressed that any incursion into the content will not be tolerated and is not tolerable from the Indian stand and point of view.”</i> (p. 47). The Standing Committee did not respond directly to this comment.</p>
<p style="text-align: justify; ">The Centre for Internet and Society would like to thank the Standing Committee for noting that the Government should have taken prior steps to prevent such interception from taking place, and for recommending that the Department develop a policy to prevent future instances of interception. The Centre for Internet and Society would like to emphasize the importance and potentially sensitive nature of metadata. Metadata can, and often does, disclose more about an individual or an activity than the actual content. For example, metadata can reveal identity, behaviour patterns, and associations, and can enable the mapping of location and individual movement. As such, the Centre for Internet and Society would recommend that the Government of India treat access to all information generated by individual and governmental communications, metadata included, as sensitive and confidential.</p>
<p style="text-align: justify; "><b>Inadequacy of the Information Technology Act</b>: When asked by the Standing Committee whether the Information Technology Act provided sufficient legal safeguards for cyber security and against cyber crime, DEITY stated that the Information Technology Act 2000 addresses all aspects of cyber crime in a comprehensive manner. DEITY also pointed out that the National Cyber Security Policy 2013 has provisions to enable the development of a legal framework, and that the Department of Personnel and Training is in the process of drafting privacy legislation for India that will fill any gaps that exist. In its recommendations, the Standing Committee recognized that the Information Technology Act does contain provisions that address cyber security and cyber crime but, especially in light of the recent controversy over section 66A of the Act, emphasized the need for periodic reviews of the IT Act.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates the fact that the Committee recognized the need for periodic review of the Information Technology Act, particularly in light of the controversy over 66A. The Centre for Internet and Society would like to underscore the problems associated with 66A, and would like to highlight that, with regard to privacy and cyber security, the IT Act is not adequate and falls short in a number of areas. Research that the Centre for Internet and Society has conducted explaining these weaknesses can be found through the links below:</p>
<ol>
<li>Breaking Down Section 66A of the IT Act</li>
<li>Short note on IT Amendment Act, 2008</li>
</ol>
<p style="text-align: justify; "><b>Implications of domestic servers</b>: In response to questions posed by the Standing Committee about security risks associated with the importation of electronics and IT products, as well as the hosting of servers outside the country, DEITY noted the security risk of using foreign infrastructure and pointed to the hosting of servers in India as a solution for protecting the security and privacy of Indian data. The Standing Committee supported this initiative, and encouraged DEITY to take further steps towards securing and protecting the privacy of Indian data by hosting servers for critical sectors within India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates the fact that the Standing Committee carefully limited the recommendation of locating servers in India to those in critical sectors, but would caution the Government about the potential implications for users’ ability to freely access content and services, and would highlight that localization of servers is not a security solution in itself: a server hosted in India is exposed to the same attacks as one hosted abroad, so a comprehensive approach, including hardening of critical assets against cyber attacks, remains essential.</p>
<p style="text-align: justify; "><b>Incorporation of safeguards into MOUs for international cooperation</b>: When asked about MOUs for international cooperation that DEITY has entered into with other countries, DEITY reported that CERT-In is currently entering into a number of MOUs with other countries to facilitate cooperation for cyber security purposes. Presently there are MOUs with the US, Japan, South Korea, Mauritius, Kazakhstan, Finland, and the Canadian Electronics and ICT sector. DEITY is also seeking MOUs with Malaysia, Israel, Egypt, Canada, and Brazil. The Standing Committee supported India entering into MOUs for purposes of international cooperation, and encouraged DEITY to continue entering into MOUs to mitigate jurisdictional complications when addressing issues related to cyber security.</p>
<p style="text-align: justify; ">The Centre for Internet and Society recognizes the importance of international cooperation when handling issues related to cyber security and cyber crime. To ensure that this process is in line with human rights, the Centre for Internet and Society would encourage DEITY to ensure that all MOUs and/or Mutual Legal Assistance Agreements:</p>
<ul>
<li>Uphold the principle of dual criminality </li>
<li>Apply the highest level of protection for individuals in the case where the laws of more than one state could apply to communications surveillance </li>
<li style="text-align: justify; ">Are not used by any party involved to circumvent domestic legal restrictions on communications surveillance.</li>
<li>Are clearly documented and publicly available</li>
<li>Contain provisions guaranteeing procedural fairness.<a href="#fn1" name="fr1">[1] </a> </li>
</ul>
<p style="text-align: justify; "><b>Hacktivism as a benefit to society</b>: In evidence provided on page 14, DEITY, among other elements, referred to hacktivism as a societal challenge to securing cyber security and tackling cyber crime. The Standing Committee did not directly address this comment.</p>
<p style="text-align: justify; ">The Centre for Internet and Society would like to point out that hacktivism is a complex topic and encompasses many different methods. Though some methods used by hacktivists are illegal, and some use hacktivism for censorship purposes and to target certain groups, other forms of hacktivism can benefit society and strengthen cyber security by finding and revealing vulnerabilities in a system, and by bringing attention to illegal or violative practices.</p>
<p style="text-align: justify; ">This works towards ensuring that a system is adequately secure. Because of the dynamic nature of hacktivism, the Centre for Internet and Society believes that hacktivism needs to be evaluated on a case by case basis and that the Government should not broadly label hacktivism as a challenge to cyber security and a form of cyber crime.<a href="#fn2" name="fr2">[2] </a></p>
<p style="text-align: justify; "><b>Importance of anonymous speech</b>: In evidence provided, DEITY noted the threat to cyber security that the anonymous nature of the internet poses. This was reiterated by the Standing Committee in its recommendations.</p>
<p style="text-align: justify; ">While recognizing the potential threat to cyber security that the anonymous nature of the internet can pose, the Centre for Internet and Society would like to highlight the importance of anonymous speech online to an individual’s right to free expression.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">Recognizing the direct connection between a strong privacy framework and a strong cyber security framework, as security cannot be achieved without privacy, and recognizing the need for privacy legislation in light of governmental projects like the UID, the Centre for Internet and Society welcomes <i>the Fifty Second Report on Cyber Crime, Cyber Security, and the Right to Privacy</i> and echoes the Standing Committee’s recommendation and emphasis on the need for comprehensive privacy legislation to be passed in India.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. These safeguards are reflected in the principle of “Safeguards for International Cooperation” found in the International Principles on the Application of Human Rights to Communications Surveillance: <a class="external-link" href="https://en.necessaryandproportionate.org/text">https://en.necessaryandproportionate.org/text</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. For more information about hacktivism see: Activism, Hacktivism, and Cyberterrorism. The Internet as a Tool for Influencing Foreign Policy. By Dorothy E. Denning. Georgetown University. Available at: <a class="external-link" href="http://www.iwar.org.uk/cyberterror/resources/denning.htm">http://www.iwar.org.uk/cyberterror/resources/denning.htm</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy'>https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy</a>
</p>
<p>Author: elonnai. Categories: Internet Governance, Privacy. Published 2014-02-24T10:49:46Z. Blog Entry.</p>
GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression
https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression
<b>Elonnai Hickok analyses a public report recently published by GNI on the independent assessment process for Google, Microsoft, and Yahoo. The report finds Google, Microsoft, and Yahoo to be in compliance with the GNI principles on privacy and freedom of expression.</b>
<h3>Introduction</h3>
<p style="text-align: justify; ">In January 2014, the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">Global Network Initiative (GNI)</a> published the <a href="http://globalnetworkinitiative.org/sites/default/files/GNI%20Assessments%20Public%20Report.pdf"><i>Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo</i></a>. GNI is an industry consortium that was started in 2008 with the objective of protecting users’ rights to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, to ensure accountability of ICT companies through independent assessments, to create opportunities for policy engagement, and to create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join the GNI network as members.</p>
<h3 style="text-align: justify; ">Overview of the Public Report</h3>
<p style="text-align: justify; ">The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 to 2013 to measure company compliance with the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">GNI principles</a> on freedom of expression and privacy. The principles lay out broad guidelines that member companies should seek to incorporate in their internal and external practices, and speak to freedom of expression, privacy, responsible company decision making, multi-stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with <a href="https://globalnetworkinitiative.org/sites/default/files/GNI_-_Implementation_Guidelines_1_.pdf">Implementation Guidelines</a> that give companies a framework for responding to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.</p>
<p style="text-align: justify; ">Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices adopted by the companies that work to protect freedom of expression and privacy, such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user whose posted content is removed, Google will often notify the user and direct the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before deciding whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regard to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments at an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.</p>
<p style="text-align: justify; ">The Report highlights the challenges to compliance with the GNI principles that companies face, namely the legal restraints and mandates they are subject to. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users’ privacy would be implicated, when companies choose to assert attorney-client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy, for reasons such as the request needing clarification or modification, or the request needing to follow established procedure.</p>
<p style="text-align: justify; ">A number of findings came out of the assessments undertaken for the Report including:</p>
<ol>
<li style="text-align: justify; ">As demonstrated by the inability to access information about secret national security requests, and the inability of companies to disclose information on this topic, there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.</li>
<li style="text-align: justify; ">Implementing the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third-party disclosure are critical to ensuring protection of privacy and free expression rights.</li>
<li style="text-align: justify; ">Companies need to proactively, and on an ongoing basis, review internally the governmental restrictions on content they receive, to determine whether they are in compliance with the commitment that company has made to the GNI Principles.</li>
</ol>
<p style="text-align: justify; ">The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:</p>
<ul>
<li>Improve the integration of human rights considerations into the due diligence process with respect to acquiring and selling companies.</li>
<li>Consider the impact of hardware on freedom of expression and privacy.</li>
<li>Improve external and internal reporting.</li>
<li>Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations.</li>
<li>Review executive management training.</li>
<li>Improve stakeholder engagement.</li>
<li>Improve communication with users.</li>
<li>Increase sharing of best practices.</li>
</ul>
<p style="text-align: justify; ">The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights.</p>
<h3>NSA leaks, global push for governmental surveillance reform, and the Public Report</h3>
<p style="text-align: justify; ">With special attention given to the companies’ responses to the NSA leaks, the Report notes that, in response to the leaks, the assessed companies have issued public statements, filed legal challenges against the US government, and filed suit with the FISA Court seeking the right to disclose to the public data on the number of FISA requests received. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore, in December 2014, the companies, along with other internet companies, developed and issued the five <a href="http://reformgovernmentsurveillance.com/">Principles on Global Government Surveillance Reform</a>. Similar to other efforts to end mass and disproportionate surveillance, such as the <a href="https://en.necessaryandproportionate.org/text">Necessary and Proportionate</a> principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, and Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.</p>
<p style="text-align: justify; ">Along these lines, on January 14<sup>th</sup>, GNI released the statement <a href="http://globalnetworkinitiative.org/news/surveillance-reforms-protect-rights-and-restore-trust">“Surveillance Reforms to Protect Rights and Restore Trust”</a>, urging the U.S. Government to review and enact surveillance legislation that incorporates a ‘rights-based’ approach to issues involving national security. In the statement, GNI specifically calls on the Government to act and: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase the transparency of surveillance practices, and support the use of strong encryption standards.</p>
<h3 style="text-align: justify; ">Conclusion and way forward</h3>
<p style="text-align: justify; ">Looking ahead, GNI is planning to develop and implement a mechanism to effectively address consumer engagement and complaints from individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand its work around public policy and surveillance.</p>
<p style="text-align: justify; ">The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring that ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place: Governments issue surveillance and censorship demands with mandates for non-disclosure, while the public demands transparency, company resistance to such demands from the Government, and a strong commitment to users’ freedom of expression and privacy. Hopefully, the GNI assessment is, and will evolve into, a middle ground for ICT companies, where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions in which they operate. It will be interesting to see whether Indian companies join GNI as members in the future, begin to adopt the GNI principles, and undergo GNI assessments.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression'>https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression</a>
</p>
No publisher | Author: elonnai | Freedom of Speech and Expression | Internet Governance | 2014-01-20T06:17:46Z | Blog Entry
Internet Privacy in India
https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india
<b>Internet privacy encompasses a wide range of issues and topics. It can be understood as privacy rights that an individual has online with respect to their data, and violations of the same that take place online. Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing. </b>
<h3 style="text-align: justify; ">The Changing Nature of Information</h3>
<p style="text-align: justify; ">For example, the way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing and redefining personal data, and what type of protection personal data deserves and can be given. Seemingly harmless data such as IP addresses, keywords used in searches, and websites visited can now be combined and analysed to identify individuals and learn personal information about them. From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data, information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases the individual is unaware of the information trail they are leaving online, does not know who is accessing the information, and has no control over how their information is being handled and for what purposes it is being used. For example, law enforcement routinely trawls social media sites for information that might be useful in an investigation.</p>
<h3 style="text-align: justify; ">The Blurry Line between the Public and Private Sphere</h3>
<p style="text-align: justify; ">The above example also highlights how unclear the “sphere” of information on the internet is: is information posted on social media public information, free for use by any individual or entity including law enforcement, employers, data mining companies and so on, or is information posted on social media private, and thus does its further use require authorization? For example, in India, in 2013 the Mumbai police established a “social media lab” for the purpose of monitoring and tracking user behavior and activities.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of it, as the project claims to analyze only publicly available information. Similar dilemmas have been dealt with by other countries. For example, in the U.S., individuals have contested the use of their tweets without permission,<a href="#fn2" name="fr2">[2]</a> while courts in the US have ruled that tweets, private and public, can be obtained by law enforcement with only a subpoena, as technically the information has been shared with another entity and is therefore no longer private.<a href="#fn3" name="fr3">[3]</a> Indian Courts have yet to deal directly with the question of whether social media content is public or private information.</p>
<h3 style="text-align: justify; ">The Complication of Jurisdiction</h3>
<p style="text-align: justify; ">The borderless nature of information flows over the Internet complicates online privacy, as individuals’ data is subjected to different levels of protection depending on the jurisdiction in which it resides. Thus, for example, an Indian using Gmail will be subject to the laws of the United States. On one hand this could be seen as a positive, if one country has stronger privacy protections than another, but it could also be damaging to privacy in the reverse situation, where the other country has lower privacy standards and safeguards. In addition to the dilemma of different levels of protection being provided to data as it flows through different jurisdictions, two other complications arise: access by law enforcement to data stored in a different jurisdiction, and data from one country being accessible to law enforcement because it is processed in their jurisdiction. Nowhere are these complications more evident than in the case of the NSA leaks. Because Indian data was residing on US servers, the US government could access and use the data with no obligation to the individual.<a href="#fn4" name="fr4">[4]</a> In response to the NSA leaks, the government of India has stated that all facts need to be known before any action is taken, while citizens initially sought to hold accountable the companies, such as Google and Facebook, that disclosed the data to US security agencies.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">Despite this, because the companies were acting within the legal limits of the United States, where they were incorporated, they could not be held liable. In response to the dilemma, many actors in India, including government and industry, are asking for the establishment of ‘domestic servers’. For example, Dr. Kamlesh Bajaj, CEO of the Data Security Council of India, was quoted in Forbes magazine promoting the establishment of India-centric social media platforms.<a href="#fn6" name="fr6">[6]</a> Similarly, after the PRISM scandal became public, the National Security Advisor requested that the Telecom Department route traffic data only through Indian servers.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">In these contexts, the internet is a driving force behind a growing privacy debate and awareness in India.</p>
<h3 style="text-align: justify; ">Current Policy for Internet Privacy in India</h3>
<p style="text-align: justify; ">Currently, India's most comprehensive legal provisions that speak to privacy on the internet can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of provisions that in some cases safeguard online privacy and in other cases dilute it. Provisions that clearly protect user privacy include: penalizing child pornography,<a href="#fn8" name="fr8">[8]</a> penalizing hacking and fraud,<a href="#fn9" name="fr9">[9]</a> and defining data protection standards for body corporate.<a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; ">Provisions that serve to dilute user privacy concern access by law enforcement to users’ personal information stored by body corporate,<a href="#fn11" name="fr11">[11]</a> collection and monitoring of internet traffic data,<a href="#fn12" name="fr12">[12]</a> and real-time monitoring, interception, and decryption of online communications.<a href="#fn13" name="fr13">[13]</a> Additionally, legislative gaps in the ITA weaken the privacy of online users. For example, the ITA does not address questions and circumstances such as the evidentiary status of social media content in India, the merging and sharing of data across databases, whether individuals can transmit images of their own “private areas” across the internet, whether users have the right to be notified of the presence of cookies and of do-not-track options, the use of electronic personal identifiers across databases, and whether individuals have the right to request that service providers take down and delete their personal content.</p>
<h3 style="text-align: justify; ">Online Data Protection</h3>
<p style="text-align: justify; ">Since 2010, there has been increasing recognition by both the government and the public that India needs privacy legislation, specifically legislation that addresses the collection, processing, and use of personal data. The push for adequate data protection standards in India has come both from industry and industry bodies like DSCI, which regard strong data protection standards as an integral part of business, and from the public, who have voiced increasing concerns that governmental projects involved in collecting, processing, and using personal data, such as the UID, are presently not adequately regulated and are collecting and processing data in ways that abuse individual privacy. As mentioned above, India's most comprehensive data protection standards are found in the ITA and are known as the Information Technology “Reasonable security practices and procedures and sensitive personal data or information” Rules 2011.<a href="#fn14" name="fr14">[14]</a></p>
<p style="text-align: justify; ">The Rules seek to provide rights to the individual with regard to their information and obligate body corporate to take steps towards protecting the privacy of consumers’ information. Among other things, the Rules define “sensitive personal information” and require that any body corporate publish an online privacy policy, provide individuals with the right to access and correct their information, obtain consent before disclosing sensitive personal information (except in the case of law enforcement), provide individuals the ability to withdraw consent, establish a grievance officer, ensure equivalent levels of protection when transferring information, and put in place reasonable security practices. Though the Rules are the strongest form of data protection in India, they have not been recognized by the European Union as meeting the EU standard of “data secure”,<a href="#fn15" name="fr15">[15]</a> and many gaps still exist. For example, the Rules apply only to:</p>
<ul style="text-align: justify; ">
<li>Body corporate and not to the government</li>
<li>Electronically generated and transmitted information </li>
<li>A limited scope of sensitive personal information.</li>
<li>A body corporate when a contractual agreement is not already in place.</li>
</ul>
<p style="text-align: justify; ">These gaps leave a number of bodies unregulated and types of information unprotected, and limit the scope of the Rules. It is also unclear to what extent companies are adhering to these Rules, and whether they are applying the Rules only to the use of their websites or also to their core business practices.</p>
<h3 style="text-align: justify; ">Cyber Cafés</h3>
<p style="text-align: justify; ">In 2011 the Guidelines for Cyber Café Rules were notified under the Information Technology Act. These Rules, among other things, require Cyber Cafés to retain the following details for every user for a period of one year: details of identification, name, address, contact number, gender, date, computer terminal identification, log-in time, and log-out time. These details must be submitted, as directed, to the registration agency on a monthly basis.<a href="#fn16" name="fr16">[16]</a> Cyber Cafés must also retain the history of websites accessed and the logs of proxy servers installed at the cyber café for a period of one year.<a href="#fn17" name="fr17">[17]</a> Furthermore, Cyber Cafés must ensure that the partitions between cubicles do not exceed four and a half feet in height from floor level.<a href="#fn18" name="fr18">[18]</a> Lastly, the cyber café owner is required to provide every related document, register, and item of information to any officer authorized by the registration agency, on demand.<a href="#fn19" name="fr19">[19]</a> In effect, the identification and retention requirements of these rules impact both privacy and freedom of expression, as cyber café users cannot use the facility anonymously and all their information, including browser history, is stored on an a priori basis. The disclosure provisions in these rules also impact privacy and demonstrate a dilution of the standards governing law enforcement access to users’ internet communications, as the provision does not define:</p>
<ul style="text-align: justify; ">
<li>The authorization process the registration agency follows to authorize individuals to conduct inspections.</li>
<li>The circumstances in which inspection of a Cyber Café by an authorized officer is necessary and permissible.</li>
<li>The process by which information can be requested; instead, it vaguely requires cyber café owners to disclose information “on demand”.</li>
</ul>
<h3 style="text-align: justify; ">Online Surveillance and Access</h3>
<p style="text-align: justify; ">The ITA also allows for interference with user privacy online by defining broad standards of access for law enforcement and security agencies, and by giving the government the power to determine which tools individuals can use to protect their privacy. This is most clearly demonstrated by provisions that permit the interception, monitoring, and decryption of digital communications,<a href="#fn20" name="fr20">[20]</a> provide for the collection and monitoring of traffic data,<a href="#fn21" name="fr21">[21]</a> and allow the government to set the national encryption standard.<a href="#fn22" name="fr22">[22]</a> In particular, the structure of these provisions and the lack of safeguards incorporated in them dilute user privacy. For example, though these provisions create a framework for interception, they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. Furthermore, the provisions place extensive security and technical obligations on the service provider, which is required to extend all facilities necessary to security agencies for interception and decryption and is liable to imprisonment of up to seven years for non-compliance. This creates an environment in which it is unlikely that a service provider would challenge any request for access or interception from law enforcement. Interception is also regulated through provisions and rules under the Indian Telegraph Act 1885 and the subsequent ISP and UAS licenses.</p>
<h3 style="text-align: justify; ">Scope of Surveillance and Access</h3>
<p style="text-align: justify; ">The extent to which the Government of India lawfully intercepts communications is not entirely clear, but in 2011 news items reported that in the month of July, 8,736 phones and e-mail accounts were under lawful surveillance.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Though this number is representative of authorized interception, there have also been a number of instances of unauthorized interception. For example, in 2013 it was found that in Himachal Pradesh 1371 phones were tapped on the basis of verbal approval, while the Home Ministry had authorized the interception of only 170.<a href="#fn24" name="fr24">[24]</a> This demonstrates that there are instances in which existing safeguards for interception and surveillance are undermined, and highlights the challenge of enforcing even the safeguards that already exist.</p>
<p style="text-align: justify; ">The standoff between RIM/BlackBerry and the Indian Government demonstrates the tension between the right to privacy and governmental access to communications, and at the same time highlights the issue of jurisdiction. For several years, the Indian Government has requested that RIM provide access to the company’s communication traffic, both BIS and BES, as Indian security agencies have been unable to decrypt the data. Solutions that the Indian Government has proposed include: RIM providing the decryption keys to the government, RIM establishing a local server, and local ISPs and telcos developing an indigenous monitoring solution. In 2012, RIM finally established a server in Mumbai, and in 2013 it provided a lawful interception solution that satisfied the Indian Government.<a href="#fn25" name="fr25">[25]</a></p>
<p style="text-align: justify; ">The implementation of the Central Monitoring System by the Indian Government is another example of the Government seeking greater access to communications. The system will allow security agencies to bypass service providers and directly intercept communications. It is unclear whether the system will provide for the interception of only telephonic communications or will also allow for the interception of digital communications and internet traffic. It is also unclear what checks and balances exist in the system. By removing the service provider from the equation, the government is not only taking away a potential check, since service providers can resist unauthorized requests, but also removing the possibility for companies to be transparent about the interception requests with which they comply.</p>
<h2 style="text-align: justify; ">Future frameworks for privacy in India: The Report of the Group of Experts on Privacy</h2>
<p style="text-align: justify; ">In October 2012 the Report of the Group of Experts on Privacy was published by a committee of experts chaired by Justice A.P. Shah.<a href="#fn26" name="fr26">[26]</a> The report sets out recommendations for a privacy framework and legislation in India. Most importantly, the Report recognizes privacy as a fundamental right and defines nine National Privacy Principles that would apply to all data controllers in both the private sector and the public sector. This would work to ensure that businesses and governments are held accountable for protecting privacy, and that legislation and practices found across sectors, states/governments, organizations, and governmental bodies are harmonized. The privacy principles are in line with global standards, including the EU, OECD, and APEC principles on privacy, and include: notice, choice &amp; consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, and security.</p>
<p style="text-align: justify; ">The Report also envisions a system of co-regulation, in which the National Privacy Principles will be binding for every data controller, but Self Regulatory Organizations at the industry level will have the option of developing principles for their specific sector. The principles developed by industry must be approved by the privacy commissioner and be in compliance with the National Privacy Principles. In addition to defining principles, the Report recommends the establishment of a privacy commissioner to oversee the implementation of the right to privacy in India, and specifies that aggrieved individuals can seek redress either by filing a complaint with the privacy commissioner or by going before a court.</p>
<p style="text-align: justify; ">The nine national privacy principles include:</p>
<h3 style="text-align: justify; ">Principle 1: Notice</h3>
<p style="text-align: justify; ">A data controller shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:</p>
<p style="text-align: justify; "><b>During Collection </b></p>
<ul>
<li>What personal information is being collected; </li>
<li>Purposes for which personal information is being collected; </li>
<li>Uses of collected personal information; </li>
<li>Whether or not personal information may be disclosed to third persons; </li>
<li>Security safeguards established by the data controller in relation to the personal information; </li>
<li>Processes available to data subjects to access and correct their own personal information; </li>
<li>Contact details of the privacy officers and SRO ombudsmen for filing complaints. </li>
</ul>
<p style="text-align: justify; "><b>Other Notices</b></p>
<ul>
<li>Data breaches must be notified to affected individuals and to the commissioner when applicable.</li>
<li>Individuals must be notified of any legal access to their personal information after the purposes of the access have been met.</li>
<li>Service providers would have to explain how the information would be used and whether it may be disclosed to third persons such as advertisers or processors.</li>
<li>Individuals must be notified of changes in the data controller’s privacy policy.</li>
<li>Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.</li>
</ul>
<p style="text-align: justify; "><b>Example of Implementation</b>: A telecom service provider must make a privacy policy available to individuals before any personal information is collected by the company. The notice must include all categories of information identified in the principle of notice. For example, the service provider must identify the types of personal information that will be collected from the individual at the start of the service and during the course of the consumer’s use of the service; for a telecom service provider this could range from name and address to location data. The notice must identify whether information will be disclosed to third parties such as advertisers, processors, or other telecom companies. If a data breach for which the company was responsible takes place, the company must notify all affected customers. If individuals have their personal data accessed or intercepted by Indian law enforcement or for other legal purposes, they have the right to be notified of the access after the case or other purpose for the data has been met.</p>
<h3 style="text-align: justify; ">Principle 2: Choice and Consent</h3>
<p style="text-align: justify; ">A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.</p>
<p style="text-align: justify; "><b>Example of implementation</b>: If an individual is signing up to a service, a company can only begin collecting, processing, using and disclosing their data after consent has been taken. If the provision of information is mandated by law, as is the case for the census, this information must be anonymized after a certain amount of time if it is published in public databases. If there is a case where consent is not possible, such as a medical emergency, consent before processing information does not need to be taken.</p>
<h3 style="text-align: justify; ">Principle 3: Collection Limitation</h3>
<p>A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a bank is collecting information to open an account for a potential customer, they must collect only that information which is absolutely necessary for the purpose of opening the account, after they have taken the consent of the individual.</p>
<h3 style="text-align: justify; ">Principle 4: Purpose Limitation</h3>
<p style="text-align: justify; ">Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a bank is collecting information from a customer for opening a bank account, the bank can only use that information for the purpose of opening the account and any other reasons consented to. After a bank has used the information to open an account, it must be destroyed. If the information is retained by the bank, it must be done so with consent, for a specific purpose, with the ability of the individual to access and correct the stored information, and in a secure fashion.</p>
<h3 style="text-align: justify; ">Principle 5: Access and Correction</h3>
<p style="text-align: justify; ">Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendment, or deletion of such information where it is inaccurate; shall be able to confirm that a data controller holds or is processing information about them; and shall be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: An individual who has opened a bank account has the right to access the information that was initially provided and subsequently generated. If there is a mistake, the individual has the right to correct it. If the individual requests from the bank information related to him that is stored about a family member, the bank cannot disclose this information without explicit consent from the family member, as it would impact the privacy of another.</p>
<h3 style="text-align: justify; ">Principle 6: Disclosure of Information</h3>
<p style="text-align: justify; ">A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a website, like a social media site, collects information about how a consumer uses its website, this information cannot be sold or shared with other websites or partners, unless notice of such sharing has been given to the individual and consent has been taken from the individual. If websites provide information to law enforcement, this must be done in accordance with laws in force, and cannot be done through informal means. The social media site would be prohibited from publishing, sharing, or making public the personal information in any way without obtaining informed consent.</p>
<h3 style="text-align: justify; ">Principle 7: Security</h3>
<p style="text-align: justify; ">A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a company is a telecommunication company, it must have security measures in place to protect customers' communications data from loss, unauthorized access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure, or other foreseeable risk. This could include encrypting communications data, having strong access controls in place, and establishing a clear chain of custody for the handling and processing of communications data.</p>
<h3 style="text-align: justify; ">Principle 8: Openness</h3>
<p style="text-align: justify; ">A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity of the data they collect, in order to ensure compliance with the privacy principles. Information regarding these practices, procedures, policies and systems shall be made available to all individuals in an intelligible form, using clear and plain language.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a hospital is collecting and processing personal information of, for example, 1,000 patients, their policies and practices must reflect and be applicable to the amount, sensitivity, and nature of information that they are collecting. The policies about the same must be made available to all individuals – this includes individuals of different intelligence, skill, and developmental levels.</p>
<h3 style="text-align: justify; ">Principle 9: Accountability</h3>
<p style="text-align: justify; ">The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including tools, training, and education; external and internal audits; and a requirement that organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: To ensure that a hospital is in compliance with the national privacy principles, it must undertake activities like running trainings and providing educational information to employees on how to handle patient-related information, conducting audits, and establishing an officer or body to oversee the implementation of privacy.</p>
<h3 style="text-align: justify; ">Public Discourses on Privacy</h3>
<p style="text-align: justify; ">In India, there have been a number of important discourses related to privacy around various projects and topics. These discourses have been driving public awareness about privacy in India, and represent an important indication of public perception of privacy and privacy concerns.</p>
<h3 style="text-align: justify; ">The Unique Identification Project</h3>
<p style="text-align: justify; ">One of these discourses is a public dialogue and debate on the Unique Identification Project. Since 2009 the Government of India has been rolling out an identity scheme known as UID or Aadhaar. The scheme is applicable to all residents in India, and seeks to provide individuals with an identity based on their fingerprints, iris scans, and photograph. The project has been heavily supported by some, and at the same time, heavily critiqued by others. For those critiquing the project, which included a Parliamentary Standing Committee on Finance,<a href="#fn27" name="fr27">[27] </a>privacy has been a driving force behind the concerns about the project. Critics argue that not only does the UID Bill lack sufficient privacy safeguards in its provisions,<a href="#fn28" name="fr28">[28] </a>but the design of the project and the technology of the project place individual privacy at risk. For example, the project relies on centralized storage of biometrics collected under the scheme; it does not account for or address how transaction data that is generated each time an individual identifies himself/herself with the UID will be stored, processed, and shared; and it does not provide adequate security measures to protect sensitive information like biometrics.</p>
<h3 style="text-align: justify; ">The Human DNA Profiling Bill</h3>
<p style="text-align: justify; ">In 2006 the Department of Biotechnology piloted a draft Human DNA Profiling Bill with the objective of creating DNA databases at the national and regional levels, and enabling the creation and storage of DNA profiles for forensic purposes. Since 2006 there have been two more drafts of the bill released to the public, and an expert committee has been created to finalize the text of the bill. Those who have publicly raised concerns about the bill, including the Centre for Internet and Society, cite a lack of privacy safeguards in the provisions, and the expansive circumstances and reasons for which the bill permits the creation and storage of DNA profiles.<a href="#fn29" name="fr29">[29]</a></p>
<h3 style="text-align: justify; ">Surveillance</h3>
<p style="text-align: justify; ">For many years there has been a running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact privacy legislation. As discussed above, the current surveillance regime is lacking on many fronts, while at the same time the government continues to seek greater interception powers and more access to larger sets of information at greater granularity. Projects like the Central Monitoring System, NATGRID, and Lawful Interception Solutions have caused individuals to question the government on the proportionality of State surveillance and to ask for a comprehensive privacy legislation that also regulates surveillance.</p>
<p style="text-align: justify; ">The need for strong and enforceable surveillance provisions is not unique to India, and in 2013 the International Principles on the Application of Human Rights to the Surveillance of Communications were drafted. The principles lay out standards that ensure that surveillance is in compliance with international human rights law and serve as safeguards that countries can incorporate into their regimes to ensure the same. The principles include: legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access. Along with defining safeguards, the principles highlight the challenge of rapidly changing technology: how it is constantly changing the ways in which information can be surveilled by governments, what information can be surveilled, and how information can be combined and analysed to draw conclusions about individuals.</p>
<h3 style="text-align: justify; ">A Privacy Legislation for India</h3>
<p style="text-align: justify; ">Since 2010, there has been a strong public discourse around the need for privacy legislation in India. In November 2010, a “Privacy Approach” paper was released to the public which envisioned the creation of a data protection legislation. In 2011, the Department of Personnel and Training released a draft privacy bill that defined a privacy regime encompassing data protection, surveillance, and mass marketing, and recognized privacy as a fundamental right.<a href="#fn31" name="fr31">[31] </a>In 2012 the Report of the Group of Experts on Privacy, as discussed above, was published.<a href="#fn32" name="fr32">[32] </a>Presently, the Department of Personnel and Training is drafting the text of the Government's Privacy Bill. In 2013, the Centre for Internet and Society drafted the Citizen’s Privacy Protection Bill, a citizen’s version of a privacy legislation for India.<a href="#fn33" name="fr33">[33]</a> From April 2013 to October 2013, the Centre for Internet and Society, in collaboration with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, held a series of seven Privacy Roundtables across India. The objective of the Roundtables was to gain public feedback on a privacy framework for India. Topics discussed during the meetings included how to define sensitive personal information vs. personal information, whether co-regulation should be the model adopted as a regulatory framework, and what the legal exceptions to the right to privacy should be.<a href="#fn34" name="fr34">[34]</a></p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">Clearly, privacy is an emerging and increasingly important field in India’s internet society. As companies collect greater amounts of information from and about online users, and as the government continues to seek greater access and surveillance capabilities, it is critical that India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India. The first step towards this is the enactment of a comprehensive privacy legislation recognizing privacy as a fundamental right. The Report of the Group of Experts on Privacy and the government considering a draft privacy bill are all steps in the right direction.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. http://www.zdnet.com/in/india-sets-up-social-media-monitoring-lab-7000012758/</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. http://www.techdirt.com/articles/20130203/18510621869/investigative-journalist-claims-her-public-tweets-arent-publishable-threatens-to-sue-blogger-who-does-exactly-that.shtml</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. http://www.bbc.co.uk/news/technology-24744695</p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. http://www.thehindu.com/news/national/sc-to-hear-pil-on-us-surveillance-of-internet-data/article4829549.ece</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. http://forbesindia.com/article/checkin/indias-internet-privacy-woes/35971/1</p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. http://www.thehindubusinessline.com/industry-and-economy/info-tech/route-domestic-net-traffic-via-india-servers-nsa-tells-operators/article5022791.ece</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. ITA section 67</p>
<p style="text-align: justify; ">[<a href="#fr9" name="fn9">9</a>]. ITA section 43, 66, and 66F</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011. section 6(1)</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Information Technology (Procedure and Safeguards for monitoring and collection of Traffic Data or other information) Rules 2009</p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Information Technology (Procedure and Safeguards for intercepting, monitoring, and decryption) Rules 2009</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Ibid footnote 6</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Business Standard. Data secure status for India is vital: Sharma on the FTA with EU. September 3rd 2013. Available at: http://www.business-standard.com/article/economy-policy/data-secure-status-for-india-is-vital-sharma-on-fta-with-eu-113090300889_1.html</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. Guidelines for Cyber Cafe Rules 5(2) & 5(3). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Guidelines for Cyber Cafe Rules 5(4)</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Guidelines for Cyber Cafe Rules 5(6)</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Guidelines for Cyber Café Rules 7(1)</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Ibid footnote 9</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. Ibid footnote 8</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. ITA section 84A</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. Jain, B. 8,736 phone and e-mail accounts tapped by different government agencies in July. September 17th 2011. Available at: http://articles.economictimes.indiatimes.com/2011-09-17/news/30169231_1_phone-tap-e-mail-accounts-indian-telegraph-act</p>
<p style="text-align: justify; ">[<a href="#fr24" name="fn24">24</a>]. The Economic Times. Action to be taken in ‘phone tapping’ during BJP rule: Virbhadra Singh. March 6th 2013. Available at: http://articles.economictimes.indiatimes.com/2013-03-06/news/37500338_1_illegal-phone-virbhadra-singh-previous-bjp-regime</p>
<p style="text-align: justify; ">[<a href="#fr25" name="fn25">25</a>]. Chaudhary, A. BlackBerry’s Tussle with Indian Govt. Finally Ends; BB Provides Interception System. http://www.medianama.com/2013/07/223-blackberrys-tussle-with-indian-govt-finally-ends-bb-provides-interception-system/</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Report of the Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. http://www.indianexpress.com/news/uid-bill-skips-vital-privacy-issues/688614/</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. http://www.epw.in/authors/elonnai-hickok</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf</p>
<p style="text-align: justify; ">[<a href="#fr31" name="fn31">31</a>]. http://www.iltb.net/2011/06/analysis-of-the-privacy-bill-2011/</p>
<p style="text-align: justify; ">[<a href="#fr32" name="fn32">32</a>]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr33" name="fn33">33</a>]. http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft</p>
<p style="text-align: justify; ">[<a href="#fr34" name="fn34">34</a>]. http://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings</p>
<p>
For more details visit <a href='https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india'>https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india</a>
</p>
No publisher | elonnai | Internet Access | 2014-01-08T13:51:06Z | Page
CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.
https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d
<b>The United Nations adopted the resolution on the right to privacy recently. It recognised privacy as a human right, integral to the right to free expression, and also declared that mass surveillance could have negative impacts on human rights. </b>
<p style="text-align: justify; ">On <a class="external-link" href="https://www.un.org/News/Press/docs/2013/gashc4094.doc.htm">November 26, 2013</a>, the United Nations adopted a non-binding resolution on <a href="http://www.un.org/ga/search/view_doc.asp?symbol=A/C.3/68/L.45/Rev.1">The Right to Privacy in the Digital Age</a>. The resolution was drafted <a href="http://news.idg.no/cw/art.cfm?id=F0537DC8-A06C-E9D5-2EBACEA94829DAC1">by Brazil and Germany</a> and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to <a href="http://www.theguardian.com/world/2013/nov/26/un-surveillance-resolution-human-right-privacy">privacy extending equally to citizens and non-citizens of a country</a>. The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.</p>
<p style="text-align: justify; ">The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the <a href="http://www.indexoncensorship.org/2013/11/india-online-report-freedom-expression-digital-freedom-3/">Central Monitoring System</a>, should take cognizance of, including in short:</p>
<ol>
<li style="text-align: justify; "><b>Privacy is a human right</b>: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence. </li>
<li style="text-align: justify; "><b>Privacy is integral to the right to free expression</b>: Privacy is an integral component in recognizing the right to freedom of expression. </li>
<li style="text-align: justify; "><b>Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression</b>: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression. </li>
<li style="text-align: justify; "><b>Exceptions to privacy and freedom of expression should be in compliance with human rights law:</b> Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law. </li>
<li style="text-align: justify; "><b>Mass surveillance may have negative implications for human rights: </b>Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights. </li>
<li style="text-align: justify; "><b>Equal protection for online and offline privacy:</b> The right to privacy must be equally protected online and offline.</li>
</ol>
<p>The resolution further called upon states to:</p>
<ol>
<li style="text-align: justify; ">Respect and protect the right to privacy, particularly in the context of digital communications.</li>
<li style="text-align: justify; ">Ensure that relevant legislation is in compliance with international human rights law.</li>
<li style="text-align: justify; ">Review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.</li>
<li style="text-align: justify; ">Establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.</li>
</ol>
<p style="text-align: justify; ">The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.</p>
<p style="text-align: justify; ">The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extraterritorial surveillance. The Centre for Internet and Society encourages the Government of India, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.</p>
<p style="text-align: justify; ">Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGOs developed the <a href="https://en.necessaryandproportionate.org/TEXT">Necessary and Proportionate principles</a>, which seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess whether domestic surveillance regimes are in compliance with international human rights law. CIS has contributed to the process of developing these principles. The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access. A <a href="https://en.necessaryandproportionate.org/take-action/digiges">petition</a> to sign onto the principles and demand an end to mass surveillance is currently underway.</p>
<p style="text-align: justify; ">Both the Government of India and the public of India should take into consideration the UN Resolution and the Necessary and Proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law, and to understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d'>https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d</a>
</p>
No publisher | elonnai | Surveillance, Internet Governance, Privacy | 2013-11-30T07:25:18Z | Blog Entry
Seventh Privacy Round-table
https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table
<b>On October 19, 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation for Indian Chambers of Commerce and Industry, the Data Security Council of India, and Privacy International held a “Privacy Round-table” in New Delhi at the FICCI Federation House.</b>
<p style="text-align: justify; ">The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.</p>
<p style="text-align: justify; ">Previous Privacy Round-tables were held in:</p>
<ul>
<li style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting" class="external-link">New Delhi</a>: (April 13, 2013) with 45 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/162t8rU">Bangalore</a>: (April 20, 2013) with 45 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/12ICGYD">Chennai</a>: (May 18, 2013) with 25 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/12fJSvZ">Mumbai</a>: (June 15, 2013) with 20 participants;</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/11dgINZ">Kolkata</a>: (July 13, 2013) with 25 participants; and</li>
<li style="text-align: justify; "><a class="external-link" href="http://bit.ly/195cWIf">New Delhi</a>: (August 24, 2013) with 40 participants.</li>
</ul>
<p style="text-align: justify; ">Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.</p>
<p style="text-align: justify; ">The Privacy Round-tables were organised to spark public dialogue and gain feedback on a privacy framework for India. To achieve this, <a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="external-link">the Privacy Protection Bill, 2013</a>, drafted by the Centre for Internet and Society, <a href="https://cis-india.org/internet-governance/blog/strengthening-privacy-protection.pdf" class="external-link">Strengthening Privacy through Co-regulation by the Data Security Council of India</a>, and the <a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of the Group of Experts on Privacy by the Justice A.P. Shah committee</a> were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.</p>
<p style="text-align: justify; ">The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under <a href="https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy" class="external-link">section 43A of the Information Technology Act</a>, were not sufficient to meet EU data secure adequacy. In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.</p>
<hr />
<p>Presentation: <b>Jacob Kohnstamm</b>, <i>Dutch Data Protection Authority and Chairman of the Article 29 Working Group </i></p>
<hr />
<p style="text-align: justify; ">Jacob Kohnstamm made a presentation on the privacy framework in the European Union. In his presentation, Kohnstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected, the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded.</p>
<p style="text-align: justify; ">Kohnstamm recognized the tension between stringent data protection regulations on the one hand and security for the government and the provision of services by businesses on the other. However, he argued that the use of technology without regulation, whether for commercial or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone of the use of these technologies to ensure trust between the individual and the State, and between the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data, that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.</p>
<p style="text-align: justify; ">In response to a question about how the EU addresses the tension between data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address, but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances: as security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.</p>
<p style="text-align: justify; ">Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred to and processed in India, it is subject to the same level of protections as it would be if it were processed in the EU. Without privacy legislation in place, India’s present regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘deadlock’, the EU and India have agreed to set up an expert group, with experts from both the EU and India, to find a way in which India’s regime can be modified to meet EU data secure adequacy. To date, no experts from the Indian side have been nominated and communicated to the EU.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.</li>
<li style="text-align: justify; ">Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data. </li>
<li style="text-align: justify; ">India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way out of the ‘deadlock’.</li>
</ol>
<hr />
<p>Discussion: <b>National Security, Surveillance and Privacy</b></p>
<hr />
<p style="text-align: justify; ">Opening the discussion up to the floor, participants discussed how in India there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances on the powers given to Indian security agencies. One missing safeguard for which the Indian regime has been heavily criticized is the power of the Secretary of the Home Ministry to authorize interception requests: vesting the authorization power in the executive leaves little separation between the interested parties seeking approval of interception orders and the authority granting them, and could result in abuse or conflict of interest. With regard to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.</p>
<p style="text-align: justify; ">Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.</p>
<p style="text-align: justify; ">While discussing the safeguards needed in an interception and surveillance regime for India, transparency of surveillance by both the government and service providers was called out as a key safeguard for protecting privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporates the idea of a "nexus of surveillance" was also highlighted. It was pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate the security measures in place to guard against loss and misuse, and have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li>The Indian surveillance regime currently does not have strong enough safeguards.</li>
<li>The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.</li>
<li>A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.</li>
</ol>
<hr />
<p>Presentation: <b>Chantal Bernier</b>, <i>Deputy Privacy Commissioner, Canada</i></p>
<hr />
<p style="text-align: justify; ">In her presentation, Bernier noted that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. She pointed out that there are two pieces of privacy legislation in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way because the relationship between individuals and business is understood to be based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy such as consent differ between the public sector and the private sector. Bernier also pointed out that privacy is a global issue and, because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be interoperable.</p>
<p style="text-align: justify; ">Bernier described three main characteristics of the Canadian privacy regime including:</p>
<ol>
<li style="text-align: justify; ">It is comprehensive and applies to both the public and the private sectors.</li>
<li style="text-align: justify; ">The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.</li>
<li style="text-align: justify; ">The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaptation to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in whatever way the company believes it can best meet that obligation. Bernier also noted that all companies remain responsible and accountable for any data that they outsource for processing.</li>
</ol>
<p style="text-align: justify; ">Furthermore, any company that substantially deals with Canadians must ensure that the forum in which complaints and similar matters are heard is Canada. In addition, under the Canadian privacy regime, accountability for data protection rests with the original data holder, who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.</p>
<p style="text-align: justify; ">Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as fining a company, but does have the ability to "name" companies that are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits at its discretion with respect to the public sector, and can perform audits on the private sector if it has reasonable grounds to investigate.</p>
<p style="text-align: justify; ">Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:</p>
<ol>
<li>The importance of having strong regulators.</li>
<li>Privacy regulators must work and cooperate together.</li>
<li>Privacy has become a condition of trade.</li>
<li>In today’s age, issues around surveillance cannot be underestimated.</li>
<li>Companies that have strong privacy practices now have a competitive advantage in today’s global market.</li>
<li>Privacy frameworks must be clear and flexible.</li>
<li>Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments. </li>
</ol>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The Right to Privacy is a fundamental right in Canada.</li>
<li style="text-align: justify; ">The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.</li>
<li style="text-align: justify; ">The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest. </li>
</ol>
<hr />
<p>Discussion: <b>The Data Protection Authority</b></p>
<hr />
<p style="text-align: justify; ">Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was called out that in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that, to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand, it was cautioned that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead, the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.</p>
<p style="text-align: justify; ">When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority could be established as a small regulator with an appellate body to hear complaints.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.</li>
<li style="text-align: justify; ">The composition of the Data Protection Authority should be diverse, and it should have the competence to address the dynamic nature of privacy.</li>
<li style="text-align: justify; ">The Data Protection Authority could be established as a small regulator with an appellate body attached. </li>
</ol>
<hr />
<p style="text-align: justify; ">Presentation: <b>Christopher Graham</b>,<i> Information Commissioner, United Kingdom</i></p>
<hr />
<p style="text-align: justify; ">Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the <a class="external-link" href="https://www.gov.uk/data-protection">UK Data Protection Act</a> and the <a class="external-link" href="http://www.legislation.gov.uk/ukpga/2000/36/contents">Freedom of Information Act</a>. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part of it.</p>
<p style="text-align: justify; ">Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and that his office has the power to impose fines of up to half a million pounds on non-compliant data controllers. Despite having this power, it is rarely used, as a smaller fine is usually sufficient for the desired effect. Yet, at the end of the day, whatever penalty is levied must be proportionate and risk based, i.e., selective, to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the marketplace, where not having strong standards costs innovation and economic growth. To this extent, Graham also pointed out that self-regulation and co-regulation are both workable models if there are strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.</p>
<p style="text-align: justify; ">Graham also explained that he has found that there is currently a lack of confidence in Indian partners. This is problematic as Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of data breaches by Indian data controllers, such as a call centre merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty the office of the UK ICO faces is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.</p>
<p style="text-align: justify; ">Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending its current regime if it wants data secure status, and spoke about the economic benefits for both Europe and India if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of the UK Data Protection Act, Graham clarified that what matters most is the rule of law, and that according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.</p>
<p style="text-align: justify; ">Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring other countries to uphold the right to privacy to the same level when, for example, this is not practised for other human rights such as children’s rights. In response, Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that it does, the UK is not exporting UK citizens’ children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizens’ data, even when it leaves the UK jurisdiction. Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. To understand why Europe requires countries to be ‘data secure’ before transferring data to them, India needs to understand that privacy is a fundamental right that goes beyond security, and that when a company processes data it does not own the data; the individual owns the data and thus has rights attached to it.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">The UK Information Commissioner’s Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.</li>
<li style="text-align: justify; ">Penalties must be proportionate and scalable to the offense. </li>
<li style="text-align: justify; ">Co-regulation and self-regulation can both be viable models for privacy, but enforcement is key to them being effective.</li>
</ol>
<hr />
<p style="text-align: justify; ">Discussion: <b>Collection of Data with Consent and Collection of Data without Consent</b></p>
<hr />
<p style="text-align: justify; ">Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked for opinions about the circumstances in which informed consent should not be required, it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector, and only if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not explicitly take into account consent for the transfer of information, and it does not address changing terms of service and whether companies must obtain consent again, or whether providing notice to the individual is sufficient. The question of consent for the additional data that is generated through use of a service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance with the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service in the same way? The exception of disclosure without consent was also raised, and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based on — for example transparency — must be explored to address these situations.</li>
<li style="text-align: justify; ">The Privacy Protection Bill should explicitly address transfer of information to other countries. </li>
<li style="text-align: justify; ">The Privacy Protection Bill should address consent in the context of changing terms of service. </li>
</ol>
<hr />
<p>Discussion: <b>Penalties and Offences</b></p>
<hr />
<p style="text-align: justify; ">The penalties and offences prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be ineffective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals — as the type of violation differs. For example, a breach by a data controller is often a matter of identifying the breach and putting in place strictures to ensure that it does not happen again, by holding the company accountable through oversight. Whereas a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation. Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.</p>
<p style="text-align: justify; ">The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages for incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system, i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested, as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is setting a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offences and penalties were suggested, but for all of them it was clear that it is important to be creative about the type of penalties and not rely only on financial penalties, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.</li>
<li style="text-align: justify; ">Instead of levying penalties, the Bill should include incentives to ensure compliance. </li>
<li style="text-align: justify; ">Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach. </li>
</ol>
<hr />
<p>Discussion: <b>Cultural Aspects of Privacy</b></p>
<hr />
<p style="text-align: justify; ">The cultural realities of India, and their impact on the perception of privacy in India, were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a community-based society, and a large population. All of these factors affect understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, a principle based model might be too difficult to enforce, as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will affect the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and that Indians therefore do not have a concept of privacy, cannot influence how a privacy law is framed for India.</p>
<p style="text-align: justify; ">Key Points:</p>
<ol>
<li style="text-align: justify; ">India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.</li>
<li style="text-align: justify; ">Given India’s diversity, a principle based model might not be adequate. </li>
<li style="text-align: justify; ">Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India. </li>
</ol>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The seventh privacy round-table concluded with a conversation on NSA spying and the Snowden revelations. It was asked whether domestic servers could be an answer to protecting Indian data. Participants agreed that domestic servers are just a band-aid for the problem. With regard to the Privacy Protection Bill, it was clarified that CIS is now in the process of collecting public statements on the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table'>https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2013-11-20T09:58:39Z | Blog Entry
What India can Learn from the Snowden Revelations
https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations
<b>Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.</b>
<p>The title of the article was changed in the <a class="external-link" href="http://in.news.yahoo.com/why-india-needs-a-snowden-of-its-own-054956734.html">version published by Yahoo</a> on October 23, 2013.</p>
<hr />
<p>Since the ‘<a href="http://www.theguardian.com/world/edward-snowden" target="_blank">Snowden revelations</a>’, which uncovered the United States government’s massive global surveillance through the <a href="http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29" target="_blank">PRISM</a> program, there have been reactions aplenty to their impact.</p>
<p style="text-align: justify; ">The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM is not subject to the protections found in the laws of that country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.</p>
<p style="text-align: justify; ">The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.</p>
<p style="text-align: justify; ">Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.</p>
<p style="text-align: justify; ">This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.</p>
<h3 style="text-align: justify; ">India’s reaction</h3>
<p style="text-align: justify; ">After the first news of the Snowden revelations, the Indian Supreme Court <a href="http://www.medianama.com/2013/06/223-supreme-court-to-hear-pil-against-nsa-surveillance-of-indian-data-report/" target="_blank">agreed</a> to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.<br /><br />The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.<br /><br />In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality this evaluation is a difficult step for companies to take.<br /><br />For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.<br /><br />To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance with or rejection of the same.<br /><br />In India, P. Rajeev, Member of Parliament from Kerala, has started a <a href="http://www.change.org/petitions/google-facebook-microsoft-yahoo-reveal-information-on-data-of-indian-citizens-given-to-us-security-agencies-2" target="_blank">petition</a> asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.<br /><br />The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been <a href="http://articles.economictimes.indiatimes.com/2013-08-14/news/41409701_1_traffic-originating-and-terminating-servers-mocit" target="_blank">voiced by many</a>, including government officials. Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require foreign governments to access Indian information through a formal <a href="http://mha.nic.in/Policy_Planing_Division" target="_blank">Mutual Legal Assistance Treaty</a> process, it does not necessarily enhance the privacy of Indian data.<br /><br />As a note, India has MLATs with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.</p>
<h3 style="text-align: justify; ">Snooping</h3>
<p style="text-align: justify; ">The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India. <br /><br />For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually <a href="http://timesofindia.indiatimes.com/tech/tech-news/telecom/BlackBerry-sets-up-server-in-Mumbai-to-aid-interception/articleshow/11969224.cms" target="_blank">set up servers in Mumbai</a> and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands of <a href="http://news.cnet.com/8301-1009_3-20015418-83.html" target="_blank">Skype and Google</a>. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.<br /><br />Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on an order of the executive. <br /><br />The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on an order of the Secretary to the Government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.</p>
<p style="text-align: justify; ">The gaps in the Indian <span class="cs4-ndcor yshortcuts" id="lw_1382621265093_4">surveillance</span> regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, <span class="cs4-visible yshortcuts" id="lw_1382621265093_2">India</span> is in the process of enacting privacy legislation. <br /><br />In 2012, a committee chaired by Justice AP Shah (of which the Centre for Internet and Society was a member) wrote <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf" target="_blank">The Report of the Group of Experts on Privacy</a>, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.<br /><br />The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.<br /><br />For example, telecoms in India are now required to include <a href="http://www.firstpost.com/tech/exclusive-location-tracking-of-every-indian-mobile-user-by-2014-876109.html/2" target="_blank">user location data</a> as part of the ‘call detail record’ and be able to <a href="http://www.medianama.com/2012/08/223-indian-government-revises-location-accuracy-guidelines-says-telcos-should-bear-the-cost/" target="_blank">provide</a> the same to law enforcement agencies on request under <a href="http://www.cca.ap.nic.in/i_agreement.pdf" target="_blank">provisions</a> in the Unified Access Service and Internet Service Provider Licenses. 
<br /><br />At the same time, the Government of India is in the process of putting in place a <a href="http://en.wikipedia.org/wiki/Central_Monitoring_System" target="_blank">Central Monitoring System</a> that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.</p>
<p style="text-align: justify; ">Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and the Information Technology Act, the system could only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider is an integral component of the interception process, and a system that bypasses the provider breaks that chain.<br /><br />If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market pressure that consumers could exert on the basis of the insight companies provide into the surveillance requests they are facing.<br /><br />Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the Government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.</p>
<h3 style="text-align: justify; ">Policy vacuum</h3>
<p style="text-align: justify; ">For any <span class="cs4-ndcor yshortcuts" id="lw_1382621265093_5">government</span>, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe. <br /><br />When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.<br /><br />In 2013, the <a href="https://en.necessaryandproportionate.org/text" target="_blank">International Principles on the Application of Human Rights to Communications Surveillance</a> were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications. <br /><br />When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.</p>
<hr />
<p style="text-align: justify; "><i>Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations'>https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations</a>
</p>
Author: elonnai | Categories: Internet Governance, Privacy | Published: 2013-10-25T07:29:57Z | Type: Blog Entry
An Interview with Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party
https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm
<b>The Centre for Internet and Society interviewed Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party.</b>
<h3 style="text-align: justify; ">What activities and functions does your office undertake?</h3>
<p style="text-align: justify; ">The activities and functions of the Dutch data protection authority can roughly be divided into 4 different categories: supervisory activities, giving advice on draft legislation, raising awareness and international tasks. <br /><br />The Dutch DPA supervises the legislation applicable in the Netherlands with regard to the use of personal data. The most important law is the Dutch Data Protection Act, but the Dutch DPA also supervises, for example, the Acts governing data processing by police and justice as well as parts of the Telecoms Act. <br /><br />The supervisory activities mainly consist of investigating, ex officio, violations of the law, with the focus on violations that are serious, structural and impact a large number of people. Where necessary, the Dutch DPA can use its sanctioning powers, including imposing a conditional fine, to enforce the law. The Dutch DPA can also decide to examine sector-wide codes of conduct that are submitted to it and provide its views in the form of a formal opinion. <br /><br />In addition to investigations, the Dutch DPA advises the government, and sometimes the parliament, on draft legislation related to the processing of personal data. Following the Data Protection Act, the government is obliged to submit both primary and secondary legislation related to data processing to the DPA for advice. <br /><br />As regards awareness-raising, next to publishing the results of the investigations, its views on codes of conduct and its advice on legislation, the Dutch DPA also issues guidelines, on its own initiative, explaining legal norms. Via its websites, the Dutch DPA provides more information to both data subjects and controllers on how data can and cannot be processed. Specifically for data subjects, self-empowerment tools – including standard letters to exercise their rights – are made available. 
Furthermore, they can contact the Dutch DPA daily via a telephone hotline.<br /><br />Last but not least, the Dutch DPA participates in several international and European fora, including the Article 29 Working Party, of which I am the Chair, and the European and the International Conference of data protection and privacy commissioners, of whose Executive Committee I am also the Chair.</p>
<h3 style="text-align: justify; ">What powers does your office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what do you feel is needed?</h3>
<p style="text-align: justify; ">The Dutch DPA has a broad range of investigative powers, including the power to order the controller to hand over all relevant information and to enter the premises of the controller unannounced. All organisations subjected to the supervision of the Dutch DPA are obligated to cooperate. <br /><br />The Dutch DPA also has a considerable range of sanctioning powers; it can, for example, order the suspension or termination of certain processing operations and can also impose a conditional fine. Currently a bill is before Parliament to provide the Dutch DPA with fining powers as well.</p>
<p style="text-align: justify; ">Especially once the bill providing the Dutch DPA with fining powers is passed, I feel the powers are sufficient, giving us all the necessary enforcement tools to ensure compliance with the law.</p>
<h3 style="text-align: justify; ">How is your office funded?</h3>
<p>The Dutch DPA is funded through the government, which, together with the parliament, each year determines the budget for the next year. The budget is drafted on the basis of a proposal from the Dutch DPA.</p>
<h3 style="text-align: justify; ">What is the organizational structure of your office and the responsibilities of the key executives?</h3>
<p style="text-align: justify; ">The Dutch DPA consists of a college of commissioners and the supporting Secretariat, itself consisting of 6 departments and headed by the Director. The Dutch DPA has 2 supervision departments, one for the private and one for the public sector, a legal department, a communications department, an international department and a department providing the operational support.</p>
<h3 style="text-align: justify; ">If India creates a framework of co-regulation, how would you suggest the overseeing body be structured?</h3>
<p style="text-align: justify; ">Considering the many differences between India and the Netherlands - and Europe - this is a very hard question to answer. But whatever construction is chosen in India, it is of utmost importance to guarantee the independence of the supervisory authorit(y)(ies), who shall be provided with sufficient and scalable powers to be able to sanction violations.</p>
<h3 style="text-align: justify; ">What legal challenges has your office faced?</h3>
<p style="text-align: justify; ">The biggest legal challenge we face at the moment is the new European legal framework currently being discussed. It is as yet uncertain whether and when this will enter into force, but it is clear that it will bring new challenges for our office.</p>
<h3 style="text-align: justify; ">What are the main differences between your offices?</h3>
<p style="text-align: justify; ">Generally, I think that the differences between my office and the UK and Canadian offices mostly stem from our different legal and cultural backgrounds, especially the difference between the common law and codified law systems. <br /><br />In addition, the norms and powers differ per supervisory authority. The Dutch DPA, for example, can enter a building without prior notice, while the ICO, if I understand correctly, can only enter with the consent of the supervised organisation. <br /><br />I however prefer to look at the similarities and possibilities to overcome our differences, because I think that we all feel that providing a high level of data protection and ensuring user control are all of our main priorities.<br /><br />Naturally, I am very curious to hear from Christopher and Chantal as well.</p>
<h3 style="text-align: justify; ">What are the most recent privacy developments for each of your respective offices?</h3>
<p style="text-align: justify; ">The technological developments of the past decades and the increasing use of smartphones and tablets have also made privacy developments necessary and have obliged us, as data protection authorities, to consider the rules and norms in this new environment.</p>
<h3 style="text-align: justify; ">What would you broadly recommend for a privacy legislation for India?</h3>
<p style="text-align: justify; ">In my view, the privacy legislation in India should in any case contain the basic principles of the protection of personal data, applicable to both the public and the private sector, naturally with some exceptions for law enforcement purposes. <br /><br />Furthermore, the Indian law should protect the imported data of citizens from other parts of the world as well, including the EU. <br /><br />And as mentioned in my answer to question 5, it is of utmost importance that the Indian legislation guarantees the establishment of (a) completely independent supervisory authorit(y)(ies), provided with sufficient sanctioning powers, to supervise compliance with the legislation also of the government, including police and justice.<br /></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm'>https://cis-india.org/internet-governance/blog/interview-with-jacob-kohnstamm</a>
</p>
Author: elonnai | Categories: Internet Governance, Privacy | Published: 2013-10-25T04:50:56Z | Type: Blog Entry
Open Letter to Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee
https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee
<b>An open letter was sent to the Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee on the proposed EU Regulation. The letter was a part of an initiative that Privacy International and a number of other NGOs are undertaking.</b>
<p><b>Dear Members of the European Parliament of the Civil Liberties, Justice and Home Affairs Committee</b>,</p>
<p style="text-align: justify; ">On behalf of The Centre for Internet and Society, Bangalore, India, we are writing to express our support of the European Commission’s proposed General Data Protection Regulation (COM (2012) 11).</p>
<p style="text-align: justify; ">The legal framework established under the 1995 Data Protection Directive (95/46/EC) in Europe has positively influenced many existing privacy regimes worldwide, serving as a model legal framework in jurisdictions that are in the process of developing privacy regimes, including India. The positive impact of the Data Protection Directive shows the potential of the Regulation to become a global model for the protection of personal data. The Regulation seeks to address new scenarios that have arisen in the context of rapidly changing technologies and practices, increasing its potential for positively influencing privacy rights for individuals globally.</p>
<p style="text-align: justify; ">India is currently in the process of considering the enactment of privacy legislation, in part with the aim of ensuring adequate safeguards to enable and enhance information flows into India from countries around the world, including Europe. At the same time, India is seeking Data Secure Status from the EU, on the basis of its current regime.</p>
<p style="text-align: justify; ">It is clear that the EU framework for data protection has a major influence on the current and emerging privacy regime in India. India is only one country of many that are in the beginning stages of developing a comprehensive privacy regime. Thus, we ask that you keep in mind how the Regulation will impact the rights of individuals in countries outside of Europe, particularly in countries that are in the process of developing privacy regimes.</p>
<p style="text-align: justify; ">We ask that you take into consideration the four following points that we believe need to be addressed in the Regulation to help ensure adequate protection of the rights of individuals in the European Union and around the world.</p>
<ol>
<li style="text-align: justify; "><b>Strengthen the principle of purpose limitation: </b>The Regulation should incorporate a strong purpose limitation principle that strictly limits present and future uses of personal data to the purposes for which it was originally collected. Currently, Article 6(4) allows for the further processing of data when the processing is <i>“not compatible with the one for which the personal data have been collected”. </i>Though the provision establishes legal requirements, one of which must be met before information can be used for a further purpose, this has proven insufficient in the existing Directive. The current provision in the Regulation dilutes the principle of purpose limitation and weakens an individual’s ability to make informed decisions about their personal data.</li>
<li style="text-align: justify; "><b>Define principles for interpretation of broad terms: </b>The Regulation should create principles for interpreting broad terms such as “legitimate interest” and “public interest”. These vague terms are used throughout the Regulation, and create the potential for loopholes or abuse. Because these terms can be interpreted in many different ways, it is important to create a set of principles to guide their interpretation by data protection authorities and courts to avoid inconsistent application and enforcement of the Regulation.</li>
<li style="text-align: justify; "><b>Clarify the scope of the Regulation:</b> The Regulation should clearly describe the jurisdictional scope and reach of its provisions. Currently Article 3(1) states that the Regulation will apply to the processing of data “in the context of the activities of an establishment of a controller or a processor in the Union”. The flow of information in the online environment, coupled with trends such as cloud computing, outsourcing, and cross-border business, creates a scenario where defining what constitutes “context of the activities of an establishment” is difficult and could lead to situations where personal data is not protected, as its collection, use, or storage does not necessarily fall within the “context of the activities”. </li>
<li style="text-align: justify; "><b>Address access by foreign intelligence bodies</b>: In light of growing demands by law enforcement for access, use, and transfer of personal information for investigative purposes across jurisdictions, the Regulation should define the circumstances in which personal data protected by its provisions can be accessed and used by foreign intelligence bodies, and the procedure by which to do so. The Regulation should address challenges such as access by foreign intelligence bodies to data stored in the cloud and data that has passed through, or is stored on, foreign networks or servers. </li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee'>https://cis-india.org/internet-governance/blog/open-letter-members-european-parliament-civil-liberties-justice-home-affairs-committee</a>
</p>
Author: elonnai | Categories: Internet Governance, Privacy | Published: 2013-10-23T05:00:02Z | Type: Blog Entry
A Privacy Meeting with the Federal Trade Commission in New Delhi
https://cis-india.org/internet-governance/blog/privacy-meeting-with-ftc-new-delhi
<b>On September 20, the Centre for Internet and Society held a roundtable meeting with Betsy Broder, Counsel for International Consumer Protection, and Sarah Schroeder, Attorney, Bureau of Consumer Protection, Federal Trade Commission (FTC), United States. The meeting took place at the Imperial, Janpath, New Delhi and discussed both the U.S. framework for privacy and potential frameworks and challenges to privacy in India.</b>
<p style="text-align: justify; ">As a note, thoughts shared during the meeting represented personal perspectives, and did not constitute the official position of the Federal Trade Commission.</p>
<p style="text-align: justify; ">When explaining the U.S. regulatory framework for privacy, the FTC attorneys highlighted that the United States does not have comprehensive privacy legislation, as in Europe, but instead has sectoral laws that address different aspects of privacy. For example, the Fair Credit Reporting Act maintains confidentiality of consumer credit report information, the Gramm Leach Bliley Act imposes privacy and security requirements for financial institutions, HIPAA applies to patient health information, and the Children’s Online Privacy Protection Act prevents the collection and posting of personal information from minors. It was discussed that the sectoral model followed by the United States allows for a nuanced balance to be struck between privacy protection and the market. It was noted, however, that some have critiqued the U.S. regulatory framework for lacking clear principles that apply to the commercial world and lay out strong privacy protections for the individual. In light of this, the White House is developing a Privacy Bill of Rights.</p>
<p style="text-align: justify; ">The Federal Trade Commission is an independent agency in the United States Government with responsibility for enforcing both consumer protection and competition laws. It is composed of five commissioners and a staff of roughly 1,000, which includes attorneys and economists. The FTC is primarily a law enforcement agency, but also undertakes policy development through workshops and reports. Consumer education is another key function of the agency.</p>
<p style="text-align: justify; ">On the consumer protection side, Congress has directed the FTC to enforce the Federal Trade Commission Act, as well as some more specific statutes, such as those that protect consumers from unwanted telemarketing and those that protect children online. Its main objectives are to protect consumer interests, and to prevent fraud and unfair and deceptive business practices. The FTC carries out its privacy work through its consumer protection mission.</p>
<p style="text-align: justify; ">When understanding the FTC’s role in relation to privacy, it is important to understand that the FTC’s jurisdiction applies only to certain industries as defined by Congress. Thus, for example, the FTC does not have jurisdiction over banks or telecommunications.</p>
<p style="text-align: justify; ">The most critical part of the FTC’s activities is its law enforcement function. The FTC can investigate an organization if the staff believes that the entity may be involved in conduct that contravenes the FTC Act’s prohibition on unfair or deceptive practices, or another specific privacy law. The FTC has brought a number of privacy-related cases against major companies including Facebook, Google, ChoicePoint, and Twitter. Many of these cases address new challenges brought about by rapidly changing technologies.</p>
<p style="text-align: justify; ">The vast majority of the FTC’s actions have been settled with consent judgments. When the statute that the FTC enforces allows for the imposition of a civil penalty, the FTC sets the penalty at a level that ensures that it is fair and provides a deterrent, but will not impose a hardship on the company. As a civil enforcement agency, the FTC cannot seek criminal sanctions. While enforcement is the cornerstone of the FTC’s approach to privacy, the agency also supports self-regulation, where appropriate. In this system the FTC does not pre-approve an organization’s practices or define principles that all companies should abide by as it is felt that every organization is unique and has different needs and abilities, and assigning specific technical standards may stifle innovation.</p>
<p style="text-align: justify; ">In the meeting it was also discussed how US privacy laws may apply to overseas companies where they are providing services for US consumers or working on behalf of US companies. For example, under the Gramm Leach Bliley Act the FTC has created the Safeguards Rule, which speaks to how financial data held by financial institutions must be handled and protected. This Rule applies to companies overseas if the company is performing work for US companies or US consumers. In other words, a US company cannot avoid compliance by outsourcing its work to an offshore organization. Discussions during the meeting also focused on consent and the key role that context, accessibility, and timing play in ensuring individuals have the ability to provide informed consent. Some of the attendees suggested that this practice could be greatly improved in India. For example, currently in India there are companies that only provide consumers access to the company privacy policy after an individual has consented and signed up to the service. When asked about the challenges to privacy that exist in India, many shared that, culturally, there is a different understanding of privacy in India than in many western countries.</p>
<p style="text-align: justify; ">Other thoughts included that the Indian government is currently imagining privacy regulation as being either fluid and purely self-regulatory or enforced through strict legal provisions. Instead, the government needs to begin to expand the possibilities for a regulatory framework for privacy in India in such a way that allows for both strong legal enforcement and flexible standards. The right to be forgotten was also discussed, and it was mentioned that California has proposed a law that will allow individuals to request deletion of information.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-meeting-with-ftc-new-delhi'>https://cis-india.org/internet-governance/blog/privacy-meeting-with-ftc-new-delhi</a>
</p>
Author: elonnai | Categories: Internet Governance, Privacy | Published: 2013-10-03T10:25:33Z | Type: Blog Entry
CIS and International Coalition Calls upon Governments to Protect Privacy
https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy
<b>The Centre for Internet and Society (CIS) along with the International Coalition has called upon governments across the globe to protect privacy.</b>
<p style="text-align: justify; ">On September 20 in Geneva, CIS joined a large international coalition in calling upon countries across the globe, including India, to assess whether national surveillance laws and activities are in line with their international human rights obligations.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has endorsed a set of international principles against unchecked surveillance. The 13 Principles set out for the first time an evaluative framework for assessing surveillance practices in the context of international human rights obligations.</p>
<p style="text-align: justify; ">A group of civil society organizations officially presented the 13 Principles this past Friday in Geneva at a side event attended by Navi Pillay, the United Nations High Commissioner for Human Rights and the United Nations Special Rapporteur on Freedom of Expression and Opinion, Frank LaRue, during the 24th session of the Human Rights Council. The side event was hosted by the Permanent Missions of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary.</p>
<p style="text-align: justify; ">Elonnai Hickok, Programme Manager at the Centre for Internet and Society has noted that "the 13 Principles are an important first step towards informing governments, corporates, and individuals across jurisdictions, including India, about needed safeguards for surveillance practices and related policies to ensure that they are necessary and proportionate."</p>
<p style="text-align: justify; ">Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the Human Rights Council stated in her opening statement on September 9:</p>
<blockquote class="quoted" style="text-align: justify; ">"Laws and policies must be adopted to address the potential for dramatic intrusion on individuals’ privacy which have been made possible by modern communications technology."</blockquote>
<p style="text-align: justify; ">Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the event, said that:</p>
<blockquote class="quoted" style="text-align: justify; ">"technological advancements have been powerful tools for democracy by giving access to all to participate in society, but increasing use of data mining by intelligence agencies blurs lines between legitimate surveillance and arbitrary mass surveillance."</blockquote>
<p style="text-align: justify; ">Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion, <a href="http://www.google.com/url?q=http%3A%2F%2Fwww.ohchr.org%2FDocuments%2FHRBodies%2FHRCouncil%2FRegularSession%2FSession23%2FA.HRC.23.40_EN.pdf&sa=D&sntz=1&usg=AFQjCNEwtpzwnl_1_j_UoSnoE048kX-LYA">made clear</a> the case for a direct relationship between state surveillance, privacy and freedom of expression in his latest report to the Human Rights Council:</p>
<blockquote class="quoted" style="text-align: justify; ">"The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other."</blockquote>
<p style="text-align: justify; ">Speaking at the event, the UN Special Rapporteur remarked that:</p>
<blockquote class="quoted" style="text-align: justify; ">"previously surveillance was carried out on targeted basis but the Internet has changed the context by providing the possibility for carrying out mass surveillance. This is the danger."</blockquote>
<p style="text-align: justify; ">Representatives of the Centre for Internet and Society, <a href="https://www.privacyinternational.org">Privacy International</a>, the <a href="https://eff.org">Electronic Frontier Foundation</a>, <a href="https://accessnow.org">Access</a>, <a href="http://www.hrw.org/">Human Rights Watch</a>, <a href="http://en.rsf.org/">Reporters Without Borders</a>, the <a href="http://www.apc.org/">Association for Progressive Communications</a>, and the <a href="https://www.cdt.org/">Center for Democracy and Technology</a> are all taking part in the event.</p>
<p style="text-align: justify; ">Find out more about the Principles at <a href="https://necessaryandproportionate.org">https://NecessaryandProportionate.org</a></p>
<h3><b>Contacts</b></h3>
<p style="text-align: justify; ">NGOs currently in Geneva for the 24<sup>th</sup> Human Rights Council:</p>
<p><b>Access</b><br />Fabiola Carrion: <a class="mail-link" href="mailto:fabiola@accessnow.org">fabiola@accessnow.org</a></p>
<p><b>Association for Progressive Communication</b><br />Shawna Finnegan: <a href="mailto:shawna@apc.org">shawna@apc.org</a></p>
<p><b>Center for Democracy and Technology</b><br />Matthew Shears: <a href="mailto:mshears@cdt.org">mshears@cdt.org</a></p>
<p><b>Electronic Frontier Foundation</b><br />Katitza Rodriguez: <a href="mailto:katitza@eff.org">katitza@eff.org</a> - @txitua</p>
<p><b>Human Rights Watch</b><br />Cynthia Wong: <a class="mail-link" href="mailto:wongc@hrw.org">wongc@hrw.org</a></p>
<p><b>Privacy International</b><br />Carly Nyst: <a href="mailto:carly@privacy.org">carly@privacy.org</a></p>
<p><b>Reporters Without Borders</b><br />Lucie Morillon: <a href="mailto:lucie.morillon@rsf.org">lucie.morillon@rsf.org</a><br />Hélène Sackstein: <a href="mailto:helsack@gmail.com">helsack@gmail.com</a></p>
<p style="text-align: justify; "><b>Signatories</b></p>
<p><b>Argentina</b><br />Ramiro Alvarez: <a href="mailto:rugarte@adc.org.ar">rugarte@adc.org.ar</a><br />Asociación por los Derechos Civiles</p>
<p class="normal" style="text-align: justify; "><b>Argentina</b><br />Beatriz Busaniche<b>: </b><a class="mail-link" href="mailto:bea@vialibre.org.ar">bea@vialibre.org.ar</a><br />Fundación Via Libre</p>
<p class="normal" style="text-align: justify; "><b>Colombia</b><br />Carolina Botero: <a class="mail-link" href="mailto:carobotero@gmail.com">carobotero@gmail.com</a><br />Fundación Karisma</p>
<p><b>Egypt</b><br />Ahmed Ezzat: <a href="mailto:ahmed.ezzat@afteegypt.org">ahmed.ezzat@afteegypt.org</a><br />Afteegypt</p>
<p><b>Honduras</b><br />Hedme Sierra-Castro: <a href="mailto:hedme.sc@gmail.com">hedme.sc@gmail.com</a><br />ACI-Participa</p>
<p><b>India</b><br />Elonnai Hickok: <a href="mailto:elonnai@cis-india.org">elonnai@cis-india.org</a><br />Center for Internet and Society</p>
<p><b>Korea</b><br />Prof. Park: <a href="mailto:kyungsinpark@korea.ac.kr">kyungsinpark@korea.ac.kr</a><br />Open Net Korea</p>
<p><b>Macedonia</b><br />Bardhyl Jashari: <a href="mailto:info@metamorphosis.org.mk">info@metamorphosis.org.mk</a><br />Metamorphosis Foundation for Internet and Society</p>
<p><b>Mauritania, Senegal, Tanzania</b><br />Abadacar Diop: <a href="mailto:jonction_jonction@yahoo.fr">jonction_jonction@yahoo.fr</a><br />Jonction</p>
<p class="normal" style="text-align: justify; "><b>Portugal</b><br />Andreia Martins<b>: </b><a class="mail-link" href="mailto:andreia@coolpolitics.pt">andreia@coolpolitics.pt</a><br />ASSOCIAÇÃO COOLPOLITICS</p>
<p><b>Peru</b><br />Miguel Morachimo: <a href="mailto:morachimo@gmail.com">morachimo@gmail.com</a><br />Hiperderecho</p>
<p><b>Russia</b><br />Andrei Soldatov: <a href="mailto:soldatov@agentura.ru">soldatov@agentura.ru</a><br />Agentura.ru</p>
<p><b>Serbia</b><br />Djordje Krivokapic: <a href="mailto:krivokapic@gmail.com">krivokapic@gmail.com</a><br />SHARE Foundation</p>
<p><b>Western Balkans</b><br />Valentina Pellizer: <a href="mailto:valentina.pellizzer@oneworldsee.org">valentina.pellizzer@oneworldsee.org</a><br />Oneworldsee</p>
<p><b>Brasil</b><br />Marcelo Saldanha: <a href="mailto:instituto@bemestarbrasil.org.br">instituto@bemestarbrasil.org.br</a><br />IBEBrasil</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy'>https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2013-09-25T07:21:09Z | Blog Entry
An Interview with Suresh Ramasubramanian
https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian
<b>Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. The Centre for Internet and Society interviewed him on cybersecurity and issues in the Cloud. </b>
<ol>
<li style="text-align: justify; "><b>You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?</b><br />a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I have expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, I have become an M3AAWG special advisor for capacity building and outreach in India.<br /><br />In fact, capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.<br /><br />This was a challenge over a decade back when I was a newbie to antispam, and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.<br /><br />There is a prevalent lack of knowledge in this area, combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.</li>
<li style="text-align: justify; "><b>In a recent public statement Google said "Cloud users have no legitimate expectation of privacy." Do you agree with this statement?</b><br />a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.<br /><br />The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.<br /><br />It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.<br /><br />Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance with laws in all countries that the company operates in are essential.<br /><br />There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.</li>
<li style="text-align: justify; "><b>In what ways can the privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?</b><br />a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.<br /><br />Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.<br /><br />Someone in Bluetooth range with the appropriate Android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.<br /><br />The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.</li>
<li style="text-align: justify; "><b>How is the jurisdiction of the data on the cloud determined?</b><br />a. This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.<br /><br />However, a cloud based provider that does business around the world may, in practice, have to comply, to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore be subject to local law.<br /><br />The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data is for something that is quite legal in the country the cloud provider is based in) to actual compliance.<br /><br />In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction: the number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.<br /><br />In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.</li>
<li style="text-align: justify; "><b>Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?</b><br />a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].<br /><br />A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.</li>
<li style="text-align: justify; "><b>What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?</b><br />a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.<br /><br />Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - <a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html">http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html</a>). Some standards you absolutely have to comply with for legal reasons.<br /><br />Compliance reasons aside, what is needed is a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.<br /><br />The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and security momentum going once these standards have been “achieved”, till it is time for the next audit at any rate.</li>
<li style="text-align: justify; "><b>What do you see as the big challenges for privacy in the cloud in the coming years?</b><br />a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.</li>
<li style="text-align: justify; "><b>Do you think encryption is the answer to private and public institutions snooping?</b><br />a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.<br /><br />There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.<br /><br />As a very popular <a class="external-link" href="http://xkcd.com/538/">XKCD</a> cartoon that has been shared around social media and has been cited in multiple security papers says -<br /><br />“A crypto nerd’s imagination”<br /><br />“His laptop’s encrypted. Let us build a million dollar cluster to crack it”<br />“No good! It is 4096 bit RSA”<br />“Blast, our evil plan is foiled”<br /><br />“What would actually happen”<br />“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”<br />“Got it”</li>
<li style="text-align: justify; "><b>Spam is now consistently used to get people to divulge their personal data or otherwise compromise a person's financial information and perpetrate illegal activity. Can spam be regulated? If so, how?</b><br />a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft...) that happens to be carried out through the medium of spam.<br /><br />The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.<br /><br />Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.<br /><br />Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.<br /><br />Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.</li>
<li style="text-align: justify; "><b>There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so, what type: export controls, privacy regulation, use control?</b><br />a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.<br /><br />Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy, and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.<br /><br />Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.<br /><br />This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.<br /><br />User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</a>
</p>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-09-06T09:37:47Z | Blog Entry
More than a Hundred Global Groups Make a Principled Stand against Surveillance
https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance
<b>For some time now there has been a need to update understandings of existing human rights law to reflect modern surveillance technologies and techniques.</b>
<p style="text-align: justify; ">Nothing could demonstrate the urgency of this situation more than the <a href="https://www.privacyinternational.org/blog/looking-at-prism-nsas-mass-surveillance-program">recent</a> <a href="https://www.eff.org/deeplinks/2013/06/spy-without-borders">revelations</a> confirming the mass surveillance of innocent individuals around the world.</p>
<p style="text-align: justify; ">To move toward that goal, today we’re pleased to announce the formal launch of the <a href="https://cis-india.org/internet-governance/blog/necessary-and-proportionate.pdf" class="internal-link">International Principles on the Application of Human Rights to Communications Surveillance</a>. The principles articulate what international human rights law – which binds every country across the globe – requires of governments in the digital age. They speak to a growing global consensus that modern surveillance has gone too far and needs to be restrained. They also give benchmarks that people around the world can use to evaluate and push for changes in their own legal systems.</p>
<p style="text-align: justify; ">The product of over a year of consultation among civil society, privacy and technology experts, including the Centre for Internet and Society (read <a href="https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance">here</a>, <a href="https://www.eff.org/deeplinks/2012/12/tackling-state-surveillance-and-human-rights-protecting-universal-freedoms">here</a>, <a href="https://www.eff.org/issues/surveillance-human-rights">here</a> and <a href="https://www.privacyinternational.org/blog/pi-is-pleased-to-announce-a-public-consultation-on-the-international-principles-on">here</a>), the principles have already been co-signed by over a hundred organisations from around the world. The process was led by <a href="https://www.privacyinternational.org/">Privacy International</a>, <a href="https://accessnow.org/">Access</a>, and the <a href="https://eff.org/">Electronic Frontier Foundation</a>.</p>
<p style="text-align: justify; ">The release of the principles comes on the heels of a <a href="https://www.privacyinternational.org/blog/un-report-the-link-between-state-surveillance-and-freedom-of-expression">landmark</a> <a href="https://www.eff.org/deeplinks/2013/06/internet-and-surveillance-UN-makes-the-connection">report</a> from the United Nations Special Rapporteur on the right to Freedom of Opinion and Expression, which details the widespread use of state surveillance of communications, stating that such surveillance severely undermines citizens’ ability to enjoy a private life, freely express themselves and enjoy their other fundamental human rights. And recently, the UN High Commissioner for Human Rights, Navi Pillay, <a href="http://www.ohchr.org/EN/NewsEvents/Pages/Media.aspx?IsMediaPage=true&LangID=E">emphasised the importance</a> of applying human rights standards and democratic safeguards to surveillance and law enforcement activities.</p>
<p style="text-align: justify; ">"While concerns about national security and criminal activity may justify the exceptional and narrowly-tailored use of surveillance programmes, surveillance without adequate safeguards to protect the right to privacy actually risk impacting negatively on the enjoyment of human rights and fundamental freedoms," Pillay said.</p>
<p style="text-align: justify; ">The principles, summarised below, can be found in full at <a class="external-link" href="http://necessaryandproportionate.org">necessaryandproportionate.org</a>. Over the next year and beyond, groups around the world will be using them to advocate for changes in how present laws are interpreted and how new laws are crafted.</p>
<p style="text-align: justify; ">We encourage privacy advocates, rights organisations, scholars from legal and academic communities, and other members of civil society to support the principles by adding their signature.</p>
<p style="text-align: justify; ">To sign, please send an email to <a class="mail-link" href="mailto:rights@eff.org">rights@eff.org</a>, or visit <a class="external-link" href="https://www.necessaryandproportionate.org/about">https://www.necessaryandproportionate.org/about</a></p>
<h3 style="text-align: justify; ">Summary of the 13 principles</h3>
<ul>
<li>Legality: Any limitation on the right to privacy must be prescribed by law.</li>
<li style="text-align: justify; ">Legitimate Aim: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.</li>
<li style="text-align: justify; ">Necessity: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a legitimate aim.</li>
<li style="text-align: justify; ">Adequacy: Any instance of communications surveillance authorised by law must be appropriate to fulfill the specific legitimate aim identified.</li>
<li style="text-align: justify; ">Proportionality: Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to users’ rights and to other competing interests.</li>
<li style="text-align: justify; ">Competent judicial authority: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.</li>
<li style="text-align: justify; ">Due process: States must respect and guarantee individuals' human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public.</li>
<li style="text-align: justify; ">User notification: Individuals should be notified of a decision authorising communications surveillance with enough time and information to enable them to appeal the decision, and should have access to the materials presented in support of the application for authorisation.</li>
<li style="text-align: justify; ">Transparency: States should be transparent about the use and scope of communications surveillance techniques and powers.</li>
<li style="text-align: justify; ">Public oversight: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance.</li>
<li style="text-align: justify; ">Integrity of communications and systems: States should not compel service providers, or hardware or software vendors to build surveillance or monitoring capabilities into their systems, or to collect or retain information.</li>
<li style="text-align: justify; ">Safeguards for international cooperation: Mutual Legal Assistance Treaties (MLATs) entered into by States should ensure that, where the laws of more than one State could apply to communications surveillance, the available standard with the higher level of protection for users should apply.</li>
<li style="text-align: justify; ">Safeguards against illegitimate access: States should enact legislation criminalising illegal communications surveillance by public and private actors.</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance'>https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2013-07-31T14:26:38Z | Blog Entry
Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback
<b>In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.</p>
<p style="text-align: center; "><b><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="internal-link">Click to download the Privacy Protection Bill, 2013 with latest amendments</a></b> (PDF, 196 Kb).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback</a>
</p>
No publisher | elonnai | Featured | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T10:50:22Z | Blog Entry
Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation
https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation
<b>India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">This letter is with regard to both the request from the Confederation of Indian Industry, made on April 29th 2013, that the EU recognize India as a data secure nation, <a href="https://cis-india.org/accessibility/blog/#fn1" name="fr1">[1]</a> and the threat from India, made on May 9th 2013, to stall negotiations on the Free Trade Agreement with the EU unless it is recognized as a data secure nation.<a href="https://cis-india.org/accessibility/blog/#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<p style="text-align: justify; ">The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will have no incentive to enact legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.<a href="https://cis-india.org/accessibility/blog/#fn3" name="fr3">[3]</a> In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt.<a href="https://cis-india.org/accessibility/blog/#fn4" name="fr4">[4]</a> In 2013 the need for a stand-alone privacy legislation was highlighted by the Law Minister.<a href="#fn5" name="fr5">[5]</a> The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013”, a citizen's version of a possible privacy legislation for India.<a href="#fn6" name="fr6">[6]</a> Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 to August 2013.<a href="#fn7" name="fr7">[7]</a> The purpose of the roundtables is to gain public feedback on the text of the “Privacy Protection Bill 2013” and on other possible frameworks for privacy in India. The discussions and recommendations from the meetings will be published as a compilation and presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The Centre for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; ">We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. CII asks EU to accept India as 'Data Secure' nation: <a class="external-link" href="http://bit.ly/15Z77dH">http://bit.ly/15Z77dH</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. India threatens to stall trade talks with EU: <a class="external-link" href="http://bit.ly/1716aF1">http://bit.ly/1716aF1</a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. New privacy Bill: Data Protection Authority, jail term for offence: <a class="external-link" href="http://bit.ly/emqkkH">http://bit.ly/emqkkH</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. The Report of the Group of Experts on Privacy <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Law Minister seeks stand-alone privacy legislation, writes to PM: <a class="external-link" href="http://bit.ly/16hewWs">http://bit.ly/16hewWs</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Privacy Protection Bill 2013 drafted by CIS: <a class="external-link" href="http://bit.ly/10eum5d">http://bit.ly/10eum5d</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Privacy Roundtable: <a class="external-link" href="http://bit.ly/12HYoj5">http://bit.ly/12HYoj5</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: <a class="external-link" href="http://bit.ly/Z2FjX6">http://bit.ly/Z2FjX6</a></p>
<p style="text-align: justify; "><b>Note: CIS sent the letters to Data Protection Commissioners across Europe.</b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation'>https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation</a>
</p>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:07:58Z | Blog Entry